In this episode of the Murtha Cullina Cybersecurity Three Minute Check In Series, Dena Castricone addresses whether businesses in the United States must comply with the General Data Protection Regulation (GDPR).

In August 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customers’ personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service, and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue reading: Uber Goes 0-2 in Data Breach Notifications

Yesterday the United States Court of Appeals for the Seventh Circuit weighed in on the consumer class action standing issue. The court found that Barnes & Noble customers have standing to pursue a class action concerning the hacking of the retailer’s PIN pads. In doing so, the Seventh Circuit reversed a district court ruling dismissing the complaint for failure to adequately plead damages. The Court of Appeals determined that the time value of money which had been removed from plaintiffs’ accounts (even though it was ultimately returned), the costs of credit monitoring, and the time invested to create new accounts all were sufficient to provide standing. Continue reading: The Seventh Circuit Weighs In On Standing

In a report released on April 5, 2018, the Government Accountability Office (GAO) concluded that the Centers for Medicare and Medicaid Services (CMS) has not done enough to adequately protect the electronic data of Medicare beneficiaries. There are over 59 million Medicare beneficiaries, and beneficiary information contains some of the most sensitive personal information, making it very attractive to criminals. Therefore, CMS’s protection of that data is critically important. Continue reading: GAO Says CMS Must Do More to Protect Medicare Info

The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018. Oddly enough, the regulations regarding notification have not yet been finalized. Continue reading: Canada’s Data Breach Notification Law Goes Into Effect November 1, 2018

In the wake of the Facebook and Cambridge Analytica scandal, another social media company, Grindr, a gay dating app, has come under scrutiny for its sharing of sensitive personal information with third parties. In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s traffic, alleges that Grindr shares its users’ disclosed HIV status and last tested date, GPS location and other demographic profile information with third parties.

Continue reading: Grindr Grinds Users’ Gears by Reportedly Sharing Users’ HIV Status

On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.

On March 16, a year and a half after hearing oral argument, the D.C. Circuit Court of Appeals issued a long-awaited decision overturning two of the Federal Communications Commission’s (FCC) far-reaching interpretations of the Telephone Consumer Protection Act of 1991 (TCPA). A number of regulated entities filed an action against the FCC challenging several of the FCC’s conclusions in a 2015 order related to cell phones. Continue reading: D.C. Circuit Reins in FCC’s Overbroad TCPA Interpretations

Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.

The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes. However, allegedly, Cambridge Analytica collected the personal information not only of those who replied to the survey, but also of all of those individuals’ Facebook “friends.” By doing so, the 270,000 users extrapolated to 50 million users. Continue reading: Facebook In Hot Water With Latest Privacy Missteps

Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification, although such legislation is currently pending in that state.