Even as states continue to pass comprehensive privacy laws, Attorneys General remain active enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space.  Just last week, 46 State AGs signed on to a settlement, which took the form of an Assurance of Voluntary Compliance, with international cruise corporation Carnival

On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.

According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential

Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation.  Available here.  Not surprisingly, Capital One appealed that order.  On June 25, 2020, District Court Judge Anthony Trenga affirmed the

Following a data breach, companies generally launch an investigation to determine the source and scope of the breach. These efforts are often led by in-house privacy, compliance, and/or litigation counsel with an eye firmly planted on the legal claims that might be asserted, or need to be defended, as a result of that breach. Often key to any data breach investigation is an incident response consultant that helps determine the scope and analyzes the causes of a potential breach. Many companies expect that any reports by, or communications with, the consultant would be protected by the attorney-client privilege and/or work product doctrine, which would shield relevant materials from production during any governmental investigations or third-party litigation that arise from the event. Recently, however, a federal court compelled production of just such a breach report and related documents, calling into question the scope of that protection for data breaches and possibly other corporate investigations.

This post discusses the background and rationale that led to the Court’s finding and offers our advice concerning steps that should be taken to maximize the potential scope of protection for consultant reports in data breach investigations and other corporate investigations.
Continue Reading Lessons Learned for Maintaining Attorney-Client Privileged Data Breach Investigation (and other Consultant) Reports

Last week, the New York Attorney General’s Office announced that Bombas had agreed to pay $65,000 and implement a number of injunctive provisions to settle allegations that the sock startup failed to comply with the state’s data breach notification statute. According to the press release, Bombas learned in November 2014, that an unauthorized intruder

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide.

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and

InsuranceAs data breaches have continued to grow over the past few years, interest in cyber insurance coverage has grown along with it.  This week, the Fourth Circuit upheld a lower court’s ruling in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, finding that a commercial general liability (CGL) insurance policy covered the

Last week, the Washington Governor signed into law amendments to the state’s data breach notification statute. Importantly, the amendments, which take effect July 24, 2015, (1) expand the statute to cover breaches of non-computerized data; (2) mandate that businesses notify the Washington Attorney General of a breach affecting more than 500 Washington residents; and (3)