New York is emerging as the nation’s de facto top data security regulator.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.
Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.
Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security
In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010. After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.
More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification
In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.
The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.
Second in a two-part series.
Last week, in the first part of this series, we examined several key aspects of New York’s proposed data security law, Stop Hacks and Improve Data Security Act or SHIELD Act. In our second and final installment, we discuss three additional aspects of the proposed law.
California is leading the pack. Once again.
On Friday, Governor Jerry Brown signed into law SB 327, the first- ever state legislation aimed at governing Internet of Things (IoT) devices.
A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.
The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders. The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.
First in a two-part series.
As we reported last week, New York Attorney General Eric T. Schneiderman has introduced a bill aimed at protecting New Yorkers from data breaches.
Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants
The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”
On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service. The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices. The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.
In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday. In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.
The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.
Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.
Last month’s terror attacks in Paris have re-ignited the long-standing debate between national security and privacy advocates over whether technology companies should be required to provide the government special access to encrypted communications that travel on the internet, such as instant messages.
In this occasional series, the chair of Patterson Belknap’s privacy and data security group, Craig A. Newman, interviews thought leaders – from both the public and private sectors – about the growing threat of cyber-attacks in the U.S. and abroad. In our first installment, we had the privilege of interviewing Glenn S. Gerstell, General Counsel of the National Security Agency, about the agency’s cybersecurity role and priorities. As one of our nation’s preeminent intelligence agencies, the NSA helps protect and defend U.S. systems that contain classified information or are critical to the U.S. military or intelligence functions.
The transition of power from President Barack Obama to President-Elect Donald Trump is underway. Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.
Cyber Briefing: Second "Envelope" Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing
As we head into the new week, here’s a quick summary of major data security developments from around the country.
The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
Hackers have managed to break into the accounts of 100 sellers at Amazon.com. The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident.
Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements
From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement action. In what may be a sign of things to come, the Department of Health and Human Services (DHHS) is scrutinizing both “covered entities” and “business associates” under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
A recent study asked high net worth investors which of the following issues they were most concerned about: terrorism, data security, or a major illness. The most prevalent response might surprise you. Seventy-two percent of the investors surveyed ranked data security as their top concern, followed by terrorism and then a major illness.
In response to the COVID-19 pandemic, on March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a notification of enforcement discretion, announcing that it would not impose civil penalties for HIPAA violations “against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the “Notification”). The Notification is important because, ordinarily, providing telehealth services does not modify a covered entity’s obligations under HIPAA. If a covered entity’s provision of telehealth services involves protected health information (“PHI”), that entity must meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to in-person health services. OCR’s Notification is clear that “this exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” The Notification supplements an earlier OCR bulletin detailing the application of the HIPAA Privacy Rule during an outbreak of infectious disease.
Recent Developments in the State Data-Privacy Landscape: Is Federal Involvement the Best Way Forward?
With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus. Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located. That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years. It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.
Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.
A legal battle is now underway over liability for the shooting and the first ever legal test of a little known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.
Court Rejects DOJ’s Depiction of Google as “Willful and Contemptuous” Tactics in Ongoing Battle over SCA Search Warrant
A federal judge in California has agreed to hold Google in contempt for not following his order to turn over data stored overseas. The order is largely symbolic, however, since a contempt order is required for Google to appeal the ruling.
The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist. Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.” The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).
In recent weeks, there have been several developments in some of the major data security class action suits.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.
Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.
These days, data breaches and cybersecurity attacks abound. With each news cycle, we’re confronted with stories about yet another big breach, at another big company, with the potential exposure of another big pool of individuals’ private personal information. Given the current threats to data privacy and cybersecurity, it’s no wonder that many companies—large and small—are taking proactive measures to guard against a data breach.
The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.
The FBI is warning the healthcare sector of a new cyber threat. In a Notification issued last week, the FBI said that it is “aware of criminal actors who are actively targeting” protected healthcare information (“PHI”) and other personally identifiable information (“PII”) from medical facilities “to intimidate, harass, and blackmail business owners.”
In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case. During the argument, the Court acknowledged that the “implications of its ruling would be broad.”
A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses. The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.
Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.
The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.
Today, the U.S. Court of Appeals for the Eighth Circuit vacated the class action settlement between Target Corp. and consumers whose card data was compromised in the company’s 2013 data breach.
On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
A series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened—and why it should be an object lesson for higher education. A special three-part blog series.