Legal insights on navigating privacy, data protection, Cybersecurity, information governance, and e-discovery.
Data Law Insights Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery
- Mini-Series on CIPA â Part 4: How Big is the Risk?by Jason Stiehl, Jacob Canter and Jazmine Buckley on February 13, 2025 at 6:51 pm
Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions. The California Invasion of Privacy Act (CIPA) was enacted in 1967 to âprotect the right of privacy by, among other things, requiring that all parties consent to a recording of their conversation.â Whether intentional or not, from these modest origins CIPA has become a giantâcreate substantial liability risk for thousands of companies every year. But just how great is the risk? Section 637.2 states that â[a]ny person who has been injured by a violation of this chapter may bring an action against the person who committed the violation for the greater of the following amounts: (1)Â Five thousand dollars ($5,000) per violationâ or â(2)Â [t]hree times the amount of actual damages, if any, sustained by the plaintiff.â Moreover, the same provision states that â[i]t is not a necessary prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened with, actual damages.â So, a website faces risk up to $5,000 per violation even when the user has sustained no damages. In practice, only a few cases that involve CIPA claims against a website have reached the stage where damages have been awarded, and they are hard to analogize. So, website owners are left in a tough position: if I am accused of violating CIPA, how should I proceed? Crowell has counseled dozens of clients on this very question and can help you walk through the factors that may determine the best approach. If you are facing these questions and want to discuss, please reach out.
- Mini-Series on CIPA â Part 3: Can I Eavesdrop on My Own Conversation?by Jason Stiehl, Jacob Canter and Jazmine Buckley on February 11, 2025 at 5:03 pm
Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions. The California Invasion of Privacy Act (CIPA) penalizes those âwho willfully and without the consent of all parties to the communication . . . read, or attempt to read, or to learn the contents or meaning of any message, report, or communication.â Cal. Penal Code § 631 (cleaned up). This rule seems sensible when applied to someone surreptitiously eavesdropping on a phone conversation. The law was passed in the 1960s to protect phone conversations from wiretaps, and if I am secretly listening in on your phone call, then my conduct may fall under the law. But what happens if there is no third-party eavesdropper? Can I violate the law even when nobody is secretly listening in? Or, in other words, under CIPA, can I eavesdrop on my own conversation? For many courts in California, the answer is no. These courts have explained that CIPA has a âone-party exception,â which provides that CIPA only applies where a third party to the conversation is actually eavesdropping on the conversation. But this exception has its limits. For example, the exception may not apply to third-parties that have promised in writing to use data it collects for specific, disclosed purposes. And while courts have traditionally drawn a distinction between actually listening into anotherâs conversation and merely recording anotherâs conversation, this distinction is harder to justify with some new technological tools. If you have questions about complying with California, U.S., and global privacy laws, reach out. We can help you identify practical steps to limit your liability risk.
- Mini-Series on CIPA Part 2: What is a âPhoneâ?by Jason Stiehl, Jacob Canter and Jazmine Buckley on February 6, 2025 at 6:24 pm
Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions. The California Invasion of Privacy Act (CIPA) penalizes unauthorized eavesdropping on communications âcarried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio. . .â Cal. Penal Code § 632.7(a). Recently, plaintiffs have pressed courts to include internet-enabled communications on smartphones within the auspice of § 632.7(a). But is a smartphone communication over the internet a phone under this section of CIPA? Courts have interpreted the plain text of § 632.7 to cover five types of telephone calls: communications transmitted between â(1) two cellular radio telephones, (2) a cellular radio telephone and a landline telephone, (3) two cordless telephones, (4) a cordless telephone and a landline telephone, and (5) a cordless telephone and a cellular radio telephone.â Missing from this list? Using a smartphone to communicate with others over the internet. With its web-enabled capabilities and ability to access websites from the device, plaintiffs have argued that their use of a websiteâs chat feature on their smartphones is akin to a telephonic communication. Many California federal courts have rejected this argument (such as here, here, and here). But at least one court in the Central District of California has taken the minority approach and determined that â[s]martphones are cellular phones with web capabilities and fall within the cellular phone category.â Ultimately, California appellate courts will need to step in and provide clarity on whether a smartphone remains a phone when used to communicate via the internet. Until then, courts (and litigants) will continue to grapple with the question: under CIPA, what is a phone?
