FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Google, The Supremes & Cy Pres

Posted on: June 14th, 2018

By: Samantha Skolnick

At the end of April, the U.S. Supreme Court granted a petition for certiorari in Frank v. Gaos, No. 17-961, 2018 WL 324121 (U.S. Apr. 30, 2018). The Court will decide whether a class-action settlement involving Google met federal law requirements when $5.3 million of the $8.5 million settlement fund was distributed to outside groups rather than to class members. The question presented: “Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class members must be ‘fair, reasonable, and adequate.’”

Cy pres is a doctrine applied where the original objective of a settlor or testator has become impracticable, impossible, or in some instances illegal to perform. It allows the court to alter the terms of a charitable trust so as to come as close as possible to the settlor’s or testator’s original intention, allowing the trust to survive rather than fail.

The core issue in this case is whether the settlement complied with Rule 23(e)(2), which requires that proposed class action settlements be “fair, reasonable and adequate.” In certain class actions, funds go unclaimed because the members’ individual claims are small or the claims process is burdensome. To prevent the unclaimed amounts from reverting to the defendant, the money can be directed to other causes, charities, and foundations.

Here, the class action stems from allegations that web browsers disclosed Google searches to third-party websites. Three of the named plaintiffs received $15,000 incentive awards, and the rest of the class received nothing. The cy pres award was allegedly given to organizations that promised to use the money to protect internet privacy. The cy pres recipients included: World Privacy Forum; Carnegie Mellon University; the Center for Information, Society and Policy at Chicago-Kent College of Law; the Berkman Center for Internet and Society at Harvard University; the Stanford Center for Internet and Society; and AARP. According to the cert petition, absent class members received “no relief at all in exchange for their claims—no money, no alteration of the defendant’s allegedly injurious conduct, not even coupons.”

The implications of this decision for how settlement funds are distributed, particularly in class actions, could be far-reaching. Class actions span subjects from internet privacy to self-driving cars to the ongoing tobacco litigation. For now, we wait and see.

If you have any questions or would like more information, please contact Samantha Skolnick at [email protected].

A Majority of Federal Agencies Are “At Risk” For Further Data Security Incidents

Posted on: June 6th, 2018

By: Allen Sattler

The Office of Management and Budget (“OMB”) performed a cybersecurity risk assessment of 96 federal agencies, and it recently published its findings in the “Federal Cybersecurity Risk Determination Report and Action Plan.” The OMB reported that only 25 of the 96 agencies assessed were adequately managing their risk. Most agencies, 74% of them, were either “at risk” or “high risk.” A “high risk” rating meant that the agency either did not have in place, or failed to sufficiently deploy, key fundamental cybersecurity policies, processes, and tools.

The OMB performed the risk assessment in response to an Executive Order requiring that the OMB develop a plan to adequately protect the executive branch by improving its cybersecurity. The assessment examined the agencies’ ability to identify, detect, and respond to cyber incidents. Nearly 31,000 cyber incidents affected the 96 agencies in 2016 alone.

The OMB found that most agencies had poor situational awareness. The OMB explained that those agencies often lacked the information and resources needed to understand or determine the tactics, techniques, and procedures being used by threat actors to exploit their systems. For instance, in 38% of the cyber incidents analyzed, the affected agencies could not identify the method of attack used by the attacker. The OMB also found that most agencies lack standardized procedures and information technology, which makes mitigating the vulnerabilities of those systems difficult. For instance, one agency operates 62 separate email services on its systems, making it “virtually impossible” to track and inspect inbound and outbound communications to prevent attacks. The OMB explained that if the email service is standardized, the agency can then manage the risk: for instance, it can inspect, detect, and quarantine malicious messages, such as phishing attempts and emails carrying attachments with malicious code.

The OMB also found that agencies lack the ability to detect when large amounts of data have been pulled from their systems by an outside attacker. Only 27% of the agencies reported the ability to detect and investigate whether large amounts of data have been exfiltrated from their systems. Also, while agencies have largely complied with policies requiring them to encrypt data in transit, less than 16% of agencies achieved their targets for encrypting data at rest.

The findings by the OMB are alarming given that the federal government is often a prime target for attack by cyber criminals, as shown by previous high-profile breaches. For instance, in 2015, the Office of Personnel Management sustained a data breach that resulted in the disclosure of fingerprint data belonging to 5.6 million federal employees.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].

Facebook and Twitter: More Transparency for Political Ads

Posted on: June 4th, 2018

By: Amy Bender

In the wake of the alleged Russian interference with the U.S. presidential election through targeted Facebook ads, both Facebook and Twitter have now imposed conditions on political campaign advertisements. Since there currently are no legal requirements for posting political content on private social media platforms, the platforms have the freedom – and, some say, the responsibility – to create their own policies in order to regulate the content delivered to their users. Facebook and Instagram (which Facebook owns) now require that political ads be labeled with information such as who funded the ad, the campaign budget, the number of viewers, and their demographics. The information also will be stored in a searchable archive. Twitter will require advertisers of political campaigns for federal elections to identify themselves and prove they are located in the U.S. Further, it will not allow foreign nationals to target political ads to U.S. residents. Both platforms have cited increased transparency as the basis for these changes. Facebook also has been under scrutiny since the Cambridge Analytica/user data breach incident, as we reported here.

It remains to be seen if these measures will help regulate political content and if more social media platforms will follow suit.

If you have any questions or would like more information, please contact Amy Bender at [email protected].

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016, in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach from the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that may result from future breaches were merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K Item 303 requires companies to include trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents can, and often do, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and of how those obligations may affect their disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].