Information Management

As none of us can forget, the COVID-19 pandemic forced companies to close their brick and mortar offices with little time to adequately prepare their employees for a remote work environment. All of a sudden, in-person meetings were replaced with virtual conferences via Microsoft Teams, Zoom, and Amazon Chime – each leaving a new data

Increasing mobile device usage for routine business – such as through text messages and mobile applications like WhatsApp – is contributing to a new developing trend in E-Discovery: broad discovery requests for businesses to collect and produce data from their employees’ mobile phones.

The proliferation of electronic communication not only makes it imperative for organizations to have mechanisms in place to capture and preserve mobile text messages, but also raises new challenges about how to protect employee privacy.  As more and more employees use their personal devices for business purposes (and vice-versa – employees using company-provided devices also for personal purposes), there is an increasing desire among employees to ensure their personal data is protected, even as the company produces other data required in discovery.

Courts have recognized this is an issue, and the law is evolving to strike a balance between the discoverability of relevant information and privacy protections from overly intrusive requests for text messages.
Continue Reading Court Rules Personal Privacy Interests May Impact Scope of Discovery for Text Messages

On January 13, 2020, U.S. District Court Judge Castel of the Southern District of New York in SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC) granted the motion of the U.S. Securities and Exchange Commission (“SEC”) to compel Telegram Group Inc., a technology company best known for its secure messaging app, to produce overseas bank records (Dkt. 67). The SEC had sought these records “fully unredacted” on an expedited basis in support of its claim that Telegram engaged in an unregistered securities offering (Dkt. 52). Telegram objected to any production, asserting that the records were of questionable relevance, that they contained banking and personal information protected by a host of foreign laws, and that it would be unduly burdensome to “to cull through these records and redact the personal information of non-U.S. persons and entities subject to foreign data privacy law protections.” (Dkt. 55). In a short decision, the Court ordered Telegram to produce the records on a tight timeline, holding that “[o]nly redactions necessitated by foreign privacy laws shall be permitted, and a log stating the basis for any redaction shall be produced at the same time the redacted documents are produced.”

There are a few key takeaways from this decision. First, the Court recognized foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information. Defendant was not given a blank check to redact; rather, the Court required Telegram to log the basis for any privacy assertions, and one can expect the SEC will closely question Telegram on the redactions. At the same time, the Court clearly did not agree with the SEC’s characterization of data privacy laws as “blocking statutes” to be ignored, and was not swayed by its complaints that Telegram had not shown that such laws require deference. This is consistent with an observed general heightened sensitivity to data privacy and data security interests in the U.S. and abroad.

Judge Castel’s approach represents a change from U.S. courts’ prior dismissive treatment of similar disclosure objections. Courts traditionally would apply a multi-factor comity analysis that generally prioritized U.S. discovery interests over those of conflicting foreign laws and ultimately required unredacted production. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016) (requiring unredacted production of data protected by the then EU privacy regulation, the 1995 EU Directive 95/46/EC, based on comity analysis set out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987) (hereinafter “Aerospatiale”)). Certainly, the SEC pushed for the customary approach, but Judge Castel appears implicitly to have to have resolved in short form (or skipped over) the Aerospatiale comity analysis and accepted the legitimacy of foreign restrictions on disclosure in U.S. proceedings.


Continue Reading Burden of Compliance With Foreign Data Privacy Laws Does Not Justify Withholding of Banking Records

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:


Continue Reading NIST Surveys and Assesses Broad Landscape of IoT Cybersecurity Standards in Interagency Report

The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018.  The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled

On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on

On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged

Yesterday, Crowell & Moring hosted an International Association of Privacy Professionals (IAPP) KnowledgeNet featuring the Federal Trade Commission’s (FTC) new Chief Technologist, Lorrie Cranor.

In her short time at the FTC, Cranor has already made waves by encouraging companies to rethink mandatory password changes.  At the event, Cranor spoke about the focus of her

For only the second time in its history (following the $4.3 million Cignet case) the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) imposed civil money penalties (CMPs) on a company for violating the Health Insurance Portability and Accountability (HIPAA) Privacy Rule.

Lincare, Inc. (Lincare), a home health provider, was required to pay $239,800 in CMPs after an HHS Administrative Law Judge (ALJ) found that the undisputed evidence in the case established that Lincare violated HIPAA because it did not implement policies and procedures to safeguard records containing its patients’ protected health information (PHI).

The OCR investigation began when an individual complained to OCR that a Lincare employee left behind documents containing the PHI of 278 patients when the employee moved residences. According to the ALJ, Lincare had inadequate policies and procedures in place to safeguard PHI taken offsite even though employees regularly removed material from the business premises. Further evidence suggested that Lincare had an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods of time.


Continue Reading OCR Levies Second Ever HIPAA Civil Monetary Penalty

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information,  marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”


Continue Reading Interim Rule Could Expand Already Onerous DFARS Cyber Requirements