Privacy & Cybersecurity Update - July 2018

by Skadden, Arps, Slate, Meagher & Flom LLP


In this month's edition of our Privacy & Cybersecurity Update, we examine California's new sweeping privacy law, two U.S. agencies' report on "botnet" threats and the European Parliament's call to suspend the Privacy Shield. We also take a look at the Second Circuit's decision on insurance coverage involving email spoofing, IBM's yearly study detailing the global costs of data breaches and the EU's agreement with Japan on data protection.

California Enacts Sweeping New Privacy Law

US Departments of Commerce and Homeland Security Bank on Awareness and Voluntary Initiatives to Curb ‘Botnet’ Threat

European Parliament Calls to Suspend EU-US Privacy Shield

Second Circuit Holds That Computer Fraud Coverage Is Triggered by Fraudulent Transfer Resulting From Email Spoofing Scam

The Global Cost of a Data Breach Increases in 2018

EU and Japan Reach Bilateral Deal on Data Protection

California Enacts Sweeping New Privacy Law

California has passed a far-reaching new privacy law that will have a significant impact on any company that does business in California and holds information about its residents.

The state of California has enacted the California Consumer Privacy Act (CCPA), which is by far the broadest and most comprehensive privacy law enacted in the United States to date. Due to come into effect in January 2020, the law will impact any organization collecting or storing data about California residents, and may effectively set the floor for nationwide privacy protection since organizations may not want to maintain two privacy frameworks – one for California residents and one for all other citizens. In general, the CCPA will give consumers more information and control over how their data is being used and requires companies to be more transparent in their handling of personal information.

For more information on the CCPA and its impact – including a comparison with the EU’s General Data Protection Regulation – please see our July 11 Insights article.

US Departments of Commerce and Homeland Security Bank on Awareness and Voluntary Initiatives to Curb ‘Botnet’ Threat

The Department of Commerce and the Department of Homeland Security have released a report on the dangers posed by “botnets” and certain proposals to address those dangers.

On May 30, 2018, the Department of Commerce and the Department of Homeland Security released “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” (the Report).1 The Report identified five goals to improve global resilience to “botnet” attacks and suggested voluntary, industry-driven standards and awareness campaigns to achieve these objectives.


The Report confirmed the widespread view that the expanding array of poorly protected internet of things (IoT) devices reaching the market has dramatically increased the potential for automated, distributed threats, which are launched through networks of devices known as “botnets.” These devices typically are compromised without their owners’ knowledge. Attackers use botnets to launch attacks on other systems, and to create additional botnets. In the past two years, high-profile botnets like Mirai and Reaper have exploited known code vulnerabilities and weak passwords to compromise tens of thousands of devices. Responding to these threats in May 2017, President Trump issued an executive order directing the secretaries of Commerce and Homeland Security to find ways of “dramatically reducing threats perpetrated by automated and distributed attacks.”

The Report framed the challenge of mitigating this threat as one of implementation rather than technological inadequacy. Services that disrupt distributed denial-of-service attacks, security development tools like fuzzers and static analyzers, and the network control opportunities offered by the current version of the Internet Protocol (IPv6) can greatly mitigate the botnet threat. However, awareness and adoption of these tools remain limited.

Mitigating Botnet Attacks Through Awareness and Voluntary Collaboration

The Report identified five objectives for encouraging the uptake of botnet mitigation strategies and technologies:

  • creating an adaptable, sustainable and secure technology marketplace;
  • promoting infrastructure innovation;
  • encouraging innovation in “edge devices,” which are internet-connected devices that serve as network entry points;
  • supporting coalitions across communities addressing the botnet threat; and
  • increasing awareness and education.

The Report recommended voluntary, industry-led awareness and cooperation initiatives as the best way to achieve these goals.

The Report urged industry to lead the development of voluntary IoT and network baseline standards, including by leading the development of “suites of voluntary standards, specifications, and security mechanisms” that reduce the vulnerability of IoT devices to botnet attacks. It also suggested developing best-practice frameworks tailored toward helping smaller enterprises mitigate the botnet threat. Finally, the Report encouraged industry to work with government to promote these standards internationally.

The Report suggested that industry launch business-to-business and consumer-facing awareness and information-sharing efforts. These efforts must be broad-based and bring together internet service providers, the cybersecurity community and the broader industry to discuss information-sharing protocols, domestic and international botnet threats, and the uptake of cybersecurity technology.

