Privacy and Data Security

By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 –includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchanges Commission on the use of automated technology to detect investment advisor fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?

It’s that time again. The third compliance deadline for New York’s sweeping new cybersecurity regulation is less than three weeks away.

That means five new requirements must be in place by September 4, 2018.

As the home of Facebook and other tech giants, California recently found itself in the center of a data privacy firestorm. In response to this and other controversies emanating from Silicon Valley’s technology community, California enacted a far-ranging data privacy law, the California Consumer Privacy Act of 2018. Despite its California origins, however, the law could have significant effects on New York-based businesses as well.

Did LabMD, the now-defunct cancer testing company, expose sensitive patient information with shoddy data security practices as U.S. regulations have charged, or was the company victimized by a private forensics firm extorting it for business – raising the troubling question of whether the entire case against LabMD was built on a false premise.

Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas.  MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack. 

California’s landmark digital privacy law – signed into law late last week – is the most sweeping consumer data protection law in the U.S. The California Consumer Privacy Act of 2018 or CCPA promises to give consumers unprecedented control over their personal information including the right to know what information companies are collecting about them and how it is used.

In a consent order with financial regulators from eight states, Equifax Inc. yesterday agreed to put in place a number of basic data security safeguards – apparently lacking until now – to prevent another massive breach.  The order lists specific actions that Equifax must take to improve its data security environment including conducting a comprehensive risk assessment that considers “foreseeable threats and vulnerabilities” to sensitive information and the way the company plans on defending against those threats. 

Last week, the U.S. Court of Appeals for the Eighth Circuit affirmed the district court’s approval of a $17 million settlement between Target Corp. and consumers whose credit card data was compromised in the 2013 data breach. In one of the largest data breaches to hit U.S. retailers, hackers stole information from 40 million credit and debit cards during the 2013 holiday season.

More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.

A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now dolling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?

It didn’t take long for New York’s interim Attorney General to send a strong message to the business community about the importance of data security.

In a press release yesterday, interim New York Attorney General Barbara Underwood threw her support behind New York’s proposed SHIELD Act – Stop Hacks and Improve Electronic Data Security – which was introduced late last year and imposes data security safeguard requirements on businesses that hold sensitive information of New York residents.

A federal judge in New York has dismissed LabMD’s lawsuit against a former United States Attorney – which charged her with ethics violations and engaging in a cover-up over her role in an U.S. Federal Trade Commission data security enforcement action – on jurisdictional grounds.

In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”

Professional athletes, teams, and leagues have embraced wearable technology.  But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.

Legendary investor Warren Buffett’s portfolio won’t be scooping up shares of insurers that underwrite cyber insurance.

At Berkshire Hathaway’s 2018 Annual Shareholders Meeting over the weekend, Buffett called cyber “unchartered territory” and said the fall-out and business risks from cyber-attacks are “going to get worse, not better.”

The LabMD data security case is anything but dull.  An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country.

An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.

On April 11, 2018, The New York Times featured an article written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem.” Mr. Newman proposes a cybersecurity grading system as a next step to help solve the lack of information about the data security practices of businesses. A new grading system should answer basic questions such as, "Are companies on top of data security, and if hacked, do they know how to reduce the impact?"

To read the full article, click here.

Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.  The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant.  The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million of expenses, and that number is now expected to grow to $439 million by the end of 2018, making this, potentially, the most expensive reported data breach to date.

On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v Microsoft, which is pending before the Supreme Court:  should the U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative action is necessary to properly govern “the vast stores of electronic data that move seamlessly across international borders.”