Follow: Email

This article originally appeared in Global Data Review on March 29, 2019

Last year, the US passed legislation expanding the geographic reach of certain legal process, including search warrants, issued to technology providers seeking customer data. Under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, warrants issued by US courts can force certain types of providers to disclose customer data stored anywhere in the world.

Notably, the CLOUD Act does not affect only US technology providers. The legislation covers all providers of defined technology services, so long as they are subject to US jurisdiction and in possession, custody or control of the data sought.  This article describes the CLOUD Act, addresses scenarios in which technology providers based outside the US may be subject to the legislation, and identifies mechanisms for challenging legal process issued under the Act.


Continue Reading Reaching for the CLOUD

[This article also was published in Law360.]

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]


Continue Reading Litigation Options For Post-Cyberattack ‘Active Defense’

Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act.  The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide.  The webinar, hosted with DataGuidance, is available here.  The webinar

In a decision that defines how the Fourth Amendment applies to information collected in the digital age, the Supreme Court today held that police must use a warrant to obtain from a cell phone company records that detail the location and movements of a cell phone user.  The opinion in Carpenter v. United States limits the application of the third-party doctrine, holding that a warrant is required when an individual “has a legitimate privacy interest in records held by a third party.”

The 5-4 decision, written by Chief Justice John Roberts, emphasizes the sensitivity of cell phone location information, which the Court described as “deeply revealing” because of its “depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.”  Given its nature, “the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection,” the Court held.
Continue Reading Supreme Court’s Carpenter Decision Requires Warrant for Cell Phone Location Data

Last summer, Marcus Hutchins, the security researcher who stopped the “WannaCry” malware attack, was arrested and charged for his role in allegedly creating and conspiring to sell a different piece of malware, known as Kronos.  As we have previously discussed on this blog, however, the indictment was notable for its lack of allegations connecting Hutchins

Last August, the Department of Justice arrested and indicted Marcus Hutchins, the security researcher who accidentally discovered the “kill switch” that stopped the “WannaCry” malware attack.  Hutchins was not charged for anything to do with WannaCry, but rather for creating and conspiring to sell a different piece of malware, the “Kronos Banking trojan.”  Apart from

On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide.

The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components.

Part I:  Extraterritorial Reach