The US District Court for the Eastern District of Virginia recently ordered Capital One to produce a forensic investigation report in multi-district litigation arising out of a cyber incident that Capital One had announced in July 2019. The court found that the report was not protected by the work product doctrine as Capital One had not shown that "but for" the litigation, the report would not have been prepared in substantially the same form.
During the coronavirus outbreak, many employers around the world are seeking to prioritise the wellbeing and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organisations must consider increased risks to the security of their networks, systems and data during this time.
New York Governor Andrew Cuomo recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law. Businesses maintaining the private information of New York residents will now be required to develop reasonable safeguards within their organisation as part of a new reasonable security requirement.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The bill requires the newly-formed Department of Homeland Security teams to provide assistance to public and private entities, on request, to prepare for and respond to cyber-related incidents, including (among other things) restoring services after a cyber incident.