The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations. Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked. Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website. All of this was without El Camino’s permission.
Data Security Law BlogVisit the Full Blog
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
A recently introduced bipartisan bill seeks to provide state and local authorities with additional resources to assist in the fight against cybersecurity threats. Last month, Senators John Cornyn (R-Tex.), Patrick Leahy (D-Vt.), and Ted Cruz (R-Tex.) introduced the National Cybersecurity Preparedness Consortium Act, which would authorize the Department of Homeland Security to work with non-profit consortia to assist state and local governments with their cybersecurity preparedness and response efforts. House Representative Joaquin Castro (D-Tex.) introduced a companion bill the same day.
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.
There’s no denying it: Pokémon GO is a phenomenon.
The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th. In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history. Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.
The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.
Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins. The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.
Earlier today, President Obama issued an Executive Order creating a Commission on Enhancing National Cybersecurity within the Department of Commerce. The commission “will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.”
After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.
Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers. In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015). The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches. Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim.
Today, Target and a class of banks that issued credit cards that were compromised in the Target data breach announced they have reached a $39.4 million settlement.
Last Monday, the Supreme Court heard argument in Spokeo, Inc. v. Robins, one of this Term’s closest-watched cases, especially in the data-privacy field. While attempting to “read the tea leaves” from oral argument can be treacherous, the justices’ questions offered a fascinating window into their thinking.
Picture this: A criminal defendant is indicted for three counts related to the possession of methamphetamine, and federal prosecutors obtain a warrant for the defendant’s iPhone. But the iPhone is passcode protected, and the prosecutors can’t break the code. During their investigation, the prosecutors learn that someone has sent a command to the target phone that will cause the iPhone’s contents to be erased if the device is connected to a network and powered on. The prosecutors approach Apple and request that Apple unlock the iPhone so that they can execute their warrant. Must Apple comply with this request?
On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based registered investment adviser, over the firm’s failure to establish cybersecurity policies and procedures. This investigation and settlement are the latest in the Commission’s ongoing efforts to regulate cybersecurity for investment advisers.
Spokeo, Inc. v. Robins—which involves the question of whether Congress, by authorizing a private right of action based on a violation of a federal statute, can confer Article III standing upon a plaintiff who has suffered no concrete harm—is one of the most eagerly anticipated decisions from the Supreme Court’s October 2015 term. The petitioner’s and respondent’s primary briefing have now been filed with the Court, offering a glimpse into the arguments that we will see at oral argument in the fall. Significantly, in their briefing, Spokeo and Robins both emphasize the potential impact of this decision not only for the future of privacy and data-breach litigation, but also for the scope of the federal courts’ Article III jurisdiction in general.
In recent weeks, there have been several developments in some of the major data security class action suits.