Data Breaches

A federal judge in the Northern District of Illinois has denied Neiman Marcus Group LLC’s (“Neiman”) motion to dismiss a consumer class action lawsuit arising from a December 2013 data breach at the retailer that exposed about 350,000 credit cards.  As we previously reported, the plaintiffs sued Neiman alleging various claims arising from fraudulent

By Ani Gevorkian

The issues of data breach notification and data security received a fair amount of attention in the House this week:  On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.

The bill approved on Wednesday—the Data Security and Breach Notification Act—is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT).  It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach.  It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.
Continue Reading House Focuses on Data Breach Bills

By Mark Young and Tom Jackson

On February 20, 2015, the Information Commissioner’s Office (“ICO”) fined Staysure.co.uk Ltd (“Staysure”), an online travel insurer, £175,000 for failing to protect its customers’ personal data.  In addition to technical vulnerabilities, the ICO took into account Staysure’s lack of security policies and practices when levying the fine.

In short, Staysure had failed to implement processes to ensure that key software updates were applied, leading to vulnerabilities in the company’s IT systems.  As a result, hackers gained access to customers’ personal details, medical data, and payment card information, including over 100,000 sets of credit card details relating to more than 90,000 individual customers.  These stolen details were then used in relation to more than 5,000 fraudulent transactions.
Continue Reading ICO Fines Insurance Company £175k for Data Security Breach, Criticising Lack of Policies

By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.


Continue Reading Top 10 U.S. Privacy Developments of 2014

The U.S. Senate Committee on Commerce, Science, and Transportation held a hearing on February 11, 2015, entitled The Connected World: Examining the Internet of Things.  The panelists included Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology; Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center; Lance Donny, CEO of OnFarm; Douglas Davis, Vice President and General Manager of Intel’s Internet of Things Group, and Michael Abbott, General Partner at Kleiner Perkins Caufield & Byers.

While the hearing covered a variety of Internet of Things (IoT) related topics, an overarching theme the Senators contemplated was how to strike the appropriate balance between encouraging IoT innovation and protecting privacy and data security.  The opening statements of Chairman John Thune (R-SD) and Ranking Member Bill Nelson (D-FL) laid out the basic concerns underlying each side of this consideration.  Chairman Thune suggested the Committee “tread carefully and thoughtfully before stepping in with a ‘government knows best’ mentality that could halt innovation and growth” while Ranking Member Nelson called talk of overregulating a red herring and stressed that the “promise of the Internet of Things must be balanced with real concerns of privacy and the security of our networks.”  But concern about overregulation cut across party lines.  Senator Cory Booker (D-NJ), for instance, noted that government efforts in the IoT space should not “inhibit a leap in humanity.”
Continue Reading Senate Holds Internet of Things Hearing

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach.  Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177), this week in the Senate.  The Senate bill is also a re-introduction of a previous bill, which would provide FTC-enforced security standards and individual breach notifications.

Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions.  According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account.  Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information.  Following a breach, entities would have to notify the affected individuals, in addition to the FTC.  The FTC and state attorneys general would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations.  The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
Continue Reading Data Breach Notification Bills Introduced in House and Senate

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 currently existing state data breach laws with a national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.
Continue Reading House Debates Federal Data Breach Legislation

Tomorrow at 10:00 a.m., the House Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing to determine what elements should be included in federal data-breach legislation.  The following witnesses are scheduled to testify:

  • Elizabeth Hyman, Tech America Executive Vice President of Public Policy
  • Jennifer Glasgow, Acxiom Chief Privacy Officer
  • Brian Dodge, Retail Industry Leaders

By Randall Friedland

California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report.   The report provided statistics and analysis related to data breaches that were reported to the Attorney General’s office in 2013.  The report also outlined suggested best practices and provided recommendations on ways to improve data security.

Statistics

The report documented a clear upward trend in both the number of data breaches and those affected by such breaches.  For instance, in 2013, there were 167 data breaches reported in California, which is an increase of over 28 percent from the 131 data breaches reported in 2012.  Additionally, the records containing personal information of over 18.5 million California residents were compromised in 2013—a 600 percent increase from the previous year.  Even if the two largest data breaches involving retailers were excluded from this calculation, California still experienced a 35 percent increase in the number of records affected by data breaches. 
Continue Reading California Attorney General’s Second Annual Data Breach Report Finds Dramatic Increase in Number of Data Breaches

Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:

1.  Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.

California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines information that a business “maintains” in the negative, as information that the business does not own or license.

For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
Continue Reading California Amends Data Breach Legislation