Data Security Law Blog

Visit the Full Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Corporate Behavior, Hackers and Socially-Responsible Investing

Should a public company’s cyber and breach disclosure practices matter to Wall Street and socially-responsible investment funds?

That’s the vexing question posed in a blog post by Audit Analytics, the Massachusetts-based financial research firm.

Socially-responsible investment funds – called ESG funds that focus on environmental, social and governance practices – rely on sustainable, socially conscious investing principles.  ESG portfolio managers consider issues beyond a company’s financial standing before jumping into an investment position such as environmental compliance, working conditions, executive pay and diversity efforts. Audit Analytics asks whether cybersecurity should be added to this list of investment criteria.

Go

FBI Warns Student Data at Risk

Student data is a treasure trove for hackers.

In a recent FBI Alert, the agency warned that the rapid growth of educational technologies combined with the increased collection of student information is the proverbial disaster waiting to happen.

Go

Study Shows Banks Block 80% of Cyberattacks … But is that Enough?

In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?

Go

Part II: Hidden Costs of Bug Bounty Programs

Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.

Go

Healthcare in the Cross Hairs: Insider Threat

The healthcare industry has been in the sights of hackers for some time. But a recent survey found that the biggest threat in the sector comes from within.

Verizon has just released its Protected Health Information Data Breach Report and found that 58% of the data security incidents in the industry came from insiders, a number higher than in any other industry. The study is based on an analysis of almost 1400 incidents during 2016-2017 in 27 countries. Almost 75% of the incidents occurred in the U.S.

Go

California Legislature Makes Last-Minute Changes to New Data Privacy Law

As California’s legislative session came to a close late last month, the state’s lawmakers passed SB-1121, approving a series of tweaks to the California Consumer Privacy Act of 2018 or CCPA, the far-ranging data privacy law enacted earlier this summer. The new bill now heads to the governor for consideration.

Go

In Search of Immunity: MGM Fights to Define SAFETY Act Protection

Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.

A legal battle is now underway over liability for the shooting and the first ever legal test of a little known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.

Go

NY Cyber Law Hits 3rd Deadline: Toughest Yet to Come

By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 –includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.

Go

Obsolete Device Woes: What To Do?

It seems like a victimless crime. Toss out an old computer or post it for sale on the Internet for a few bucks. Not a big deal, right?

Not so fast.

Go

Cyber Lessons From the SEC?

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchanges Commission on the use of automated technology to detect investment advisor fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?

Go

New York Cyber Deadline “Reminder” Issued by DFS

It’s that time again. The third compliance deadline for New York’s sweeping new cybersecurity regulation is less than three weeks away.

That means five new requirements must be in place by September 4, 2018.

Go

LabMD Update: DC Circuit Rejects Rehearing in Suit Against FTC Lawyers

Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business? This raises the troubling question of whether the entire case against LabMD was built on a false premise.

Go

What New York Businesses Need to Know About California’s New Data Privacy Law

As the home of Facebook and other tech giants, California recently found itself in the center of a data privacy firestorm. In response to this and other controversies emanating from Silicon Valley’s technology community, California enacted a far-ranging data privacy law, the California Consumer Privacy Act of 2018. Despite its California origins, however, the law could have significant effects on New York-based businesses as well.

Go

SEC Fines Mizuho for Failing to Protect Customer Data

It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.

Go

Was LabMD Hacked? A Key Issue in Lawsuit Against FTC Lawyers

Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise.

Go

Craig Newman Authors Op-Ed on FTC Cyber Authority for The Wall Street Journal

Firm partner and chair of our privacy group, Craig A. Newman, authored an Op-Ed for The Wall Street Journal on a federal appeals court ruling that could force reform of the Federal Trade Commission’s long-standing view of its authority in data security enforcement. “The FTC cannot responsibly oversee companies’ data security without first safeguarding the integrity of its own process,” wrote Newman.

Go

Las Vegas Shooting Lawsuits: How They Will Impact the Cybersecurity World

Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas.  MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack. 

Go

For $80 Million, Yahoo! Settles Shareholder Class Action Claiming Stock Price Losses from Data Breaches

It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.

As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.

Go

California’s New Privacy Law: A Closer Look

California’s landmark digital privacy law – signed into law late last week – is the most sweeping consumer data protection law in the U.S. The California Consumer Privacy Act of 2018 or CCPA promises to give consumers unprecedented control over their personal information including the right to know what information companies are collecting about them and how it is used.

Go

California Enacts Sweeping Consumer Privacy Law

California threw down the proverbial gauntlet last night and enacted a sweeping new digital privacy law aimed at giving the state’s consumers more control over their personal information.

Go

Equifax Agrees to Data Breach Deal with 8 States

In a consent order with financial regulators from eight states, Equifax Inc. yesterday agreed to put in place a number of basic data security safeguards – apparently lacking until now – to prevent another massive breach.  The order lists specific actions that Equifax must take to improve its data security environment including conducting a comprehensive risk assessment that considers “foreseeable threats and vulnerabilities” to sensitive information and the way the company plans on defending against those threats. 

Go

Objections Fall Short as Appeals Court Affirms Target Settlement

Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.

