The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018. Oddly enough, the regulations regarding notification have not yet been finalized. Continue Reading Canada’s Data Breach Notification Law Goes Into Effect November 1, 2018
In the wake of the Facebook and Cambridge Analytica scandal, another social media company, the gay dating app Grindr, has come under scrutiny for sharing sensitive personal information with third parties. In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s network traffic, alleges that Grindr shares its users’ disclosed HIV status and last-tested date, GPS location and other demographic profile information with third parties.
On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government-issued identification number, financial account number, medical information, health insurance policy or subscriber identification number, or an email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.
On March 16, a year and a half after hearing oral argument, the D.C. Circuit Court of Appeals issued a long-awaited decision overturning two of the Federal Communications Commission’s (FCC) far-reaching interpretations of the Telephone Consumer Protection Act of 1991 (TCPA). A number of regulated entities had filed an action against the FCC challenging several of the conclusions in its 2015 order addressing autodialed calls and texts to cell phones. Continue Reading D.C. Circuit Reins in FCC’s Overbroad TCPA Interpretations
Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.
The premise of the allegations is that Cambridge Analytica sent a personality test to roughly 270,000 of Facebook’s users, stating that it would use the results for academic purposes. However, Cambridge Analytica allegedly collected the personal information not only of those who took the survey, but also of all of those individuals’ Facebook “friends.” In this way, data on 270,000 users who opted in grew into data on some 50 million users who never did. Continue Reading Facebook In Hot Water With Latest Privacy Missteps
Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, must also notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” covers online account credentials (such as a user name or email address together with a password or security-question answer) and account or card numbers combined with any code needed to access a financial account. Alabama is now the only state without a law addressing data breach notification, although such legislation is currently pending in that state.
The Federal Bureau of Investigation and the Department of Homeland Security issued a joint Technical Alert late last week warning that Russian government cyber actors are actively targeting U.S. utilities, other critical infrastructure, aviation, manufacturing, and commercial facilities. The alert reports that the attackers first compromise suppliers or third-party vendors as “staging targets,” wait for an opening, and then pivot into their ultimate “intended target” using malware and spear phishing. Once inside the intended target, they conduct reconnaissance and collect information on the industrial control systems. That information positions them to take control of those systems, which could allow multiple, simultaneous shutdowns in a coordinated attack denying necessary services such as electricity and water. These attacks highlight the necessity for third-party and vendor due diligence. See our Three Minute Check-In Series to learn more.
*Brad Davis is a Legal Intern in the Privacy and Cybersecurity Practice Group of Murtha Cullina LLP.
The Equifax data breach saga continues, this time with civil and criminal charges for insider trading lodged against Jun Ying, former Chief Information Officer of Equifax’s U.S. Information Solutions business unit. The criminal indictment pursued by federal prosecutors and the civil complaint filed by the Securities and Exchange Commission both allege that Ying exercised all of his vested stock options and sold the resulting shares, for approximately $950,000, within mere days of learning of Equifax’s breach and before the breach had become public. By doing so, he allegedly avoided more than $117,000 in losses. They allege that, within three days of learning of the breach, Ying had begun googling—well, using Bing—to search for how much Experian’s stock had fallen after its breach back in 2015, and then executed his Equifax trades an hour later. Although Equifax had taken measures to prevent employees who knew about the breach from trading in its stock, somehow those measures failed to prevent Ying’s trades.
Two courts. Two days. Two different results. On March 7, on remand from the U.S. Court of Appeals for the Eighth Circuit, a federal district court judge in Minnesota granted a motion to dismiss a consumer class action suit involving a 2014 data breach affecting over 1,000 grocery stores. The court found that the allegations of possible future identity theft or fraud because of the breach were not sufficient to establish a substantial risk of future harm. Continue Reading The Standing Struggle in Data Breach Litigation Continues
Yahoo agreed to pay shareholders $80 million to settle a federal securities class action suit, as detailed in the parties’ March 2, 2018 proposed settlement agreement filed with the court. In that suit, the shareholders claimed that Yahoo failed to disclose a number of data breaches affecting more than 3 billion users, which caused Yahoo’s stock prices to fall. One of the named plaintiffs is not participating in the settlement. This was one of the first federal securities lawsuits arising out of a data breach. Several others have followed. If the court approves the settlement, it will be the first recovery in a shareholder lawsuit based on a data breach and certainly will encourage other such suits in the future.