This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.

Continue Reading 3 Billion Compromised Yahoo Accounts May Yield Largest Plaintiff Class Ever

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

Earlier this month, an appellate panel of the federal DC Circuit unanimously held that individuals affected by a healthcare insurer’s data breach in 2014 could pursue claims against the insurer stemming from the cyberattack. In the process, the panel deepened a circuit split on the question of whether data breach victims have standing to pursue claims based solely on exposure of their sensitive personal information, while also adding significant risk of cyber-liability for companies that collect and store medical records of individuals.

In Attias v. CareFirst, Inc., the plaintiffs asserted claims on behalf of a purported class of one million customers of CareFirst, Inc. (“CareFirst”), a healthcare insurer in the Washington, DC metro area. In the 2014 cyberattack, hackers penetrated 22 computers and compromised the identifying health data of one million customers, including customer names, addresses, email addresses, subscriber ID numbers, and Social Security numbers. The plaintiffs did not allege that they had suffered any direct financial injury as a result of their identifying health data being exposed, but did allege they suffered an “increased risk of identity theft” as a result of CareFirst’s alleged negligent conduct. The district court granted CareFirst’s motion to dismiss, which asserted that the plaintiffs lacked standing to bring their alleged claims because they had not asserted either a present injury arising from the data breach or a “high enough likelihood of future injury.” Continue Reading D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing

 

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here. Continue Reading Are You Ready for the New York August 28th Compliance Deadline?  

If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes.  Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages.   Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number.    Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties.   PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices.   Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.

 

Despite some courts’ evident confusion about the impact of payment card theft on consumer cardholders, other courts are getting it right.  Just this week, a judge in the Northern District of Illinois issued an order dismissing the second amended complaint filed by consumer cardholders in In re Barnes & Noble Pin Pad Litig. (N.D. Ill.).  This order marked the third time that the court had dismissed the consumer cardholder claims due to lack of injury.  Here, as in every theft of credit or debit card data, the fact that consumers are held harmless for fraudulent charges on their cards means that such losses – which are borne by the issuing banks – do not result in injury to consumers sufficient to confer statutory or constitutional standing.  This leaves plaintiffs, like those in Barnes & Noble, to argue that they sustained actionable injury because of inconvenience (cards are replaced, accounts are temporarily frozen) or apprehension of potential future harm (future adverse credit impact).  The court in Barnes & Noble held the former to be insufficiently significant to allow claims under statutes requiring proof of loss, while the latter was deemed too speculative to permit standing.  Even though plaintiffs could show that they purchased credit monitoring services after the breach, the court held that money spent on attempts to mitigate future fraud are not injury that may be redressed under state unfair competition law.

Having dismissed three separate attempts to plead an actionable claim, the court dismissed the second amended complaint in Barnes & Noble with prejudice.  With this ruling, the court has provided additional support for defendants resisting consumer claims arising from theft of payment card data.

It seems as though we have been writing about this case for a lifetime.  Target Corporation’s data breach saga came one step closer to a conclusion this week.  On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach.   Alabama, Wisconsin, and Wyoming were not part of the settlement. Continue Reading Target Reaches $18.5 Million Dollar Settlement in Data Breach with States

Another day, another data incident.  If you use DocuSign, you’ll want to pay attention.

The provider of e-signature technology has acknowledged a data breach incident in which an unauthorized third party gained access to the email addresses of DocuSign users.   Those email addresses have now been used to launch a massive spam campaign.   By using the stolen email address database and sending “official” looking emails, cyber criminals are hoping that recipients will be more likely to click on and open the malicious links and attachments.

DocuSign’s alert to users says in part:

[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

A portion of the phish in the malicious campaign looks like this:

 

Two phishing campaigns already detected and more likely

The DocuSign Trust Center has posted alerts notifying users of two large phishing campaigns launched on May 9 and again on May 15.

The company is now advising customers NOT TO OPEN emails with the following subject lines, used in the two spam campaigns.

  • Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature
  • Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature

We recommend that you change your DocuSign password in light of this incident as an extra measure of caution.    Also, DocuSign (and other similar services) offer two-factor authentication, and we strongly recommend that you take advantage of this extra security measure.

As always, think before you click.

Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims.  As previously reported in this blog, that derivative action was dismissed on November 30, 2016.  That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches.  Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal.  The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss.  On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement.  If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach. Continue Reading Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims