Even as states continue to pass comprehensive privacy laws, Attorneys General remain active enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space.  Just last week, 46 State AGs signed on to a settlement, which took the form of an Assurance of Voluntary Compliance, with international cruise corporation Carnival for its 2019 data breach. This breach of employee email accounts purportedly exposed sensitive personal information contained in email contents, thereby impacting state consumers. The payment to the states is $1.25 million total.

While this settlement joins a long list of AG privacy cases, it serves as a useful roadmap for companies wishing to stay on top of what AGs' expectations are for data security, and what type of enforcement terms you can expect if you suffer a breach.

In its agreement, Carnival has agreed to comply with state laws prohibiting unfair and deceptive trade practices, as well as specific data security and breach notification laws, specifically in connection with securing Personal Information (as defined by state statutes) against Security Incidents, defined as confirmed unauthorized access to or acquisition of a Consumer’s personal information owned, licensed, or maintained by Carnival. It also agrees to comply with consumer protection acts with respect to representations regarding privacy and security of personal information.

Within 180 days of the effective date, Carnival must maintain a comprehensive information security program appropriate to the size and complexity of its operations, the nature and scope of its activities, and the sensitivity of the personal information it handles. Carnival must employ a Chief Information Security Officer and must further provide security awareness and privacy training to all personnel with access to the network or responsibility for personal information, both upon hiring and annually thereafter.  Carnival also must update its written incident response and data breach notification plan to ensure compliance, addressing preparation, detection and analysis, containment, eradication, and recovery workflows.

Carnival must further develop, implement, and maintain personal information retention policies, use email filtering and protection, establish encryption policies, maintain an appropriate system to collect logs and monitor network activity, and establish policies to analyze security events in real time. Carnival must also implement appropriate policies covering account auditing, password protection, multifactor authentication for remote access, firewalls, and penetration testing, and must conduct an annual risk assessment. The company also must obtain a risk assessment from a third party within 18 months of the effective date and provide a copy to the State of Washington for review.

While several of the specific provisions expire after 5 years, it should be apparent that State AGs will demand detailed compliance programs and continued oversight if they find a lapse in security practices.  Ensuring you have a detailed security program now and continually seeking ways to enhance your security practices are valuable ways to minimize AG scrutiny later.  Note also that some of the injunctive terms are broadly applicable even beyond the specific incident in question, which potentially can subject the company to heightened penalties should there be another, albeit unrelated, security incident.

*   *   *   *

Join us tomorrow for State Attorneys General 102. This short 30-minute webinar picks up where State Attorneys General 101 left off and answers a number of questions regarding:

  • Pre-suit/investigation notice requirements for Attorneys General
  • Additional information on the scope of Attorneys General investigative authority and how to challenge an investigation
  • Consumer Complaints: differences among the AGs on handling and use

Register here

Ad Law Access Podcast

On a timely new episode of Kelley Drye’s Ad Law Access podcast, Privacy and Data Security practice chair Alysa Hutnik and partner Aaron Burstein provide 101 level tips on how to manage the clock and begin to deal with data breaches when they happen.

For more information on data breaches, visit:

Advertising and Privacy Law Resource Center

Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation.  Available here.  Not surprisingly, Capital One appealed that order.  On June 25, 2020, District Court Judge Anthony Trenga affirmed the decision, ordering Capital One to produce the report.

Brief Recap of the Incident and Order   

In November 2015, Capital One retained FireEye, Inc. d/b/a Mandiant (“Mandiant”) to provide support in case of a data breach or security incident.  When a breach occurred in March 2019, Capital One’s outside counsel called on Mandiant.  While they executed a new letter agreement, the analysis requested from Mandiant was the same as that outlined in the 2015 Scope of Work.

Several putative consumer class actions were filed and a multi-district litigation is currently pending in the Eastern District of Virginia, captioned In re Capital One Consumer Data Breach Litigation, Case No. 1:19-md-2915.

There is no valid argument that the Mandiant report does not qualify as relevant and responsive information; however, Capital One argued that it was shielded from discovery by the attorney work product doctrine.  Plaintiffs filed a motion to compel its production.  On May 26, 2020, Magistrate Judge John Anderson granted Plaintiffs’ motion, finding that Capital One failed to meet its burden of establishing a valid privilege.

District Court Affirms

Capital One objected to the Magistrate Judge’s ruling and sought relief from the District Court Judge under Federal Rule of Civil Procedure 72(a).  The Magistrate Judge’s decision was subject to evaluation under a “clearly erroneous or contrary to law” standard.  The Court considered whether the order failed to apply or misapplied relevant statutes, case law, or procedure.

The District Court focused on whether the report was compiled “because of the prospect of litigation.”  The Court questioned whether the prospect of litigation was “the driving force behind” the preparation of the Mandiant report.  Despite retention by outside counsel, the Court found that Mandiant’s investigation would have been conducted, and report compiled, in materially the same way whether or not there was litigation or counsel involved.  The Court also agreed with the Magistrate Judge that Capital One’s broad distribution showed that the Mandiant report “was significant for regulatory and business reasons” and underscored that business purpose.

The Court downplayed the prospect of potential litigation.  The Court agreed with the Magistrate Judge that “[t]here is no question that at the time Mandiant began its ‘incident response services’ in July 2019, there was a very real potential that Capital One would be facing substantial claims following its announcement of the data breach.”  Capital One’s website confirms that the breach resulted in access to consumer and small business credit card applications from 2005 to 2019, transaction data for certain customers, and about 140,000 social security numbers and information from 80,000 bank accounts.  Even before the full extent of the breach was known and a report compiled, Capital One almost certainly had reason to believe this could be a litigation event.

Rather than a subjective (or even objective) analysis of the potential for litigation, the Court focused on whether the report would have been compiled in the same form whether there was a litigation threat or not.  On that point, Capital One failed to demonstrate any input, direction, or strategic guidance from its outside counsel.  The report was compiled as it had been envisioned for “business critical” purposes in 2015, and without any focus on the potential for litigation.  That contributed significantly to Capital One’s inability to establish a privilege.

Thus, Capital One was ordered to produce the Mandiant report “forthwith.”  If it wants to press the issue further, Capital One’s next option would be to seek permission for an interlocutory review by the Fourth Circuit Court of Appeals.

Implications and Lessons

The District Court’s affirmance and acceptance of the Magistrate Judge’s order confirms the importance of having proper protocols and protections in place when engaging an external (or even internal) expert to assist with litigation-relevant analyses.  As detailed in our prior post, if a written report is required, companies should keep certain key points in mind, along with one new point emphasized by the District Court as to active involvement by outside counsel in the report itself:

  • Clearly Defined Legal Scope of Work: Where a consultant has already been engaged and works with the company, the retainer signed at the direction of counsel must clearly define the terms and scope of work as distinct from the previous business relationship.
  • Paid by Legal: If a consultant is being retained to provide support for legal advice or concerning potential legal claims, that work should be managed and paid for by legal personnel.
  • Outside Counsel Active Involvement in Written Work Product: Outside counsel should be actively involved in providing input and strategic direction to the consultant as to what the consultant report addresses and incorporating legal considerations.
  • Narrow Internal Distribution: Distribution of investigation reports should be limited to those individuals necessary to complete the legal analysis and litigation work.
  • No External Non-Legal Distribution: Investigation reports should not be distributed to third parties.
  • Track Distribution: Distribution of investigation reports should be tracked so that limited distribution can be demonstrated.
  • Segregate Legal from Operational Work: Where business and legal issues or analysis are part of the same investigation, steps should be taken to segregate the legal- and litigation-related work product from business or operational reports and work.

While no protocol is guaranteed to satisfy every court, and each factual situation is unique, these guideposts improve the odds of meeting the burden required to withhold production of a consultant’s report.

Should you have any questions concerning these issues or would like advice concerning how to approach the interplay of consultants and privilege, please feel free to contact us.


Following a data breach, companies generally launch an investigation to determine the source and scope of the breach. These efforts are often led by in-house privacy, compliance, and/or litigation counsel with an eye firmly planted on the legal claims that might be asserted, or need to be defended, as a result of that breach. Often key to any data breach investigation is an incident response consultant that helps determine the scope and analyzes the causes of a potential breach. Many companies expect that any reports by, or communications with, the consultant would be protected by the attorney-client privilege and/or work product doctrine, which would shield relevant materials from production during any governmental investigations or third-party litigation that arise from the event. Recently, however, a federal court compelled production of just such a breach report and related documents, calling into question the scope of that protection for data breaches and possibly other corporate investigations.

