Privacy & Cybersecurity Update - September 2019

Skadden, Arps, Slate, Meagher & Flom LLP

In this month's edition of our Privacy & Cybersecurity Update, we examine five amendments to the California Consumer Privacy Act, the EU Court of Justice's rulings on the "Right to Be Forgotten" and what qualifies as a joint controller, as well as a Welsh court's precedent-setting ruling on facial recognition technology. We also take a look at a Texas federal judge's ruling to stay a case involving coverage on a phishing scam dispute and a Maryland federal judge's order requiring Marriott to publicly release a PFI report.

Five Amendments to the California Consumer Privacy Act on Governor’s Desk

CJEU Holds That ‘Right to be Forgotten’ Only Applies to Searches in the EU

CJEU Rules on Interpretation of Joint Controller

UK Court Decides on the Use of Facial Recognition Technology

Federal Judge Puts Dispute Involving Multimillion-Dollar Phishing Scam Coverage on Hold

Marriott Ordered to Publicly Release Forensic Report in Cybersecurity Class Action Lawsuit

Five Amendments to the California Consumer Privacy Act on Governor’s Desk

The California State Assembly and Senate passed five of the many proposed bills seeking to clarify the California Consumer Privacy Act (CCPA) before it goes into effect on January 1, 2020. Gov. Gavin Newsom has until October 13, 2019, to sign or veto the bills.

As the 2019 California legislative session drew to a close, the legislature passed five amendments to the CCPA that must be signed or vetoed by the governor by October 13, 2019. While the amendments provide some clarity on certain issues, as well as some relief for companies that have only employees and not any consumers who are California residents, many of the more significant amendments that had been proposed by privacy advocates and businesses were not passed.

Exclusion of Certain Employee-Related Information

Under Amendment AB25, many of the CCPA requirements would not apply until January 1, 2021, for job applicants, employees, contractors, medical staff members, owners, officers and directors (the latter five roles also would become newly defined terms), provided their information is used solely in the context of their current or former role with a business. Although the definition of “contractors” is likely meant to include independent contractors working for a business, it is defined broadly as a natural person who provides any service to a business pursuant to a written contract. The amendment also would exclude personal information that qualifies as the emergency contact information of that individual, provided it is collected and used solely in the context of having an emergency contact on file. Finally, the amendment would exclude the personal information of relatives of an individual whose information is collected and retained for the purpose of administering benefits, provided the information is used solely for that purpose. The following CCPA provisions would still go into effect on January 1, 2020, for these individuals:

  • the obligation to notify these individuals about the categories of personal information that the business collects and the purposes for which the information is used, at or before the point of collection;
  • consent would still be required to collect additional categories of personal information or to use previously collected personal information for new purposes; and
  • these individuals could still assert a claim under the CCPA’s private right of action for cybersecurity incidents.

Exclusion of Employees of Business Partners and Business Clients

Similar to AB25, under Amendment AB135 many of the CCPA requirements would not apply until January 1, 2021, including when personal information is transmitted in business-to-business written or verbal communications or transactions relating to due diligence, or providing or receiving a product or service to or from the other business, and the personal information concerns an employee, owner, director, officer or contractor of that business. That individual would still be entitled to their right to nondiscrimination and right to opt out of the sale of such personal information. Such individuals could still exercise their private right of action under the law.

Verified Consumer Request (VCR)

While the California attorney general must still release guidance on the meaning of a verified consumer request (VCR), AB25 provides some additional guidance on VCRs, stating that a business, when responding to a VCR, may require authentication of the consumer that is reasonable in light of the nature of the personal information requested. The amendment also prohibits a business from requiring consumers to create a new account with the business in order to submit a VCR. However, if the consumer already maintains an account with the business, then the business may require the consumer to submit a request through that account. This change would be especially beneficial for consumer-facing companies reliant on online contacts.

The amendments also would permit the attorney general to establish rules and procedures on how to process and comply with VCRs for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns. The current version of the CCPA contains minimal guidance on navigating the complexities of requests related to households as compared to a natural person, so this represents another important area for businesses to track going forward.

