Categories & Search

Category: In the News

Equifax Mea Culpa: Too Little, Too Late?

Equifax Inc.’s interim CEO, Paulino do Rego Barros Jr., issued the company’s second public apology this morning for the massive data breach that has affected as many as 143 million U.S. consumers.

In a Wall Street Journal op-ed, Barros acknowledged the company’s ball drop in handling the breach and promised to “act quickly and forcefully to correct our mistakes.” He said the company will introduce a new service that would permit consumers to control access to their personal credit data.

Go

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

Equifax Week Two: It Keeps Getting Worse

The drumbeat of bad news continues for credit monitoring agency Equifax Inc., after its disclosure on September 7th of a massive data breach – compromising Social Security numbers, dates of birth and other personally identifiable information – that might affect as many as 143 million Americans.

    Go

    After Equifax: What Should the Public Do?

    As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?

    Go

    Equifax Hack: The Morning After

    Within hours after Equifax disclosed that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon.

    Go

    Aetna and its Vendor Face Class Action Lawsuit over HIV Disclosure

    A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.

    Go

    Healthcare Insurer Rebuked for Exposing Policyholders’ HIV Status

    Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.

    Go

    8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies

    In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

    Go

    Deadline to Meet DFS Cyber Regulation Is Monday

    Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

    Go

    SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative

    Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.”  A copy of the summary is available here.  This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.

    Go

    DFS Cyber Regulation Countdown: Who Should Certify Compliance?

    Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

    Go

    Hackers Target the Bottom Line: Business Operations and Earnings

    Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

    Go

    Follow the Money and Beware the Extra “L”: First Department Sustains Claims against Fund Administrator After Hackers Grab Millions

    A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds.  And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.  

    Go

    DFS Cyber Compliance Nightmare?

    Detailed survey results indicate compliance is far from reach

    New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017.  But is the financial industry ready and equipped to comply with this detailed regulation?  According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

    Go

    DFS Issues Additional Guidance for Cyber Regulation Compliance

    New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

    Go

    When Health Data Goes Missing: Largest Reported Ransomware Attack

    In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.

    Go

    11th Circuit Hears Oral Argument in LabMD Case

    Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

    For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

    Go

    A question of harm: LabMD to face off with FTC at 11th Circuit

    In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

    Go

    NYS Cyber Regulation Countdown: Continuous Monitoring

    In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

    In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

    Go

    DFS Cyber Compliance Nightmare?

    New survey reports less than half of financial firms will meet deadline

    A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

    Go

    NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?

    In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

    Go

    Ninety Days and Counting: NY Cyber Regulation’s First Deadline

    Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

    Go

    The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division

    Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

    Go

    The Tanium Affair Reminds Us That Cybersecurity Risks Are Everywhere

    The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations.  Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked.  Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website.  All of this was without El Camino’s permission.

    Go

    Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

    Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state. 

    Go

    Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants

    The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”

    Go

    Final DFS Cybersecurity Regulation Issued

    New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

    Go

    Third Circuit Finds FCRA Violation Alone Confers Standing for Data Breach Suit

    The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach.  The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself.  This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.

    Go