For consumers, the Report recommended the creation of voluntary cybersecurity labeling programs and information tools to promote more informed device shopping. These efforts, modeled on certification programs like the 5-Star Safety and Energy Star ratings, would be designed to reorient IoT manufacturers’ market incentives by encouraging consumers to make purchase decisions with cybersecurity in mind.

While voluntary industry efforts are the centerpiece of the Report, the federal government is expected to be the first mover. To spur cross-sector cooperation, the Report urged the Departments of Commerce and Homeland Security to develop a “prioritized road map” of action items. This show of commitment would be intended to boost industry’s confidence that its own investments in voluntary initiatives will be productive. At the same time, the Report urged the federal government to “lead by example” by strengthening the resilience of its networks and drawing on its procurement spending to encourage best practices in IoT development.

Taking a dim view of broad regulatory efforts, the Report doubted that “one size fits all” rules for IoT devices could promote security without rapidly being rendered obsolete. Instead, the Report suggested that “sector-specific regulatory agencies” would be better equipped to promote product security within their industries. The Report cited the FDA’s medical device guidelines as an example of how sector-specific regulatory agencies can promote cybersecurity and regulatory certainty for manufacturers. The Report also recommended the use of sector-specific agencies, such as the federal Department of Health and Human Services, for industry-specific enforcement actions.

The Report also urged the Federal Trade Commission (FTC) to police commercial deception and unreasonable security practices in the IoT market through its “unfair practices” authority under Section 5 of the FTC Act. For over 15 years, the FTC has been using this authority to bring actions against companies that engaged in particularly poor cybersecurity practices, developing a “quasi-common law” set of standards in this area. We reported in our October 2017 Privacy and Cybersecurity Update2 that, based on statements from then-acting FTC Chairman Maureen Ohlhausen, the FTC would likely take a light touch in cybersecurity matters while “refraining from imposing general standards.” The Report endorsed that rejection of general cybersecurity standards but seemed to envision a broad enforcement role for the FTC.

Key Takeaways

For companies that develop and market IoT devices and other botnet targets, the Report suggests the federal government generally will not promulgate specific regulations in the near-term, relying instead on industry players to address the threat through voluntary, industry-led initiatives – with the possible exception of certain specific sectors, such as medical devices. Should they fail to do so, however, public and political pressure may drive regulators to take more aggressive steps in this area.

European Parliament Calls to Suspend EU-US Privacy Shield

The European Parliament has passed a nonbinding resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield arrangement.

On July 5, 2018, the European Parliament passed a nonbinding resolution calling on the European Commission to suspend the Privacy Shield, a data-sharing arrangement between the EU and the U.S., unless the U.S. is “fully compliant” with the arrangement’s terms by September 1, 2018. The vote approved the Motion for Resolution presented by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (the Committee) on June 12, 2018, which addressed the protection of EU citizens’ personal data.3


In 2016, the United States and the European Commission adopted the EU-U.S. Privacy Shield, a self-certification program designed to enable companies in the U.S. to receive personal data from the EU and the three European Economic Area member states — Norway, Liechtenstein and Iceland. Under the Privacy Shield, companies self-certify their adherence to seven broad data privacy principles. Although enacted when the EU Data Protection Directive was in effect, the Privacy Shield continues to apply under the General Data Protection Regulation (GDPR).

The Privacy Shield replaced the previous data sharing structure between the EU and U.S. known as the Safe Harbor, which the Court of Justice of the European Union invalidated in October 2015 in Schrems v. Data Protection Commissioner. In the Schrems decision, the court found that the Safe Harbor failed to adequately protect the privacy of EU citizens, mainly due to the U.S. government’s ability to access personal data for national security purposes. The Privacy Shield aimed to remedy the perceived inadequacies of the Safe Harbor by imposing certain restrictions on the collection of EU personal data by the U.S. government and appointing an ombudsman to oversee such collection practices. After the Privacy Shield’s adoption, many privacy advocates criticized the replacement framework for failing to address the governmental surveillance concerns raised in Schrems.4

The Resolution

In their resolution, members of the European Parliament (MEPs) echoed the Civil Liberties Committee’s recent criticism and pointed to the recent Cambridge Analytica scandal to demonstrate the ineffectiveness of the Privacy Shield. In particular, the European Parliament noted that although this disclosure occurred before the Privacy Shield was in place, Cambridge Analytica’s affiliate company SCL Elections is listed on the Privacy Shield register. MEPs emphasized a greater need for monitoring under the agreement, particularly when “data is used to manipulate political opinion or voting behavior.”

