The Financial Times reports that many nonprofits are vulnerable to cyberattacks.

Many charities simply don’t want to invest time and money defending against hackers. A 2016 study found about half of nonprofits had not conducted a cyber risk assessment, and two thirds had no plans to increase spending on data security. But hackers don’t give nonprofits a pass. The article tells the story of a small, Indianapolis, Indiana-based cancer charity that lost all its client data in a ransomware attack.

“While it is not surprising that charities want to spend scarce resources on housing the homeless or feeding the hungry, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices,” according to The Financial Times report.

The Federal Trade Commission is investing nearly $3 million in technology to support an increasing need for e-discovery driven by massive data breaches such as the one disclosed recently by Equifax.

The news comes from the National Law Journal, which reports that the FTC awarded a one-year contract to Innovative Discovery LLC of Arlington, Virginia for a secure litigation support service. The agency awarded the contract without competitive bids because it “faces usual and compelling circumstances that require the immediate initiation of this pilot,” the Law Journal reported.

“The FTC is entering into an unprecedented year of investigations and litigation, including its investigation into the Equifax data breach and an unusually high number of forensic data acquisitions in fraud cases,” agency officials wrote. The contract, they added, “is essential to enabling the FTC to successfully conduct investigations and litigation to stop consumer harm, thus enabling the agency to accomplish its mission.”

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites.

It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today’s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.

Venerable insurer Lloyd’s of London says a global cyber attack on a major provider of cloud services could carry costs of up to $53 billion, reports Data Breach Today.

That’s a hefty price tag that explains the rising demand for cyber insurance. It also sheds light on why insurers are proceeding extremely carefully. The costs of a major data breach can be significant and difficult to predict.

To help define the level of exposure, Lloyd’s worked with cyber consultant Cyence to produce a new report that outlines the direct economic costs of two types of global cyber attacks and estimates the portion of the loss in each scenario that would be covered by insurance. In the case of a cloud services attack, only 17 percent of the loss would be insured, Lloyd’s estimates. In the case of a global attack exploiting a software vulnerability, only 7 percent of the estimated loss of up to $28 billion would be assured.

Analysts estimate the cyber insurance market is worth up to $3.5 billion today and could grow to $7.5 billion by 2020.

The freedom from automated calls at random hours of the evening may seem like the true American dream these days as more and more companies rely on these calls to reach out and communicate with customers.  Unfortunately, now that the Federal Communications Commission (“FCC”) voted to expand the Telephone Consumer Protection Act (“TCPA”) to include stringent yet vague restrictions on telemarketing robocalls, it may not be a dream for everyone. 

In June of this year, in a 3-2 vote, the FCC added a rule to the TCPA that bars companies from using “autodialers” to dial consumers, disallows more than one phone call to numbers that have been reassigned to different customers, and requires companies to stop calling when a customer asks. These restrictions may seem reasonable, but dissenting Commissioner Ajit Pai recognized that the rule’s broad language will create issues because it does not distinguish between legitimate businesses trying to reach their customers and unwanted telemarketers. Some attorneys have further commented that the rule’s use of “autodialer” opens up a can of worms of interpretations, and that the term can be read to cover any device with even the potential to randomly sequence numbers, including a smartphone. Companies using even slightly modernized tactics to reach out to their customer base are now at risk of facing litigation—and it won’t stop there. Businesses that legitimately need to reach out to their customers will be caught between a rock and a hard place as they face a one-call restriction now and may also open themselves up to litigation if a customer decides to take that route.

The FCC Chairman, Tom Wheeler, attempted to quash concerns by stating that “Legitimate businesses seeking to provide legitimate information will not have difficulties.” This statement unfortunately won’t stop plaintiffs’ attorneys from greasing their wheels to go after companies that make even “good faith efforts” to abide by the new rule. Attorneys who defend businesses have recognized that the rule is riddled with issues that could potentially harm companies that simply do not have the mechanisms to fully control and restrict repeated calls or the technology that makes those calls. But, long story short, just because this rule has been put in motion does not mean it will stand as is. Litigation and court action will likely be a natural consequence, and that may result in changes for the future. For now, businesses that utilize automated phone calls should be wary of the technology used and attempt to at least keep track of numbers and phone calls made. When in doubt, talk to an attorney to make sure you are taking the appropriate precautions.

A recent District of Nevada ruling could cause issues for consumers in data breach class action cases moving forward.  On June 1, 2015, the court ruled that a consumer class action against Zappos.com Inc. could not proceed because the class did not state “instances of actual identity theft or fraud.”  The suit was brought as a result of a 2012 data breach where Zappos’ customers’ personal information was stolen, including names, passwords, addresses, and phone numbers.  Even though the information was stolen, the court dismissed the case because the class could not prove that they had been materially harmed and had no other standing under Article III.

