This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.
Earlier this month, an appellate panel of the federal DC Circuit unanimously held that individuals affected by a healthcare insurer’s data breach in 2014 could pursue claims against the insurer stemming from the cyberattack. In the process, the panel deepened a circuit split on the question of whether data breach victims have standing to pursue claims based solely on exposure of their sensitive personal information, while also adding significant risk of cyber-liability for companies that collect and store medical records of individuals.
In Attias v. CareFirst, Inc., the plaintiffs asserted claims on behalf of a purported class of one million customers of CareFirst, Inc. (“CareFirst”), a healthcare insurer in the Washington, DC metro area. In the 2014 cyberattack, hackers penetrated 22 computers and compromised the identifying health data of one million customers, including customer names, addresses, email addresses, subscriber ID numbers, and Social Security numbers. The plaintiffs did not allege that they had suffered any direct financial injury as a result of their identifying health data being exposed, but did allege they suffered an “increased risk of identity theft” as a result of CareFirst’s alleged negligent conduct. The district court granted CareFirst’s motion to dismiss, which asserted that the plaintiffs lacked standing to bring their alleged claims because they had not asserted either a present injury arising from the data breach or a “high enough likelihood of future injury.” Continue Reading D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing
Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order
To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.
Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported in this blog, that derivative action was dismissed on November 30, 2016. That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal. The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss. On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement. If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach. Continue Reading Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims
What does your TV-watching history say about you? According to a recent lawsuit against VIZIO, Inc., it might be more than you think! One of the world’s largest sellers of “smart” televisions has recently paid a $2.2 million settlement following charges by the Federal Trade Commission and the Office of the New Jersey Attorney General that it was unlawfully tracking and selling 11 million consumers’ viewing data. The resulting court order has important repercussions for both consumers and smart TV producers. Continue Reading Who is Watching you Watch TV? If You Have VIZIO … Your TV Might Be Watching You
When hackers steal consumer data, injury to consumers is not a foregone conclusion. This is particularly so where credit and debit card numbers are stolen. Banks, not consumers, bear the cost of fraudulent charges. Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities. As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury. Continue Reading Ruling Vacating Target Consumer Class Settlement Highlights The Problem Of Standing In Data Breach Cases
The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-Link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.
Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safe locked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the set up process for a D-Link device with an online interface. As the FTC explains in its lawsuit, claims like those made by D-Link are not only misleading but also dangerous.
Despite an apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that D-Link neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint filed in a U.S. District Court in California on January 5, 2017. These lapses, and D-Link’s deceptive advertising, prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.
As of January 10th, D-Link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.
The growing IoT problem
In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection. For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous Wi-Fi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber-attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.
Search for solutions
Both the FTC and the National Institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices. As we wrote about recently, the Obama administration had also left the Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIS. Indeed, incentivizing solutions rather than quietly overlooking mistakes, and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.
An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.