FMG Law Blog Line

Posts Tagged ‘cyber’

South Dakota Introduces Data Breach Notification Legislation

Posted on: February 14th, 2018

By: Kacie L. Manisco

On January 23, 2018, South Dakota’s Senate Attorney Judicial Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.

The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to impose criminal penalties for the failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.

Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

FTC Finds Data Security Practices Unreasonable, Even Without Evidence of Unauthorized Access

Posted on: September 30th, 2016

By: Matt Foree

Recently, the Federal Trade Commission (“FTC”) issued a significant decision in which it held that LabMD, a former clinical laboratory, engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC held that LabMD’s “failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.” The FTC also found that LabMD left the data “freely available, for 11 months, leading to the unauthorized disclosure of the information.” Significantly, the FTC reached its decision even though there was no evidence that consumer information was accessed by unauthorized persons.

The case centered on an analysis of whether LabMD’s practices were likely to cause substantial injury to consumers. The FTC stated that, “[i]n determining whether a practice is ‘likely to cause a substantial injury,’ we look to the likelihood or probability of the injury occurring and the magnitude or seriousness of the injury if it does occur.” In issuing its decision, the FTC also restated its position on reasonableness: “The touchstone of the FTC’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”

Applying these principles, the FTC found that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” Specifically, “it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” The FTC concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n)” such that disclosure of data caused substantial injury.

LabMD has filed a Motion to Stay the effective date of the FTC Order pending review by a United States Court of Appeals, which is currently pending before the FTC.

The FTC’s decision sets forth an interesting precedent for violations under Section 5 of the FTC Act. The decision expands the FTC’s ability to find violations of Section 5 without the need for evidence of access by unauthorized persons, which suggests that the number of enforcement actions taken by the FTC will increase.

Sixth Circuit Becomes Latest Court to Find Standing in a Data Breach Lawsuit

Posted on: September 23rd, 2016

By: David Cole

The majority of lawsuits filed by consumers over data breaches in recent years have been successfully defended by arguments that the plaintiffs lacked standing to bring the lawsuit. To have standing, a plaintiff must be able to show that he or she has suffered injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Intern. USA, ___ U.S. ___, 133 S. Ct. 1138, 1146 (2013). Based on this rule, businesses have successfully argued that the mere theft of personal information does not result in any actual injury that is sufficient to confer standing, absent some evidence that the personal information has been misused. While this continues to be a strong argument in most jurisdictions, a few cases decided within the past year may indicate a shift in the way courts analyze this issue. Earlier this month, the Sixth Circuit became the latest court to join this trend.

In its decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016), the U.S. Court of Appeals for the Sixth Circuit held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of their personal information, even though there are no allegations that the information has been misused. The lawsuit is based on a 2012 data breach in which hackers stole data that Nationwide collected for underwriting life insurance policies. Plaintiffs received written notice of the data breach, which explained that hackers had stolen data including the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers, and driver’s license numbers of individuals who applied for insurance. Nationwide provided all affected individuals one year of free credit monitoring and identity-theft protection insurance. Based on those protections and plaintiffs’ failure to allege any actual misuse of their stolen information, the district court granted Nationwide’s motion to dismiss for lack of standing.

On appeal, however, the plaintiffs successfully argued that the district court did not fully appreciate the injury they had suffered. Because hackers target personal information for the very purpose of misusing it, plaintiffs argued that the risk of injury was neither speculative nor remote. And, even absent actual misuse of data, plaintiffs argued that instituting credit monitoring and other protections against identity theft imposed a cost in time and money on affected individuals. The Sixth Circuit agreed, holding that the criminals’ intentional theft of plaintiffs’ personal information created an immediate, serious, and tangible risk that compelled plaintiffs to take protective action, resulting in concrete injury sufficient to give them standing.

The decision in Galaria may reflect an increasing willingness of courts to find standing where personal information has been stolen. The ruling follows two recent cases from the U.S. Court of Appeals for the Seventh Circuit which found standing in data breach lawsuits even without allegations that the plaintiffs’ stolen information had been misused. See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, for example, the Seventh Circuit concluded that “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Similarly, in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the Ninth Circuit found standing because the plaintiffs alleged a sufficiently “credible threat of real and immediate harm” as a result of the theft of a laptop containing their unencrypted personal data.