- Mini-Series on CIPA â Part 1: What is a âCommunicationâ Anyway?by Jason Stiehl, Jacob Canter and Jazmine Buckley on February 4, 2025 at 8:09 pm
Jason, Jacob, and Jaz have prepared four brief posts on the California Invasion of Privacy Act (CIPA), an old law now applied to new technology. With damages of $5,000 per violation or treble damages, CIPA lawsuits cannot be ignored. If you have a website and want to protect your company from litigation costs, check out these posts and contact us with any questions. Companies have websites to reach customers, share products and services, and communicate brands. But websites can also create legal risks. Recently, litigation has surged against website owners for violating the California Invasion of Privacy Act (CIPA). This 1960s phone-wiretapping law is now used against websites that collect and share visitor data with third-party vendors. The legal theory, in part, is that when a user visits a website and their information is processed, the third-party vendor listens in on this communication without notice or consent from the website user. But what is a communication anyway? Thereâs little question that a phone conversation is a communication under CIPAâthe law was originally passed in 1967 to protect phone conversations from elicit wiretaps. And while no California state appellate court has published on this question, several courts in California have held that typing information into a website chat box is a communication. Efforts have been made to stretch the definition of a âcommunicationâ under CIPA even further. Are website clicks, time spent on a webpage, or information gathered from the route a user takes to complete a purchase communications? Litigation in California lower courts has yielded mixed results. In October 2023, the Massachusetts Supreme Judicial Court ruled that web browsing is not a communication under Massachusettsâ wiretap law. But we still do not know if California appellate courts will follow. You can take practical and straightforward steps to significantly limit your risk of liability under CIPA. And, if done right, this low-cost preventative work does not have to impact how your business or website operates. Reach out if you want to discuss.
- The NIS2 Directive is on the Edge of Enforcement: What Now for EU/US Companies?by Crowell & Moring on August 26, 2024 at 1:14 pm
Key Takeaways 1. New cybersecurity measures and requirements are introduced by the EU for companies. 2. Contractual provisions with the supply chain may need to be revised. 3. High penalties and liability for management, including personal liability. I. Introduction On October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) will enter into force. The NIS2 Directive outlines the cybersecurity responsibilities of both âessentialâ and âimportantâ entities whose âmanagement bodiesâ are tasked with implementation, emphasizing potential liability for failure to comply with the new mandates, along with significant penalties for entities and individuals that fail to meet their obligations. II. What is the NIS2 Directive? The objective of the NIS2 Directive is to set out measures to achieve a high common level of cybersecurity across the EU. It expands the scope of cybersecurity requirements to include both âessentialâ and âimportantâ entities in various sectors, including energy, transport, banking, health, digital infrastructure, and others. The NIS2 Directive introduces size-based thresholds for its applicability and imposes substantial fines for non-compliance. III. Which Entities Fall within the Scope of the NIS2 Directive? The NIS2 Directive applies to a public or private entity that (1) falls within any of the industry sectors listed in Annex I (Sectors of High Criticality) or Annex II (Other Critical Sectors) of the Directive, (2) provides a service within the European Union, and (3) is at least a medium-sized enterprise within the meaning of the European Commission Recommendation 2003/361/EC of May 6, 2003 concerning the definition of micro, small and medium-sized enterprises. If an entity is subject to the NIS2 Directive, it will have differing responsibilities depending on whether it is classified as an âessentialâ entity or an âimportantâ entity. Essential entities are subject to a comprehensive ex ante and ex post supervisory regime, while important entities are subject to a light, ex post only, supervisory regime. Essential entities are organizations that provide a service listed in Annex I that meet the definition of a large enterprise as set out in Recommendation 2003/361/EC. Important entities are organizations providing a service that: is listed in Annex I and meets the definition of a âmedium-sized enterprise as set out in Recommendation 2003/361/EC; is listed in Annex II and meets the definition of a medium or large enterprise as set out in Recommendation 2003/361/EC; It is important to note that entities with subsidiaries may need to take into account the number of employees and annual turnover of their subsidiaries for the purposes of assessing medium or large enterprise criteria. Moreover, some entities automatically fall under the purview of the NIS2 Directive, regardless of their number of employees or annual revenue, because of the potential for significant adverse impacts on European citizens resulting from disruptions to these businesses. They include: Providers of public electronic communications networks or services that are available to the public; Providers of trust services; Registries for top-level domain names and providers of domain name system services; and Public institutions. As all Member States are required to transpose the NIS2 Directive into their national legislation by October 17, 2024, it is crucial for businesses to ensure that the Member State has not broadened the scope of the NIS2 Directive to apply to additional companies. In addition, entities that are not established in the EU but provide their services within the EU must designate a representative (similar to the requirements of the GDPR, Digital Services Act, etc.). The Member State in which the representative is established will be deemed to be the Member State in which the entity is subject to jurisdiction. In the absence of a representative, any Member State in which the entity provides its services may take direct action against the entity if it violates the NIS2 Directive. IV. Which Obligations? 1. Risk Management Measures Entities falling within the scope of the NIS2 Directive will be required to implement at least the following key measures: Risk analysis and information system security policies; Incident handling protocols; Business continuity plans, such as backup management and business resumption; Supply chain and network security measures, including the safety aspects between each entity and its direct suppliers or service providers. Companies must consider the specific vulnerabilities of each direct supplier and service provider, and evaluate the overall quality of their products and cybersecurity practices. This assessment shall include an examination of their secure development processes; Cybersecurity testing; Auditing procedures; Regular cybersecurity training, not only for management bodies but also for employees; HR Security, access control policies, and asset management; and The use of multi-factor authentication and encryption, and secure emergency communications systems within the entity (where appropriate). Management bodies are tasked with approving the cybersecurity risk management measures adopted by their entities and overseeing their implementation, and are responsible for failures to comply with the above measures. In addition, management bodies are required to undergo cybersecurity trainingâor face significant liability, discussed below. While the NIS2 Directive does not set forth specific standards for cybersecurity in the context of implementing risk management measures, it does encourage Member States to adopt European and international standards and technical specifications to ensure a harmonized implementation. For instance, Belgium, with Luxembourg likely to follow, has referenced ISO 27001 certification in its laws enacting the NIS2 Directive, offering entities with this certification a presumption of compliance. Beyond ISO standards, international frameworks like NIST or CMMC could also be instrumental for US-based entities aiming to ensure compliance with the NIS2 Directive. 2. Reporting Obligations Essential and important entities must promptly inform the national competent authority of any significant incident (i.e., a serious event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems). Additionally, they are required to notify the users of their services about significant incidents that could impact service delivery. For example, in the event of a significant cyber incident, a chemical manufacturer is required to notify both the relevant authority and its suppliers and customers, offering them any possible measures or remedies they can take in response to the threat. The initial reporting of the incident must occur within 24 hours of awareness, followed by an official incident notification within 72 hours. Interim and final reports should be submitted to the competent authority within one month of the formal notification. V. Implementation Essential and important entities, as well as entities providing domain name registration services, will have until January 17, 2025, to register with the competent authority. Essential entities are required to disclose their cybersecurity measures (ex ante) to the competent authorities, while important entities are only required to register. The competent authorities may, at any time, require the important entity to provide evidence of compliance. It is important to note that Member States may provide for a higher level of cybersecurity when implementing the NIS2 Directive into national law, so companies need to be careful and review the laws applicable in the countries where they provide services. VI. Enforcement Each Member State will need to appoint a competent national authority whose role encompasses overseeing the directiveâs enforcement, ensuring that entities comply with their cybersecurity obligations, and facilitating a coordinated response to cybersecurity incidents. This oversight is crucial for maintaining a high level of cybersecurity across the nation and for protecting the integrity of essential and important services. VII. Sanctions and Liability of Management Body? The enforcement measures range from issuing simple warnings to mandating remediation actions or requiring the public disclosure of violations of law. Entities that fail to meet their cybersecurity risk management or incident reporting requirements may face administrative fines. For important entities, fines can reach up to 7 million euros or 1.4 percent of their total global annual turnover. Essential entities could be fined up to 10 million euros or 2 percent of their total global annual turnover. Concerning the accountability of management bodies, any individual responsible for an entity, or acting as its representative, bears personal liability for failing to comply with the NIS2 Directive by requirementsâhighlighting the significance of personal responsibility in cases of non-compliance. Some Member States, in the process of integrating NIS2, have established provisions that allow for the temporary suspension of individuals in managerial roles, such as managing directors or representatives, from executing their managerial duties within the entity if they fail to comply with directives from the competent authority. VIII. Conclusion Todayâs business requires increased vigilance regarding cybersecurity, stemming from the rise of diverse threat actors, such as competitors, ideologues (hacktivists), terrorists, cybercriminals, and nation-state actors, each presenting a considerable threat to the security and integrity of the business. It is essential for entities to determine whether they are subject to the NIS2 Directive, and if so, to assess their cybersecurity responsibilities under the directive which should include, among other things, performing a thorough gap analysis of their existing security measures. Such an analysis is pivotal for the entity to adopt and enhance the necessary protocols to meet compliance with the NIS2 Directive by October 18, 2024. Although investing in cybersecurity may not be insignificant, it is important to note that the cost of these investments will likely be far less than the financial and reputational damage incurred from a cyber incident. Entities must shift their mindset from questioning if a cyber incident will occur to preparing for when it inevitably happens. EU Cybersecurity Contacts Edward Taelman, Partner at Crowell & Moring LLP Arthur Focquet, Associate at Crowell & Moring LLP
- Text Messages Lead to $4.47B Liability in Securities Fraud Caseby John Sohn on June 27, 2024 at 2:53 pm
