Categories & Search

Category: In the News

The Warning Behind the Numbers: New York’s 2017 Data Breach Report

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Go

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).

Go

DFS Issues Compliance Certificate “Reminder”

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

Go

Facebook Loses Second Attempt to Dismiss Biometric Data Class Action

Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.

Go

The New York Times Features Op-Ed by Craig Newman: “Can the United States Search Data Overseas?”

On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v Microsoft, which is pending before the Supreme Court:  should the U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative action is necessary to properly govern “the vast stores of electronic data that move seamlessly across international borders.”

Go

The DFS Effect: Cyber Meets Sarbanes Oxley

Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.

Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.

Go

Education Department Toughens Tone on Cyber and Threatens to Pull Funding for Non-Compliance

Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.

Go

“Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach

On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”

Go

A (Secondary) Education in Data Security

On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students.  And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.

Go

A Teachable Moment: Hospital Goes Public after Making Ransom Payment

It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.

Go

Federal Appeals Court Slams Data Breach Privilege Claim

In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.

Go

Equifax Must Turn Over NY Breach Data This Week

New York State regulators won’t be letting Equifax, Inc. off-the-hook any time soon for last year’s massive data breach that affected more than 145 million Americans.

Go

Avatars, Facial Scans & Virtual Basketball: Second Circuit Tosses Biometric Privacy Case

A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.

Go

CNN Features Op-Ed by Craig Newman: “Why the world needs a NATO for cyberwarfare”

On Wednesday, December 6, CNN featured an op-ed written by Craig Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Why the world needs a NATO for cyberwarfare”. Mr. Newman discusses the increasing number of digital assaults against private industries and governments, and notes that society is still in a state of denial about the prospects of a global cyber showdown. He argues that the United States should be leading the international community in addressing cyberattacks through existing worldwide organizations by creating a cybersecurity version of NATO.

To read the full article, please click here.

Go

Inside the Stanford Breach: Sexual Assault, Disciplinary and Financial Data Exposed

A series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened—and why it should be an object lesson for higher education. A special three-part blog series.

Go

Uber Breach

Uber Technologies, Inc., the latest victim of a high-profile data theft, is taking heat for its handling of the 2016 incident – first disclosed last week – in which account information for 57 million riders worldwide was stolen.  The theft was made public in a blog post written by the company’s new chief executive officer Dara Khosrowshahi.

Go

A Cautionary Tale: UK Intelligence Data Found on Thumb Drive in London Street

Not all cybersecurity risks are the stuff of super-secret code hacks or high-tech digital attacks. One of the biggest culprits: off-the-shelf thumb drives (also known as flash drives or memory sticks) that you can purchase online, at Walmart or at your local office supply shop. Lightweight and small enough to fit in your pocket, thumb drives can store massive amounts of data.

Go

Equifax Mea Culpa: Too Little, Too Late?

Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.

In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.

Go

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

Equifax Week Two: It Keeps Getting Worse

The drumbeat of bad news continues for credit monitoring agency Equifax Inc., after its disclosure on September 7th of a massive data breach – compromising Social Security numbers, dates of birth and other personally identifiable information – that might affect as many as 143 million Americans.

    Go

    After Equifax: What Should the Public Do?

    As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?

    Go

    Equifax Hack: The Morning After

    Within hours after Equifax disclosed that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon.

    Go

    Aetna and its Vendor Face Class Action Lawsuit over HIV Disclosure

    A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.

    Go

    Healthcare Insurer Rebuked for Exposing Policyholders’ HIV Status

    Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.

    Go

    8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies

    In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

    Go