FMG Law Blog Line

Posts Tagged ‘data breach’

Client Update – MS Exchange Server Mass-Hack

Posted on: April 28th, 2021

By: John Ghose

In March 2021, government and private sector sources estimated that 30,000 U.S. organizations, and 100,000 organizations worldwide, were hacked by a Chinese state-sponsored group known as Hafnium.  The mass-hack exploited previously unknown “zero-day” vulnerabilities of Microsoft Exchange on-premises products as far back as January 6, 2021. (You can read more about this vulnerability in our prior post here.)  Since then, FMG’s cyber attorneys have worked on numerous MS Exchange matters and helped clients with their investigations of and responses to these incidents.  This client update provides initial reporting on what we have learned about this massive cybersecurity event.

The good news is that, from what we have seen initially, the threat actors exploiting the MS Exchange vulnerabilities have mostly probed without accessing or exfiltrating data. There are exceptions, of course, but in most cases our forensic partners have found China Chopper web shells – malicious interfaces that enable remote access to and control of a web server – installed on affected systems, but have not found correlating system activity indicating access to or acquisition of data.  A likely explanation for this result is that the state-sponsored hackers were checking to see if the web shells were present and accessible, but had not yet performed additional activities by the time clients responded to the vulnerability.

That said, organizations should remain vigilant.  Cybersecurity researchers believe that, when Microsoft reported the vulnerability, with attack details and patching instructions, non-state-sponsored hackers reverse engineered the patch to discover and exploit the vulnerabilities on unpatched systems.  Indeed, several weeks after the MS Exchange vulnerability was discovered, tens of thousands of affected systems remained unpatched.  Although the FBI recently conducted an unusual operation whereby it obtained court approval to issue commands forcing removal of these malicious web shells, systems that remain unpatched are still vulnerable to re-installation and exploitation.  There is also a new, albeit crude, strain of ransomware – DearCry – being used to exploit the MS Exchange vulnerability, which you can read about here.

Based on past experience with zero-day vulnerabilities, we believe it could be six to eight months before experts truly understand the full impact of the MS Exchange vulnerability.  In the meantime, if you need assistance with this or other cybersecurity or incident response matters, please contact one of FMG’s Data Security, Privacy & Technology attorneys.

Collect Now, Pay Later: PA Federal Court Ruling Imposes Duty On Retailers Upon Collecting Payment Data

Posted on: January 27th, 2021

By: Justin Boron and Courtney Mazzio

The eye of the needle that retail businesses must thread to avoid data breach class actions just got a little narrower in Pennsylvania.

In a decision issued this month in In re Rutter’s Data Sec. Breach Litig., No. 1:20-cv-382 (M.D. Pa. Jan. 5, 2021), a Pennsylvania federal court judge denied a motion to dismiss and held—for the first time under Pennsylvania law—that retailers and other businesses who collect credit and debit card information owe a duty of care to protect their customers’ information from unauthorized access by hackers.

The district court’s decision expanded on the duty to protect employee privacy data that the Pennsylvania Supreme Court recognized in the employment context in Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).  Like in Dittman, the district court drew on traditional tort principles and reasoned that the retailer owed a duty because it took the affirmative step toward protecting consumer data—much like a rescuer has a duty of care by taking affirmative steps toward rescuing someone.

The decision also exemplifies the way in which courts have become more comfortable with the burgeoning area of law involving technology, electronically stored personal data, and the unique, and ever-expanding, threats from hackers.  In the recent past, courts struggled to fit data breaches into a cognizable claim, primarily because they involved some unknown, third party actor and lacked the clear physical or monetary injuries that exist in other legal contexts.

As a result, defense litigators could rely on a steady stream of decisions to cut off data breach class actions at the outset—well before the case reached costly discovery and class certification phases.  But the Rutter’s opinion sends the message that courts are tackling a difficult subject matter area by analogizing to traditional tort and contract principles and shaping the legal doctrines around the unique technology context.

How the duty will take shape—and what specific protective measures will be required to fulfill it—is not clear from the decision and will likely evolve as cases arise.  That puts businesses at a disadvantage because—absent legislative intervention—there is no clear standard for what a retailer can do to avoid liability as a result of third-party data breaches.

