Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine.
The Zoom videoconferencing platform has been a constant fixture in recent news as the coronavirus pandemic has caused businesses around the world to flock to it, exposing significant cybersecurity and privacy concerns. These concerns drew the attention of the New York State Attorney General’s Office (“NYAG”), which initiated an investigation into the company’s cybersecurity practices in March, following a massive surge in use. The NYAG’s investigation came to a conclusion on May 7, 2020, when it reached a settlement with Zoom that will require Zoom, among other things, to enhance its practices around cybersecurity and data privacy.
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.
On March 21, 2020—just as the COVID-19 crisis began upending our way of life—New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect fully. The SHIELD Act, which amends New York’s 2005 breach notification law to “keep pace with current technology,” was signed into law on July 25, 2019 by Governor Andrew Cuomo. The first phase of the Act went into effect in October 2019, and its second phase took effect last month.
We have previously written about the thorny questions surrounding the Computer Fraud and Abuse Act (“CFAA”), including how its ambiguous language concerning what computer use is “authorized” has divided the Circuits and how its provisions are, and are not, applied by prosecutors in practice. The Supreme Court declined to address the circuit split in 2017, but yesterday the Court granted cert in Van Buren v. United States to squarely resolve the issue.
Governmental Organizations Across the Globe Warn of Enhanced Cyber Threat Environment Related to COVID-19
In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.
As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day. As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene. As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.
In response to the COVID-19 pandemic, on March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a notification of enforcement discretion, announcing that it would not impose civil penalties for HIPAA violations “against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the “Notification”). The Notification is important because, ordinarily, providing telehealth services does not modify a covered entity’s obligations under HIPAA. If a covered entity’s provision of telehealth services involves protected health information (“PHI”), that entity must meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to in-person health services. OCR’s Notification is clear that “this exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” The Notification supplements an earlier OCR bulletin detailing the application of the HIPAA Privacy Rule during an outbreak of infectious disease.
Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.
On March 17, 2020, a group of thirty-two trade associations and two corporations formally requested that the California Attorney General (AG) delay enforcement of the California Consumer Privacy Act (CCPA) until January 2, 2021, due to the ongoing COVID-19 pandemic. The trade associations represent leading companies in a wide range of industries, including healthcare and pharmaceuticals, transportation, logistics, advertising, insurance, entertainment, real estate, banking and finance, and technology.
In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation. The annual certification is now due on June 1.
In recent years, cyber-attacks have continued to increase in number and scope, with businesses facing ever-growing threats from ransomware, distributed denial-of-service attacks, and phishing schemes. Ransomware attacks alone saw a 41 percent increase in 2019 from 2018, with more than 200,000 organizations and city governments suffering attacks. Today, all eyes are on the spread of COVID-19, both in the U.S. and globally. Unfortunately, as the world focuses on public health and economic uncertainty, cyber criminals see opportunities for exploitation.
This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.
The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.
Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency. These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.
The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
On January 1, 2020, the California Consumer Privacy Act (CCPA) becomes operative. As we reported last month, the California Attorney General (AG) released long-awaited draft regulations to the CCPA. This is the third installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses the key regulations on business verification of requests made by consumers and the non-discrimination provision of the CCPA.
As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”
As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.
On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.
Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance). The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.
Earlier this month, YouTube and its parent company, Google, entered into a record $170 million proposed settlement to resolve allegations brought by the Federal Trade Commission (FTC) and the New York Attorney General (NYAG) under the federal Children’s Online Privacy Protection Act (COPPA). According to the complaint in the case, YouTube collected personal information on video channels directed to children without parental consent using persistent identifiers that can track individuals across the Internet. This is the largest penalty to date in a COPPA enforcement action.
As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020. The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents.
SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements
It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.
This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act. If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.
