Category: Employment/Workplace Privacy
The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Professional athletes, teams, and leagues have embraced wearable technology. But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.
A data breach of the National Football League Players Association’s (“NFLPA”) website has exposed the personal information of nearly 1,200 players and agents.
The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.
In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.
Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers. The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.” The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102.
When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer
Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts. Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.
There’s no denying it: Pokémon GO is a phenomenon.
The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th. In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history. Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.
In April 2016, the sensitive personal medical information of NFL players was stolen from the car of a trainer who had left the files in a backpack in his locked car. In 2014, Safeway, Inc. settled charges brought by the State of California stemming from an investigation concerning the improper disposal of hard copies of customer information. In 2014, an insurance company was exposed when maintenance workers who were supposed to move four boxes of member records between floors, instead threw them out. In 2011, sensitive information regarding an NYPD task force was found in a Manhattan trash can.
For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.
A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.
Following yesterday’s news that Experian Plc, the world’s largest consumer credit monitoring firm, suffered a massive data breach, exposing the personal information of some 15 million people, the post-breach fall out has already started. The Connecticut Attorney General’s office has announced that is launching an investigation into the breach.
We are pleased to announce the launch of Data Security Law Blog, Patterson Belknap’s newest resource for the latest news, analysis and thought leadership in the critical area of privacy and cybersecurity law.