Text messages and other non-email, electronic communications have become increasingly important in securities fraud matters. These communications are often sent from personal mobile devices and often provide key evidence. It has become clear that the most interesting, and sometimes most problematic, communications often do not take place via email. Messages sent via text and other messaging applications are increasingly being relied upon as evidence in securities fraud investigations and litigations.  Since 2021, the SEC has investigated large trading firms for âoff-channel communications,â business-related communications through platforms that are not monitored or firm-approved (e.g., text messages).  As a result, the SEC has fined financial firms a total of over $1.7 billion for failure to maintain and preserve electronic communications.[1] Following a civil trial in June 2024, now-bankrupt Terraform Labs agreed to a $4.47 billion settlement to resolve an SEC lawsuit after its co-founder was found liable of fraud. This settlement will be treated as an unsecured claim in Terraformâs Chapter 11 case.[2] At trial, the SEC offered text messages among employees that detailed a secret arrangement between Terraform and a crypto trading platform to prop up Terraformâs cryptocurrency before it collapsed into evidence. These text messages included a message from the head of communications stating that the co-founder âsaid if [crypto trading platform] hadnât stepped in we actually mightâve been f-ed.â The business development head responded âI know. They saved our aâ.â SEC v. Terraform Labs PTE LTD, 23-cv-1346 (JSR) (July 31, 2023). After a discussion with a crypto trading platform, the communications head texted âSpoke with [co-founder], weâre going to deploy $250 million from stability reserve through [crypto trading platform] to stabilize the peg.â He followed up with â[crypto trading platform] has already started buying. May not need the entire $250 million.â The next day, Terraformâs official Twitter account posted âTerraâs not going anywhere. $1 parity on UST already recovered.â This is just one example of a case where the preservation, collection, and production of text messages were critical to its outcome. There are, at least, three areas where companies should examine their internal policies concerning mobile device data: (1) policies and procedures for mobile device use and âoff-channelâ communications; (2) preservation and collection obligations regarding employee communications on mobile devices (including personal devices) in litigation; and (3) content of mobile messages that will be produced in litigation. Policies and Procedures Internal policies governing the use of mobile devices and any âoff-channelâ communications should be in place and discussed with employees as a critical part of onboarding, as well as ongoing HR, and employee policies. Business-related communications via messaging applications that are not monitored or maintained by their employers has dramatically increased since the beginning of the COVID-19 pandemic. For those working in financial services, including investment bankers and securities traders, the existence of communications about firm business on messaging applications like iMessage, WhatsApp, Slack, or Signal risks scrutiny and fines from government regulators. Additionally, employees at financial firms may be more likely to send problematic or even illegal messages through unmonitored channels if they believe the messages will not be subject to scrutiny, particularly on their personal devices. These messages may give rise to civil liability to both regulators and private plaintiffs. When developing a mobile device policy, companies should consider the following questions: Whether employees use company-issued devices or, if not, is there a policy for employees who bring their own devices (a âBYODâ policy)? Many employees prefer to use a single device for both personal and work-related purposes, even when a corporate device is offered. They should, however, be informed of the risks of intermingling business and personal communications, particularly if their good friends are also business contacts. A friendly chat about the state of the industry could blur the lines into business-related communications. In United States v. Blaszczak, a CMS employee remained friends with Blaszczak, the defendant, after he left the organization to work for a hedge fund. 947 F.3d 19 (2d Cir. 2019). The employee then provided inside information via phone calls, emails, and text messages on CMS rate changes that lowered reimbursement rates in the course of his friendship with Blaszczak. Are employees required to cooperate with requests for access to their devices during litigation? This consideration underscores the requirement for a BYOD policy or corporate device policy. Either of these policies should specifically articulate the requirement of providing access to business-related communications, documents, photographs and other data stored on mobile devices in case of litigation. Policies should also discuss an employeeâs expectation of privacy with respect to the personal data on a device that is used for business purposes. This will also help employees make informed decisions about how and when to communicate on a mobile device for work purposes before the information is discoverable. How are the mobile device policies enforced? Which applications are employees allowed to use for work purposes? It is important to consider mobile device management and mobile device data archiving tools, and other corporate access to mobile devices that will be used for business purposes. The software can allow companies to remotely monitor, update, secure, and even delete data from personal smartphones or tablets that are used for business purposes. Employers can designate applications for business use. As an example, Microsoft Office 365 provides a full suite of applications, including Outlook, Teams, and applications to view and edit documents. These and other similar applications can be protected by passwords and/or two-factor authentication. Importantly, data from applications designed for corporate use can also be stored on a company server. Employee access can be granted or revoked remotely, and the data is preserved in the event that a device is lost or damaged. Additionally, if the employee has only used corporate applications such as Teams, Slack or Skype for business-related messaging (rather than texts or other platforms where personal communications are mixed in), it will not be necessary to collect messaging data from the employeeâs personal device during litigation because the company will already have that data on the companyâs servers. What are the policies and procedures for departing employees? If the departing employee used a corporate device, internal policies should require the employerâs IT department to verify whether there is an obligation to preserve the data on the device before it is erased. If the departing employee used a personal device, the company should collect any data that may be relevant to an ongoing or foreseeable litigation. If it is not possible to collect the data prior to the employeeâs departure, the employee should be reminded of the potential obligation. Preservation and Collection In litigation, companies are required to produce data that is within their possession, custody, and control. As part of this determination, courts will consider the following factors when it comes to mobile data: (1) whether the employer issued the devices, (2) how frequently the devices were used for business purposes, (3) whether the employer had a legal right to obtain communications from the devices, and (4) whether company policies address access to communications on personal devices.  