Report Warns Legal Departments to Prepare for More Cross-Border Cybersecurity Incidents
New report from Mayer Brown highlights key issues that companies and legal departments should expect to confront in responding to cross-border cyber incidents, from managing multinational forensics investigations and global legal risks to strategically engaging with law enforcement in different jurisdictions, preserving privilege and dealing with the extraterritorial application of data privacy and security laws.
February 06, 2019 at 03:35 PM
2018 provided further evidence that no company, no matter how big or small or where it is headquartered, is immune when it comes to a data breach. Just ask Facebook, Marriott, British Airways and T-Mobile, to name a few of the major businesses that were compromised.
Unsurprisingly, cross-border cybersecurity incidents are expected to continue to rise this year, which means legal departments, especially those embedded in companies with an international reach, need to be prepared for a range of diverse challenges, according to a new report from Mayer Brown.
“If you have a global footprint, there's a very good chance that you're going to have to think about managing incidents on a global basis going forward,” said Stephen Lilley, a partner in Mayer Brown's Washington, D.C., office, who contributed to the firm's “2019 Outlook: Cybersecurity and Data Privacy” report.
“Most of our clients are facing multinational incidents and more of the incidents we're facing have multinational aspects,” he added. “U.S. data breaches that have implications in Europe are becoming more and more common. Even some of the more straightforward incidents that we see have multinational aspects at this point.”
The report highlights key issues that companies should expect to confront in responding to cross-border cyber incidents, from managing multinational forensics investigations and global legal risks to strategically engaging with law enforcement in different jurisdictions, preserving privilege and dealing with the extraterritorial application of data privacy and security laws.
In the wake of a cross-border cyber incident, a company should act quickly to identify the geographic locations that have been affected and determine what data has been corrupted as part of the breach. Next, the company is going to have to consider the diverse legal issues that pop up in different jurisdictions and prepare to manage competing legal interests across borders.
A company's primary legal risk might be in one country, such as the jurisdiction where it is headquartered, but the underlying breach might have occurred in a different country. In that situation, the company should consider “where are all the issues going to play out and how do I address this in a way that prioritizes the response based on the level of risk I face?” Lilley said. His practice focuses on interrelated litigation, regulatory and policy challenges.
“An easy pitfall to make is to let one jurisdiction drive the response without having stepped back and looked at the full range of issues that you're going to have to face and the full range of jurisdictions that are going to be implicated,” he added.
Working with law enforcement agencies in different countries poses another hurdle, one that companies and in-house counsel would be wise to approach strategically, according to the report. That could involve deciding which agencies to work with and weighing the potential trade-offs, including losing control over certain aspects of the process and confidentiality.
“You need to have people who understand the market and the law enforcement agencies,” Lilley said. “It's very difficult to engage with European law enforcement from the U.S., for example.”
The report further notes that many countries recognize attorney-client privilege, but the level of protection varies in application and scope. Some jurisdictions, for instance, provide fewer protections for in-house counsel work product.
As more jurisdictions throughout the world adopt data privacy laws, including the EU's General Data Protection Regulation and Brazil's new general data protection law, businesses should be evaluating the “full range of legal regimes to which they may be subject to and which supervisory authorities they will be required to coordinate with,” the report states.
Data breaches are happening across a wide range of industry sectors, but the industries that are heavily regulated, such as financial services, face a more difficult path after an incident, according to Matthew Bisanz, a financial services and regulatory enforcement associate at Mayer Brown in Washington, D.C.
“There's an increased complexity because there likely is a regulator in every jurisdiction who will have their own standard and timing requirements,” he said. “That can be more complicated than an industry where there is no end-to-end regulatory framework.”
© 2024 ALM Global, LLC, All Rights Reserved.