With hackers on the loose, and wire transfers as a place for them to gain unauthorized access to bank accounts, it is no wonder that when it comes to potentially intercepted wires, customers and banks are playing hot potato with who to blame. Typically, banks bear the risk of loss for unauthorized wire transfers. The Electronic Fund Transfer Act (“EFTA”) for consumer accounts and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts, are two entities that govern these transfers. Both have opposing interests considering that the EFTA attempts to shield customers from paying unauthorized charges whereas the UCC has a framework in place that protects the banks and shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and, (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.
Continue Reading Bank Security and Wire Transfers: Even Vaulted Systems Can’t Protect All Personal Information
data breach
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 6 of 6)
This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network. …
Continue Reading The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 6 of 6)
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 5 of 6)
This blog post is the fifth entry of a six series discussing the best practices relating to cyber security. The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified. This post will discuss the individuals and organizations that should be notified once a cyberattack occurs. The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) The Department of Homeland Security, and (4) other possible victims.
Continue Reading The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 5 of 6)
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 4 of 6)
This blog post is the fourth entry of a seven-part series discussing the best practices relating to cyber security. The previous post discussed the initial steps that a business should take once a cyberattack has been identified. This post will discuss further steps that a business should take after an attack. …
Continue Reading The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 4 of 6)
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 3 of 6)
This blog post is the third installment of a seven-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs. …
Continue Reading The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 3 of 6)
The Seventh Circuit Sides with Plaintiffs in Data Breach Litigation
On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern…
Continue Reading The Seventh Circuit Sides with Plaintiffs in Data Breach Litigation
Pennsylvania Continues to Rely on Third Circuit Holding that the Risk of Harm is Not Enough in Data Breach Actions
As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on here, Pennsylvania has firmly adopted the approach that the Risk of Harm is Not Enough in Data Breach Actions. Still, data breaches have become some of the most noteworthy headlines in recent news. An increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing. This means that courts are finding that the plaintiffs have not sufficiently established a concrete injury in order to seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, it is not necessarily always true that tangible harm will follow. Due to that nature, the Third Circuit established that when it comes to data breach actions, simply the risk of future harm does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F. 3d 38 at 41 (3rd Circuit 2011).
Continue Reading Pennsylvania Continues to Rely on Third Circuit Holding that the Risk of Harm is Not Enough in Data Breach Actions
Stricter Data Privacy Requirements in Connecticut
On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates…
Continue Reading Stricter Data Privacy Requirements in Connecticut
Pennsylvania State Court Rejects Data Breach Claims
In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of…
Continue Reading Pennsylvania State Court Rejects Data Breach Claims
The FCC – A New Data Security Regulator?
On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for…
Continue Reading The FCC – A New Data Security Regulator?