See, e.g., Miramontes v. Peraton, Inc., No. 3:21-CV-3019-B, 2023 WL 3855603 (N.D. Tex. June 6, 2023). Given the increasing use of mobile communications to conduct business, particularly in the era of remote or hybrid work, it is reasonable to expect that mobile-device data will be part of a discovery request in a securities class action litigation. Companies have the same obligation to make reasonable, good faith efforts to preserve mobile data, including data on employee personal devices, as with any other type of data that may be relevant to a litigation. Here are some considerations related to preservation and collection of mobile data: What communications may be relevant? Any employee who may possess information relevant to the litigation may also possess relevant mobile data. Counsel, along with forensic examiners, will often interview employees who likely have information relevant to the litigation to identify the type and frequency of business communications, applications used for business purposes, and the amount of potentially-relevant information the employee possesses on their mobile device. In Boston Retirement System v. Uber Technologies, Inc., the defendant produced text messages from an employee related to an alleged securities fraud. No. 19-cv-06361-RS (DMR), 2024 WL 555891 (N.D. Cal. Feb. 12, 2024). The plaintiff filed a motion to compel additional text messages from other employees, but the court denied the motion because the employees stated in their interrogatories that they did not communicate about business via text message and they had not texted about the subject matter of the lawsuit. Other details may help focus the text message collection, including the relevant time periods of the conversation (e.g., the time periods surrounding a particular trade or release of information), the communication platforms used (e.g., iMessage, WhatsApp, Signal) and the parties of interest. In United States v. Buyer, the defendant was accused of trading on inside information related to a proposed acquisition of Navigant by Guidehouse. 22 CR. 397 (RMB) (S.D.N.Y. Mar. 14, 2023). He admitted to phone calls and text exchanges with a Guidehouse employee right before he purchased Navigant stock. The government also presented a Signal message from the defendant as evidence of an attempted coverup. The message read: âI need to see you. Please, I will catch the next flight. I was interviewed and told them I bought . . . .â The defendant had intended this message to be deleted after 5 minutes. What is the level of technical sophistication of the employees? Data may be inadvertently lost in a number of ways, including: failure to follow a litigation hold, accidental deletion of messages (e.g., auto-delete), upgrading the device to a different model without transferring or backing up its data, or performing a factory reset. It is important to assess whether to trust an employee to properly manage their device settings, or whether it may be necessary to preemptively collect mobile data to ensure that it is preserved. It is important to be aware of the default settings in place before a litigation hold is in effect, both on mobile devices and corporate servers, as these settings may need to be adjusted. Mobile device management systems and applications backed up to a remote server (e.g., Microsoft Outlook and Teams) make it easier to preserve data at a global level and eliminate user error. If an employee uses text messages or other messaging apps to communicate for business purposes, it will be important to instruct the employee to change their device settings to ensure no information will be inadvertently deleted, particularly because courts will likely consider business communications to be within the employerâs control. Although proper preservation of mobile data often does not require a substantial effort, a failure to adequately preserve relevant mobile data can result in monetary sanctions and/or adverse inferences at trial. In Hunters Capital, LLC et al v. City of Seattle, the Seattle mayor deleted thousands of text messages from her employer-owned phone, claiming that this was partly because she inadvertently set all text messages to auto-delete after 30 days. 2023 WL 184208 (W.D. Wash. Jan. 13, 2023). The court issued an adverse inference instruction to the jury, telling them they could presume that the text messages were unfavorable to the defendant. What are the technical requirements and procedures for collection? The collection process can often be performed remotely, but the forensic examiner will sometimes require physical possession of the device. If the mobile data in question is backed up on a remote server, it can be collected remotely, and with minimal disruption to the employee. Apple iPhone data can typically be collected remotely through iCloud, while Android data typically must be collected from the device itself. Messages and other data from mobile devices that are not available on a remote server are typically collected through a logical extraction, which creates a forensic image of the entire phone, preserving the integrity of the data at the time of the collection. Importantly, however, logical extraction cannot recover deleted files or be used on a locked device. Ephemeral messaging applications (e.g., Signal, Telegram), which do not permit archiving or remote storage of messages, can only be collected through screenshots or manual collection methods. Additionally, if an employee has very few relevant messages, a screenshot or other manual collection may be appropriate. After a logical collection, the collected data is encrypted and is not in a viewable format until it is processed. Accordingly, none of the employeeâs text messages or other application data are readable at this stage. Data collected through screenshots or other manual methods will be in an immediately viewable format. Messaging data and other data from sources identified as relevant to the litigation is processed and loaded into a database where it can be viewed by counsel. The employee can also identify their business contacts, further