Limiting the Catch-All in the Definition of Personal Information

Under the CCPA, information is "personal information" if it is capable of being associated with, or could be reasonably linked, directly or indirectly, to a particular consumer or household. This definition was seen as extremely broad given today’s advanced data mining technology. AB874 slightly narrows the definition by stating that the information must be "reasonably capable" of being associated with a particular consumer or household. Additionally, the amendment would specifically exclude de-identified or aggregate consumer information from the definition of personal information. The treatment of such information is somewhat unclear under the CCPA as currently written.

Expanding the Publicly Available Information Exclusion

The CCPA currently excludes “publicly available” information from personal information. However, a business can only rely on that exception if it is using the information “for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records.” Amendment AB874 would strike the “compatible purpose” requirement; meaning that a business could rely on that exception even if it used the publicly available information for a different purpose.

The Recall and Warranty Deletion Exception, and the Vehicle and Ownership Information Sale Exception

Under Amendment AB1146, a business could decline a consumer’s personal information deletion request where retention of the personal information is required to fulfill the terms of a written warranty or product recall conducted in accordance with federal law. While the remainder of the amendment is directed toward vehicles, this deletion exception is not expressly limited to the vehicle context.

In addition, under this amendment, consumers would not have a right to opt out where vehicle information or ownership information is retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purpose of effectuating, or in anticipation of effectuating, a repair covered by a warranty or recall. To remain within this exception, the new motor vehicle dealer and vehicle manufacturer could not sell, share or use the information for any other purpose. As a result, the same information could be subject to CCPA requirements where dealers use the information for other purposes, such as marketing or standard maintenance reminders. Vehicle information is defined as vehicle information number, make, model, year and odometer reading. Ownership information is defined as the name(s) of the registered owner(s) and their respective contact information.

Fair Credit Reporting Act (FCRA) Exception

The amendments clarify that, except for the private right of action for data breaches, the CCPA does not apply to an activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by (1) a consumer reporting agency; (2) a furnisher of information (as set forth in Section 1681s-2 of Title 15 of the United States Code) who provides information for use in a consumer report; and (3) a user of a consumer report. This exception would apply only to the extent that such activity by that agency, furnisher or user is subject to regulation under the FCRA and the information is not otherwise used, communicated, disclosed or sold, except as authorized by the FCRA.

Clarification to Notice Requirement

AB1146 also clarifies matters regarding the notice elements required in any privacy policy or description of California consumers’ rights. The amendment confirms that the business need only describe (1) the categories of personal information it has collected about consumers generally (as opposed to the particular consumer viewing the privacy policy or description of rights) and (2) indicate that consumers have a general right to request the specific pieces of personal information that a business has collected about them, as opposed to requiring the actual specific pieces of information to appear in the privacy policy or description of rights.

Exemptions Clarification

AB1146 clarifies that a business is not required to (1) collect personal information that it would not otherwise collect in the ordinary course of its business, (2) retain personal information for longer than it would otherwise retain such information in the ordinary course of business, or (3) re-identify or otherwise link information that is not maintained in a manner that would be considered personal information. Currently, the CCPA only includes the language in (3) above.

Right to Nondiscrimination

AB1146 clarifies that for purposes of deciding whether a business is discriminating against those who exercise their data privacy rights, it is the value provided to the business, and not the value to the consumer, that is taken into account when determining whether differences are reasonably related to the value of consumer’s data. As a result, businesses could charge consumers a different price or rate, or provide a different level or quality of goods or services to the consumer, if such differences were reasonably related to the value provided to the business by the consumer’s data. Additionally, businesses could offer a different price, rate, level, or quality of goods or services to the consumer if the price or difference were directly related to the value provided to the business by the consumer’s data.

Private Right of Action

The amendments clarify that class action lawsuits can be brought only for data breaches pursuant to California’s data breach notification law if the personal information was nonencrypted and nonredacted. As currently drafted, the personal information only needs to be nonencrypted or nonredacted.