One silver lining to the Rutter’s decision, however, is that it re-affirmed Third Circuit precedent holding that the risk of future harm from a data breach is insufficient to make out Article III standing.  This requirement will continue to screen out many potential plaintiffs who have not suffered any injury or damages as a result of having their personal identifying information, protected health information, or account information compromised.

If you have questions or would like more information, please contact Justin Boron at [email protected] and Courtney Mazzio at [email protected].

New Jersey’s Continued Push to Expand its Data Breach and Privacy Laws

Posted on: July 1st, 2020

By: Zachary Danner

Following in the steps of California and other states considering consumer privacy legislation, New Jersey’s legislators have recently introduced a number of bills that would establish specific notification requirements for the collection and use of personally identifiable information (“PII”). While current law requires businesses to notify consumers if there is unauthorized access to electronically stored PII, there is no current law in New Jersey that requires businesses to notify consumers when and if their PII is being collected or shared with a third party. There is also no existing process for a consumer to request information about the collection or sharing of his or her PII or to request that it be destroyed.

However, there are two bills currently being considered by the New Jersey Senate and Assembly that would require specific steps by a business before collecting PII or sharing it with a third party. These bills also establish requirements for how businesses handle the PII they collect from consumers, to ensure its security and privacy. The following is a summary of the key provisions of each bill under consideration.

I. Senate Bill S1257

In February 2020, Senate Bill S1257, introduced by Assembly Member Troy Singleton, was referred to the Senate Commerce Committee. In short, if approved and signed, the bill would require commercial internet websites and online services to notify consumers of the collection and disclosure of PII and would allow the consumer to opt-out of the sale of their PII.

The notification to consumers prior to collection of PII must be clearly and conspicuously posted on the business’s website or online service, or in another prominently accessible location that the business maintains for consumer privacy settings, and include the following information:

  1. The categories of PII collected through the website or online service about a consumer who uses or visits the website or service;
  2. All third parties with which the operator may disclose a consumer’s PII;
  3. Whether a third party may collect PII about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service;
  4. A description of the process for a consumer to review and request changes to any of his or her PII that is collected by the website or online service;
  5. The process by which the operator notifies consumers who use or visit the website or online service of material changes to the notification currently posted on the website; and
  6. One or more designated addresses that a consumer may use to request information under the bill.

As to selling information to third parties, the bill would require a business to provide a link on its website or online service that allows a consumer, by verified request, to opt out of the sale of his or her PII to any third party. A consumer may request from the business information about his or her PII that was disclosed and the names and contact information of the third parties that received his or her PII. Once the request is received, the business must respond to the consumer within 60 days and provide the information for all disclosures of PII that occurred in the prior 12 months. This information is to be provided free of charge.

The bill also creates protections for consumers who opt out of the sale of their PII. It specifically prohibits a business from discriminating against or penalizing a consumer who opts out. However, the business would not be prohibited from offering consumers discounts, loyalty programs, or other incentives for the sale of their PII, or from providing different services to consumers that are reasonably related to the value of the relevant data.

Lastly, the proposed legislation does not include a private right of action for alleged violations. Rather, the Attorney General is to have sole authority to enforce a violation of the statute, if it were to be adopted and put into law in its current form.

II. Assembly Bill A3255

A second, similar but even more consumer-friendly bill was proposed to the General Assembly in February 2020. Assembly Bill A3255, introduced by Assembly Member John J. Burzichelli, was referred to the Assembly’s Science, Innovation, and Technology Committee for consideration.

This bill requires that businesses follow certain requirements concerning the collection of a consumer’s PII. Unlike Senate Bill S1257, Assembly Bill A3255 specifically prohibits a business from collecting a consumer’s PII unless the consumer affirmatively opts in to the collection. At or before the point of collection, a business that collects a consumer’s PII must inform consumers about the categories of PII to be collected and the purposes for which the categories of PII will be used. Further, the business may not collect other categories of PII or use PII collected for other purposes without providing the consumer prior notice.

If the business wants to sell a consumer’s PII to a third party, the bill requires that it provide each consumer with notice that PII may be sold and that the consumer has the “right not to opt-in” to the sale of his or her PII.  Even if a consumer initially agrees to the sale of his or her PII, the consumer can at any time rescind that authorization, and the business must immediately stop selling the consumer’s PII.