MEPs also echoed the Committee’s concern about the recent adoption by the U.S. of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018, which grants U.S. and foreign police services access to personal data across borders. The European Parliament indicated that this new U.S. law, which essentially provides a loophole to the Privacy Shield and the Schrems decision, runs into direct conflict with EU data protection laws, and may have serious implications for EU citizens.

The European Parliament also expressed apprehension about the executive order signed by President Trump in January 2017, commonly referred to as the “Enhancing Public Safety” order, which stripped privacy protections from non-U.S. citizens. MEPs argued that the substance of the order indicates “the intention of the U.S. executive to reverse the data protection guarantees previously granted to EU citizens and to override the commitments made towards the EU during the Obama Presidency.” The European Parliament is likely referring to Presidential Policy Directive 28, an Obama-era directive that backed extending privacy protections to non-U.S. nationals in regard to warrantless surveillance.

In addition, MEPs explicitly criticized the U.S. Department of Commerce (DOC) in its review of Privacy Shield certification applications, expressing concern that the DOC has not been requesting copies of agreements used by certified companies with third parties to ensure compliance, despite the availability of this option under the Privacy Shield. The European Parliament concluded that there is no effective control over whether certified companies actually comply with the Privacy Shield provisions.

Notably, in Europe only the European Commission can revoke the Privacy Shield, so the European Parliament’s resolution is nonbinding. However, an annual review of the Privacy Shield is due in September, which presents an opportunity for the Commission to reconsider the arrangement in light of Parliament’s resolution and the introduction of GDPR to implement more restrictive safeguards.

Effect of Suspension

Members of the Commission have publicly stated that, while the concerns surrounding the Privacy Shield are valid, a suspension may be premature and could result in panic and legal uncertainty. A complete suspension of the Privacy Shield would result in reverberating disruption across the world economy, in that many major companies rely on the agreement to run their businesses effectively.

Should the Privacy Shield be suspended, companies will need to find alternative lawful mechanisms to transfer data between the U.S. and the EU. One option is for companies to incorporate EU-approved contractual clauses between transferors and transferees to facilitate data transfers. An option for affiliated companies is to adopt binding corporate rules for data transfers. At any rate, companies that rely on the Privacy Shield would be wise to begin considering backup plans for cross-border data transfers should the Privacy Shield be suspended by the European Commission.

Key Takeaways

Although a sweeping suspension of the EU-U.S. Privacy Shield is unlikely to take effect within the next few months, the European Parliament’s passage of the suspension resolution indicates deep concerns with the existing arrangement. U.S. companies currently relying on the Privacy Shield would be well-advised to seek alternative solutions to lawfully transferring data across borders.

Second Circuit Holds That Computer Fraud Coverage Is Triggered by Fraudulent Transfer Resulting From Email Spoofing Scam

In a highly anticipated decision, the U.S. Court of Appeals for the Second Circuit, applying New York law, recently held that an insurance policy’s computer fraud coverage extends to losses resulting from an email spoofing scam.

On July 6, 2018, the Second Circuit affirmed a district court decision in favor of cloud-based service provider Medidata Solutions, Inc., concluding that its computer fraud insurer Federal Insurance Company (Federal) must cover a $4.8 million loss suffered after Medidata fell victim to an email spoofing scam that caused it to fraudulently wire money overseas.5

The Email Spoofing Scam and Medidata’s Insurance Claim

The lawsuit, discussed in our March 2018 Privacy & Cybersecurity Update,6 arose from events in September 2014, when a Medidata employee received an email from a fraudster posing as the company’s president explaining that an attorney copied on the email (in fact another fraudster) would be contacting the employee for assistance with a transaction. The email appeared legitimate – it contained the president’s email address, name and picture. Following telephone and email communications with the fake attorney and approval from legitimate Medidata officers, the employee wired $4.8 million overseas to the fraudsters.

After discovering that it had fallen victim to a spoofing scam, Medidata made a claim under its “Executive Protection” policy issued by Federal. The policy provided coverage for a variety of risks, including “direct loss[es]” suffered by Medidata as a result of “Computer Fraud,” defined to include the “fraudulent entry of Data into . . . a Computer System” and the “fraudulent . . . change to Data elements or program logic of a Computer System.” Federal denied coverage on the basis that there was no manipulation of Medidata’s computers and Medidata “voluntarily” transferred the funds.