Consumer Access Requirement Clarifications and Electronic Relationship Exception

Amendment AB1564 would clarify that a business must make available to consumers two or more designated methods for submitting requests relating to the “Right to Request Disclosure of Information Collected” and the “Right to Disclosure of Information Sold,” including, at a minimum, a toll-free telephone number. Additionally, if the business maintains a website, it must make the website available to consumers to submit requests for information required to be disclosed. The current wording of the CCPA only requires businesses to make a website address available. In addition, where a business operates (1) exclusively online and (2) has a direct relationship with a consumer from whom it collects personal information, that business only is required to provide an email address for submitting such requests. This amendment could save businesses substantial financial expense and operational complexity if they are not otherwise organized to process consumer contacts via telephone. Notably, businesses that fall into this category would still be required to make their websites available for consumers to submit requests, in addition to providing an email address.

CJEU Holds That ‘Right to be Forgotten’ Only Applies to Searches in the EU

The Court of Justice of the European Union (CJEU) has ruled that the requirement for a search engine operator to delist search results as a result of a successful “right to be forgotten” request does not automatically apply outside of the EU.


European Union law provides that data subjects may, in certain circumstances, have their personal data erased under what is known as a “right to be forgotten” request (RTBF). This right has now been codified by Article 17 of the European Union Regulation (EU) 2016/679 (GDPR).

The CJEU previously held in 2014 that the operator of a search engine is a data controller with regard to the processing of data carried out for an online search.1 As a result, operators of a search engine are required, following an RTBF request by an individual, to delist links to an individual's personal information where the information is “inadequate, irrelevant or no longer relevant, or excessive.2

Following the 2014 ruling, Google only delisted links accessed through Google’s EU domains, such as “” or “” The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), adopted the view that following a successful RTBF request, Google should delist applicable search results across all domains worldwide. In light of Google’s continued failure to do so, the CNIL imposed a €100,000 fine. Google appealed this decision before the French Conseil d'État (the Council of State acting as the supreme court for administrative claims in France), arguing that the RTBF could not be applied outside of the EU’s jurisdiction, and to do so would potentially compel search engine operators to contravene the laws of other jurisdictions. In turn, the Conseil d'Etat referred a number of questions regarding the territorial scope of the RTBF to the CJEU.

The CJEU’s Decision

In line with the advocate general’s opinion, the CJEU held that, following a successful RTBF request, Google, as the search engine operator, is not required by EU law to delist links to the relevant personal information on all of its domains globally. Rather, EU law only requires that delisting occurs across all EU member states.

The CJEU reached that decision by considering that:

  • the EU seeks to guarantee a high level of protection of personal data within the union.3 In a globalized world, and with the internet being a global network, the listing of a link to personal information that those outside of the EU have access to could have a substantial effect on an individual within the EU. In light of this, the global delisting of personal information, subject to a successful RTBF request, would be the most effective way for the EU to guarantee a high level of protection of personal data. However, many jurisdictions outside of the EU do not recognize a RTBF or apply such a right differently;
  • the rights to privacy and protection of personal data must be balanced against other fundamental rights, particularly the freedom of information; and
  • the wording of the RTBF legislation4 and broader data protection legislation does not envision that the RTBF would have a territorial scope beyond the EU. For instance, there are no means of cooperation established between the EU and non-EU states, as there are between EU member state supervisory authorities, to come to a joint decision on the balance of a data subject’s right to privacy and protection of personal data against the interest of the public to have access to that information.

While the CJEU made clear that EU law does not require delisting globally, it also does not prohibit it. Consequently, an EU member state supervisory or judicial authority may still decide that it is appropriate to order a search engine operator, such as Google, to carry out a global delisting.

The CJEU also explained that search engine operators must take measures to ensure the effective protection of the data subject’s fundamental rights to privacy and the protection of personal data. This means that the measures taken by the search engine operator must have the effect of preventing, or at least “seriously discouraging,”5 internet users in the EU from gaining access to links connected to a successful RTBF action. The CJEU is likely concerned about the risk of individuals within the EU circumventing the delisting of search results by simply using a search engine domain name outside of the EU, such as by using “” instead of “” This can be prevented, for example, by using geo-blocking. a technique that limits access to internet content depending on the geographic location of the user, such that a person located in France searching for delisted information on the domain would still not receive the delisted links.

