Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company? A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing. However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.
On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.
Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations of the law.
Recent Developments in the State Data-Privacy Landscape: Is Federal Involvement the Best Way Forward?
With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus. Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located. That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years. It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.
Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset
A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction. That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT. NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games. The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation. And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020. But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.
The recent SolarWinds attack alerted the world to the risk of a cyber supply chain attack—an attack through or on your company’s vendors or suppliers. It is increasingly clear that even if you take all the right steps to secure your own computer systems, your company—and your company’s data—is only as secure as the weakest link among your suppliers. This risk includes attacks that might infect your computer systems, as well as the risk that your suppliers’ businesses will be disrupted.
On Tuesday, the United States Supreme Court heard oral argument in TransUnion LLC v. Sergio L. Ramirez, No. 20-297, focusing on whether a class of individuals who experience a risk of harm that never materializes have standing to sue. Although the case itself does not involve a data breach, the Court’s answer to the standing question could have significant implications for the viability of data breach class action lawsuits moving forward.
In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.
Last November, California voters approved Proposition 24, enacting the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Protection Act (“CCPA”), which was already the most sweeping consumer data protection law in the U.S. Wondering what you should know about California’s new Privacy Rights Act? We dug into the new law and identified the five biggest changes.
In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website. Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.” Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury.
New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of its Cybersecurity Regulation. This is just the second enforcement action brought by DFS under the Cybersecurity Regulation, which was the first of its kind nationally.
The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.
On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020 after several amendments necessary for its implementation, which we previously covered here and here. (California is set to enact another privacy law entitled the California Privacy Rights Act (CPRA) - to update the CCPA in November 2020.) There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.
As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers. New York is no stranger to this field. The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries. The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents. And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.
A federal court recently added additional wrinkles to one of the most important aspects of responding to a data breach: a forensic investigative report. The court ordered a law firm to turn over a report produced by a forensics firm engaged by the law firm’s counsel in the wake of a cyber incident. Experienced cyber counsel know that protecting the confidentiality of work product—including investigative reports—is critical in the aftermath of a breach and in ensuing litigation; this decision makes clear that companies and their counsel need to be as deliberate as ever to maintain the integrity of all appropriate legal privileges during a fast-moving breach response.
As remote learning continues to play a critical role in the world’s pandemic response, cybercriminals see another opportunity for exploitation. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued an Advisory warning of cyber-attacks on K-12 educational institutions. The Advisory reports that in August and September, ransomware incidents targeting K-12 education reported to the MS-ISAC made up 57% of all reported ransomware incidents, up from 28% reported from January through July.
The growing threat from ransomware is forcing organizations to re-think their cyber risk mitigation strategy. As private organizations and governments look ahead to 2021 and the risks they face in an increasingly uncertain world, ransomware will no doubt rank high on any list. Ransomware attacks involve the use of malware that encrypts the victim’s computing system, rendering files and data inaccessible until a demand for payment is met, and a decryption key is provided.
On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.
The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”). At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons. The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.
As we previously reported, companies across the globe increasingly have been targeted by cyber criminals during the COVID-19 pandemic. Just last month, a major U.S. healthcare provider, United Health Services (“UHS”), suffered a ransomware attack, crippling its digital networks and forcing many UHS-owned facilities to rely on offline backups and paper charts to provide health care. The attack on UHS is one of the latest incidents in a trend of increasing ransomware attacks, a type of cyberattack in which cyber criminals use malware to block access to the victim’s computer system to extract a monetary payment. Ransomware victims are already faced with difficult decisions regarding payment and business continuity. But the underlying risk associated with such payments runs deeper, in no small part because cyber criminals are almost universally anonymous. A recent advisory (the “Advisory”) from the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) provides guidance on ransomware payments that may implicate U.S. sanctions. The Advisory makes clear that parties that pay or facilitate ransomware payments may face substantial legal consequences if a payment is made to a party subject to U.S. sanctions, whether the payor knows of those sanctions or not.
The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.
As we previously described and as reflected in the rapidly increasing number of cyber-attacks since its start, the COVID-19 pandemic has triggered a shift in working practices that hackers and other bad actors are using to their advantage. Recent studies show a 273% rise in large-scale data breaches in the first quarter of 2020, compared to prior-year statistics, and a 109% year-over-year increase in ransomware attacks in the United States through the first half of 2020. This post will focus specifically on ransomware attacks targeting researchers working on a COVID-19 vaccine and how these attacks have evolved since the start of the pandemic.
As we previously reported, Capital One Financial Corporation announced in July 2019 a major data security breach when an individual gained unauthorized access to personal information about Capital One credit card customers. According to the Office of the Comptroller of the Currency (“OCC”), which regulates large U.S. banks, Capital One has now agreed to pay an $80 million fine to resolve claims related to the incident.
The New York Department of Financial Services (“DFS”) recently initiated its first enforcement action against a company for violating DFS’s first-in-the-nation cybersecurity regulation. As our readers know, we have written quite a few posts and articles about the regulation. And as we’ve warned, with the regulation now in full effect, covered companies should expect DFS’s Cybersecurity Division to start cracking down on companies that haven’t complied.