The District Court Finds Coverage

Medidata sued Federal in the U.S. District Court for the Southern District of New York. The district court sided with Medidata, relying on the New York Court of Appeals’ decision in Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, Pa.,7 which interpreted the phrase “fraudulent entry” of data, as used in a computer fraud policy, as a “violation of the integrity of the computer system through deceitful and dishonest access.” Applying a broad reading of Universal, the court held that “the fraud on Medidata falls within the kind of ‘deceitful and dishonest access’ imagined by the New York Court of Appeals” because the fraudster used computer code to alter a series of emails to make them appear as though they originated from Medidata’s president. The court also held that the fraud resulted in a “direct loss,” pointing out that the Medidata employee sent the money as a direct result of the fraudster’s emails. Federal appealed.

The Second Circuit Affirms

In a brief Summary Order, a three-judge panel of the U.S. Court of Appeals for the Second Circuit affirmed the district court’s decision, concluding “that the plain and unambiguous language of the policy covers the losses incurred by Medidata here.” The court reasoned that while no hacking incident occurred, “the fraudsters nonetheless crafted a computer-based attack that manipulated Medidata’s email system.” Because the spoofing code enabled the fraudsters to send messages that appeared to be from senior Medidata employees, “the attack represented a fraudulent entry of data into the computer system, as the spoofing code was introduced into the email system.” The attack also made a change to a data element because “the email system’s appearance was altered by the spoofing code to misleadingly indicate the sender.”

The court found Federal’s reliance on the Universal decision to be misplaced, concluding that the decision actually supported coverage for Medidata’s losses. In Universal, the court explained, the computer service was only incidentally involved because the company happened to use a computer as opposed to paper to process fraudulent health care insurance claims. Here, by contrast, the fraudsters compromised the email system itself by changing the emails’ appearance, resulting in a “violation of the integrity of the computer system through deceitful and dishonest access.”

The panel similarly rejected Federal’s contention that Medidata did not sustain a “direct loss” as a result of the email scam. “It is clear to us that the spoofing attack was the proximate cause of Medidata’s losses,” as the chain of events “was initiated by the spoofed emails, and unfolded rapidly following their receipt.” Although the Medidata employees had to take actions to effectuate the transfer following receipt of the spoofed emails, those actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred,” the court reasoned.

Key Takeaways

Whether losses resulting from email spoofing scams are covered under computer fraud policies has been increasingly litigated in recent years. While some courts have determined that such losses are covered, other courts have concluded that spoofing scams do not trigger computer fraud coverage, either because the losses resulted from voluntary transfers of funds by insureds (as opposed to hacking incidents) or because the insureds took intervening steps to wire funds to the fraudsters, thereby breaking the causal chain. The Second Circuit flatly rejected such restrictive readings of the policy at issue in the Medidata case.

The Second Circuit’s decision may be valuable for policyholders in future coverage disputes regarding losses arising from spoofing scams and other forms of social engineering fraud. The decision also may cause insurers to revisit and clarify the scope of coverage intended for such incidents.

The Global Cost of a Data Breach Increases in 2018

An IBM study reported that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report.

On July 11, 2018, IBM Security announced that the average cost to companies resulting from a data breach increased to $3.86 million in 2018. This amount is a 6.4 percent increase over the average cost of a breach in 2017. The study, titled “The 2018 Cost of a Data Breach Study” (the Study),8 was based on in-depth interviews with nearly 500 companies that experienced a data breach and an analysis of hundreds of cost factors surrounding a breach, including technical investigations, recovery, notifications, legal and regulatory activities, and cost of lost business and reputation.

Significant Findings

The U.S. experienced the highest average data breach cost at almost $8 million per data breach. The Study speculates that this deviation is due in part to notification costs, which are five times the global average. The Middle East also fell on the high end of the spectrum, suffering from the highest proportion of malicious or criminal attacks, which are the most expensive type of breach to identify and address.

In addition, the average cost for each lost or stolen record containing sensitive information also increased by 4.8 percent from last year, rising to $148 per record. The Study also found that the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.

The Study also found that companies that operate in the health care or financial services spheres have the highest overall per capita mean for data breach costs. Highly regulated industries, such as health care and finance, often incur additional costs in the event of a data breach because of fines and penalties, consulting on regulatory requirements, and activities such as credit monitoring or reissuing accounts, which may be required by regulations. As a result, data breaches that impact health care services cost the affected company $408 per compromised record, nearly three times the cross-industry average.

