Privacy and Data Security

Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.

In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation.  The annual certification is now due on June 1, 2020. 

This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.

The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.

The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach.  As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”

On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations.  The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages. 

Earlier this month, YouTube and its parent company, Google, entered into a record $170 million proposed settlement to resolve allegations brought by the Federal Trade Commission (FTC) and the New York Attorney General (NYAG) under the federal Children’s Online Privacy Protection Act (COPPA). According to the complaint in the case, YouTube collected personal information on video channels directed to children without parental consent using persistent identifiers that can track individuals across the Internet. This is the largest penalty to date in a COPPA enforcement action.

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

On August 28, 2019, almost a month after Paige A. Thompson was arrested based on allegations that she hacked into servers rented by Capital One Financial Corporation, a criminal indictment was returned charging her with one count each of computer and wire fraud, as well as forfeiture allegations.  The indictment includes new allegations that, in addition to hacking Capital One’s data, Thompson illegally accessed and copied data from more than 30 different entities that rented or contracted servers at an unnamed cloud-computing company at which she previously worked.  The indictment provides additional details concerning Thompson’s hacking scheme.  According to the indictment, Thompson used devices that allowed her to scan servers rented or contracted by Capital One and other entities at the cloud-computing company.  From the scans, Thompson was able to identify servers that had firewall misconfigurations, which she then exploited to obtain security credentials that allowed her to access and copy the entities’ data.  In addition to copying the data, Thompson also used the stolen computing power of the servers to mine cryptocurrency—in a scheme colloquially known as “cryptojacking.” 

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.

The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws.  Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

Patterson Belknap Webb & Tyler LLP is deeply saddened to announce the passing of our partner and friend Craig A. Newman, the founding editor of the Data Security Law Blog. Craig was a litigation partner with Patterson Belknap from 2015 to 2019 and served as chair of the Firm’s Privacy & Data Security practice. He was a source of wisdom, warmth and humor, and will be missed. More information can be found on the Firm’s website here.

Illinois is set to become the 29^th state that will require data breaches affecting more than 500 residents to be reported to the state’s attorney general.

Hackers have managed to break into the accounts of 100 sellers at Amazon.com. The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident.

As we’ve discussed in previous posts, the SAFETY Act has the potential to serve as a valuable tool for companies looking to mitigate risk from cyber-terrorism. This is part two of a three-part series; be sure to read part one, which describes how the SAFETY Act applies to cybersecurity.

In its first official statement about the CLOUD Act – the Clarifying Lawful Overseas Use of Data Act – the U.S. Department of Justice has published a white paper, “Promoting Public Safety, Privacy and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act,” discussing its view on the law enacted in March 2018. The CLOUD Act, established revised procedures for government requests for data held by technology companies outside of the U.S.

The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.

When you think about reporting a healthcare data breach to authorities, family-owned furniture manufacturers nestled in the serenity of North Carolina aren’t exactly at the top of the list.

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

The nation’s top law enforcement agency is rebooting its cybercrime capabilities.

In an effort to keep up with the evolving threats against property, critical infrastructure and human life posed by cyber-attacks –especially those launched by foreign adversaries – the Federal Bureau of Investigation is seeking to reposition its priorities and fortify its capacity to fight cybercrime.

Almost weekly, it seems there is another news article about a bug bounty program sponsored by a major corporation where an amateur hacker – often a teenager – is paid a sizeable sum of money for finding a bug in a company’s operating system or code. Often, these articles describe just how much money these teens make from bug bounty programs; one headline from March 12, 2019 describes how bug bounty programs have made “one teen a millionaire hacker.” In another from February 2019, Apple paid a 14-year-old hacker an undisclosed sum after he found a security flaw in FaceTime.