limiting what outside counsel will view and helping to ensure the privacy of their personal messages. Content of Mobile Messages In litigation, as opposed to regulatory investigations, the parties may have more room to negotiate the scope and relevancy of mobile messages to be produced to the other side. The legal team can opt to produce only the relevant portions of message threads, redacting non-relevant messages and images (including personal messages and photos). In some instances, however, it may be necessary to produce non-relevant messages to provide context. See Al Thani v. Hanke, No. 20 CIV. 4765 (JPC), 2022 WL 1684271, at *2 (S.D.N.Y. May 26, 2022) (âa single text message, standing alone, is oftentimes meaningless without other messages in the text chain to provide contextâ). Additionally, one-off messages, gifs or emojis can sometimes provide important evidence if they are understood to have a certain meaning in the relevant industry-specific communications. For example, in the case of In re Bed Bath & Beyond Corp. Securities Litigation, a message with an emoji provided potentially key evidence of securities fraud. U.S. Dist. LEXIS 129613 (D.D.C. July 27, 2023). In denying a motion to dismiss, the court noted: âSome online communities understand the smiley moon emoji to mean âto the moonâ or âtake it to the moon.â…In other words, according to Plaintiff, Cohen was telling his hundreds of thousands of followers that Bed Bathâs stock was going up and that they should buy or hold. They did so, sending the price soaring.â[i] Similarly, in Friel v. Dapper Labs, Inc., for example, the court reasoned that âthe ârocket shipâ emoji, âstock chartâ emoji, and âmoney bagsâ emoji objectively mean one thing: a financial return on investment.â No. 21-cv-5837, 2023 WL 2162747, at *17 (S.D.N.Y. Feb. 22, 2023). Even metadata can contain damaging information, as in the case of the now-defunct cryptocurrency exchange FTX, where Sam Bankman-Fried and other staff had a Signal chat group named âwire fraud.â[3] Employees may feel uncomfortable about the information that is included in a forensic image of their mobile device, particularly if it is a personal device. Personal data such as photos, banking information, and other personal data stored on their device is collected even when it is not relevant in any way to the litigation. Although the majority of the information will never be viewed, and forensic vendors take extensive security precautions (e.g., security certifications, double layers of encryption, locked storage within locked facilities), some employees may still feel uncomfortable about the collection of information from their personal devices. This underscores the importance of informing employees what the collection process may entail when they sign a mobile device agreement, as described above, so that they can decide whether to use a personal device for work well before any litigation has begun. Final considerations Given the proliferation of these communications, and their probative value in the cases discussed above, it is undeniable that litigants in securities fraud cases need to have robust mobile data policies that address the content and retention of messages, applications used for messaging, and the obligations of employees to allow for collection, in addition to an IT infrastructure that facilitates all of the processes outlined above. It is also important to ensure that employees understand the risks of communicating about business on a personal device, and the discovery obligations related to those communications. [1] https://www.reuters.com/legal/government/sec-sued-by-trade-association-details-record-keeping-probe-2024-06-06/ [2] https://www.reuters.com/legal/crypto-firm-terraform-labs-agrees-pay-447-bln-resolve-dispute-with-sec-2024-06-12/ [3] https://www.theguardian.com/business/2022/dec/13/sam-bankman-fried-ftx-signal-wirefraud-chat-alameda
- SEC âEncouragesâ Public Companies to Disclose âImmaterialâ Cybersecurity Incidents Under Item 8.01 of Form 8-Kby William J. Bruno, Anand Sithian, Jennie Wang VonCannon, Daniel L. Zelenko and Jacob Canter on May 23, 2024 at 7:16 pm
The U.S. Securities and Exchange Commission (âSECâ) adopted a final rule on July 26, 2023 that requires public companies to disclose material cybersecurity incidents under new Item 1.05 of Form 8-K. Since its adoption, public companies have faced practical challenges in determining whether and when a cybersecurity incident warrants disclosure under Item 1.05. On May 21, 2024, roughly six months after the final ruleâs effective date, Erik Gerding, Director of the SECâs Division of Corporation Finance, issued a statement signaling that public companies should consider disclosing incidents in a different fashion under a Form 8-K. Specific points of note: Immaterial Incidents. Public companies that disclose cybersecurity incidents that either are not material or have not yet been determined to be material are âencourage[d]â to âdisclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01)â as opposed to Item 1.05. Item 8.01 (Other Events) is the âcatch-allâ disclosure provision of Form 8-K, whereby disclosures made will not be deemed an admission by the reporting company as to the materiality of the reported event. Immaterial Incidents Later Deemed Material. âIf a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination.â Public companies must still must determine âwithout unreasonable delay, whether the incident was material.â Material Incidents Whose Impact Has Not Been Determined. In âcases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact) . . . the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.â Director Gerding explained that he issued this statement because âit could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.â While not explicitly stated, Director Gerdingâs announcement is likely in response to several voluntary disclosures of cybersecurity incidents that use Item 1.05 on the Form 8-K to disclose the incident, but which indicate a lack of firm determination by the disclosing company as to the materiality of the reported incident and its purported impact. This latest statement from the SEC provides some direction regarding how and where to disclose an incident on a Form 8-K when the materiality determination has not yet been made, or if the incident is immaterial. However, the statement offers little guidance for companies looking for clarity on understanding whether an incident is material by explaining that companies âshould assess all relevant factorsâ when making the determination. It remains to be seen how public companies will digest these statements by the SEC as they relate to cybersecurity incident disclosure.
- FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosuresby Daniel L. Zelenko, Jennie Wang VonCannon, William J. Bruno and Anand Sithian on December 19, 2023 at 3:15 pm
Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (âSECâ). On December 6, 2023, the Federal Bureau of Investigation (âFBIâ) Cyber Division published the âCyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Noticeâ (the âPolicy Noticeâ) in response to the SECâs finalized disclosure rules (the âFinal Rulesâ). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K. SEC Disclosure Delay Provisions The Final Rules include a provision allowing a company to delay filing a disclosure[1] where there is an active law enforcement investigation or the U.S. Attorney General (âAttorney Generalâ) determines disclosure implicates national security or public safety, and notifies the SEC in writing. The disclosure may be delayed for several reasons: Initially, disclosure may be delayed for up to 30 days following the date when the disclosure was otherwise required to be provided. The delay may be extended for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the SEC. Delays cannot exceed a total of 120 business days without an exemptive order from the SEC. To facilitate timely communication of the Attorney Generalâs findings with the SEC, the U.S. Department of Justice (âDOJâ) established an interagency communication process where the Federal Bureau of Investigation (âFBIâ) is responsible for: (i) intaking all such requests either from a victim directly, the Cybersecurity and Infrastructure Security Agency (âCISAâ), or other government agencies, on behalf of the DOJ, (ii) coordinating checks of USG national security and public safety equities, and (iii) reporting the outcome of these checks to DOJ. Requesting a Delayed Disclosure The FBI, in coordination with the DOJ, issued the DOJ Material Cybersecurity Incident Delay Determinations Guidelines and FBI Policy Notice, on how victims may request disclosure delays for national security or public safety reasons. The FBI strongly recommends all publicly traded companies contact the FBI soon after a company believes disclosure of a newly-discovered cybersecurity incident may pose a substantial risk to national security or public safety. Delay requests will not be processed by the FBI unless they are received by the FBI immediately upon a companyâs determination that disclosure of a cybersecurity incident to the SEC is required. Companies may request a disclosure delay by contacting the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov or through the U.S. Secret Service, CISA, the U.S. Department of Defense, or another sector risk management agency. In their delay request, victim companies must provide the following information: Company name; When the cyber incident occurred; When a determination was made to disclose a cyber incident to the SEC via Form 8-k (including the date, time, and time zone).âŻFailure to report this information immediately upon determination will cause the delay-referral request to be denied;  Whether the company already in contact with the FBI or another U.S. government agency regarding this incident. If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom the company is in contact; Describe the incident in detail. Include the following details, at minimum: The type of incident that occurred; The known or suspected intrusion vectors, including any identified vulnerabilities if known; The infrastructure or data were affected (if any) and how were they affected; Whether the operational impact on the company, if known; Whether there is confirmed or suspected attribution of the cyber actors responsible; The current status of any remediation or mitigation efforts; Where the incident occurred (including the street address, city, and state where the incident occurred); The companyâs points of contact for this matter (including the name, phone number, and email address of personnel the FBI may contact to discuss this request); and Whether the company previously submitted a delay referral request or if this is the first time. If victim companies have previously submitted a delay request, they must include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay, if applicable. With the increased regulatory scrutiny of a companyâs cybersecurity hygiene, public companies should remain current on cybersecurity incident reporting requirements. Crowell & Moring LLP is highly experienced at advising clients on SEC and law enforcement developments impacting organizations. Additional information on the latest SEC activities is available at the following Crowell client alerts: Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack, Five Key Takeaways from the SECâs Final Cybersecurity Rules for Public Companies, and SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations. If you have questions about this alert or similar issues, please contact one of the Crowell & Moring attorneys listed below, or your regular Crowell & Moring contact. [1] Under the SEC Final Rules, public companies are required to file cybersecurity incident disclosures via submission of Item 1.05 on the SEC Form 8-K.