Key Takeaways

The CJEU has recognized that the requirement for a search engine operator to de-list search results as a result of a successful RTBF request does not have automatic extraterritorial application. This is mainly because (1) a RTBF is not recognized by all jurisdictions globally, and where it is recognized, jurisdictions may apply it differently, and (2) the EU’s data protection legislation does not envisage extraterritorial application of the RTBF. However, there is no prohibition of a global application of the RTBF by a EU member state if appropriate, and search engine operators must at least “seriously discourage” internet users in the EU from gaining access to de-listed search results.

CJEU Rules on Interpretation of Joint Controller

The CJEU held that a website operator may be a joint controller with the provider of a social media plug-in.


In Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V.,6 the CJEU furthered its broad interpretation of the definition of a “controller” as used in EU data protection law. This interpretation is critical since many of the General Data Protection Regulation (GDPR) obligations apply to data controllers. The CJEU held that a website operator that has embedded a social media plug-in on its site could be a “controller,” jointly with the provider of the social media plug-in. As a result of the ruling, website operators: (1) are subject to the duties to inform individuals from whom they process personal data pursuant to the GDPR; (2) will require a joint controller arrangement with the provider of the social media plug-in;7 and (3) are subject to the possibility that a data subject may exercise their privacy rights against either the website operator or the social media plug-in provider (usually by reaching out to the contact point designated by the joint controllers).8


Fashion ID, a German online retailer, embedded the Facebook “like” button (the plug-in) on its website. For the plug-in to work, the browser of a visitor to the Fashion ID website had to transmit to Facebook the IP address of the visitor’s computer, as well as the browser’s technical data. The browser did this automatically and without the visitor’s knowledge. It also occurred regardless of whether the visitor was a Facebook member or had clicked on the plug-in.

In light of these facts, a German consumer protection association sought an injunction against Fashion ID arguing that the use of the plug-in resulted in a breach of applicable data protection legislation because of Fashion ID’s failure to inform visitors of such processing. The German court then referred a number of questions to the CJEU.

The CJEU’s Decision

The CJEU held, in keeping with the court's previous expansive interpretations of the term “controller”9, that Fashion ID could be considered a controller jointly with Facebook because they collectively determined the purposes and means of the processing of the personal data. They jointly determined the means that provided the platform on which the plug-in was hosted, as Fashion ID was the website operator. They also determined the purposes of processing in concert with one another as Fashion ID wanted “likes” on Facebook as a way of advertising, while Facebook wanted web traffic from which it could collect data for its own commercial purposes (subject to the limitations set out below).

However, the CJEU did limit the extent of Fashion ID's responsibility to the stages of the processing operation in which the company actually was a controller, namely the collection and subsequent transmission of the personal data. The court ruled that Fashion ID had no control over what data was transmitted by the visitor’s browser to Facebook and over what Facebook decided to do with that data.

In its decision, the CJEU made two important points regarding joint controllers. First, Fashion ID’s obligation to inform visitors about the processing of their data at the time of collection was limited, in the court's view, to only include the stages of the processing in which it was a controller. It was therefore up to Facebook to inform the site's visitors of any processing of their data beyond the collection and transmission of it by Fashion ID. Second, where data processing is to be based on legitimate interest, it is necessary for the joint controllers to have a legitimate interest that is not overridden by the rights of the data subject.10

Key Takeaways

The court's ruling shows that: (1) the CJEU continues to adopt a broad interpretation of “joint controller”; (2) website operators will have to ensure that they enter into a joint controller arrangement with plug-in service providers to address responsibility and liability issues in relation to the joint processing of personal data; and (3) website operators will have to ensure that they provide visitors with appropriate notice of processing relating to plug-ins. In light of this decision, website operators may need to update their privacy notices.

UK Court Decides on the Use of Facial Recognition Technology

In Bridges v. South Wales Police a Welsh court set a precedent for use of Automated Facial Recognition (AFR) technology by law enforcement.