Businesses and insurance carriers should be mindful of these decisions and the shifting legal landscape they may represent. It is possible that if more cases survive early challenges to standing, more of them will be filed. While litigation arising from data breaches has, for the most part, been limited to large-scale breaches at big businesses, a change in judicial perspective about standing in the context of data breaches could give rise to more claims on a smaller scale. All of this underscores the importance of working with experienced legal counsel to properly respond to a data breach when it occurs, and of being proactive before a breach occurs to review your data security policies and practices, as well as your incident response procedure, to make sure you are well-positioned to protect against and respond to a data breach. In all of these areas, our attorneys in our Cyber Liability, Data Security & Privacy practice group are here to help.
Sprouts Farmers Market Faces Class Action Lawsuit After Falling Prey to Phishing Scam

Posted on: May 24th, 2016

By: Kacie Manisco

Sprouts Farmers Market, Inc. is one of the latest companies to fall prey to the recent series of phishing scams targeting employee W-2 data. As a result, the company has found itself defending against a class action lawsuit filed by employees and former employees whose personally identifiable information (“PII”) was disclosed to the scammers, including Social Security numbers, full names, addresses and wage tax statements.

The type of Internet scam involved in the Sprouts case is commonly known as “phishing.” This occurs when a hacker tries to trick a victim into divulging confidential information by masquerading as a trustworthy person making a legitimate request. Earlier this year, the IRS warned companies through a public advisory that there has been a 400% increase in phishing attacks reported so far.

According to the complaint against Sprouts that was filed on April 20, 2016 in the U.S. District Court for the Southern District of California, an email that was believed to be from a senior executive of the company allegedly asked a payroll employee for the 2015 W-2 statements from all Sprouts employees. The payroll employee believed the request was legitimate and complied by sending the requested information in response to the email before Sprouts realized that it was a phishing scam. Approximately 21,000 W-2s were disclosed, and the complaint alleges that the scammers have since used employees’ PII to fraudulently apply for tax refunds and open credit cards.

The complaint sets forth causes of action for negligence, violation of California Civil Code sections 1708.80 et seq. (including California’s data breach law), and unfair business practices in violation of California Business and Professions Code section 17200, alleging that Sprouts failed to properly safeguard information, and concealed that fact from its employees. The class members further allege that, while Sprouts offered 12 months of credit monitoring service, the service it chose does not protect against identity theft, and only notifies the consumer after identity theft or other fraudulent activity has occurred.

We will continue to monitor the case, so check back here for updates. In the meantime, the Sprouts case highlights the danger of phishing scams and the extreme importance of educating your workforce about them. Employees need to be informed about how to recognize phishing emails and told to not respond to them or click on any links or attachments they contain. In addition, it is a best practice for businesses to require verbal confirmation from the requesting person, either by telephone or in person, before any funds are transferred or confidential information is sent in response to an email request.

IRS Says Identity Theft Protection is No Longer Taxable

Posted on: January 22nd, 2016

By: David Cole

The Internal Revenue Service (IRS) recently announced that it will treat identity theft protection as a non-taxable, non-reportable benefit, even when offered proactively before any data breach, and regardless of whether it is offered by an employer to employees, or by other businesses (such as retailers) to their customers.

The announcement comes only four months after an earlier announcement by the IRS that it would take the same approach with regard to identity theft protection offered to employees or customers in the wake of a data breach. In the earlier announcement, the IRS requested public comments from providers of identity protection services on whether they provide such services other than as a result of a data breach, and in response received comments indicating that businesses are proactively providing identity theft protection to employees as a benefit, because many businesses view a data breach as “inevitable” rather than as a remote risk.

As a result, businesses and employers that offer identity theft protection, either as a proactive benefit to employees or as a remedial measure to affected individuals after a data breach, do not have to report the value of such services on a Form W-2 (provided to an employee) or Form 1099-MISC (provided to a customer or other non-employee). Similarly, individuals receiving such services do not have to report their value in their gross income. However, proceeds received under an identity theft insurance policy will be treated under existing tax provisions applicable to insurance benefits. In addition, tax-exempt treatment will not apply to cash provided to an employee or customer in lieu of identity protection services.