The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018. The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration. By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” The strategy document is broken into five pillars: risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enable cybersecurity outcomes. DHS assures that it “will maintain a leadership role, collaborating with other federal agencies, the private sector, and other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient.”
Dena M. Castricone is the Chair of the Privacy and Cybersecurity Practice Group. She is also a member of the Long Term Care and Health Care practice groups and the Chair of the firm’s Pro Bono Committee. Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.
Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including bank account and social security numbers. Drivers brought a class action suit in federal court in the U.S. District Court for the Northern District of California. On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact.
In this episode of the Murtha Cullina Cybersecurity Three Minute Check In Series, Dena Castricone addresses whether businesses in the United States must comply with the General Data Protection Regulation (GDPR).
In a report released on April 5, 2018, the Government Accountability Office (GAO) concluded that the Centers for Medicare and Medicaid Services (CMS) has not done enough to adequately protect the electronic data of Medicare beneficiaries. There are over 59 million Medicare beneficiaries and beneficiary information contains some of the most sensitive personal information, making it very attractive to criminals. Therefore, CMS’s protection of that data is critically important.
On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.
On March 16, a year and a half after hearing oral argument, the D.C. Circuit Court of Appeals issued a long-awaited decision overturning two of the Federal Communications Commission’s (FCC) far-reaching interpretations of the Telephone Consumer Protection Act of 1991 (TCPA). A number of regulated entities filed an action against the FCC challenging several of the FCC’s conclusions in a 2015 order related to cell phones.
Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification although such legislation is currently pending in that state.
Two courts. Two days. Two different results. On March 7, on remand from the U.S. Court of Appeals for the Eighth Circuit, a federal district court judge in Minnesota granted a motion to dismiss a consumer class action suit involving a 2014 data breach affecting over 1,000 grocery stores. The court found that the allegations of possible future identity theft or fraud because of the breach were not sufficient to establish a substantial risk of future harm.
Yahoo agreed to pay shareholders $80 million to settle a federal securities class action suit, as detailed in the parties’ March 2, 2018 proposed settlement agreement filed with the court. In that suit, the shareholders claimed that Yahoo failed to disclose a number of data breaches affecting more than 3 billion users, which caused Yahoo’s stock prices to fall. One of the named plaintiffs is not participating in the settlement. This was one of the first federal securities lawsuits arising out of a data breach. Several others have followed. If the court approves the settlement, it will be the first recovery in a shareholder lawsuit based on a data breach and certainly will encourage other such suits in the future.
Many organizations struggle with whether to permit employees to use their own electronic devices (e.g., mobile phones, tablets, laptops) to conduct business on behalf of the organization. In addition to discovery challenges in the event of litigation, the use of individual devices can also present significant security concerns and regulatory compliance issues. In January, the Sedona Conference Working Group Series issued a public comment version of “Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations.” Comments to the public comment version must be submitted by March 26, 2018.