If a data breach has occurred, but the victims cannot claim any harm besides the fear that a hacker has their information, courts have been willing to grant defendants’ motions to dismiss. The ruling by the District of Nevada court is the most recent decision in a trend to block consumer class actions relating to data breaches. Many of these recent rulings have been influenced by the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA. In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur. Unfortunately for the consumer class in the Zappos case, this means that unless their stolen information has been used to harm them, the data breach alone is not enough to give them standing to bring a suit.

However, some district courts have been able to find sufficient standing for data breach victims in spite of the Clapper decision.  In Moyer v. Michaels Stores, a district court in the Northern District of Illinois ruled that data breach victims had standing to sue.  The court relied on Pisciotta v. Old National Bancorp, a Seventh Circuit pre-Clapper decision, which held that the injury requirement could be satisfied by an increased risk of identity theft, even if there was no financial loss.  Moyer further distinguished itself from Clapper by explaining that Clapper dealt with national security issues, and not general consumer data breaches.  Other district courts have distinguished their cases from Clapper by holding that Clapper dealt with harm that was too speculative to quantify, while consumer data breach cases deal with the concrete possibility of identity theft.

Although Clapper set the tone for consumer data breach claims, district courts have been divided because of different interpretations of the ruling. The Supreme Court recently granted certiorari in another Article III standing case, Spokeo Inc. v. Robins Inc., which deals with a private right of action grounded in a violation of a federal statute. Although it does not directly deal with consumer data breaches, the decision may lead the Supreme Court to expand the standing requirements generally. Given society’s increasing use of technology and inclination to store personal information electronically, consumer data breach claims will only increase in the future. The courts’ standing requirements must adapt to meet the changing needs of individuals and businesses alike.

With 2013 being dubbed as the “Year of the Mega Breach” it comes as no surprise that the Federal Trade Commission (“FTC”), on June 30, 2015 published “Start with Security: A Guide for Businesses” to educate and inform businesses on protecting their data.  The FTC is tasked with protecting consumers from “unfair” and “deceptive” business practices and with data breaches on the rise, it has come to take that job much more seriously.  The lessons in the guide are meant to aid businesses in their practices of protecting data and the FTC cites to real examples of its data breach settlement cases to help companies understand each lesson and the real world consequences that some companies have faced.  Here are the lesson headlines:

  1. Start with security;
  2. Control access to data sensibly;
  3. Require secure passwords and authentication;
  4. Store sensitive personal information securely and protect it during transmission;
  5. Segment networks and monitor anyone trying to get in and out of them;
  6. Secure remote network access;
  7. Apply sound security practices when developing new products that collect personal information;
  8. Ensure that service providers implement reasonable security measures;
  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. Secure paper, physical media and devices that contain personal information.

Katherine McCarron, the Bureau of Consumer Protection attorney, explained that the Bureau “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct. It is likely that this guide will become the FTC’s road map for handling future enforcement actions and will help businesses to remain on the safe side of the data breach fence.

Whether you run a mom and pop shop or a multi-million dollar company, this guide is a must-read for any business that processes personal information.

Start reading here.

https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”

With hackers on the loose, and wire transfers as a place for them to gain unauthorized access to bank accounts, it is no wonder that when it comes to potentially intercepted wires, customers and banks are playing hot potato with who to blame. Typically, banks bear the risk of loss for unauthorized wire transfers. Two bodies of law govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts. The two serve opposing interests: the EFTA attempts to shield customers from paying unauthorized charges, whereas the UCC has a framework in place that protects the banks and shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.

Due to the flexibility of the UCC and the fact that “commercial reasonability” is a question of law, some factors that pertain to it have been interpreted differently by the judicial system. These interpretations have established divergent norms. Some factors that courts look to in their decision making are the customer’s instructions to the bank, the bank’s understanding of the customer’s situation, alternative security procedures offered to the customer, and security procedures in general that are typical of the industry.

With these criteria, courts have been able to judge bank security procedures and assess whether their efforts were adequate. For example, the Eighth Circuit found that where a customer refuses commercially reasonable security procedures such as “dual control,” which requires two independent authorized users to approve the wire transfer, the customer, in effect, assumed the risk of failure. The bank’s procedure was considered adequate because it had the security measures in place to protect against cyberattacks. Conversely, in a case heard in the First Circuit, Comerica was found to have failed to satisfy its burden because it did not discover that unusual activity was happening with multiple accounts when a bank dealing fairly with a customer “would have detected and/or stopped the fraudulent wire activity earlier.” The court noted some of the factors that led to this decision: the volume and frequency of the wire transfers when there had previously been very low activity, the fact that the destinations of the funds were in Russia, and that Comerica had knowledge of current and prior phishing attempts.

Even the most sophisticated security systems—typically found in banks—are vulnerable to hacking. With the divergence of opinions within the law about who should bear the risk when something goes wrong, customers and banks alike should make sure to take the proper precautions while making transactions of any sort.