Categories & Search

Industry: Consumer Products

COVID-19 Cyber Risks Continue to Grow

As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.

Go

Privacy Suits Against Zoom and Houseparty Test the CCPA’s Private Right of Action

Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.

Go

Court Approves Historic Equifax Data Breach Settlement

The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach.  As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

Go

CCPA Update: California Attorney General Releases Proposed Regulations

On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations.  The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages. 

Go

Amendments to the California Consumer Privacy Act: Six Clarifications

As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020.  The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents. 

Go

New York’s SHIELD Act Heads to the Governor’s Desk

The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws.  Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

Go

GAO Backs “Comprehensive” Privacy Legislation

A recent report by the Government Accountability Office (GAO) is recommending that Congress adopt comprehensive federal data privacy legislation. The GAO’s proposal is, in part, meant to address limitations of the current privacy regulatory landscape, which is mostly piecemeal, industry-specific regulation at both the federal and state levels. The GAO’s 56-page report follows more than a year of interviews with officials from various federal agencies that have taken active roles in data security issues, including the Federal Trade Commission (FTC), Federal Communications Commission, and the Consumer Financial Protection Bureau, as well as stakeholders from industry and academia.

Go

State Attorney General Starts Rulemaking Process for California Consumer Privacy Act

Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA).  The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.

Go

Part 2: More from DOJ on Cyber Investigations and Breach Preparedness

This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.”  In the first installment, we looked at DOJ’s recommendations for preparedness.  Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.

Go

Part 1: DOJ Weighs In on Cyber Investigations & Breach Preparedness

The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.

Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.

Go

Facebook Gears Up for High Stakes Biometric Trial

In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”

Go

The Tale of LabMD: New lawsuits charge ethics violations and fake data breaches

The LabMD data security case is anything but dull.  An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.

Go

Microsoft Joins Government’s Request to Render Fight over Access to Data Stored Abroad Moot

Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.  The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant.  The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.

Go

Government Urges High Court to Moot Microsoft Email Case

We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.

Go

The Warning Behind the Numbers: New York’s 2017 Data Breach Report

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Go

“Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach

On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”

Go

The Supreme Court Punts on Clarifying the Computer Fraud and Abuse Act

The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application.  The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.”  Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.

Go

Justice Department Accuses Google of “Alarming” Tactics in Fight over SCA Search Warrant

The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist.  Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.”  The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).

Go

California Court Weighs in on the FTC’s Data Security Enforcement Authority

Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices.  The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.

Go

Equifax: The Empire State Strikes Back

Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.”

Go

After Equifax: What Should the Public Do?

As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?

Go

8th Circuit Finds Standing in Data Breach Case but Dismisses on Pleading Deficiencies

In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

Go

Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA

Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement.  More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant.  Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.

Go

Hackers Target the Bottom Line: Business Operations and Earnings

Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

Go

When Health Data Goes Missing: Largest Reported Ransomware Attack

In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.

Go

A question of harm: LabMD to face off with FTC at 11th Circuit

In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

Go

The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division

Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

Go

The FTC and LabMD’s Legal Battle Gets Personal: First Amendment Claims Against FTC Lawyers Survive

The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.

Go

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

Keeping Section 5 Alive: The FTC Brings Suit Against D-Link

The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders.  The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.

Go

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

Pokémon GO Exposes Risks of Bring-Your-Own-Device (BYOD) Policies

There’s no denying it: Pokémon GO is a phenomenon. 

The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th.  In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history.  Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go