On September 4, 2019, the Divisional Court in Cardiff, Wales, dismissed an application for judicial review brought by a civil liberties campaigner against the use of AFR technology by the South Wales Police (SWP). The SWP has taken the national lead on testing and conducting trials of AFR use in the U.K., with the trials funded by grants from the U.K. government. This is the first time that the legal implications of facial recognition technology have been considered in any court in the world, and sets a potentially important precedent for the use of AFR by law enforcement bodies.


Edward Bridges, a member of the public supported by Liberty, a civil liberties organization, challenged the lawfulness of the SWP’s overall use of AFR technology, in addition to two separate occasions where AFR technology was used while he was present. Both instances involved the SWP's use of its pilot AFR Locate technology during its trial phase. Bridges' claims fell under a range of both European and British human rights and data protection laws, including the European Convention on Human Rights (ECHR), the U.K. Data Protection Act (DPA) (both under the 1998 act and the current act of 2018) and the Equality Act of 2010.

The Technology

Over the past several years there have been many technological advancements in the field of forensic policing, with each advancement triggering new civil liberties concerns, resulting in the implementation of specific legislative measures to balance the line between effective policing tools and the protection of privacy and civil liberties. The U.K. courts have historically taken the position that "law enforcement agencies should take full advantage of the available modern technology and forensic science."11

AFR is a new technology that allows images to be taken and processed to extract facial biometric data, which is then compared with images stored on a database for a specific purpose. AFR Locate specifically is intended to identify persons who are on a watchlist created by police forces across the country to help detect and prevent crime. The SWP has deployed the technology in public spaces to pinpoint individuals who could be connected with criminal activities.

Currently, the use of AFR technology is controversial from a data protection standpoint. The U.K.’s data protection authority, the Information Commissioner’s Office (the ICO), is currently conducting an investigation into the trial use of such technology by the police, and Information Commissioner Elizabeth Denham has publicly expressed concerns regarding the rollout of AFR. Specifically, the ICO notes that police forces have not fully demonstrated their compliance with applicable data protection laws, including the processes by which watchlists are collated and by which images are utilized.

The Court’s Ruling

Bridges was concerned that his photo may have been taken by AFR from a police van while he was Christmas shopping. His primary arguments claimed that there is no legal basis for the use of AFR Locate, and that there is not currently any sufficient legal framework that outlines the safeguards in place for the use of AFR. In response to the first submission, the court noted that the SWP and the U.K. government rely on the police's common law powers as sufficient authority to use these new technologies. Those common law principles enforce a duty on police constables to detect and prevent crime, which includes the power to use, retain and disclose imagery of individuals for the purposes of detecting crime. In this case, the court concluded that the police's common law powers were a sufficient legal basis for the use of AFR Locate.

As for Bridges' submission in relation to the legal framework, the court concluded that there was a clear and sufficient legal framework in place governing when, and how, AFR Locate may be used. The fact that the technology is new does not mean it automatically falls outside the scope of the existing regulations or that it is necessary to create a bespoke legal framework for its use.

The legal framework comprises primary legislation (e.g. the DPA 1998 and its successor, the DPA 2018) and secondary legislation (in the form of codes of practice issued under primary legislation) and the SWP's own policing policies. According to the court, the cumulative effect of each of these different sources is sufficient to satisfy that the use of AFR is in "accordance with the law."

Interplay Between Data Protection Legislation and AFR Technology

Bridges contended that the use of AFR was contrary to the DPA 1998 and the DPA 2018. Despite the facts of the case occurring prior to the implementation of the DPA 2018, the court assessed the use of AFR as if the DPA 2018 had been in full force and effect at the time. Data protection rules apply to all operations which involve the retention or use of personal data.

The court concluded that the use of AFR Locate met the requirements of the first data protection principle (DPA 2018 Section 4(4)) on the basis that the information was processed for the SWP's legitimate interests to prevent and detect crime, as set out above. The court held that the processing of biometric data was necessary for the SWP to successfully identify persons on its criminal watchlist.

