Archives: Data Breach

Subscribe to Data Breach

Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks. Continue Reading The General Data Protection Regulation in Bullet Points

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.

Massive Data Breaches

The year began inauspiciously, with one of the largest data breaches to ever hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned over 14 states, and included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:

Premera Blue Cross (11 million individuals affected)

Carefirst BlueCross BlueShield (1.1 million individuals affected)

UCLA Health (4.5 million individuals affected)

Excellus (10 million individuals affected)

One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer system. The analysts concluded that their breach had occurred as early as December of 2013. UCLA Health faced similar delays in identifying their breach. One reason for this may be a result of another common thread: the advanced nature of the attacks. While not independently verified, a number of the affected entities have reported that the acts were “very sophisticated.” While the culprits of these mega-breaches have not been identified by name, many suspect state sponsorship of the attacks by China. Continue Reading HIPAA and Health Care Data Privacy – 2015 in Review

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
  • • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
  • • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;
  • • Provide all assessments to FTC;
  • • Keep records relied on to prepare each annual assessment for three years; and
  • • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products, the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet, and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the KidConnect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide

Two years after the massive holiday season theft of customers’ payment card data from Target point of sale terminals, the Target data breach litigation appears to be entering its final act.  On Tuesday, December 1, Target entered into a settlement agreement with a class of banks and financial institutions that issued the credit and debit cards that were compromised in the 2013 event.  The settlement was the result of negotiations following closely on the heels of an order by the court certifying a card issuer class.  This last settlement resolves card issuers’ claims that were not previously resolved in Target’s August 2015 settlement with Visa, which provided $67 million to resolve claims made by Visa card issuing banks under Visa’s fraud resolution process.  Also separate from this settlement is the $10 million settlement of the claims of consumers whose cards were compromised by the data theft, which Target concluded with the consumer class in March 2015. Continue Reading Target and Card Issuers Reach Final Data Breach Settlement

To take a step back from our continuing analysis of the situation and developments in Europe,  there are other things going on in the privacy and data security world!   Our October Wednesday Webinar is coming up and we will take a walk on the wild side:  data security litigation.    Registration is open now! Read more – Continue Reading Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation

As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves.  That very same day saw the first class action complaint arising from the breach was filed in federal court in San Diego.  Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place.  Plaintiff’s allegations parrot facts reported by Brian Krebs – that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having access to customers’ Social Security Numbers.  Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers.  Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach.  Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014 – itself an event discussed in the Krebs report on the Scottrade breach.  Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade failed to do so.

The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs.  Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.

This Is The End?

Settlement appears imminent in an employee class action against Sony Pictures Entertainment (“SPE”) arising from disclosure of their personally identifiable information (“PII”) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  A stipulation filed earlier this week by plaintiffs and SPE notified the court of the imminent settlement.  Terms of the settlement are as yet undeclared, but will become known on or before October 19, the deadline set in the stipulation for filing a motion for preliminary approval of the settlement.  Any classwide settlement will be subject to court approval after notice to members of the proposed class, who will have the right to object or to opt out of the settlement entirely. Continue Reading Sony: Stipulation Announces (but does not disclose) Employee Data Breach Class Settlement

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach.  Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor.  The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data.  In their class certification motion, the banks focus heavily on Target’s alleged data security failings.  They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices.  Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.

To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states.  Were the court to find that each bank’s claim is subject to the law of its state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.

Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges.   Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else.  In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification.  Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach.  It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.

Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes.  Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiff’s motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims.  Plaintiffs make no attempt to address that issue either.  Given their conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes mean a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.

Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal.  Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.

Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks.   Register here for our next Wednesday Webinar on this important topic and read on –   Continue Reading The Third Party Vendor Risk to Your Data – Wednesday Webinar