A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.
In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.
Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.
We previously posted about a case before the New York Court of Appeals that concerned whether Facebook has the legal standing to challenge search warrants seeking its users’ data. In April, the court sided with the Manhattan District Attorney’s office and rejected Facebook’s challenge. The three opinions by the judges—particularly the concurrence by Judge Jenny Rivera—provide insight into this evolving area of law.
The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.
The National Association of Insurance Commissioner’s (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver.
Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants
The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”
While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site—without sufficient safeguards—may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.
Does Facebook Have the Right to Challenge Search Warrants Seeking Facebook Users’ Data? New York’s Highest Court Hears Argument
Facebook is the latest social media giant to push back on law enforcement efforts to seek user information. On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data. The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.
The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
Today, the U.S. Court of Appeals for the Eighth Circuit vacated the class action settlement between Target Corp. and consumers whose card data was compromised in the company’s 2013 data breach.
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders. The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.
Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage. According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.
Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.
The transition of power from President Barack Obama to President-Elect Donald Trump is underway. Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.
The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers. The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.” The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102.
The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday. In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.
This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.
Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. The breach has been reported as the largest for a hospital in 2016.
Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.
When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer
Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts. Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
On July 21st, Patterson Belknap and Berkeley Research Group hosted a Practising Law Institute (PLI) briefing on law firm cybersecurity.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach. And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today. At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.
Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins. The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.
Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company. Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.
A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.
When it comes to buying cyber insurance, businesses might be right in taking comfort that they have mitigated the financial risks that come with a data breach. Just not all of them.
Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.
For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate. Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade
The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely-watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses — whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day.
Many organizations, particularly those outside of the technology sector, rely heavily on third-parties—including cyber security specialists, lawyers, and public relations firms—to help pick up the pieces after a data breach. But what happens when a third-party vendor doesn’t fix the problem?
The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.
The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning
Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when. And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.
- Page 2 of 3