Well before the California Attorney General’s power to enforce the California Consumer Privacy Act (CCPA) commenced on July 1, 2020, as we have recently reported, private plaintiffs had already jumped into the fray, suing companies like Zoom and Houseparty for alleged violations of the CCPA. We noted that if one of these private lawsuits were to survive a motion to dismiss, it could lead to a substantial increase in class action litigation under the CCPA. Another putative class action under the CCPA that was filed on June 11, 2020 against Minted, Inc.—the popular online stationery, art, and home décor company—joins the growing list of private CCPA lawsuits and adds another wrinkle to this new area of law.
After over 18 months of private mediation, MGM Resorts International has finally dismissed a series of declaratory judgment actions the company brought against victims of the Route 91 Harvest Festival shooting. Those cases stem from the October 2017 Las Vegas shooting in which Stephen Paddock killed 58 people and wounded hundreds more from his hotel room in the Mandalay Bay hotel, owned by MGM. That event resulted in thousands of threatened legal actions against MGM by victims of the shooting, accusing the Mandalay Bay hotel of providing insufficient security, which allowed Paddock to open fire on concertgoers from his hotel room.
Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine.
The Zoom videoconferencing platform has been a constant fixture in recent news as the coronavirus pandemic has caused businesses around the world to flock to it, exposing significant cybersecurity and privacy concerns. These concerns drew the attention of the New York State Attorney General’s Office (“NYAG”), which initiated an investigation into the company’s cybersecurity practices in March, following a massive surge in use. The NYAG’s investigation came to a conclusion on May 7, 2020, when it reached a settlement with Zoom that will require Zoom, among other things, to enhance its practices around cybersecurity and data privacy.
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.
On March 21, 2020—just as the COVID-19 crisis began upending our way of life—New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect fully. The SHIELD Act, which amends New York’s 2005 breach notification law to “keep pace with current technology,” was signed into law on July 25, 2019 by Governor Andrew Cuomo. The first phase of the Act went into effect in October 2019, and its second phase took effect last month.
We have previously written about the thorny questions surrounding the Computer Fraud and Abuse Act (“CFAA”), including how its ambiguous language concerning what computer use is “authorized” has divided the Circuits and how its provisions are, and are not, applied by prosecutors in practice. The Supreme Court declined to address the circuit split in 2017, but yesterday the Court granted cert in Van Buren v. United States to squarely resolve the issue.
Governmental Organizations Across the Globe Warn of Enhanced Cyber Threat Environment Related to COVID-19
In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.
As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day. As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene. As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.
In response to the COVID-19 pandemic, on March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a notification of enforcement discretion, announcing that it would not impose civil penalties for HIPAA violations “against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the “Notification”). The Notification is important because, ordinarily, providing telehealth services does not modify a covered entity’s obligations under HIPAA. If a covered entity’s provision of telehealth services involves protected health information (“PHI”), that entity must meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to in-person health services. OCR’s Notification is clear that “this exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” The Notification supplements an earlier OCR bulletin detailing the application of the HIPAA Privacy Rule during an outbreak of infectious disease.
Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.
On March 17, 2020, a group of thirty-two trade associations and two corporations formally requested that the California Attorney General (AG) delay enforcement of the California Consumer Privacy Act (CCPA) until January 2, 2021, due to the ongoing COVID-19 pandemic. The trade associations represent leading companies in a wide range of industries, including healthcare and pharmaceuticals, transportation, logistics, advertising, insurance, entertainment, real estate, banking and finance, and technology.
In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation. The annual certification is now due on June 1.
In recent years, cyber-attacks have continued to increase in number and scope, with businesses facing ever-growing threats from ransomware, distributed denial-of-service attacks, and phishing schemes. Ransomware attacks alone saw a 41 percent increase in 2019 from 2018, with more than 200,000 organizations and city governments suffering attacks. Today, all eyes are on the spread of COVID-19, both in the U.S. and globally. Unfortunately, as the world focuses on public health and economic uncertainty, cyber criminals see opportunities for exploitation.
This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.
The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.
Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency. These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.
The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
On January 1, 2020, the California Consumer Privacy Act (CCPA) becomes operative. As we reported last month, the California Attorney General (AG) released long-awaited draft regulations to the CCPA. This is the third installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses the key regulations on business verification of requests made by consumers and the non-discrimination provision of the CCPA.
As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”
As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.
On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.
Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance). The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.
Earlier this month, YouTube and its parent company, Google, entered into a record $170 million proposed settlement to resolve allegations brought by the Federal Trade Commission (FTC) and the New York Attorney General (NYAG) under the federal Children’s Online Privacy Protection Act (COPPA). According to the complaint in the case, YouTube collected personal information on video channels directed to children without parental consent using persistent identifiers that can track individuals across the Internet. This is the largest penalty to date in a COPPA enforcement action.
As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020. The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents.
SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements
It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.