An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.
The Obama White House has grappled with cybersecurity more than any administration in history: China’s 2009 hack of Google, the 2015 Office of Personnel Management breach, and the recent investigation of Russian cyberattacks during the 2016 election, to name just a few examples. In the midst of the president-elect’s transition efforts, President Obama’s administration has published what it considers to be a blueprint for enhancing the cybersecurity capabilities of government institutions and our digital consumer society today and for years beyond Inauguration Day. Continue Reading #MLWashingtonCyberWatch: White House Releases Cybersecurity Report Aimed at New Administration
Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak
An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat
Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later. The hotel chain paid a penalty to the State of New York for its handling of that incident. The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy
In its recent decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016). Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers. In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.
The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies. Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide. Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market. However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused. Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information has been stolen. Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing. Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing
As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes. Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime. In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!
According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions. While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone. Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way
Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year. The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016. According to the company, its e-commerce website was not affected.
In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security. These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws. Read on to find out more ….. Continue Reading Eddie Bauer Latest Victim of POS Malware Attack
Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often: KNOW THY VENDORS.
Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches. Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, providers. This attack is notable for all companies and not just healthcare providers covered by HIPAA. Reportedly, the attack occurred through the computer systems that process food and beverage purchases in the Banner system. In the incident, according to reports, the hackers gained access to the larger systems through the point-of-sale computer system that processes food and beverage purchases. The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17. Continue Reading To Protect Data: Keep Your Network Access Close, and Your Vendors Closer
In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach. The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors. The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims. The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors. The SLC then moved to dismiss, as did Target and the defendant officers and directors. Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases
Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.
Some changes of note
Tennessee is our most recent state to amend its existing state data breach notification law. Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:
- Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
- Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
- Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”
California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015. Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on the Mintz Matrix when consulting various states.
What should you do now?
Spring cleaning. Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line. In particular:
- Note tightened response deadlines (Rhode Island, Tennessee)
- Add identity theft prevention or identity theft mitigation services (Connecticut, California)
- Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
- Revise notice templates to comply with the new California format
As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!