Category: In the News

A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen.  In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations.  Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws.  Three House Representatives pointed to the breach as a reminder as to why there needs to be a national privacy and data security law.  One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers.  New York is no stranger to this field.  The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries.  The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents.  And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.

As we previously described and as reflected in the rapidly increasing number of cyber-attacks since its start, the COVID-19 pandemic has triggered a shift in working practices that hackers and other bad actors are using to their advantage.  Recent studies show a 273% percent rise in large-scale data breaches in the first quarter of 2020, compared to prior-year statistics, and a 109% year-over-year increase in ransomware attacks in the United States through the first half of 2020.  This post will focus specifically on ransomware attacks targeting researchers working on a COVID-19 vaccine and how these attacks have evolved since the start of the pandemic.

Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine. 

Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.

The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach.  As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act.  If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.

The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws.  Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.

The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”

To read the full article, click here.

With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.”  In the first installment, we looked at DOJ’s recommendations for preparedness.  Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.

The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.

Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.

Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.

Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas.  MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack. 

Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.

In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”

The LabMD data security case is anything but dull.  An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.

An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v Microsoft, which is pending before the Supreme Court:  should the U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative action is necessary to properly govern “the vast stores of electronic data that move seamlessly across international borders.”

Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.