Category: Marketing & Consumer Privacy
A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen. In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations. Two of them include alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws. Three House Representatives pointed to the breach as a reminder of why there needs to be a national privacy and data security law. One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.
Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses. The new law goes into effect July 9, meaning applicable businesses have a couple more weeks to prepare themselves for its requirements. Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions.
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
The aftermath of one of the largest data breaches in U.S. history is nearing its end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance). The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.
This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act. If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.
It’s been a tough week for the healthcare industry.
Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.
The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.
In a ruling with widespread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without disclosing how such information will be used.
A federal appeals court is giving Google and the Justice Department more time to work out their differences in a standoff over whether the tech giant must hand over customer emails stored outside of the United States.
Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.
The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.
Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot. The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant. The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.
We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.
Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.
The fight over the privacy of electronic communications and the government’s ability to reach emails stored abroad in criminal investigations has finally moved to the U.S. Supreme Court.
A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.
Court Rejects DOJ’s Depiction of Google as “Willful and Contemptuous” Tactics in Ongoing Battle over SCA Search Warrant
A federal judge in California has agreed to hold Google in contempt for not following his order to turn over data stored overseas. The order is largely symbolic, however, since a contempt order is required for Google to appeal the ruling.
The Supreme Court is poised to finally answer the question that’s been plaguing federal courts across the country: must U.S. tech companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand information from customer accounts that is stored on servers in a foreign country?
The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist. Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.” The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).
Cyber Briefing: Second "Envelope" Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing
As we head into the new week, here’s a quick summary of major data security developments from around the country.
A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication.
Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing.
Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA
Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement. More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant. Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.
Another Rematch Between Tech Companies and the Government over the Territorial Reach of the Stored Communications Act
Lawyers for the tech community are gearing up for argument next month in the U.S. District Court in San Francisco, seeking to overturn another magistrate’s order that requires digital information stored outside of the U.S. to be turned over in response to a U.S. search warrant.
The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action.
In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.
In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.
We previously posted about a case before the New York Court of Appeals that concerned whether Facebook has the legal standing to challenge search warrants seeking its users’ data. In April, the court sided with the Manhattan District Attorney’s office and rejected Facebook’s challenge. The three opinions by the judges—particularly the concurrence by Judge Jenny Rivera—provide insight into this evolving area of law.
Does Facebook Have the Right to Challenge Search Warrants Seeking Facebook Users’ Data? New York’s Highest Court Hears Argument
Facebook is the latest social media giant to push back on law enforcement efforts to seek user information. On Tuesday, the New York Court of Appeals heard oral argument in a case focusing on whether Facebook has the right—or legal standing—to challenge bulk search warrants issued by the Manhattan District Attorney’s office for its users' data. The case is In re 381 Search Warrants Directed to Facebook, Inc. and Dated July 23, 2013.
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.
This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.
Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. The breach has been reported as the largest for a hospital in 2016.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins. The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.
The Federal Trade Commission will host a one-day conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title, Start with Security: A Guide for Business, released last June.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company. Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.
When it comes to buying cyber insurance, businesses might be right in taking comfort that they have mitigated the financial risks that come with a data breach. Just not all of them.
Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.
After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.