Archives: Data Breach

Everyone loves a good courtroom drama.  So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system.  Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees.  Their most intimate secrets, spilled over the Internet.  Who can help these poor souls?  Why, the brave and hard working class action lawyers, that’s who.  Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice.  Think “The Manchurian Candidate” meets “Erin Brockovich.”

But real life is rarely like the movies, even when it involves the movies.  Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”).  The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  And class action litigation predictably followed.  But the evil wrongdoers who faced the wrath of class counsel?  Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime.  So SPE, the studio victimized by the hack, would have to do.

Continue Reading It’s A Wrap! Sony Pictures Data Breach Case Settles Without A Hollywood Ending For The Plaintiff Class

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.

In addition to providing a comprehensive analysis of four years of data breaches, the report offers an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and Social Security numbers.  OPM serves as the human resources department, and holds employee records, for the entire federal government; those records range from security clearance files to the identities of covert CIA agents.  Every federal agency is potentially affected by this breach.  Notifications to affected employees will begin going out on Monday, June 8, via email or US mail.  OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security.  Unfortunately, that effort is what detected the intrusion; it was not in place early enough to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private-company breach victims as a glowing example of how easily hackers can get into even the most fortified government-controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

Written by Adam Veness

Wyndham Hotel & Resorts LLC (“Wyndham”) has filed a Motion to Dismiss the Federal Trade Commission’s (the “FTC”) Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008.  More information about the FTC’s Complaint can be seen in an earlier blog post here.

The Wyndham counter-volley takes an interesting approach.  In its Motion, Wyndham argues that the FTC lacks authority under Section 5 of the FTC Act to regulate data security standards.  Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Notably, Wyndham does not dispute that the FTC may bring enforcement actions against companies that make “deceptive” statements to consumers, i.e., misleading statements in a company’s privacy policy.  Wyndham contends, however, that the FTC is overextending its authority to regulate “unfair” acts or practices by attempting to regulate data security standards for the private sector.

As an example, Wyndham lists various statutes that grant the FTC explicit authority to regulate data security standards in specific contexts:

  • The Fair Credit Reporting Act – imposes requirements for the collection, disclosure, and disposal of data collected by consumer reporting agencies;
  • The Gramm-Leach-Bliley Act – mandates data-security requirements for financial institutions; and
  • The Children’s Online Privacy Protection Act – requires websites to establish and maintain reasonable procedures to protect the confidentiality and security of information gathered from children.

Wyndham asserts that the FTC’s authority to regulate data security standards is limited to specific circumstances, and that Section 5 of the FTC Act does not provide the FTC with the broad authority upon which it relied in bringing its enforcement action against Wyndham.

As further support for its claim, Wyndham cites the FTC’s Report to Congress in 2000 (the “Report”).  In the Report, the FTC admitted that it “lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites, or portions of their Web sites, not directed to children.”  What’s more, in the Report, the FTC asked Congress to enact broader legislation requiring websites to “take reasonable steps to protect the security of the information they collect from consumers” and “provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act.”

The implications of Wyndham’s Motion are far-reaching.  Indeed, if the court finds for Wyndham and dismisses the FTC’s enforcement action, the FTC will likely have a tough road ahead when attempting to settle future claims with companies that have suffered from data breaches as a result of inadequate data security standards.  Such a ruling for Wyndham could potentially provide enough ammunition to prompt Congress to step in and grant the FTC the authority that it requested over a decade ago in the Report.  Wyndham’s Motion brings to light a possible gap in the FTC’s authority to regulate data security standards, despite all of the settlements that the FTC has made with companies on the basis of that authority.

This is an argument worth watching.  Stay tuned.

Can you identify the major problems lurking in this one short paragraph?  We’ve given you some help.

The UCLA Health System has notified more than 16,000 patients that their PHI was stolen during a home invasion at the residence of a former employee.  The PHI was stored on an external hard drive.  Although the data were encrypted, the password, which was written on a piece of paper kept next to the drive, is also missing.  The stolen information included names, addresses and health information; it did not include Social Security numbers or financial information.

For those keeping score: PHI left the organization on a portable drive, it remained in the hands of someone who no longer worked there, and the key to the encryption was stored with the encrypted data.  Encryption at rest only protects data while the key stays separate from the device.  Once the password travels with the drive, the data has to be treated as if it were stored in the clear, which is why this incident is a notification event rather than a non-event.

This is “bulletin board material” for privacy professionals who deal with complaints relating to security requirements.  Save it.  Print it.

The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks.    This release is from the Commission’s Division of Corporation Finance and is not a rule or regulation — but it is clear that public companies that ignore the advice in the Disclosure Guidance and fail to assess and disclose material cybersecurity risks could face regulatory and legal action.

A full discussion of the Disclosure Guidance has been prepared in a Mintz Levin Client Advisory and is here.

A key point from an information management perspective is that the plain language of the Guidance can only be interpreted as calling for particular and specific (non-generic) disclosure if the risk of cyber attack or data breach is reasonably likely to be material to a public company.   The Guidance discusses not only what is thought of in terms of privacy and data breaches, but also cyber attacks that could result in the theft of material intellectual property.  The SEC staff gave as an example: 

if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

A company can only make accurate disclosure of risks if a risk assessment is undertaken to determine if, and what, disclosure is required.   Directors and officers outside the traditional information technology/security management circle will need to pay greater attention to these potential disclosure issues.

The Guidance may impact the traditional breach notification process as well.  Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financial statements and whether other SEC filings (such as a Form 8-K) should be made in connection with a data breach.

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) Introduces Data Security Bill

Written by Julie Babayan

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has introduced a data security bill that would require certain business entities that store personal data to implement data privacy and security programs, modeled after those established for financial institutions to protect customer information.  Notably, the bill provides for a national standard for breach notification and tough criminal penalties, including up to five years in prison, for individuals who intentionally conceal the fact that a data breach has occurred when the breach causes economic damage to one or more persons.  The bill also requires data brokers that are not already subject to privacy and data security obligations under existing laws, such as the Fair Credit Reporting Act and Gramm-Leach-Bliley, to disclose to an individual upon request all personal electronic records regarding that individual, and to notify an individual under certain circumstances where a party has taken an adverse action based on the broker’s data.  In a provision relevant to government contractors, the bill would require the General Services Administration to consider a contractor’s history of data breaches and data privacy and security programs when awarding contracts of more than $500,000.

While Leahy has introduced a version of the bill in every session of Congress since 2005, he noted in a statement that recent data breaches, like those at Sony, Epsilon and Lockheed Martin, as well as Google’s announcement of an “apparent state-sponsored cyberattack” on Gmail from China, emphasize the need for a national strategy on privacy and cybersecurity. 

Certain provisions in the bill mirror suggestions in the May 12, 2011 Obama Administration Cybersecurity Legislative Proposal, such as the bill’s breach notification provision, as well as a provision updating the Computer Fraud and Abuse Act so that attempted computer hacking and conspiracy to commit computer hacking are subject to the same criminal penalties as the underlying offenses.

UPDATE — link to interesting article from Channel Insider.


Back in March, we reported on a massive and sophisticated attack on RSA Security’s well-known SecurID tokens, used by millions of corporate workers to access sensitive corporate networks.  Yesterday, RSA, the security unit of EMC Corp., posted a letter to customers on its website acknowledging for the first time that information taken in that attack had been used in the intrusion at defense contractor Lockheed Martin Corp.   In an interview with the Wall Street Journal [registration may be required], RSA Chairman Art Coviello said that the company is offering to replace SecurID tokens “for virtually every customer we have.”

Reuters first reported on a “tenacious” external cyberattack on the Lockheed Martin systems and those of several other US defense contractors on May 27.    The Reuters piece first raised the specter that data stolen from RSA was at the root of the attack:

The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.

EMC declined to comment on the matter, as did executives at major defense contractors.

Rick Moy, president of NSS Labs, an information security company, said the original attack on RSA was likely targeted at its customers, including military, financial, governmental and other organizations with critical intellectual property.


The “security press” has also been ruminating for some days now about whether the compromise of the RSA token seed data was actually at the core of the Lockheed Martin breach.  Some good reading:  New York Times on May 27,  The Raw Story on May 27, Reuters on May 27, InfoSecurity on May 30.
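To make concrete why RSA’s only real remedy was to replace tokens, here is an added example; it is not code from the original post and it is not RSA’s proprietary SecurID algorithm.  It uses the open RFC 4226/6238 HMAC one-time-password scheme as a stand-in, and the token seed, the timestamp and the “replacement” seed are all constructed for the demonstration.  The point it shows is the one the Reuters report makes: whoever holds a token’s secret seed can compute the same code as the token for any time value, so the authentication server cannot tell the clone from the genuine token, and only provisioning a fresh seed (a replaced token) shuts the clone out.

```python
# Added example (not from the original post, not RSA's SecurID algorithm):
# RFC 4226 HOTP / RFC 6238 TOTP used as a stand-in to show what a stolen
# token seed buys an attacker, and why re-seeding is the only remedy.
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts codes from +/- `window` steps to absorb clock
    drift, and compares in constant time so the check itself leaks nothing."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta, digits), candidate):
            return True
    return False


def seed_compromise_demo(now: int = 1_700_000_000) -> dict:
    """Walk through the breach scenario with constructed data."""
    # Constructed: the per-token seed as a vendor would provision it (hypothetical value).
    token_seed = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")

    # The attacker copies the seed record; nothing else about the token is needed.
    attacker_seed = token_seed
    genuine = totp(token_seed, now)      # what the real token displays
    forged = totp(attacker_seed, now)    # what the attacker computes offline
    accepted_before = verify_totp(token_seed, forged, now)

    # Remedy: the vendor replaces the token, i.e. provisions a fresh seed and
    # the server is updated to it. The attacker still only has the old seed.
    replacement_seed = hashlib.sha256(b"replacement token " + token_seed).digest()[:20]
    accepted_after = verify_totp(replacement_seed, totp(attacker_seed, now), now)

    return {
        "genuine": genuine,
        "forged": forged,
        "forged_accepted_before_reseed": accepted_before,
        "forged_accepted_after_reseed": accepted_after,
    }


if __name__ == "__main__":
    for key, value in seed_compromise_demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the genuine and forged codes (identical) followed by the two acceptance results.  The practical lesson for defenders is that after a seed-database compromise, tightening the server’s acceptance window or watching for odd login times does nothing, because the attacker has exactly the inputs the server has; re-seeding is the fix, which is what RSA’s replacement offer amounts to.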


Our Friday feature is back!

  • FTC Imposes Largest Civil Penalty Ever for Violation of Children’s Online Privacy Protection Act (COPPA) – Magic Kingdom Subsidiary Pays Up

The Chairman of the Federal Trade Commission, Jon Leibowitz, said:  “It’s the law, it’s the right thing to do, and, as today’s settlement demonstrates, violating COPPA will not come cheap.”

Amidst allegations that a major online game developer – a subsidiary of Disney Enterprises, Inc. – illegally collected and disclosed personal information from hundreds of thousands of children under age 13, the FTC yesterday released a consent judgment against Playdom, Inc. and one of its executives imposing a $3 million civil penalty – the largest civil penalty ever for violation of COPPA.

According to the FTC complaint, Playdom, Inc., a developer of online multiplayer games, and the company’s Chief Executive Officer, Howard Marks, operated approximately 20 online virtual world websites that enabled users to access online games and other activities.  The FTC alleged that in over 1.2 million instances, defendants collected, used or disclosed the personal information of children in violation of COPPA.  Specifically, the complaint asserted that the defendants (1) collected children’s personal information and enabled children to publicly disclose their personal information through personal profile pages and community forums, which contradicted statements made by the defendants in their privacy policy, (2) used a privacy notice that “did not clearly, completely, or accurately” disclose all of the defendants’ information collection, use and disclosure practices for children, (3) failed to provide parents with a direct notice of their information practices prior to the collection, use and disclosure of children’s personal information, and (4) did not obtain verifiable consent from parents prior to such information processing, as required by the FTC rules implementing COPPA.

More reading:

Mercury News

Bloomberg News

  • Lawrence, Massachusetts Alley Reveals Hundreds of Illegally Dumped Personal Records

When you see a story like this, the reaction is “There oughta be a law!”   In this case, there is.   Despite the Massachusetts law (M.G.L 93H) establishing standards for “proper” disposal of records containing personal information – and setting civil penalties for “improper” disposal —  a public alley in Lawrence, Massachusetts is the resting place for many garbage bags overflowing with sensitive personal information and dumped papers in clear view, including blank checks, Social Security cards, and patient records from a doctor’s office.  According to published and broadcast reports, after discovery of the dumping, many of the bags had been removed from the alley by unknown persons.  Lawrence officials are still investigating – but there has been no comment from the Massachusetts Attorney General’s office (charged with enforcing the Massachusetts statute) on the matter.

  • PIN Pad Tampering Probe at Michaels Craft Stores Expands

Texas-based arts and crafts store Michaels announced that besides Chicago, PIN pads in 19 additional states were tampered with. Michaels released a statement on May 4 stating its Chicago-area customers should monitor their accounts as a result of PIN pad tampering in area stores.

Although Michaels identified fewer than 90 PIN pads that were affected, it removed 7,200 similar PIN pads from stores nationwide as a precaution. It intends to replace the removed PIN pads within 15 days. The company again urged customers to monitor their bank accounts and to inform their financial institutions if they discover unusual activity.

The states affected are Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina,  New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

More reading – BankInfoSecurity

Last week, we introduced the “Privacy Webinar Wednesday” educational series with Data Privacy and Security Issues for the Not-for-Profit:  201 CMR 17.00, PCI, and Other Acronyms You Should Know.  It was incredibly well-received – over 150 registrants.   We’ll be presenting various privacy and security issues on the first Wednesday of the month.

In case you missed it, the replay is available here.

The next Webinar Wednesday program in our series is scheduled for Wednesday, June 1: Privacy and Security Under HIPAA/HITECH In an Age of Heightened Enforcement.   Registration information will be posted here when available.