Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including back account and social security numbers. Drivers brought a class action suit in federal court in the U.S. District Court for the Northern District of California. On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact. Continue Reading Uber Catches Break in Data Breach Class Action
In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations. However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).
To highlight some of the finer points, in order to trigger notification requirements, the Regulations require organizations to determine if a data breach poses a “real risk of significant harm” to any individual had their information accessed in the breach. If an organization meets this harm threshold, then the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals. Continue Reading Canada Releases New Data Breach Regulations
In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue Reading Uber Goes 0-2 in Data Breach Notifications
On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.
Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification although such legislation is currently pending in that state.
The Equifax data breach saga continues, this time with civil and criminal charges for insider trading lodged against Jun Ying, Equifax’s former Chief Information Officer of its U.S. Information Solutions business unit. The criminal indictment pursued by federal prosecutors and the civil complaint filed by the Securities and Exchange Commission both allege that Ying exercised all of his vested stock options and sold them, for approximately $950,000, within mere days of learning of Equifax’s breach, and before the breach had become public. By doing so, he allegedly avoided more than $117,000 in losses. They allege that, within three days of learning of the breach, Ying had begun googling—well, using Bing— to search for information about how much Experian’s stock had fallen after its breach back in 2015, and then executed his Equifax trades an hour later. Although Equifax had taken measures to prevent employees who knew about the breach from trading in its stock, somehow those measures had failed to prevent the trades by Ying.
Two courts. Two days. Two different results. On March 7, on remand from the U.S. Court of Appeals for the Eighth Circuit, a federal district court judge in Minnesota granted a motion to dismiss a consumer class action suit involving a 2014 data breach affecting over 1,000 grocery stores. The court found that the allegations of possible future identity theft or fraud because of the breach were not sufficient to establish a substantial risk of future harm. Continue Reading The Standing Struggle in Data Breach Litigation Continues
Yahoo agreed to pay shareholders $80 million to settle a federal securities class action suit, as detailed in the parties’ March 2, 2018 proposed settlement agreement filed with the court. In that suit, the shareholders claimed that Yahoo failed to disclose a number of data breaches affecting more than 3 billion users, which caused Yahoo’s stock prices to fall. One of the named plaintiffs is not participating in the settlement. This was one of the first federal securities lawsuits arising out of a data breach. Several others have followed. If the court approves the settlement, it will be the first recovery in a shareholder lawsuit based on a data breach and certainly will encourage other such suits in the future.
On February 16, 2018, the U.S. Supreme Court denied certiorari to review CareFirst’s appeal of the U.S. Court of Appeals, D.C. Circuit’s decision in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017). The D.C. Circuit held that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Other circuit courts of appeal have reached the opposite conclusion. Unfortunately, the U.S. Supreme Court will not be addressing that circuit split this session. See our previous entry on the CareFirst case.
Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations. While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities. OCR is sending a message about HIPAA Security Rule compliance.
Five Fresenius entities in five different states suffered five completely separate but relatively common breaches. Each breach involved stolen or missing equipment. No one breach involved records of more than 500 patients. In fact, combined, the total number of patients impacted was 521. As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals. Continue Reading $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each