Report Links Cyberattacks on U.S. Companies to Chinese Military

On Tuesday, the U.S. cybersecurity firm Mandiant released a 60-page report detailing the activities of a hacking collective it claims has direct ties to China’s military. The firm has linked the collective to cyberattacks on more than 140 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity—carried out by a group called the “comment crew”—can be traced to four networks near Shanghai, with some of the activity occurring in a nondescript building on Datong Road—the headquarters of Unit 61398, a secret wing of the People’s Liberation Army.

The report notes that the hackers have a “well-defined attack methodology” that has enabled them to steal large volumes of intellectual property, including technology blueprints, proprietary manufacturing processes and business plans.

In the wake of the report, two recent victims of cyberattacks—The New York Times and The Wall Street Journal—have published editorials that are outwardly critical of China. Both publications pressed President Obama to confront China more aggressively and publicly on its cyber espionage.

ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other categories of data. 

Following an investigation, the ICO declared that the breach had been “preventable” had software been kept up to date, and stated that “[Sony] is a business that should have known better”. 

The monetary penalty notice redacts key details of the breach -- such as the precise number of Sony Playstation accounts affected -- but nevertheless reveals interesting details about how the ICO reached its decision to fine Sony £250,000, of which other companies should take note.

In particular, the notice cites aggravating factors, including, for example, the “vast amount” of personal data affected, and the ICO’s belief that Sony “should have been aware of the software vulnerability” that led to the breach.  The notice also cites mitigating factors that presumably reduced the scale of the fine, including, for example, the complexity of the Sony Playstation Network, a lack of previous security breaches, the fact that no complaints were received by Sony after the breach, and Sony's behaviour following the breach (Sony voluntarily reported the breach to the ICO, informed data subjects, and fully cooperated in the investigation).

A short YouTube video of David Smith, Deputy Commissioner and Director of Data Protection at the ICO, commenting on the breach was also released.

Florida Data Security Claims Survive Motion to Dismiss

Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC.  The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions.  The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012.  Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund. 


Australian Government Launches Discussion Paper on Privacy Breach Notification

By Shamma Iqbal and Fredericka Argent

This month, following an inquiry by the Australian Law Reform Commission (“ALRC”) into the effectiveness of the Australian Privacy Act 1988, the Australian government launched a discussion paper which calls for views from the public on whether a mandatory data breach notification scheme should be introduced in Australia. This scheme refers to a legally-binding obligation to provide notice to the relevant authority and any affected persons where the party in charge of protecting personal information unlawfully or accidentally breaches their security obligations -- for example by destruction, loss or unauthorised disclosure of information. The paper recognises the importance of a data breach reporting requirement in light of the increasing amount of personal data held by public and private organizations in Australia, often in electronic form, which are vulnerable to theft and loss.

The paper analyses the pros and cons of introducing a mandatory data breach notification scheme, weighing up arguments such as the onerous costs of compliance and the effectiveness of the current voluntary guidelines issued by the Office of the Australian Information Commissioner (“OAIC”) against the positive effects of a legally-binding scheme, such as:

• Allowing the affected person to mitigate the consequences of the breach;

• Providing an incentive for organizations holding personal information to adequately secure information;

• Enabling data breach incidents to be tracked and information on breaches to be provided in the public interest; and

• Maintaining public confidence in the legislative privacy regime.


Texas Data Breach Amendment Takes Effect; Connecticut On Deck

This week, the much talked-about amendments to Texas’s breach notice statute took effect.  We previously blogged about these amendments, which are unprecedented in scope.  With the amendments, the Texas statute now requires entities doing business in Texas to notify “any individual” whose “sensitive personal information” is acquired in a breach (unless the information is encrypted).  The statute makes clear that the “individuals” who must be notified include not only Texas residents but also “residents . . . [of] another state that does not require [the breached entity] to notify the individual of a breach.”  This provision appears intended to require notice to be provided to affected residents of the four states without breach notice laws: Alabama, Kentucky, New Mexico and South Dakota.

No other state breach notice statute purports to require notice to non-state residents.  So this feature of the amendments alone renders them unprecedented, but as our previous post noted, the statute might also be construed to require notice to non-residents even in states that have breach notice laws.

Connecticut also recently amended its breach notice law.  Under the amended version of the statute (which takes effect on October 1, 2012), entities that are required to notify Connecticut residents of a data breach must also notify the Connecticut Attorney General.  Notably, the Attorney General must be notified “not later than the time when notice is provided to the resident.”  Connecticut joins more than a dozen other states that have regulator notice requirements.

Data Security Top Concern of Directors, GCs

A recent survey of public company directors and general counsel reveals that data security risk is the top legal concern among both key governance groups.  According to the 12th annual Law and the Boardroom Study by Corporate Board Member and FTI Consulting, 48% of directors and 55% of general counsel noted data security as their principal legal concern, putting the issue ahead of concerns such as operational risk, company reputation, and internal controls.  The survey notes that concerns about data security have become particularly urgent in recent years.  2012 marks the first time data security has topped the survey’s list, and the level of concern has nearly doubled in the past four years; in 2008, only 25% of directors and 23% of GCs noted data security as a major area of risk. 

Given this level of concern, it is somewhat surprising that, according to the study, fewer than half of the directors surveyed said their companies had a formal incident response plan.  We have noted before the crucial importance of an incident response plan for redressing the legal and reputational risks that may arise from data security incidents.  (David Fagan and I wrote a short piece for Corporate Counsel on incident response that provides some general tips on this topic.)

It’s also worth noting that the Federal Trade Commission recently has suggested in a consent-decree action that failure to maintain an incident response plan could constitute an unreasonable data security practice and thereby run afoul of Section 5 of the FTC Act’s prohibition against unfair or deceptive acts or practices.  The Commission’s recent complaint against EPN, Inc. noted that the company “failed to provide reasonable and appropriate security for personal information on its computers and networks [by] . . . [f]or example, not hav[ing] an incident response plan.” 

The FTC's Lawsuit Against Wyndham

By Ryan Mowery

Last week, the FTC filed suit in federal court against global hospitality firm Wyndham Worldwide Corporation in connection with a series of data breaches affecting Wyndham and its subsidiaries between 2008 and 2010.  The complaint alleges that Wyndham misrepresented the security measures it employed to protect consumers’ personal information and that consumers were harmed by Wyndham’s failures to provide reasonable security for that information.  The FTC asserts that the alleged misrepresentations amounted to “deception” in violation of Section 5 of the FTC Act, while the failure to employ reasonable security measures violated the FTC Act’s prohibition against “unfair” acts. 


Sen. Toomey's Federal Breach Notification Bill Would Preempt More Restrictive State Laws

Sen. Pat Toomey (R-PA) recently introduced a bill in the United States Senate that would establish a federal breach notification requirement for certain companies and preempt state breach notification laws that are currently in effect for 46 states.  The Data Security and Breach Notification Act of 2012, S.3333, would require companies that “collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.”  Toomey cited the “messy patchwork of 46 different state laws” that companies must account for in responding to a data breach, and asserted that, by preempting those laws, his bill would “establish a single reasonable standard for information security and breach notification practices.”

The bill applies to entities that are subject to the Federal Trade Commission’s jurisdiction under Section 5 of the FTC Act, and “common carriers subject to the Communications Act of 1934.”  S.3333 would not apply to financial institutions that are covered under Title V of the Gramm-Leach-Bliley Act or covered entities that are subject to breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


Settlement Reached in Data Security Breach Lawsuit Against Bank

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers.  The company brought suit against Professional Business Bank alleging, among other claims, that the bank failed to comply with the Federal Financial Institutions Examination Council’s (FFIEC) authentication guidance from 2005 and other FDIC guidance on identity theft.  Specifically, Village View’s complaint alleged that the bank used only single-factor authentication, as opposed to the multifactor authentication called for by the FFIEC guidance.  The company announced that the settlement amount included the full amount of lost funds plus interest from the bank.   