- European Parliament Adopts Final EU Data Actby Sari Depreeuw on November 17, 2023 at 2:00 pm
On November 9, 2023, the European Parliament has adopted the final version of the Data Act, marking a significant milestone in the evolving landscape of digital regulation. The Data Act is part of the European Commissionâs broader strategy to shape Europeâs digital future (see our earlier posts here and here). The widespread use of internet-connected products (the so-called Internet of things or âIoTâ) has notably increased the volume and potential value of data for consumers, businesses, and society at large. Recognizing that barriers to data sharing hinder optimal data allocation for societal benefit, led to the drafting of the Data Act. Initially proposed by the European Commission in February 2022, the Data Act is designed to regulate data sharing and usage within the EU. The Data Act, which applies to both personal and non-personal data, encompasses several key elements designed to foster an efficient, fair, and innovative data economy: It facilitates data sharing, particularly data generated by connected devices and used by related services. This spans all sectors, underscoring the significance of non-personal data sharing for societal and economic benefits; Itestablishes mechanisms for data transfer and usage rights, with a special focus on cloud service providers and data processing services. This facilitates a more fluid and secure data sharing environment; It introduces interoperability standards to ensure data can be accessed, transferred, and used across different sectors, which is crucial for innovation and competitive markets; It reinforces the right to data portability, allowing users to move their data across different service providers, which enhances user autonomy and promotes competition; It mandates that providers of data processing services, such as cloud and edge services, implement reasonable measures against unauthorized third-party access to non-personal data, thereby fostering trust in data; It aims to balance the availability of data with the protection of trade secrets; It recognizes the need for public sector bodies, the Commission, the European Central Bank or Union bodies to use existing data to respond to public emergencies or in other exceptional cases; and It provides protections against unfair contractual terms that are unilaterally imposed. These elements collectively aim to enhance data accessibility and utility, protect individual and business interests, and foster a more competitive and innovative digital market in the EU. The adopted text now needs formal approval by the Council to become law. Once finalized, the Data Act will enter into force on the 20th day following its publication in the Official Journal of the European Union and will apply from 20 to 32 months from the date of entry into force. The timeline for complete enforcement is thus expected to span several years, allowing businesses and stakeholders adequate time to adapt to the new requirements. As always, we will continue to monitor the developments in this matter and keep you informed of any further updates.
- European Data Protection Supervisor Releases New Opinion on the EUâs Proposed AI Actby Sari Depreeuw on November 13, 2023 at 3:11 pm
On October 24, 2023, the European Data Protection Supervisor (EDPS), which is the supervisory authority for the EU institutions, bodies, offices and agencies (EUIs), published a new opinion on the widely discussed proposal for an EU Regulation laying down harmonized rules on artificial intelligence (commonly known as the AI Act Proposal). Although the EDPS does not supervise the private sector, it plays an influential role in both the European and global regulatory community and this new opinion is, thus, a valuable addition to the current legislative debate. The AI Act Proposal was published by the European Commission in April 2021 with a view to establishing harmonized rules for AI within the EU. In short, the purpose of this AI Act is to regulate the development and use of AI-based systems, based on the risks they entail. The EDPS previously issued a joint opinion in collaboration with the European Data Protection Board (in June 2021). However, this new opinion is solely the EDPSâ initiative, and it aims to provide further recommendations to the EU co-legislators as the negotiations on the AI Act Proposal enter their final stage. The opinion focuses on a number of institutional, legal and technical aspects related to the role and tasks of the EDPS as future AI supervisor of the EUIs. Key takeaways: The EDPS supports the establishment of a legal framework for AI systems based on the EU values as enshrined in both the EU Charter of Fundamental Rights and the European Convention on Human Rights; The EDPS confirms the âred linesâ set out in the earlier EDPB-EDPS joint opinion, stating that several uses of AI should be prohibited because they pose unacceptable risks to fundamental rights â including the use of AI for social scoring, categorizing individuals from biometrics, and individual risk assessments for law enforcement purposes; The new opinion also reiterates the view that national Data Protection Authorities should be designated as the national supervisory authorities, on account of their expertise in AI-related legislation. Simultaneously, the EDPS emphasizes the need for cooperation between these national authorities and other oversight authorities to ensure that AI systems are trustworthy, safe, and compliant with EU legislation in the field of their deployment; The EDPS stresses the need for clarity with regards to âhigh-risk AI systemsâ and regarding other notions, such as âproviderâ and âdevelopmentâ; The EDPS emphasizes that AI systems already in use at the date of applicability of the AI Act should not be exempted from its scope and should be required to comply with the AI Act requirements from its date of applicability; The EDPS welcomes its various proposed roles as notified body in the context of pre-market control (conformity assessment), market surveillance authority in the context of post-market control, and competent authority for the supervision of the development, provision or use of AI systems by EUIs; The EDPS emphasizes that the proposed AI Office, a new EU body that would support the harmonized application of the AI Act, must be independent if it is to strengthen enforcement in the EU and prevent providers of AI systems from engaging in âforum shoppingâ. It highlights the need to strengthen cooperation between the AI office and the EDPS in its role of AI supervisor. It expresses regret that it currently lacks voting rights on the AI Officeâs management board, while national supervisory authorities have these voting rights; The EDPS recommends introducing the right to lodge a complaint before the competent supervisory authority, and to an effective judicial remedy against a decision of the authority before which a complaint has been brought (specifying the competences of the EDPS as a supervisory authority); and finally, The EDPS suggests providing, notably in case of the use of high-risk AI systems, the right to obtain human intervention and to contest the output of the decision-making, as well as a right to an explanation from the deployer of the AI system regarding any decisions significantly affecting the user. In short, with its recent opinion, the EDPS aims to provide more specific advice as to how its tasks, duties and powers set out in the AI Act could be further clarified, as well as further recommendations on how to ensure effective enforcement of the AI Act through a true âEuropean approachâ. We will continue to monitor the developments in this matter and keep you informed of any further updates. We would like to thank Arthur Focquet, Associate, for his contribution to this alert.