The court also considered obligations placed on the SWP under Schedule 3 of the DPA 2018 regarding the processing of personal data by law enforcement. Specifically, they considered whether the biometric data obtained was subject to "sensitive processing" and whether the processing was "strictly necessary" for law enforcement purposes. The court confirmed that the "processing … of biometric data for the purposes of uniquely identifying an individual" would be subject to specific conditions for "sensitive processing" under the DPA 2018. The court was satisfied that the operation of AFR Locate involved sensitive processing of the biometric data of members of the public, and that the processing of such data was lawful, non-arbitrary and fair. Furthermore, the court evaluated the SWP’s data protection impact assessment and concluded that the SWP took into account appropriate technical and organizational safeguards to protect against personal data breaches. In essence, the court found that the existing legal and regulatory regime was sufficient for governing the lawful use of AFR technology.

Key Takeaways

The existing legal framework seeks to strike a balance between the protection of individual privacy rights and the prevention of crime. Whilst the police powers granted under common law empower the SWP to legally use AFR, the decision in Bridges v. South Wales Police further confirms that AFR can be integrated into law enforcement activities without any need for the establishment of a new, separate legal framework. However, the ICO, which continues to remain skeptical of AFR technology, is expected to provide further regulatory guidance in this area.

Federal Judge Puts Dispute Involving Multimillion-Dollar Phishing Scam Coverage on Hold

A Texas federal judge recently issued an order temporarily staying a property management company’s coverage action against its primary and excess crime insurers relating to a $10 million loss stemming from a phishing scam.

On August 1, 2019, the U.S. District Court for the Northern District of Texas issued an order, on the parties’ joint motion, temporarily halting property management company RealPage, Inc.’s (RealPage) coverage dispute against its primary and excess crime insurers, National Union Fire Insurance Company of Pittsburgh, Pennsylvania, (a subsidiary of AIG) and Beazley Insurance Company (Beazley), relating to a $10 million loss sustained by RealPage as a result of a phishing scam.12

The Phishing Scam and Fraudulent Funds Transfer

According to RealPage’s complaint, the company provides software and data analytics, as well as back office management services, to real estate owners and managers. One of the management services that RealPage provides is the collection of rental payments from residents of the company's property manager clients and the subsequent transfer of those payments to the clients through a web portal. RealPage allegedly uses a third-party software application to allocate and direct the resident payments received through the web portal. Once the residents make a payment through the web portal, further transfer of funds is controlled entirely by RealPage, the complaint alleges.

In May 2018, one or more unauthorized parties allegedly used a targeted phishing scheme to obtain a RealPage employee’s account credentials. The perpetrator(s) then allegedly used those credentials to access the third-party software application and change RealPage’s bank account disbursement instructions, allowing the perpetrator(s) to fraudulently divert more than $10 million in funds that the company had collected for its clients. The complaint further alleges that while some of the stolen funds were recovered, RealPage ultimately had a net loss of more than $6 million.

RealPage Seeks Coverage From its Crime Insurers; the Insurers Deny Coverage

According to the complaint, at the time of the loss, RealPage had primary and excess crime policies issued by AIG and Beazley, respectively, which provide coverage for losses arising out of various financial crimes, including computer fraud. The AIG primary policy allegedly covered loss to property that RealPage “own[s]” and “hold[s] for others whether or not [RealPage is] legally liable for the loss of such property.”

RealPage tendered the loss to AIG and Beazley. In response, AIG acknowledged that the loss triggered its policy’s computer fraud insuring agreement, but only agreed to pay a limited portion of RealPage’s losses consisting of diverted funds that AIG calculated as representing transactional fees owed to the company by its clients. According to RealPage, AIG wrongfully disclaimed coverage for the majority of the company's losses consisting of diverted funds that would have been sent to client bank accounts, claiming that RealPage did not “own” the funds or “hold the funds for others.” In response to the partial disclaimer, the company allegedly provided AIG with “clear and undisputed information” demonstrating that “RealPage was holding th[e] funds for clients … when the funds were diverted, which information demonstrated RealPage’s right to coverage.” AIG allegedly declined to withdraw its disclaimer.

The complaint further alleges that Beazley also failed to provide coverage for the loss under its excess crime policy, despite the fact that RealPage’s loss exceeded the limits of the AIG primary policy.