The lawsuit and settlement are noteworthy insofar as they underscore the potential significance of the FFIEC guidance, including the FFIEC’s release in 2011 of a supplement to its authentication guidance, in mitigating both regulatory and litigation risk.   

Privacy at a cost? Recent smart meter litigation in Maine

By Nigel Howard, Jessica Milner and Mark Johnson

Interesting questions are arising in relation to how to implement an “opt out” for smart meters.  In many states, customer unease about the privacy and safety concerns associated with smart meters has resulted in new legislation or regulations that give customers the ability to decline the installation of a smart meter.  However, smart meters enable energy efficiency and cost savings, so should customers that opt out have to pay more?

This question arose last month in the Maine Supreme Court in the case of Friedman v. Maine Public Utilities Commission and Central Maine Power Company. The court heard an appeal from the Maine Public Utilities Commission’s dismissal of a complaint raising concerns over smart meter technology, including privacy and security issues.


Responding to a Data Breach: A Short Article on Best Practices

The costs associated with a data security breach can be substantial.   In addition to addressing the security issue that gave rise to the breach, companies often must assess notice obligations under federal and state law, manage public relations challenges, and work to rebuild consumer trust.   The costs--in terms of time and resources--needed to accomplish these tasks can easily reach into the millions of dollars.  Considering potential additional losses of business and customer goodwill, the overall effect of a breach can be devastating. 

Fortunately, recent studies have shown that companies can significantly mitigate the costs of a breach by putting in place strong incident response procedures.  For instance, the most recent Ponemon study on the costs of a breach reported that from 2010 to 2011, the average overall cost of a breach declined from $7.2 million to $5.5 million.  The study states that “[t]his decline suggests that organizations represented in [the] study have improved their performance in both preparing for and responding to a data breach.”    

The improvement identified in the Ponemon study aligns with our recent experience: more clients have come to us with questions about what they can do to prepare for and respond to breaches more effectively.  Although every company--and every breach--is different, we think there are about ten basic elements that a company should consider when thinking about incident response.  My colleague Steve Satterfield and I recently wrote about these elements in this article published in Corporate Counsel.  Again, there is no one-size-fits-all approach to these issues, but we thought this article might provide a useful starting point for attorneys and other information security professionals as they consider implementing or strengthening their companies’ incident response procedures.    

Vermont Amends Breach Notice Requirements

Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers.  Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general with a general description of the incident and certain other information.  Vermont law continues to require businesses to notify consumers of breaches that trigger the notification obligation “in the most expedient time possible and without unreasonable delay.”  However, the amendment imposed an outside window of 45 days to notify consumers. 

The amendments also changed the definition of “security breach.”   Prior to the amendments, “security breach” was defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity” of the data.  The amended language defines a “security breach” as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of the data.  This language is narrower insofar as mere access to data is no longer sufficient to trigger a notice obligation, which is now tied only to the acquisition of data.  It is also broader, however, insofar as either the acquisition or a reasonable belief of the acquisition of data may trigger a notification obligation. 


Supreme Court Refuses to Hear Class Action Suit Stemming From Data Breach

Last week, the U.S. Supreme Court declined to hear an appeal of a Third Circuit Court of Appeals decision that put an end to a proposed class action lawsuit stemming from a data breach.  The suit, Reilly v. Ceridian Corp., was brought by two individuals who were among approximately 27,000 employees at 1,900 companies whose personal and financial information was contained in a payroll processing company computer system breached by an unknown hacker in December 2009.

The plaintiffs brought numerous claims, including negligence and breach of contract, against the payroll processing company and alleged that as a result of the breach they have suffered an increased risk of identity theft, incurred costs to monitor their credit activity, and suffered emotional distress.  In December 2011, the Third Circuit affirmed the lower court's ruling that the plaintiffs' claims of harm caused by the data breach were too speculative and that, as a result, the plaintiffs did not have standing to bring the suit. 

