DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
It’s been a busy year for the Cyber Unit at the Securities and Exchange Commission. During 2018, the SEC brought 20 stand-alone cases related to cybersecurity, and has 225 cyber-related investigations that it deems “ongoing.” That’s according to the enforcement division’s 2018 Annual Report.
Cybersecurity has played an important role in the U.S. Securities and Exchange Commission’s regulatory agenda during the past year.
And it’s likely to become even more important in 2019.
Yesterday, the United States indicted two Iranian hackers for their roles in a series of major ransomware attacks that started in 2016 and lasted almost three years. The attacks crippled schools, hospitals, the private sector, and government agencies, causing tens of millions of dollars in damage.
The Pennsylvania Supreme Court handed the state’s employees a major legal victory last week when it decided that employers have an affirmative legal responsibility to protect the confidential information of its employees.
Here’s a striking fact. So far this year, there have been 316 healthcare data security breaches reported to the federal government. This statistic includes incidents reported by health plans, healthcare providers and healthcare clearing houses.
Lawyers don’t get a free pass when it comes to data security. In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.
In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.
MGM Resorts International has hit the pause button in its gambit to shield itself from liability stemming from the October 2017 shooting at the Mandalay Bay Hotel in Las Vegas.
As we reported previously, MGM has brought more than a dozen declaratory judgment lawsuits against the victims in the deadliest mass shooting in modern U.S. history, arguing that claims against the casino giant are barred by federal law. MGM has released a statement saying it hopes to avoid years of litigation by exploring potential settlement options, and adding that “years of protracted litigation is in no one’s best interest.”
We’ve blogged previously about the patchwork of state data privacy laws, and the challenges it poses for multinational businesses. Now, U.S. companies need to beware of our neighbor to the north as well: Canada has enacted a new breach notification regulation that may have implications well beyond its geographical borders.
Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.
Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.
Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.
Late last week, the Office of Civil Rights for the Department of Health and Human Services (OCR) announced a $16 million settlement with health-insurance company Anthem, Inc. The settlement amount is nearly three times larger than any prior settlement with the OCR.
The federal government’s top healthcare insurance agency has suffered an apparent data breach.
Late Friday, the U.S. Centers for Medicare and Medicaid Management (CMS) disclosed that 75,000 patient records had been compromised by hackers. Few other details have been released.
A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.
Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for chegg.com.”
The U.S. Securities & Exchange Commission has issued a stern warning to every financial firm and board of directors under its watchful eye: get your cybersecurity programs in shape or face the consequences.
And it’s doubtful the SEC’s admonition is limited to the financial sector.
This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices.
On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.
The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.
Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.
California is leading the pack. Once again.
On Friday, Governor Jerry Brown signed into law SB 327, the first- ever state legislation aimed at governing Internet of Things (IoT) devices.
Is legalized sports betting the next big thing in cybercrime?
When the U.S. Supreme Court last spring struck the Professional and Amateur Sports Protection Act – the law that barred most states from allowing sports betting – the floodgates opened and everyone seeking to profit from legalized sports gaming staked out their turf. Five states have already passed laws to allow sports betting and 18 others will soon follow suit. The most recent state to open its doors to legalized sports wagering, West Virginia, even plans to allow online sports wagering.
Should a public company’s cyber and breach disclosure practices matter to Wall Street and socially-responsible investment funds?
That’s the vexing question posed in a blog post by Audit Analytics, the Massachusetts-based financial research firm.
Socially-responsible investment funds – called ESG funds that focus on environmental, social and governance practices – rely on sustainable, socially conscious investing principles. ESG portfolio managers consider issues beyond a company’s financial standing before jumping into an investment position such as environmental compliance, working conditions, executive pay and diversity efforts. Audit Analytics asks whether cybersecurity should be added to this list of investment criteria.
Student data is a treasure trove for hackers.
In a recent FBI Alert, the agency warned that the rapid growth of educational technologies combined with the increased collection of student information is the proverbial disaster waiting to happen.
In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?
Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.
The healthcare industry has been in the sights of hackers for some time. But a recent survey found that the biggest threat in the sector comes from within.
Verizon has just released its Protected Health Information Data Breach Report and found that 58% of the data security incidents in the industry came from insiders, a number higher than in any other industry. The study is based on an analysis of almost 1400 incidents during 2016-2017 in 27 countries. Almost 75% of the incidents occurred in the U.S.