RealPage’s Coverage Action and the Parties’ Joint Motion to Stay

On June 5, 2019, RealPage commenced a coverage action against AIG and Beazley in the Northern District of Texas seeking a declaration that RealPage’s loss resulting from the fraud incident is covered under AIG and Beazley’s crime policies. RealPage also brought claims for breach of contract, anticipatory breach of contracts and violations of the Texas Insurance Code.

On August 1, 2019, the parties filed a joint motion to stay the proceedings for 120 days to allow time for RealPage to investigate new developments related to its damages and afford the parties an opportunity to potentially resolve at least a portion of the dispute without further litigation. Specifically, according to the motion, RealPage learned after the filing of its lawsuit that a portion of its claimed damages may be recouped from “a previously unknown source,” which “may materially affect RealPage’s claims against Defendants, as well as the amount of its damages.” On August 1, 2019, the court issued an electronic order granting the parties’ motion to stay. The case is currently stayed until December 2, 2019, at which point the stay will be automatically lifted.

Key Takeaways

It remains to be seen whether the parties will be able to resolve their dispute during the stay. Regardless, this case is a reminder that traditional crime policies may seem comprehensive, but nevertheless may fall short in the event of a cyber loss. While there are a number of non-insurance measures that a company can take to protect against the risk of cybercrime, such as information security training and protocols, insurance coverage nevertheless remains a key risk management tool. Thus, businesses should seek to tailor their crime and/or cyber policies to best fit their needs in order to increase the likelihood that coverage will be available in the event of a cyber loss. Similarly, insurers should carefully craft and review their policy forms to ensure that they are comfortable with the coverage being provided.

Marriott Ordered to Publicly Release Forensic Report in Cybersecurity Class Action Lawsuit

A Maryland federal judge's recent decree ordering the Marriott hotel chain to produce a report revealing key details about how a data breach occurred may signal a trend towards more transparency in cybersecurity litigation.

On August 30, 2019, a federal judge in Maryland ordered Marriott to make public a Payment Card Industry Forensic Investigative report (PFI report), thereby revealing potentially sensitive and inculpatory information about the company’s cybersecurity. A PFI report is the product of a forensic investigation initiated by credit card companies in the aftermath of a cybersecurity incident to assess a merchant’s compliance with industry standards for security. The judge rejected Marriott’s arguments that public release of the report would facilitate future cyberattacks, compromise its ongoing investigation and reveal confidential aspects of Marriott’s business to competitors, concluding that the First Amendment requires Marriott to produce the report.

Attacks on Marriott’s Starwood Database and Resulting Class Action Lawsuit

The litigation stems from a data breach that Marriott announced on November 30, 2018, involving unauthorized access to its Starwood brand's guest reservation database. Marriott claims the attackers stole personal data from up to 383 million guests, beginning as early as 2014.

The many lawsuits that resulted were consolidated into one multidistrict class action and divided into five tracks: government, financial institution, consumer, securities and derivative. While Marriott’s motion to dismiss in the securities and derivative tracks was pending, the judge stayed discovery in all other tracks and provisionally sealed Marriott’s motion to dismiss in the government track action, which included a copy of Marriott’s PFI report.

The Plaintiffs Seek Production of Marriott’s PFI Report

Before the deadline for amending their complaint, the plaintiffs in the securities and derivative track class actions moved to unseal Marriott’s PFI report. The plaintiffs argued that the First Amendment right to access judicial records mandated the unsealing of the PFI report, which had been filed with the court as an attachment to Marriott’s motion to dismiss in the government track action.

Marriott responded, arguing that three compelling interests outweighed plaintiffs’ right of access. First, the company claimed that releasing the PFI report would allow criminals to use it to hone their strategies and perpetrate future attacks. Second, Marriott argued it needed to protect the integrity of ongoing investigations into the breach, which could be compromised by the release of the PFI report. Finally, the company sought to prevent competitors from gaining insight into commercially sensitive information about its business practices contained in the PFI report.

The Court Orders Unsealing of the PFI Report

On August 30, 2019, the court upheld the plaintiffs’ arguments and ordered the unsealing of Marriott’s PFI report, ruling the company must produce the PFI report in its entirety, subject to any narrowly tailored redactions proposed by Marriott and upheld by a magistrate judge.

