“Safe Harbor 2.0” Agreement in Principle; Senate Passes Cybersecurity Bill; Target Breach Investigation Documents Privileged; Text Message Alert May Fall Within TCPA

U.S.-EU reach agreement in principle on data sharing rules

Last week, the U.S. and the European Union announced they reached an agreement in principle concerning transatlantic data transfers.  This new deal, which some refer to as “Safe Harbor 2.0”, would address the concerns expressed in the October 6 European Court of Justice (“ECJ”) decision invalidating the original safe harbor agreement that had been in effect for fifteen years.  The timing of a finalized new agreement is up in the air, and could come as late as January 2016.  U.S. Commerce Secretary Penny Pritzker said that an announcement could come shortly, after the sides make “modest refinements” to an agreement that predated the ECJ decision.  However, EU Justice Commissioner Věra Jourová indicated that the sides still need to engage in “intensive technical discussions” on a number of issues before finalizing the new agreement.  The key unresolved issues are the provision of safeguards in the U.S. equal to those in Europe; an effective oversight and enforcement mechanism for privacy violations; and appropriate limitations on data access for purposes of law enforcement and national security.  Until a final agreement is announced, companies transferring data between the U.S. and the EU should continue to examine their policies and procedures to ensure compliance with the stated positions of the governing authorities.  For more on what may constitute an appropriate transfer, see our recent client alerts on the positions of the EU authorities, the Swiss and Israeli authorities, and the German authorities.

Senate passes cybersecurity bill to encourage information sharing

The Senate passed the Cybersecurity Information Sharing Act (“CISA”), a bill designed to encourage – through lifting some legal barriers and mitigating litigation risks – public and private sector entities to voluntarily share cyber threat indicators and defensive measures.  In addition to opening channels of communication between the private and public sectors, the law would also permit private entities to monitor cybersecurity threats and vulnerabilities and act to defeat or mitigate any adverse action.  The bill’s liability protections apply, however, only to entities acting in accordance with the Act’s provisions that: (1) monitor information systems, and/or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares any indicators or defensive measures with the federal government is consistent with specified procedures and exceptions developed by DHS.  The law would require certain government agencies to create policies and procedures, consistent with the Attorney General’s privacy and civil liberties guidelines, by which entities may share cyber threat information, but it does not direct these agencies to provide an opportunity for the public to comment on draft policies or procedures.  Although the established program will be voluntary, participation would trigger a mandatory obligation upon an entity to use “security controls” to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures.  The bill does not, however, specify how compliance will be demonstrated.  The law would prohibit indicators and defensive measures provided to the government from being used directly by government agencies to regulate the lawful activity of a private entity.  While proponents of the bill view it as key to combating the rising number of cyberattacks, opponents suggest that CISA fails to sufficiently protect privacy interests.
The bill will head to conference, where Congress will attempt to combine the Senate bill with companion legislation passed by the House of Representatives last April.

Court finds internal data breach investigation documents are privileged

A Minnesota federal court ruled that Target could withhold as privileged documents created during an internal investigation of its 2013 data breach.  The class action plaintiffs sought production of the documents and argued that they could not be privileged because Target had a duty to investigate and remediate any breach notwithstanding future litigation.  However, the court rejected the plaintiffs’ arguments, finding that most of the documents at issue were subject to attorney-client privilege.  The court explained that Target created a “two-track investigation” following the data breach.  One track was an “ordinary course” investigation aimed at determining how the breach occurred and how Target could appropriately respond.  The second track involved a separate team that commenced an investigation aimed at educating Target’s in-house and outside counsel so that counsel could provide advice to and defend Target in recently-filed litigation.  Documents produced in this second track were properly withheld as privileged.  In light of this ruling, companies should carefully structure any post-breach investigation if they intend to assert attorney-client privilege over investigation-related documents created in anticipation of litigation.  The “two-track” approach adopted by Target may be one appropriate model.

Text message alert system may be an “autodialer” under TCPA

A Pennsylvania federal court will consider whether a text message alert system falls within the Federal Communications Commission’s (“FCC”) recently-expanded definition of an automatic telephone dialing system, or “autodialer”, under the Telephone Consumer Protection Act (“TCPA”).  In Dominguez v. Yahoo, the plaintiff filed a TCPA class action alleging that he received approximately fifty text messages per day from Yahoo during a seventeen-month period.  These messages were sent as part of Yahoo’s e-mail alert program, which sent a text message to a user whenever that user received a new e-mail.  The service could not be disabled without logging into the e-mail account and turning off the feature.  The plaintiff received a phone number in 2011 that was previously assigned to an individual who had opted into Yahoo’s service but did not disable it before the number was reassigned.  The trial court entered summary judgment in Yahoo’s favor, finding an absence of evidence that Yahoo’s equipment could generate random or sequential numbers and thus constitute an autodialer under the TCPA.  The U.S. Court of Appeals for the Third Circuit vacated that order and remanded in light of the FCC’s July 10, 2015 Omnibus Declaratory Ruling and Order expanding the definition of an autodialer.  The FCC definition includes any equipment with “the capacity to store or produce, and dial random or sequential numbers . . . even if it is not presently used for that purpose.”  Thus, the court held, the question is whether the system as a whole, not any single piece of equipment, has the capacity to place autodialed calls.  While styled as a non-precedential ruling, this opinion, together with the FCC’s expansive view, provides another arrow in the quiver of plaintiffs’ attorneys investigating and pursuing TCPA actions against companies that use automated systems to contact consumers.