In a consent order with financial regulators from eight states, Equifax Inc. yesterday agreed to put in place a number of basic data security safeguards – apparently lacking until now – to prevent another massive breach. The order lists specific actions that Equifax must take to improve its data security environment including conducting a comprehensive risk assessment that considers “foreseeable threats and vulnerabilities” to sensitive information and the way the company plans on defending against those threats.
Healthcare organizations take note: not following your own data security rules can be costly, very costly. And the more time it takes to comply, the faster the fines stack up.
Patterson Belknap lawyers Craig A. Newman and George S. Soussou edited and contributed to the first Bloomberg Law Domestic Privacy Profile: New York. This comprehensive guide provides an overview of applicable laws and regulations, regulatory authorities and enforcement, risk management, and emerging issues and outlook for privacy and data security in New York state. Newman is a litigation partner and chairs the firm’s privacy and data security practice. Soussou is an associate in the firm’s litigation group.
To view the publication, please click here.
Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.
More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.
A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now dolling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?
In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.
It didn’t take long for New York’s interim Attorney General to send a strong message to the business community about the importance of data security.
In a press release yesterday, interim New York Attorney General Barbara Underwood threw her support behind New York’s proposed SHIELD Act – Stop Hacks and Improve Electronic Data Security – which was introduced late last year and imposes data security safeguard requirements on businesses that hold sensitive information of New York residents.
The concert and event ticketing company, Ticketfly, is working to get its systems back online after a cyber-attack last week. Ticketfly has confirmed the hack but has released little information.
A federal judge in New York has dismissed LabMD’s lawsuit against a former United States Attorney – which charged her with ethics violations and engaging in a cover-up over her role in an U.S. Federal Trade Commission data security enforcement action – on jurisdictional grounds.
For thousands of financial institutions and insurance companies covered by New York DFS’s sweeping data security regulation, the countdown to yet another deadline has begun. Those companies will remember last August, when DFS’s first transition period ended, and the same companies know that they had to first certify their compliance with the regulation to DFS only months ago, in February.
In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”
Many believe that blockchain technology will revolutionize the way humans interact, in business and beyond. Though cryptocurrency is the topic du jour, blockchains can do much more than just enable digital currencies: they can be used to transform the way we store and manage many kinds of data, from real property and voting records to intellectual property licenses and medical information, and more. If blockchain is mainstreamed, courts will inevitably be faced with disputes arising out of the differences between blockchain and current methods of managing transactional data.
Professional athletes, teams, and leagues have embraced wearable technology. But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.
The insurance industries in South Carolina and Rhode Island may soon be required to adopt formal data security safeguards, a movement sparked by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The model law, which NAIC adopted in October 2017, establishes minimum standards for data security applicable to insurance providers. It is part of a growing body of state-level cybersecurity legislation, including the New York State Department of Financial Services regulation issued in March 2017. We blogged about the model law back in January.
Legendary investor Warren Buffett’s portfolio won’t be scooping up shares of insurers that underwrite cyber insurance.
At Berkshire Hathaway’s 2018 Annual Shareholders Meeting over the weekend, Buffett called cyber “unchartered territory” and said the fall-out and business risks from cyber-attacks are “going to get worse, not better.”
The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.
The U.S. Securities and Exchange Commission’s $35 million settlement announced this week over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.
The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation. Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.
An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.
This morning, the long-running dispute between Microsoft Corp. and the U.S. government regarding data stored abroad was resolved by the United States Supreme Court. As we’ve previously discussed, the case posed the question: must U.S. companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand data stored in a foreign country? Today, the Supreme Court concluded that newly enacted legislation had effectively ended the case, making the Court’s involvement unnecessary.
The New York Times Features Article by Craig Newman: “A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem”
On April 11, 2018, The New York Times featured an article written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem.” Mr. Newman proposes a cybersecurity grading system as a next step to help solve the lack of information about the data security practices of businesses. A new grading system should answer basic questions such as, "Are companies on top of data security, and if hacked, do they know how to reduce the impact?"
To read the full article, click here.
Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR).
Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot. The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant. The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.
We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.
On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.
But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.
In this occasional series, the chair of Patterson Belknap’s privacy and data security group, Craig A. Newman, interviews thought leaders – from both the public and private sectors – about the growing threat of cyber-attacks in the U.S. and abroad. In our first installment, we had the privilege of interviewing Glenn S. Gerstell, General Counsel of the National Security Agency, about the agency’s cybersecurity role and priorities. As one of our nation’s preeminent intelligence agencies, the NSA helps protect and defend U.S. systems that contain classified information or are critical to the U.S. military or intelligence functions.
Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.
The Equifax hack has taken another twist – one that raises questions that every public company should consider.
Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).
Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.
With the U.S. Securities and Exchange Commission’s updated cybersecurity guidance hot off the press, let’s start the week by taking a look at public company cyberattack reporting statistics.
Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million of expenses, and that number is now expected to grow to $439 million by the end of 2018, making this, potentially, the most expensive reported data breach to date.
Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.
On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v Microsoft, which is pending before the Supreme Court: should the U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative action is necessary to properly govern “the vast stores of electronic data that move seamlessly across international borders.”
Shareholders may have found a new hook for data security lawsuits.
Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.
Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.
Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.
On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students. And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.
At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach.
More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification
In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.
Insurers: Are You Ready for More Cybersecurity Regulation? The National Association of Insurance Commissioners Model Law
At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish standards for data security and investigation and notification of data security applicable to insurance providers.”
For the several thousand financial institutions and insurance companies covered by New York’s landmark data security regulation, the first certification of compliance must be filed with the State’s Department of Financial Services in less than a month.
Excellus Court Reverses Prior Decision: Risk of Future Identity Theft Suffices to Convey Standing in Data Breach Case
A federal judge in New York has reinstated claims brought against a healthcare provider by customers whose personal information was exposed in the 2015 data breach of Excellus BlueCross Blue Shield. The breach affected the information of as many as 10.5 million individuals.
It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.
On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.
In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.
The fight over the privacy of electronic communications and the government’s ability to reach emails stored abroad in criminal investigations has finally moved to the U.S. Supreme Court.
New York State regulators won’t be letting Equifax, Inc. off-the-hook any time soon for last year’s massive data breach that affected more than 145 million Americans.
Cybersecurity will remain at the top of New York State’s regulatory agenda this year.
The Justice Department is changing its approach to collecting data stored in the cloud.
- Page 2 of 7