As California’s legislative session came to a close late last month, the state’s lawmakers passed SB-1121, approving a series of tweaks to the California Consumer Privacy Act of 2018 or CCPA, the far-ranging data privacy law enacted earlier this summer. The new bill now heads to the governor for consideration.
Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.
A legal battle is now underway over liability for the shooting and the first ever legal test of a little known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.
By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 –includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.
It seems like a victimless crime. Toss out an old computer or post it for sale on the Internet for a few bucks. Not a big deal, right?
Not so fast.
Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchanges Commission on the use of automated technology to detect investment advisor fraud.
A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?
A federal appeals court is giving Google and the Justice Department more time to work out their differences in a standoff over whether the tech giant must hand over customer emails stored outside of the United States.
It’s that time again. The third compliance deadline for New York’s sweeping new cybersecurity regulation is less than three weeks away.
That means five new requirements must be in place by September 4, 2018.
Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business? This raises the troubling question of whether the entire case against LabMD was built on a false premise.
As the home of Facebook and other tech giants, California recently found itself in the center of a data privacy firestorm. In response to this and other controversies emanating from Silicon Valley’s technology community, California enacted a far-ranging data privacy law, the California Consumer Privacy Act of 2018. Despite its California origins, however, the law could have significant effects on New York-based businesses as well.
It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.
That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.
Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise.
Firm partner and chair of our privacy group, Craig A. Newman, authored an Op-Ed for The Wall Street Journal on a federal appeals court ruling that could force reform of the Federal Trade Commission’s long-standing view of its authority in data security enforcement. “The FTC cannot responsibly oversee companies’ data security without first safeguarding the integrity of its own process,” wrote Newman.
Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas. MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack.
It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.
As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.
California’s landmark digital privacy law – signed into law late last week – is the most sweeping consumer data protection law in the U.S. The California Consumer Privacy Act of 2018 or CCPA promises to give consumers unprecedented control over their personal information including the right to know what information companies are collecting about them and how it is used.
California threw down the proverbial gauntlet last night and enacted a sweeping new digital privacy law aimed at giving the state’s consumers more control over their personal information.
In a consent order with financial regulators from eight states, Equifax Inc. yesterday agreed to put in place a number of basic data security safeguards – apparently lacking until now – to prevent another massive breach. The order lists specific actions that Equifax must take to improve its data security environment including conducting a comprehensive risk assessment that considers “foreseeable threats and vulnerabilities” to sensitive information and the way the company plans on defending against those threats.
Healthcare organizations take note: not following your own data security rules can be costly, very costly. And the more time it takes to comply, the faster the fines stack up.
Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.
Patterson Belknap lawyers Craig A. Newman and George S. Soussou edited and contributed to the first Bloomberg Law Domestic Privacy Profile: New York. This comprehensive guide provides an overview of applicable laws and regulations, regulatory authorities and enforcement, risk management, and emerging issues and outlook for privacy and data security in New York state. Newman is a litigation partner and chairs the firm’s privacy and data security practice. Soussou is an associate in the firm’s litigation group.
To view the publication, please click here.
More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.
A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now dolling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?
In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.
It didn’t take long for New York’s interim Attorney General to send a strong message to the business community about the importance of data security.
In a press release yesterday, interim New York Attorney General Barbara Underwood threw her support behind New York’s proposed SHIELD Act – Stop Hacks and Improve Electronic Data Security – which was introduced late last year and imposes data security safeguard requirements on businesses that hold sensitive information of New York residents.
The concert and event ticketing company, Ticketfly, is working to get its systems back online after a cyber-attack last week. Ticketfly has confirmed the hack but has released little information.
A federal judge in New York has dismissed LabMD’s lawsuit against a former United States Attorney – which charged her with ethics violations and engaging in a cover-up over her role in an U.S. Federal Trade Commission data security enforcement action – on jurisdictional grounds.
For thousands of financial institutions and insurance companies covered by New York DFS’s sweeping data security regulation, the countdown to yet another deadline has begun. Those companies will remember last August, when DFS’s first transition period ended, and the same companies know that they had to first certify their compliance with the regulation to DFS only months ago, in February.