Category: Marketing & Consumer Privacy
Cyber Briefing: Second "Envelope" Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing
As we head into the new week, here’s a quick summary of major data security developments from around the country.
A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.
Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.
Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA
Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement. More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant. Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.
Another Rematch Between Tech Companies and the Government over the Territorial Reach of the Stored Communications Act
Lawyers for the tech community are gearing up for argument next month in the U.S. District Court in San Francisco, seeking to overturn another magistrate’s order that requires digital information stored outside of the U.S. to be turned over in response to a U.S. search warrant.
The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.
In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.
In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
We previously posted about a case before the New York Court of Appeals that concerned whether Facebook has the legal standing to challenge search warrants seeking its users’ data. In April, the court sided with the Manhattan District Attorney’s office and rejected Facebook’s challenge. The three opinions by the judges—particularly the concurrence by Judge Jenny Rivera—provide insight into this evolving area of law.
Does Facebook Have the Right to Challenge Search Warrants Seeking Facebook Users’ Data? New York’s Highest Court Hears Argument
Facebook is the latest social media giant to push back on law enforcement efforts to seek user information. On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data. The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.
This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.
Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. The breach has been reported as the largest for a hospital in 2016.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins. The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.
The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company. Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.
When it comes to buying cyber insurance, businesses might be right in taking comfort that they have mitigated the financial risks that come with a data breach. Just not all of them.
Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.
After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.
At a panel during last week’s Consumer Electronics Show in Las Vegas, Edith Ramirez, chair of the Federal Trade Commission – America’s top privacy regulator – said she would not wear a Fitbit personal fitness tracker. “I don’t want my sensitive health information being shared,” she explained. And as it happens, Fitbit suffered a hack the same week. Meanwhile, U.S. healthcare regulators have recently been promoting policies that promise to aggregate and render more accessible the health data of millions – whether that data comes from consumers using personal health devices like Fitbit or patient visits to doctors or hospitals.
The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.
On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers. The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.
In a significant development, the FTC announced today that LifeLock, the identity theft protection company, has agreed to settle the FTC contempt charges against it for $100 million. This is the largest monetary award the FTC has ever obtained in an order enforcement action.
Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security
In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010. After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.
In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday. In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.
Reacting to the influx of recent, high-profile data breaches and cybersecurity attacks in the government and the private sector, the U.S. Senate earlier this week passed the controversial Cybersecurity Information Security Act of 2015 (“CISA”), S. 754. The bill, which came after more than four years of handwringing and debate, received bipartisan support and passed by an overwhelming majority vote of 74 to 21.
The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.
Following yesterday’s news that Experian Plc, the world’s largest consumer credit monitoring firm, suffered a massive data breach, exposing the personal information of some 15 million people, the post-breach fall out has already started. The Connecticut Attorney General’s office has announced that is launching an investigation into the breach.
Spokeo, Inc. v. Robins—which involves the question of whether Congress, by authorizing a private right of action based on a violation of a federal statute, can confer Article III standing upon a plaintiff who has suffered no concrete harm—is one of the most eagerly anticipated decisions from the Supreme Court’s October 2015 term. The petitioner’s and respondent’s primary briefing have now been filed with the Court, offering a glimpse into the arguments that we will see at oral argument in the fall. Significantly, in their briefing, Spokeo and Robins both emphasize the potential impact of this decision not only for the future of privacy and data-breach litigation, but also for the scope of the federal courts’ Article III jurisdiction in general.
Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses. The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.
In recent weeks, there have been several developments in some of the major data security class action suits.
In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case. During the argument, the Court acknowledged that the “implications of its ruling would be broad.”
With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.
We are pleased to announce the launch of Data Security Law Blog, Patterson Belknap’s newest resource for the latest news, analysis and thought leadership in the critical area of privacy and cybersecurity law.
In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies which fail to take adequate steps to protect customer data.
In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards. After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.” The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices. On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.
This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act. Since 2005, the FTC has settled 53 cases against companies related to data security. Wyndham is one of two companies to challenge the FTC’s authority in this area. The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.