In their petition to the Supreme Court, the plaintiffs argued that the high Court should hear their case in order to resolve a conflict among several Courts of Appeals.  According to the plaintiffs, at least three Courts of Appeals have found standing in data breach cases where no resulting identity theft had occurred, on the theory that the threat of future harm or increased risk of future harm constituted injury for the purpose of establishing standing.  The Supreme Court denied the plaintiffs' petition and will not hear the case.


Republican Senators Introduce SECURE IT Act

Yesterday Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT Act). The bill’s cosponsors include Senators Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC).

In a hearing in the Senate Committee on Homeland Security and Governmental Affairs last month, Senator McCain expressed procedural and substantive concerns about the “Cybersecurity Act of 2012,” S. 2105, which was sponsored by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV), and he announced his intention to put forward a competing cybersecurity bill.

One of the main differences between the two bills is the amount of government regulation they envision. The Cybersecurity Act of 2012 proposes that the Department of Homeland Security (DHS) make risk-based designations of covered critical infrastructure (CCI) and establish cybersecurity performance requirements for CCI, in consultation with the CCI owners and operators. The SECURE IT Act, on the other hand, does not propose any government regulation of privately owned critical infrastructure, nor does it include identification or designation of such infrastructure. In a statement released yesterday by the co-sponsors of the SECURE IT Act, Senator Murkowski emphasized that the bill employs “a partnership approach between the government and private entities.”


Class Action Filed Following Zappos Data Breach

A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com.  An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not impacted, but stated that names, email address, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and/or cryptographically scrambled passwords (but not actual passwords) may have been improperly accessed.

The complaint, filed in the United States District Court for the Western District of Kentucky (the location of the purportedly compromised servers), includes claims for violation of the Fair Credit Reporting Act, negligence, and invasion of privacy.  The complaint alleges that the named plaintiff and proposed class members now are subject to a heightened risk of identity theft and will have to spend time changing the passwords on their Zappos.com accounts as well as other accounts with the same or similar passwords.

Amendments to California, Illinois Data Breach Laws Now in Effect

As we've previously noted, California and Illinois recently enacted amendments to their data security breach notification laws.  The amendments took effect this week. 

California’s changes are the more notable.  For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify the state attorney general.  Although more than a dozen states have laws with similar regulator notice requirements, California’s is unique in that it requires the notice to be submitted electronically.  The California attorney general has created an online reporting form that seeks basic information about the incident and a sample copy of the notice letter that is provided to individuals. 

Also noteworthy is the fact that both laws now require that notices to individuals contain specific contents, including, for example, the contact information for major consumer credit reporting agencies.  California’s law requires that the individual notice be written in “plain language,” another unprecedented requirement in this area. 

Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.


Congress Continues to Ponder Data Security Legislation

Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

  • expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
  • delete special requirements for information brokers;
  • restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
  • expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).

First Circuit Holds That Mitigation Costs Are Sufficient To Support Claims in Card Breach Case

Reversing the decision of the lower court, the U.S. First Circuit Court of Appeals recently held in Anderson v. Hannaford Bros. Co. that under Maine law, claims for breach of contract and negligence can be premised on the cost of replacing credit/debit cards whose numbers had been breached and the cost of credit insurance where the card numbers had been intentionally stolen by sophisticated thieves who actually used that data for fraudulent purposes.  In reaching this conclusion, the court’s novel opinion differentiated numerous cases in which courts have held that similar claims of damages were insufficient to allow cases to move forward.  Although reaching a novel result, the First Circuit decision in Hannaford might have limited effect on future litigation because of the rather unique fact pattern on which the court of appeals’ opinion rests.


SEC's Division of Corporation Finance Issues Guidance on Disclosing Cybersecurity Risks

By David Fagan & Steve Satterfield

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue. 

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks--and incidents--have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups. 