This post discusses the background and rationale that led to the Court’s finding and offers our advice concerning steps that should be taken to maximize the potential scope of protection for consultant reports in data breach investigations and other corporate investigations. Continue Reading Lessons Learned for Maintaining Attorney-Client Privileged Data Breach Investigation (and other Consultant) Reports

Last week, the New York Attorney General’s Office announced that Bombas had agreed to pay $65,000 and implement a number of injunctive provisions to settle allegations that the sock startup failed to comply with the state’s data breach notification statute. According to the press release, Bombas learned in November 2014 that an unauthorized intruder had inserted malicious code designed to steal payment card information into its ecommerce platform. Bombas allegedly waited almost two months before remediating, and then mistakenly re-inserted the code into the website a few weeks later.

The company determined that the incident resulted in unauthorized access to the names, addresses, and credit card information of almost 40,000 customers nationwide, but did not notify those consumers until May 2018. New York’s data breach notification statute requires that businesses provide notice of a breach of personal information “in the most expedient time possible and without unreasonable delay” to both the affected resident(s) and the Attorney General, the Department of State, and the Division of State Police.

The AG’s Office has not made a copy of the settlement agreement public, but explains that the injunctive provisions are intended to help prevent future breaches and ensure compliance with the law, N.Y. Gen. Bus. Law § 899-aa. They include requirements for thorough and expeditious investigations into any future breaches and training for all appropriate officers, managers, and employees. This settlement highlights the importance of preparing for a breach, including developing and implementing policies and procedures that will allow the business to comply with the patchwork of state requirements in an efficient and timely manner.

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following breaches involving Social Security numbers, entities must “contract with a third party to provide” free credit monitoring services to impacted Massachusetts residents at no cost for at least 18 months (42 months, if the company is a consumer reporting agency), and provide consumers with instructions on how to access these services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The required notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already provided for under current Massachusetts law must now also include additional information such as the name and address of the person that experienced the breach of security, the person responsible for the breach, if known, and the type of personal information compromised. Entities are also required to submit to regulators a sample of the notification letters that they send to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts Data Breach Notification Act will take effect on April 11, 2019. This is a good opportunity for businesses to update their data breach notification related policies and procedures to ensure that they are in compliance with all state requirements. We will continue to track any updates to state breach notification statutes and post on this blog.

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting the interest and monitoring by State Attorneys General on companies’ data security programs and steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to take steps to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

On May 29, Colorado Governor John Hickenlooper signed into law HB18-1128 to strengthen data breach notification requirements for companies and government entities collecting and maintaining personal information from Colorado residents.

Effective September 1, covered entities will be required to notify individuals within 30 days of discovery of a security breach, unless the entity is notified that such a disclosure will impede a criminal investigation. Existing law requires notification to be made “in the most expedient time possible, and without unreasonable delay.” Republican state representative and bill co-sponsor Cole Wist stated the term “reasonable” was “too subjective and loose,” and could prevent consumers from acting quickly to prevent identity theft.  This makes the new law one of the strictest data breach notification laws in the country.  The following identifies pertinent changes to existing law.

Mandatory Information Security Procedures or Programs

Businesses must implement “reasonable” information security procedures or programs to protect the personal data they have – including data that has been shared with third parties – from unauthorized access, use, modification, disclosure, or destruction. Businesses that maintain paper or electronic documents containing customer personal information must develop a written policy for the destruction of such documents once they are no longer needed. Continue Reading Colorado Reaches New High with Strict Data Breach Notification Law

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

New York Attorney General Eric T. Schneiderman and Vermont Attorney General TJ Donovan (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc. (“Hilton”) resolving allegations that the company did not have reasonable data security practices in place and failed to provide timely notice after two security breaches involving payment card information. The settlement provides some valuable lessons to companies about the “most expedient time possible and without unreasonable delay” standard in state data breach laws, and how a data breach can uncover potentially deficient security standards that can raise exposure for companies. Continue Reading Hilton Settles NY and VT State AG Investigation into 2015 Data Breach; Pays $700,000 Civil Penalty