On August 28, 2019, almost a month after Paige A. Thompson was arrested based on allegations that she hacked into servers rented by Capital One Financial Corporation, a criminal indictment was returned charging her with one count each of computer and wire fraud, as well as forfeiture allegations. The indictment includes new allegations that, in addition to hacking Capital One’s data, Thompson illegally accessed and copied data from more than 30 different entities that rented or contracted servers at an unnamed cloud-computing company at which she previously worked. The indictment provides additional details concerning Thompson’s hacking scheme. According to the indictment, Thompson used devices that allowed her to scan servers rented or contracted by Capital One and other entities at the cloud-computing company. From the scans, Thompson was able to identify servers that had firewall misconfigurations, which she then exploited to obtain security credentials that allowed her to access and copy the entities’ data. In addition to copying the data, Thompson also used the stolen computing power of the servers to mine cryptocurrency—in a scheme colloquially known as “cryptojacking.”
On May 6, 2019, Magistrate Judge Gorenstein issued an order that should be a wake-up call for attorneys contemplating hiring and sharing privileged communications with an outside public relations firm. This decision also has wider implications, especially for companies engaging a forensic consultant to assist in responding to a cyber incident or data breach.
The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).
Last Thursday, Governor Cuomo signed New York’s latest data security bill – the Stop Hacks and Improve Electronic Data Security, or “SHIELD” Act. The Act, which we have followed on this blog since November 2017, imposes new notification obligations on businesses managing private data when a security breach occurs. Capital One’s recent breach underscores the significance of the changing regulatory landscape, as both businesses and the government attempt to navigate and protect against large-scale cybersecurity attacks, and the importance of understanding notification obligations, should those efforts fail.
Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.
The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.
The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws. Given Governor Cuomo’s previous support for robust cybersecurity protection, New York may soon join a growing number of states beefing up their notification statutes.
As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism. As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful tool in litigation even when the Act does not itself apply.
Patterson Belknap Webb & Tyler LLP is deeply saddened to announce the passing of our partner and friend Craig A. Newman, the founding editor of the Data Security Law Blog. Craig was a litigation partner with Patterson Belknap from 2015 to 2019 and served as chair of the Firm’s Privacy & Data Security practice. He was a source of wisdom, warmth and humor, and will be missed. More information can be found on the Firm’s website here.
It’s been a tough week for the healthcare industry.
Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.
Illinois is set to become the 29th state that will require data breaches affecting more than 500 residents to be reported to the state’s attorney general.
Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….”
Hackers have managed to break into the accounts of 100 sellers at Amazon.com. The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident.
Last week President Trump issued an executive order targeted at improving the quality of the federal government’s cybersecurity workforce. The executive order—which acknowledges the shortage of qualified employees for cybersecurity jobs—would implement a number of steps to strengthen and expand cyber knowledge within the federal government.
The FBI’s Internet Crime Complaint Center, better known as IC3, released its 2018 Internet Crimes Report. For those unfamiliar with the IC3, it was established by the FBI in May 2000 as a central repository for public complaints of internet-based crimes. Since its inception, IC3 has received more than 4 million complaints. To facilitate law enforcement efforts and promote public awareness, IC3 analyzes the complaints it receives and disseminates information to the public and law enforcement. Among other things, it identifies trending scams, refers scams that do not meet federal law enforcement thresholds to state and local law enforcement, and provides victim services. New in 2018, IC3 created the Recovery Asset Team to help victims of internet-facilitated schemes recover funds and the Victim Specialist-Internet Crime position to provide crisis intervention, needs assessments, and referrals.
In its first official statement about the CLOUD Act – the Clarifying Lawful Overseas Use of Data Act – the U.S. Department of Justice has published a white paper, “Promoting Public Safety, Privacy and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” discussing its view on the law enacted in March 2018. The CLOUD Act, established revised procedures for government requests for data held by technology companies outside of the U.S.
The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers.
The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.
In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.
When you think about reporting a healthcare data breach to authorities, family-owned furniture manufacturers nestled in the serenity of North Carolina aren’t exactly at the top of the list.
Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”
The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.
The nation’s top law enforcement agency is rebooting its cybercrime capabilities.
In an effort to keep up with the evolving threats against property, critical infrastructure and human life posed by cyber-attacks –especially those launched by foreign adversaries – the Federal Bureau of Investigation is seeking to reposition its priorities and fortify its capacity to fight cybercrime.
- Page 2 of 9