A recent study asked high net worth investors which of the following issues they were most concerned about: terrorism, data security, or a major illness. The most prevalent response might surprise you. Seventy-two percent of the investors surveyed ranked data security as their top concern, followed by terrorism and then a major illness.
Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.
Craig A. Newman will moderate “Preparing a Cybercrime Incident Response Plan” at the ILTACON 2016 Annual Educational Conference on August 29th in Washington, D.C.
Craig A. Newman will moderate “Preparing a Cybercrime Incident Response Plan” at the ILTACON 2016 Annual Educational Conference on August 29th in Washington, D.C. ILTACON is the annual conference for law firms and legal departments sponsored by the International Legal Technology Association. Meticulous and thoughtful planning is required when putting together an organization’s data breach incident response plan, especially in today’s environment. Craig will lead a panel of data security experts in walking through case studies of data security breaches with a special focus on doing so in a way that manages an organization’s litigation, governance and regulatory risk. For additional information, please visit the event website.
When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer
Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts. Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.
There’s no denying it: Pokémon GO is a phenomenon.
The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th. In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history. Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.
Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records. Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.
On July 21st, Patterson Belknap and Berkeley Research Group hosted a Practising Law Institute (PLI) briefing on law firm cybersecurity.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
On the Move and At Risk: Safeguards for Mitigating Mobile Device Vulnerabilities While Traveling Overseas
Employees use their smartphones as a key tool for accessing information during a work day – especially when outside the office and traveling on business. While smartphones, tablets, laptops and other devices may increase productivity by facilitating work flow and communications, a wireless mobile device and related data may be exploited by cybercriminals, and this risk increases significantly when overseas. Organizations often overlook this increased vulnerability to business, customer, and client data when personnel use their mobile devices to conduct business while travelling outside the United States. Organizations can mitigate the risk of compromising confidential information, intellectual property, and other sensitive data by adopting best practices for personnel travelling in other countries.
A new set of federal banking regulations are on the horizon aimed at helping financial institutions put in place minimum compliance standards to prevent future cyber-attacks. Bloomberg Law has reported that the Federal Reserve, along with the Office of the Comptroller of Currency (“OCC”) and the Federal Deposit Insurance Corp. (“FDIC”), are working together to develop the standards.
The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach. And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.
On June 29, 2016, the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued “Guidance on cyber resilience for financial market infrastructures” (Cyber Guidance), the first set of concrete recommendations following the 2012 CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI).
Last week, the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Justice (“DOJ”) provided guidance on an open question in the Cybersecurity Information Sharing Act (“CISA”): What type of information may companies share under CISA?
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
State and federal regulators are turning their attention to the lead generation and data aggregation business – firms that compile massive databases of detailed consumer information ranging from spending and dieting habits to political affiliation.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
In part II of our interview with LabMD CEO Michael Daugherty, we discuss the Federal Trade Commission’s much anticipated decision in this long-running data security enforcement action.
In April 2016, the sensitive personal medical information of NFL players was stolen from the car of a trainer who had left the files in a backpack in his locked car. In 2014, Safeway, Inc. settled charges brought by the State of California stemming from an investigation concerning the improper disposal of hard copies of customer information. In 2014, an insurance company was exposed when maintenance workers who were supposed to move four boxes of member records between floors, instead threw them out. In 2011, sensitive information regarding an NYPD task force was found in a Manhattan trash can.
The Federal Trade Commission is expected to issue a ruling later this month in the LabMD case, a closely watched data security case that focuses on the scope and reach of Section 5 of the FTC Act.
Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle U.S. Securities and Exchange Commission charges that it failed to protect customer information. In an Order issued today, Morgan Stanley agreed to settle charges – without admitting or denying them – that a former employee accessed and transferred data regarding 73,000 accounts to his personal server. The SEC Order states that the former employee’s server was hacked by a third-party and that some of the customer information was offered for sale online.
We have recently written about the increasing importance of cybersecurity as an aspect of risk management for nonprofits in light of the proliferation of data security breaches across different sectors.
Has North Korea struck again? Do its recent attacks signal a shift from those motivated by political retribution to those motivated by financial gain? What does this mean for financial institutions?
The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.
We have previously written about the ongoing debate regarding the proposed EU-U.S. Privacy Shield. The European Parliament has now added its voice to those who say that the current proposal is inadequate.
The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today. At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.
Today, the U.S. Supreme Court decided one of the Term’s most closely watched cases: Spokeo, Inc. v. Robins. The 6-2 decision, while far from sweeping, creates a hurdle for plaintiffs in “no-injury” class actions.
Come Back With a Warrant: Proposed Rule Change Expands the Government’s Ability to Access Electronically Stored Information in Criminal Investigations
On April 28, 2016 the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.
For the second time this year, SWIFT is reporting another cyber-attack on a commercial bank. In a notice issued this morning, SWIFT said that attackers with a “deep and sophisticated knowledge of specific operational controls” attempted to submit fraudulent messages to the SWIFT network to transfer large amounts of cash from an unidentified bank.
We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs. Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.
The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.
More than a year and a half ago, Home Depot announced that it had been a victim of one of the largest data breaches in U.S. history. Media outlets reported that the breach had affected Home Depot’s customers who had made purchases using the company’s self-checkout terminals.
With European regulators continuing to debate the current proposal for the EU-U.S. Privacy Shield, the fate of the new trans-Atlantic data framework is becoming murkier by the day. Rapprochement may still be a possibility, but over the past week, we have seen parties on both sides preparing for an extended fight. The Privacy Shield is one of the most significant issues in global cybersecurity today.
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements
From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement action. In what may be a sign of things to come, the Department of Health and Human Services (DHHS) is scrutinizing both “covered entities” and “business associates” under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.
In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on Wednesday that it would not affirm the adequacy of the Privacy Shield deal.
Yesterday, the Seventh Circuit held in Lewart v. P.F. Chang’s that customers who may have had personal information compromised in a P.F. Chang’s data breach have standing, at the motion-to-dismiss stage, to sue the company. Given the Seventh Circuit’s 2015 opinion in Remijas v. Neiman Marcus, which involved similar facts, the decision in Lewart is not particularly surprising.
On April 14, 2016, the U.S. Attorney for the Southern District of New York filed a civil forfeiture action seeking to recover nearly $100 million stolen from an unidentified U.S. company through a form of wire fraud or Automated Clearing House (“ACH”) fraud.
The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.
A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.
When it comes to buying cyber insurance, businesses might be right in taking comfort that they have mitigated the financial risks that come with a data breach. Just not all of them.
By now, you’ve probably heard about the massive cyber attack that hit Bangladesh’s central bank last month, resulting in the loss of $81 million through fraudulent transfers to accounts in the Philippines. Although the size and scale of this cyber heist was unprecedented, cybercrime targeting ACH (Automated Clearing House) financial transactions is nothing new. Financially motivated hackers regularly target ACH systems.
Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.
For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate. Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.
On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service. The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices. The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.
U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade
The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely-watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses — whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day.
Financial institutions sit atop a wealth of personal information – not to mention money. In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.
- Page 2 of 3