A consumer also would have the right to request information about the disclosure of his or her PII. If a business receives a verifiable request from a consumer, it must promptly take steps to disclose and deliver, free of charge, the PII that was disclosed to a third party. The information may be delivered by mail or electronically, and if provided electronically, it must be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide PII to a consumer at any time, but is not required to provide PII to a consumer more than twice in a 12-month period.

The bill also provides that a consumer has a right to request that a business delete any PII it has collected from the consumer. Like Senate Bill S1257, this statute would also prohibit discrimination against any consumer who chooses to opt out of the sale of his or her PII to third parties.

Any violation of the bill would constitute an unlawful practice and violation of the New Jersey Consumer Fraud Act, which would be punishable by a monetary penalty of up to $10,000 for a first offense and $20,000 for a subsequent offense. However, a grace period would be provided to the business, allowing it 30 days to cure any alleged violation after being notified of the alleged noncompliance before it is assessed a penalty.

III. Takeaways from the proposed legislation

If adopted into law, each of these statutes would change the way businesses in New Jersey operate with regard to the collection and use of consumer information. Clearly, the California Consumer Privacy Act is the model on which New Jersey and other states are now looking to base their own laws. As businesses in California already know, complying with these requirements is onerous and can take time. Therefore, businesses should stay informed on the proposed legislation and be aware of New Jersey’s developing efforts to protect PII, as they could have a significant impact on their operations.

Please be sure to visit our firm’s blog for updates and other up-to-date news and analysis of data security and privacy issues. If you have questions or would like more information, please contact Zachary Danner at [email protected].

An Arbitration Clause May Present A Defense To A Data Breach Class Action – But At What Cost?

Posted on: June 10th, 2020

By: Bill Cheney

A common defense strategy in response to data privacy and security class actions is to file a motion to compel arbitration.  The arbitration forum has a number of advantages, including efficiency, speed, lower costs, expertise, and confidentiality, which makes it an attractive alternative to class litigation.  The confidentiality that can be offered by arbitration is particularly attractive in data breach class actions, as the public nature of litigation and the media attention often given to it can interfere with a company’s efforts to repair its reputation and good will.  Moreover, with the Supreme Court’s decision in Lamps Plus, Inc. v. Varela, 139 S. Ct. 1407, 203 L.Ed.2d 636 (2019), which held that the parties’ agreement to class arbitration must be explicit and may not be inferred, there is more certainty that the arbitration will be on an individual basis and allow the parties to truly realize these benefits.

Now, however, there is a new consequence to consider before filing a motion to compel arbitration in response to a data breach class action – mass arbitration.  On April 27, 2020, United States District Judge Richard D. Bennett dismissed a class action lawsuit filed in the District of Maryland against Chegg, Inc.  The lawsuit stemmed from a 2018 data breach experienced by Chegg, Inc., which subsequently filed a Motion to Compel Arbitration and Dismiss.  Judge Bennett found that there was “no triable issue” as to whether the arbitration provision in Chegg, Inc.’s Terms of Use, requiring individual arbitration, was agreed to, and dismissed all claims and ordered the parties to proceed to arbitration.

The result appeared to be a win for Chegg, Inc.  However, in less than a month, over 15,000 demands for arbitration were filed with the American Arbitration Association on behalf of those allegedly affected by the data breach.  In filing fees alone – the American Arbitration Association requires businesses to pay a nonrefundable fee of $300 once the consumer claimant meets the filing requirements – Chegg, Inc. will now have to incur over $4,500,000.

Mass arbitration like this has been on the rise in the employment context, being instituted against employers such as Uber, Chipotle and DoorDash.  Moreover, several companies specialize in locating consumers and coordinating mass arbitration claim filings.  It is now a very real potential repercussion that must be accounted for in evaluating whether to proceed with a motion to compel arbitration in response to data privacy and security class actions. Otherwise, a seemingly effective defense strategy may have dire consequences and put the plaintiffs in the driver’s seat.

If you have questions or would like more information, please contact Bill Cheney at [email protected].

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, unfortunately, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that provided the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security number, date of birth, and medical history. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she did not actually allege those charges were the result of the clinic’s data breach.

Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.