FMG Law Blog Line

Posts Tagged ‘data breach’

Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill. Introduced in the wake of the massive data breach at Atlanta-based Equifax, among other data breaches across the country, the bill would have made logging into a computer without permission illegal, even if no information was stolen. The recent ransomware attack on the City of Atlanta serves as a reminder of the potentially significant costs of inadequately protected computer systems.

However, the bill included multiple exemptions, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access. In the industry, this is often referred to as “hacking back.” The defensive actions could have included techniques such as planting beacons (code embedded in decoy data that reports back when the data is opened) to determine the location of a hacker, or leaving one’s own network to track down stolen data. The legality of these cyber defense measures is murky, and a state-law exemption would not shield a defender from federal liability under the Computer Fraud and Abuse Act, which separately prohibits accessing another party’s computer without authorization.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and could have led to anticompetitive behavior. According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

Countries Around the World Are Investigating Facebook’s Cambridge Analytica Event

Posted on: April 26th, 2018

By: Allen E. Sattler

On March 18, 2018, news broke of the Cambridge Analytica event, in which the data of an estimated 87 million Facebook users was disclosed to the UK-based political consulting firm. Notably, this was not an intrusion into Facebook’s systems: the data was harvested through a third-party personality-quiz app and passed on to Cambridge Analytica in violation of Facebook’s platform policies. The disclosure of user data resulted in several U.S. investigations, including by Congress and by the Federal Trade Commission (“FTC”). Facebook entered into a consent decree with the FTC in 2011, in which Facebook agreed never to make deceptive claims concerning users’ privacy and to obtain users’ informed consent before changing the way in which it shares their data. The FTC is investigating whether Facebook violated the terms of this agreement, which carries a possible $40,000 per-violation fine.

On April 10 and 11, Mark Zuckerberg appeared before Congress where he testified that Facebook failed to protect its users’ data and that Facebook “didn’t take a broad enough view” of its responsibility in ensuring the privacy of its users following its initial discovery of the Cambridge Analytica event.  He also accepted personal responsibility for the matter as the company’s founder and CEO.

What might have been lost in the flurry of domestic activity is the amount of scrutiny Facebook is receiving from nations around the globe. This breach involved users from many countries, with over 1 million affected users in each of four different countries.

The European Union launched an investigation into Facebook on March 19, and the United Kingdom and Australia quickly followed.  Under Australian privacy laws, the government has the authority to issue fines against Facebook of up to $1.6 million if it determines that Facebook violated those laws.

Southeast Asian countries soon followed with investigations of their own. Indonesia, which is home to over 115 million Facebook users, 1 million of whom were affected by this breach, launched an investigation on April 6. Under Indonesian law, the government can assess fines against Facebook representatives personally of up to $870,000. Singapore has opened an investigation as well and has already questioned Facebook executives based there.

The Philippines announced its investigation into Facebook on April 13. The country has been rated the biggest user of social media for several years running, and research indicates that Filipinos spend almost four hours per day on various social media platforms. This breach affected nearly 1.2 million Filipinos, and news reports indicate that Cambridge Analytica might have helped President Rodrigo Duterte in his successful 2016 campaign. The event therefore has enormous significance to Filipinos.

On Friday, April 20, Germany became the latest country to open an official investigation into Facebook. Germany’s data privacy regulator said fines could be levied against Facebook in the amount of 300,000 euros ($366,000).

Facebook had revenues of more than $40 billion last year, so the fines that each country might assess against the company seem relatively insignificant. That calculus changes for conduct after May 25, 2018, when the EU’s General Data Protection Regulation takes effect and permits fines of up to 4% of a company’s worldwide annual turnover. The investigations launched against Facebook can nevertheless have a big impact on the company and on the entire industry. This event has garnered the attention of countries around the world, and it has already led to a greater awareness of privacy concerns that exist on social media platforms.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].


Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the high court’s first pronouncement on this issue in a data breach class action lawsuit. Lower courts, lawyers, and their clients have long awaited such a ruling to gain more clarity on how prior decisions like Spokeo, Inc. v. Robins (2016) apply in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have reported here and here, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].


South Dakota Introduces Data Breach Notification Legislation

Posted on: February 14th, 2018

By: Kacie L. Manisco

On January 23, 2018, South Dakota’s Senate Judiciary Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.

The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.” Note that the encryption carve-out applies only where the key was not also taken, so whether encrypted data counts as breached turns on how the encryption keys were stored and protected.

The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to prosecute a failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law, which carries criminal penalties. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.

Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].