RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the first pronouncement on this issue from the high court in a data breach class action lawsuit, a move long-awaited by lower courts, lawyers, and their clients in order to gain more clarity on the application of prior decisions like Spokeo in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have reported here and here, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].


South Dakota Introduces Data Breach Notification Legislation

Posted on: February 14th, 2018

By: Kacie L. Manisco

On January 23, 2018, South Dakota’s Senate Attorney Judicial Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.

The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to impose criminal penalties for the failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.

Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Cybersecurity Deadlines Approaching for Banking, Insurance, and Financial Services Companies

Posted on: February 8th, 2018

By: David A. Cole

Businesses that are subject to the New York Department of Financial Services (“DFS”) cybersecurity regulations should be aware of upcoming compliance deadlines. Don’t be fooled—these regulations may apply to your business even if you’re not located in New York. The DFS cybersecurity regulations broadly apply to any business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financials Services Law.” A full description of entities covered is listed on the DFS website.

Earlier this summer, covered entities had to meet an initial deadline requiring them to: (1) designate a Chief Information Security Officer; (2) establish a cybersecurity program; and (3) develop a written cybersecurity policy. Now, DFS has issued a press release to remind covered entities of another upcoming deadline under the cybersecurity regulations. By February 15, 2018, covered entities must submit a statement to DFS certifying their compliance with the regulations.  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

In addition, by March 1, 2018 (the one year anniversary of the cybersecurity regulations), covered entities must submit their first annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities are required to have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or period penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please talk to one of our Data Security, Privacy & Technology attorneys. We are here to help!

Enhanced Privacy and Data Security Law on Tap for North Carolina

Posted on: February 8th, 2018

By: Paul H. Derrick

A bi-partisan privacy and data security bill will soon be rolled out in North Carolina, and its impact will be significant. North Carolina Attorney General Josh Stein and State Representative Jason Saine are co-authoring “The Act to Strengthen Identity Theft Protections.”  According to a recent press release and fact sheet, they plan to seek its introduction in the State’s General Assembly during the coming months.

The bill will bring dramatic changes to North Carolina’s existing Identity Theft Protection Act, particularly in two areas: (1) the imposition of an affirmative duty to implement and maintain data security procedures and practices; and (2) a 15-day breach notification window.  Companies that experience a data breach and have failed to maintain reasonable security practices will be deemed to have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act, and each person affected by the breach would constitute a separate and distinct violation of the law.  With provisions for treble damages and attorney’s fees, even for nominal violations, data breach litigation would quickly become much more lucrative for plaintiffs’ attorneys.

The proposed bill also would require companies to notify affected individuals and the Attorney General within 15 days following discovery or notification of a breach.  That is a substantial change from the current law’s requirement that notification be made “without unreasonable delay.”  Businesses will need to have a response plan already in place in the event a breach occurs, rather than waiting until the time arrives to develop a course of action.

Other provisions in the legislation update the definition of security breach to include ransomware attacks, broaden the definition of “personally identifiable information” to include medical information and insurance account numbers, allow consumers to freeze and unfreeze their credit without charge, and provide individuals with greater access to and control over their personal data.

Because it already has strong bi-partisan support, some version of the bill will almost surely be passed into law. North Carolina employers must not wait until that happens to begin preparing for it, however.  Businesses should audit their existing internal privacy and data security programs now and immediately develop meaningful and legally-compliant safeguards in any areas that are lacking.

Please contact Paul Derrick at [email protected] or anyone in FMG’s Data Security, Privacy, & Technology practice group if you would like more information on developing and implementing privacy and data security programs. We also have extensive experience in guiding organizations through data breaches and representing clients in data breach litigation.


Posted on: January 3rd, 2018

By: Daniel C. Walsh

Image result for Happy 9th Birthday to bitcoinHappy 9th Birthday to bitcoin (“BTC”), easily one of the most controversial topics of 2017 that will surely continue to inspire debate through 2018.  Nine years ago today, the very first block on the bitcoin blockchain, also known as the “Genesis Block”, was mined, resulting in a 50 BTC reward to the miner.  While that reward was worth very little in 2009, the value in today’s dollars as of the writing of this blog is a staggering $753,750.25!

Whether you believe BTC is the next great bubble or the future world currency, most people familiar with the underlying blockchain technology agree that it is here to stay.  Blockchain allows for a public, decentralized transaction ledger that eliminates the necessity for a financial middleman.  It also prevents fraud, as each transaction requires confirmation on the network by way of complex mathematical equations solved by high powered computers.  Once a transaction is included in a block on the blockchain, it is there forever, as each subsequent block in the chain builds upon and cannot disturb the last.  Think of it like that scene in Jurassic Park where the scientists show layer upon layer of amber covering the mosquito over time, preserving the contents inside.  Thankfully (hopefully?), blockchain’s amber won’t lead to the mass production of dinosaurs…

One of the many utilizations of cryptocurrency in general, and BTC specifically, is anonymous virtual transactions (as previously discussed here).  FMG’s Data Security, Privacy, and Cyber Liability practice team frequently sees this utilization in conjunction with Ransomware attacks, wherein a hacker installs malware on a company or individual’s server that holds the data hostage until a ransom is paid.  Up until now, that ransom was usually demanded in BTC.  But with the numerous “forks” in the BTC blockchain leading to alternative cryptocurrencies such as Bitcoin Cash, Bitcoin Gold, Super Bitcoin, and the recent SegWit2x upgrade, the virtual currency landscape is becoming increasingly more complex.  Adding to this confusion are the virtual currencies aimed at total anonymity, such as Monero and Zcash, which are gaining traction in Ransomware demands, and require currency conversions from BTC, often through multiple online exchanges.  Successfully navigating this minefield when dealing with a Ransomware attack is critical to the recovery and security of your data, and FMG’s Data Security, Privacy, and Cyber Liability practice team has the knowledge and experience to help you along the way.

If you have any questions or would like more information, please contact Daniel Walsh at [email protected].