Go

Patterson Belknap and Bloomberg Law: Domestic Privacy Profile: New York

Patterson Belknap lawyers Craig A. Newman and George S. Soussou edited and contributed to the first Bloomberg Law Domestic Privacy Profile: New York.  This comprehensive guide provides an overview of applicable laws and regulations, regulatory authorities and enforcement, risk management, and emerging issues and outlook for privacy and data security in New York state.  Newman is a litigation partner and chairs the firm’s privacy and data security practice.  Soussou is an associate in the firm’s litigation group.

To view the publication, please click here.

Go

Bug Bounty Programs: What Every Organization Needs to Know

More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.

A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now dolling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?

Go

LabMD Wins Long-Running Data Security Case Against FTC

In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.

Go

New York AG Throws Support Behind Proposed SHIELD Act

It didn’t take long for New York’s interim Attorney General to send a strong message to the business community about the importance of data security.

In a press release yesterday, interim New York Attorney General Barbara Underwood threw her support behind New York’s proposed SHIELD Act – Stop Hacks and Improve Electronic Data Security – which was introduced late last year and imposes data security safeguard requirements on businesses that hold sensitive information of New York residents.

Go

Another DFS Cyber Deadline Looms

For thousands of financial institutions and insurance companies covered by New York DFS’s sweeping data security regulation, the countdown to yet another deadline has begun. Those companies will remember last August, when DFS’s first transition period ended, and the same companies know that they had to first certify their compliance with the regulation to DFS only months ago, in February.

Go

Facebook Gears Up for High Stakes Biometric Trial

In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”

Go

Litigating Blockchain: Not So Simple

Many believe that blockchain technology will revolutionize the way humans interact, in business and beyond.  Though cryptocurrency is the topic du jour, blockchains can do much more than just enable digital currencies:  they can be used to transform the way we store and manage many kinds of data, from real property and voting records to intellectual property licenses and medical information, and more.  If blockchain is mainstreamed, courts will inevitably be faced with disputes arising out of the differences between blockchain and current methods of managing transactional data.

Go

Wearable Technology Fits into Professional Sports

Professional athletes, teams, and leagues have embraced wearable technology.  But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.

Go

Insurance Industry Cybersecurity Law Moves Closer to Becoming a Reality

The insurance industries in South Carolina and Rhode Island may soon be required to adopt formal data security safeguards, a movement sparked by the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The model law, which NAIC adopted in October 2017, establishes minimum standards for data security applicable to insurance providers. It is part of a growing body of state-level cybersecurity legislation, including the New York State Department of Financial Services regulation issued in March 2017.  We blogged about the model law back in January

Go

Equifax Breach Costs Stack Up

How much does a data breach cost?  One independent study estimated that, on average, the cost to an organization of a data breach in the U.S. was $7.35 million in 2017.  But recent financial disclosures from Equifax Inc. show how those numbers can spiral when a worst-case scenario comes to pass.

Go

The Tale of LabMD: New lawsuits charge ethics violations and fake data breaches

The LabMD data security case is anything but dull.  An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.

Go

Does Yahoo’s SEC Cyber Disclosure Settlement Set Enforcement Bar?

The U.S. Securities and Exchange Commission’s $35 million settlement announced this week over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.

The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation.  Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.

Go

Microsoft Email Case Dismissed by Supreme Court

This morning, the long-running dispute between Microsoft Corp. and the U.S. government regarding data stored abroad was resolved by the United States Supreme Court. As we’ve previously discussed, the case posed the question: must U.S. companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand data stored in a foreign country? Today, the Supreme Court concluded that newly enacted legislation had effectively ended the case, making the Court’s involvement unnecessary.

Go

The New York Times Features Article by Craig Newman: “A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem”

On April 11, 2018, The New York Times featured an article written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem.” Mr. Newman proposes a cybersecurity grading system as a next step to help solve the lack of information about the data security practices of businesses. A new grading system should answer basic questions such as, "Are companies on top of data security, and if hacked, do they know how to reduce the impact?"

To read the full article, click here.

Go

Microsoft Joins Government’s Request to Render Fight over Access to Data Stored Abroad Moot

Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.  The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant.  The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.

Go

Government Urges High Court to Moot Microsoft Email Case

We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.

Go

The Warning Behind the Numbers: New York’s 2017 Data Breach Report

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Go

Q&A with Glenn S. Gerstell, National Security Agency

In this occasional series, the chair of Patterson Belknap’s privacy and data security group, Craig A. Newman, interviews thought leaders – from both the public and private sectors – about the growing threat of cyber-attacks in the U.S. and abroad.  In our first installment, we had the privilege of interviewing Glenn S. Gerstell, General Counsel of the National Security Agency, about the agency’s cybersecurity role and priorities.  As one of our nation’s preeminent intelligence agencies, the NSA helps protect and defend U.S. systems that contain classified information or are critical to the U.S. military or intelligence functions.   

Go

Ninth Circuit Wades into Growing Debate over Data Breach Standing

Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.

Go

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).

Go

DFS Issues Compliance Certificate “Reminder”

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

Go