Articles Posted in International Law

Every ransomware attack requires the victims to make a hard decision – whether or not to pay the ransom. The decision is often made on the basis of past mistakes – failure to implement basic security (such as not implementing multi-factor authentication), failure to train personnel in recognizing phishing, or failure to establish and maintain an effective backup protocol. Lack of backups is often the deciding factor – if a company cannot reinstall systems and recover lost data, it may feel that it has no choice except to pay the ransom.

Why You Shouldn’t Pay. Even if that were the case, paying the ransom may be the wrong decision. Here’s why:

  • Paying the Ransom May Be Illegal. Federal and some state and local governments have rules against paying ransom to bad actors because it funds support for illegal activities. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) oversees these incidents, and the International Emergency Economic Powers Act and the Trading with the Enemy Act have strict rules against foreign financial engagement, and it is illegal to conduct a transaction with any person on the OFAC’s Specially Designated Nationals and Blocked Persons List. As it happens, hackers are often on the list. Violations of the sanctions rules can result in civil penalties, and even jail time.

Ransom payments made to individuals and entities on the list can include cases where the victim is unaware that their payments violate these laws; the government can seek civil penalties even if the victims didn’t know the payments were illegal.

Continue reading

Shrems II – Groundhog Day, All Over Again

Past is Prologue

One of the keys to the European’s Union data protection regime has been the prohibition against transferring personal data from EU countries to jurisdictions that do not have regimes that, in the determination of the EU, provide adequate protection to consumers. Beginning in 2000 the U.S. – EU Safe Harbor Framework allowed U.S. companies to certify their compliance with EU data protection requirements, and facilitated the transfer of data between the EU and the U.S. On October 6, 2015, the Court of Justice of the European Union, the European Union’s highest court, overturned the Safe Harbor Framework. In response, the EU and the U.S., primarily through the Department of Commerce, developed International Safe Harbor Privacy Principles, commonly called the “Privacy Shield,” and a more robust framework was adopted, allowing substantially the benefits of the Safe Harbor.

On July 16, 2020, the CJEU held that the EU-U.S. Privacy Shield arrangement — which includes more than 53,000 participating companies — is invalid. The CJEU said in a press release that, in the court’s view, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” The Court also said that the United States ombudsman is neither independent enough, nor has adequate authority, to provide an effective cause of action to guarantee the protections under EU laws and regulations.

In particular, the court said that the ombudsperson mechanism in the U.S. — a role created by the Privacy Shield arrangement — “does not provide data subjects with any cause of action before a body which offers guarantees” at the level of EU law. The CJEU said the ombudsperson, which sits under the U.S. Department of State, is neither empowered nor independent at an adequate level.

Impact of the Decision

Like the invalidation of the Safe Harbor, the rejection of the Privacy Shield is likely to create substantial disruptions in data transfers, a key to international trade, until a resolution is found. It is hard to overstate the significance of this decision. The U.S. Commerce Department estimates that the value of the transatlantic economic market at $7.1 trillion, and that a multitude of companies, large and small, rely on the ability to transfer personal, employee and other data from the EU to the U.S. The impact on individual firms will be wide: Continue reading

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.  Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, which the hotel chain later corrected to 383 million following a more complete investigation.  Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

In their column, Top 10 cybersecurity predictions for the new year, Robert Braun and Michael Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group offer predictions on federal privacy legislation (they won’t pass any and if by chance they do, it won’t work), data localization (more companies will have to decide whether to maintain services in foreign jurisdictions or leave those markets), governance (companies will get finally  get real about enforcing written cybersecurity policies), and more.

Published by the Daily Journal, you can read the column here.


About JMBM’s JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity & Privacy Group counsels clients in a wide variety of industries, including retail, aerospace, health care, utilities, sports, media, and professional services such as accounting firms, law firms, business management firms and family offices. We represent clients in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity & Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

Robert E. Braun and Michael A. Gold are co-chairs of the Cybersecurity & Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP.

Contact Bob Braun at or +1 310.785.5331.
Contact Mike Gold at or +1 310.201.3529.

JMBM’s Cybersecurity & Privacy Group is pleased to announce that the Group’s Co-Chair, Michael A. Gold, will be participating as a panelist for the webinar Bristows Legally Speaking! Data protection and information security in EU, India and California – what next?

Sponsored by the London-based law firm Bristows, the webinar is open to C-suite executives, Chief IT officers, in-house counsel, and others whose companies are doing business in California, Britain, the EU, or India.

Date: Tuesday, October 30, 2018
Time: 9:00 AM – 10:00 AM Pacific

No registration fee is required. Register here.

Panelists include:

Robert Bond, Partner and Notary Public at Bristows LLP, London
Salman Waris, Partner at TechLegis Advocates & Solicitors, Delhi
Michael Gold, Partner at Jeffer Mangels Butler & Mitchell LLP, Los Angeles

Topics that will be explored include:

  • Draft data protection law in India
  • California data privacy laws explained
  • Overview of US privacy laws
  • Comparisons with EU laws
  • What else is on the global horizon for data protection?

We invite you to join us for this informative webinar. Register now!

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss Impact of international privacy laws on U.S. companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Cybersecurity for middle market companies.
Continue reading

The Safe Harbor

For 15 years, the Safe Harbor Framework has provided a way for U.S. companies to comply with the EU Data Protection Directive.  Under the directive, transfers of personal data from the EU to a non-EU country are prohibited unless the receiving country can assure an adequate level of protection for the data.  While a number of countries do comply – among them Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay – the United States does not.  The Safe Harbor Framework was developed by the United States Department of Commerce and the European Commission as a mechanism to address the EU law’s adequacy standard. U.S. businesses voluntarily participate in the Framework and thereby comply with its terms.
Continue reading