Further, for the first time, the Study calculated the cost associated with “mega breaches” – breaches ranging from 1 million to 50 million records lost – and projected that these breaches cost companies between $40 million and $350 million, respectively. For these large-scale breaches, the biggest expense category was associated with lost business. Researchers also found that the vast majority of these mega breaches stemmed from malicious and criminal attacks, as opposed to system glitches or human error, and the average time to detect and contain a mega breach was almost 100 days longer than a small-scale breach.

Methods for Reducing Costs of a Data Breach

The Study found that the cost of a breach is heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time. Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days.

The number of lost or stolen records also impacts the cost of a breach. The Study noted that having an incident response team was the top cost-saving factor, reducing the cost by $14 per compromised record. In addition, companies that used an artificial intelligence platform for cybersecurity reduced the cost by $8 per compromised record, and organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach.

Key Takeaways

The Study’s findings demonstrate that data breaches continue to pose a significant financial risk to companies, and the risk is increasing. The information in the Study should help companies assess the costs and benefits associated with implementing certain procedures and technologies to prevent and respond to data breaches. For example, developing an incident response plan is a relatively low-cost step that the Study shows can have a significant impact on data breach costs. Companies should evaluate the options available to them and invest their resources accordingly.

EU and Japan Reach Bilateral Deal on Data Protection

The EU and Japan have agreed to recognize each other’s privacy laws as adequate, allowing transfers of personal information between the two regions.

On July 17, 2018, the European Union and Japan agreed to recognize each other’s data protection regimes as providing adequate personal data protections. Once finalized, the “reciprocal adequacy” decisions will allow personal data to flow between the EU and Japan without being subject to additional safeguards.

Background on Adequacy Decisions

The EU’s General Data Protection Regulation generally prohibits the transfer of personal information from the EU to a jurisdiction that does not have adequate data protection laws in place, as determined by the European Commission. Japan’s Act on the Protection of Personal Information has a similar prohibition on transferring personal information out of Japan.

If the European Commission determines that a country provides a comparable level of data protection to that provided in the EU, it may issue an “adequacy decision.” After that decision issues, personal data may flow from any country in the European Economic Area to the country subject to the adequacy decision without additional safeguards. The European Commission has adopted adequacy decisions for several countries and is currently engaged in talks with South Korea to reach an adequacy decision.

In Japan, the Personal Information Protection Commission has the authority to recognize another country’s data protection regime as having equivalent standards to those established under Japanese law. After Japan’s Personal Information Protection Commission recognizes a country as having equivalent data protection standards, personal data may flow to that country without additional safeguards otherwise required by Japanese law.

The EU-Japan Reciprocal Adequacy Decisions

The EU and Japan agreed to issue reciprocal adequacy decisions regarding each other’s data protection regimes as part of a broader trade deal between the two countries. As part of the deal, Japan agreed to implement additional safeguards for personal data, including stricter guidelines for the transfer of personal data that originated from the EU to a third country and limitations on the use of sensitive data. Japan also agreed to implement a new mechanism to allow EU residents to file complaints with Japan’s data protection authority if public authorities in Japan unlawfully access their data.

The European Commission’s press release regarding the reciprocal adequacy decisions did not outline any additional steps that the EU would need to take for Japan’s approval.

Process for Adopting Adequacy Decisions

The European Commission will adopt its decision after it has been approved by a committee composed of representatives from EU member states and the European Data Protection Board. The European Commission expects to adopt its adequacy decision by the fall of this year.

Japan also will follow its own internal approval procedures to adopt its adequacy decision with respect to the EU.

Key Takeaways

The reciprocal adequacy decisions between the EU and Japan will make it easier to exchange personal data for business purposes. Although adequacy decisions are not time-limited, companies that exchange personal data between the EU and Japan should remain aware of any developments that could impact the reciprocal adequacy decisions, including any changes under EU or Japanese law that eliminate protections for personal data.


1 A copy of the report can be found here.

2 Available here.

3 For more information regarding the Civil Liberties Committee’s criticism of the Privacy Shield, see our June 2018 Privacy and Cybersecurity Update.

4 For more information regarding criticism of the Privacy Shield, see our April 2017 Privacy and Cybersecurity Update.

5 The decision is Medidata Solutions, Inc. v. Fed. Ins. Co., No. 17-2492, 2018 WL 3339245 (2d Cir. July 6, 2018).

6 See our March 2018 Privacy & Cybersecurity Update.

7 25 N.Y.3d 675 (2015).

8 Cost of a Data Breach Studies, performed annually since 2005, are sponsored by IBM Security and conducted by Ponemon Institute, an independent institute that researches privacy, data protection and information security policy. The most recent study is available here (registration required).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
