Categories & Search

A Cautionary Tale: UK Intelligence Data Found on Thumb Drive in London Street

Not all cybersecurity risks are the stuff of super-secret code hacks or high-tech digital attacks. One of the biggest culprits: off-the-shelf thumb drives (also known as flash drives or memory sticks) that you can purchase online, at Walmart or at your local office supply shop. Lightweight and small enough to fit in your pocket, thumb drives can store massive amounts of data.

Go

The Supreme Court Punts on Clarifying the Computer Fraud and Abuse Act

The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application.  The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.”  Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.

Go

Justice Department Accuses Google of “Alarming” Tactics in Fight over SCA Search Warrant

The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist.  Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.”  The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).

Go

Equifax Mea Culpa: Too Little, Too Late?

Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.

In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.

Go

California Court Weighs in on the FTC’s Data Security Enforcement Authority

Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices.  The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.

Go

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

Equifax Week Two: It Keeps Getting Worse

The drumbeat of bad news continues for credit monitoring agency Equifax Inc., after its disclosure on September 7th of a massive data breach – compromising Social Security numbers, dates of birth and other personally identifiable information – that might affect as many as 143 million Americans.

    Go

    After Equifax: What Should the Public Do?

    As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?

    Go

    Equifax Hack: The Morning After

    Within hours after Equifax disclosed that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon.

    Go

    Aetna and its Vendor Face Class Action Lawsuit over HIV Disclosure

    A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.

    Go

    Healthcare Insurer Rebuked for Exposing Policyholders’ HIV Status

    Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.

    Go

    8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies

    In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

    Go

    Deadline to Meet DFS Cyber Regulation Is Monday

    Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

    Go

    Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA

    Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement.  More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant.  Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.

    Go

    SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative

    Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.”  A copy of the summary is available here.  This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.

    Go

    DFS Cyber Regulation Countdown: Who Should Certify Compliance?

    Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

    Go

    Hackers Target the Bottom Line: Business Operations and Earnings

    Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

    Go

    Follow the Money and Beware the Extra “L”: First Department Sustains Claims against Fund Administrator After Hackers Grab Millions

    A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds.  And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.  

    Go

    ABA Panel on “Cybersecurity for Law Firms: Does Size Matter?”

    In conjunction with the American Bar Association’s Annual Meeting in New York next month, the ABA will feature a panel on “Cybersecurity for Law Firms: Does Size Matter?” The panel will discuss current cybersecurity threats facing law firms of all sizes, and will include perspectives from the U.S. Department of Justice, a forensics firm, and in-house counsel at a professional liability insurer.

    Go

    DFS Cyber Compliance Nightmare?

    Detailed survey results indicate compliance is far from reach

    New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017.  But is the financial industry ready and equipped to comply with this detailed regulation?  According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

    Go

    DFS Issues Additional Guidance for Cyber Regulation Compliance

    New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

    Go

    When Health Data Goes Missing: Largest Reported Ransomware Attack

    In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.

    Go

    11th Circuit Hears Oral Argument in LabMD Case

    Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

    For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

    Go

    A question of harm: LabMD to face off with FTC at 11th Circuit

    In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

    Go

    NYS Cyber Regulation Countdown: Continuous Monitoring

    In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

    In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

    Go

    DFS Cyber Compliance Nightmare?

    New survey reports less than half of financial firms will meet deadline

    A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

    Go

    NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?

    In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

    Go

    Ninety Days and Counting: NY Cyber Regulation’s First Deadline

    Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

    Go

    The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division

    Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

    Go

    SEC Warns of Ransomware Attacks

    The U.S. Securities and Exchange Commission is asking broker-dealers, investment advisers and funds to redouble their cybersecurity efforts in wake of the global cyber-attack of the WannaCry virus that has spread to more than 150 countries, disrupting critical sectors of the world economy – from transportations systems to healthcare.

    Go