The court held that the PFI report was a judicial record subject to the First Amendment right to access, not simply because it was filed in connection with Marriott’s motion to dismiss, but because the report was relied on by the parties in their pleadings and “will play a significant role in the adjudicative process by helping [him] decide whether the complaint is facially sufficient.”

The court found Marriott’s arguments insufficient to raise a compelling interest that outweighed the plaintiffs’ First Amendment right to access the PFI report. First, the court considered Marriott’s argument about preventing future attacks to be “speculative and generalized,” observing that “[u]nder this reasoning, none the details of how the Starwood database was compromised could ever be revealed, which would prevent the public from understanding how the data breach occurred in the first place …” He also rejected Marriott’s arguments that unsealing the PFI report would compromise ongoing investigations and place commercially sensitive data in the hands of Marriott’s competitors, because the company did not specify how such investigations would be compromised or why sealing the entire report was necessary to prevent competitors from accessing confidential information.13

Emphasis on Transparency

Underpinning the court’s order is an emphasis on the perceived need for transparency early in cybersecurity litigation. Granting plaintiffs access to PFI reports prior to discovery facilitates the efficient administration of class actions because it allows courts to make better-informed decisions about the validity of the claims and defenses at issue earlier in the life of the litigation. Nevertheless, such prompt and early access to PFI reports could curtail defendants’ hopes of winning early pretrial dispositive motions, while providing class action plaintiffs with a powerful evidentiary tool. PFI reports are aimed at determining whether, and to what extent, a retailer is to blame for a security incident. Thus, the report can contain inculpatory and, at best, unflattering information about the defendant that plaintiffs can use to bolster their existing claims and raise novel ones.

Key Takeaways

Companies involved in cybersecurity litigation should avoid filing their PFI report as part of any pleadings, even under seal. Marriott opened the door to the plaintiffs' First Amendment argument when it filed its PFI report as part of a motion to compel.

Nevertheless, the court’s order suggests that even if a PFI report is not filed as part of a pleading, it may still be subject to early production if the parties rely on it in their pleadings and the judge considers it useful in deciding a motion to dismiss. Given this, additional steps should be considered to mitigate the consequences of a publicly released PFI report. For example, companies may consider hiring their own forensic vendor to undertake an investigation, which may counter the PFI report produced by the merchant’s vendor. Companies also should hone their PR strategies to respond to negative press arising from the pubic release of a PFI report.

Finally, before an incident arises, companies may consider hiring a forensic vendor to produce a mock PFI report to help alert a company of potential shortcomings in its cybersecurity prior to an incident or related litigation.


1 Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, C-131/12, 13 May 2014.

2 Paragraphs 92-94, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, C-131/12.

3 Article 16 TFEU; recitals 10, 11 and 13 of Regulation 2016/679; and recital 10 Directive 95/46.

4 Article 17 GDPR and Article 12(b) Directive 95/46/EC.

5 Paragraph 70, Google Inc. v Commission Nationale de l’Informatique et des Libertés (CNIL) Case C-507/17.

6 (Case C-40/17) (July 29 2019). While the case relates to the EU data protection laws in force prior to the introduction of the GDPR, the judgement is still of relevance given that the definitions considered are almost identical to those adopted under the GDPR.

7 Article 26(1) GDPR.

8 Article 26(3) GDPR.

9 Wirtschaftsakademie Schleswig-Holstein, C-210/16; and Jehovan todistajat, C-25/17.

10 The referring court asked whose legitimate interest between the joint controllers should be taken into account, assuming that the “legitimate interest” legal basis applied. The referring court did not request guidance on whether, in the given case, a legitimate interest actually allowed the processing of personal data to occur in the absence of the data subjects’ consent.

11 R(S) v. Chief Constable of the South Yorkshire Police [2014] 1 WLR 2196.

12 RealPage, Inc. v. Nat’l Union Fire Ins. Co of Pittsburgh, Pa., No. 3:19-cv-01350 (N.D. Tex.).

13 The full text of the court’s ruling can be read here.

Download PDF

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP

Skadden, Arps, Slate, Meagher & Flom LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.