Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.

In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), defendant suffered a ransomware attack, triggering a lawsuit by current and former employees claiming that their personal data had been breached. McMenamins retained the Stoel Rives law firm to represent it. That firm in turn hired Stroz Friedberg to “provide consulting and technical services” that the law firm claimed it needed to provide legal advice to its client McMenamins. Id. at *2. McMenamins asserted privilege and work product protection for the Stroz Friedberg report. The court flatly rejected McMenamins’ privilege claim, bluntly stating that “the report does not provide legal advice.” Id. at *12. The court also rejected the privilege claim for communications between McMenamins and Stroz Friedberg personnel — noting that “neither [Stroz Friedberg’s] engagement letter nor the scope of work identifies any work by Stroz Friedberg related to the provision of legal advice.” Id. at *13. The court explained that “[t]he evidence demonstrates Stroz Friedberg was providing a business service, by seeking and providing factual information to McMenamins and their counsel,” which did not become protected “merely because an attorney was copied.” Id. at *13-14.

The court also rejected McMenamins’ work product claim. Next week’s Privilege Point will address that other losing argument.

On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).

The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope to examine their compliance obligations with respect to those provisions.



Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. Read on for analysis of this development and key takeaways regarding coverage for cyberattacks that in-house counsel and risk managers should consider in 2024.

On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.

What are some of the key proposed changes?

  • Separate Opt-In for Targeted Advertising. Covered service operators are required to obtain separate verifiable parental consent before disclosing children’s personal information to third parties unless the disclosure is integral to the nature of the online service. Access to services cannot be conditioned on disclosure of personal information to third parties.
  • Writing Current Ed Tech Guidance into the Rule. As in the current policy statement on education technology and COPPA, schools and school districts may authorize ed tech providers to collect, use, and disclose students’ personal information only for school-authorized educational purposes and not for any commercial purpose.
  • Children’s Personal Information Security Program. Service operators must implement a written children’s personal information security program with safeguards appropriate for the sensitivity of the personal information collected from children.
  • Data Retention Limits. Data may only be retained for as long as necessary to fulfill the purpose for which it was collected (and may not be retained for any secondary purpose) and may not be retained indefinitely. Operators must create and publish a written data retention policy for children’s personal information.

Why It Matters

These proposed changes come at a time when the effects of children’s use of the internet and social media are receiving significant media scrutiny and legislation on children’s privacy continues to proliferate. States across the country are considering and enacting children’s online privacy bills, and the U.S. Senate recently passed out of committee two such bills that await a floor vote. Organizations that handle children’s data therefore operate in a rapidly changing regulatory environment with overlapping requirements.

What’s Next

Once the notice of proposed rulemaking (NPRM) is published in the Federal Register, comments on the proposed regulations will be due 60 days later. The FTC will then take those comments into consideration and presumably publish a final rule, should Congress not enact any legislation. Impacted organizations will need to watch this area closely to update compliance programs and internal practices implicated by any regulatory changes.

On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and why the exemption applies.

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is intended to better align the Health Breach Notification Rule with recent technological advancements and mobile applications that access personal health data.

Once an outlier, the 11th U.S. Circuit Court of Appeals recently joined seven other Circuit Courts in holding that receipt of a single, unwanted text message constitutes the concrete injury required for standing in class actions filed under the Telephone Consumer Protection Act. Read on for details about this development and implications for TCPA class actions moving forward.

On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for reporting companies.

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely to complicate DHS contractors’ cybersecurity compliance programs.