Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions
In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1] Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were designated for sanctions by the Treasury Department’s Office of Foreign Assets Control, pursuant to Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2]
Rahul Mukhi
Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.
FBI Director: FBI Might Not Share Information With Adversarial Authorities
On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats. Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.”
DOJ And SEC Charge Former Equifax Executive With Insider Trading
In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.
Ninth Circuit Reverses Dismissal For Lack of Standing in Data Breach Case
Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach.[1] In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized,[2] an issue that the Supreme Court recently declined to review.
Pennsylvania Attorney General Sues Uber Over Data Breach
Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016. The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers. The complaint alleges that, in violation of Pennsylvania’s data breach notification law,[1] Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.” A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Cybersecurity Key Operational Risk in OCC’s Semiannual Risk Perspective Report
The Office of the Comptroller of the Currency (“OCC”) recently issued its Semiannual Risk Perspective. The OCC identified cybersecurity as a key operational risk, pointing to the increasing speed and sophistication of cybersecurity threats, which can target the theft of personally identifiable information, intellectual property, and bank funds.
Recent Enforcement Actions by Regulators Show Continued Focus on Cybersecurity and Data Protection Issues
A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.
First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability into the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose the vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed.
Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action
On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1] Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices.
Supreme Court Declines to Review Standing in the Data Breach Context Despite Ongoing Circuit Split
Late last month, the Supreme Court declined to review the D.C. Circuit’s decision in CareFirst v. Attias. In CareFirst, the D.C. Circuit ruled that the mere theft of personal information was sufficient to provide standing to bring suit, even in the absence of other alleged harm. As we have previously discussed, the federal Courts of Appeals have reached differing conclusions on the issue—with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits[1] holding that data theft, with the attendant risk of future identity theft or fraud, is by itself sufficient for Article III standing, and the Second, Fourth, and Eighth Circuits[2] holding, in contrast, that such allegations are not sufficient on their own to satisfy Article III’s injury requirement.
Data Privacy Class Action Against Facebook Survives Motion To Dismiss
Earlier this week, the U.S. District Court for the Northern District of California (Hon. James Donato) held in Patel v. Facebook Inc.,[1] that plaintiffs had standing to pursue a putative data privacy class action against Facebook alleging that the company had “collected users’ biometric data secretly and without consent.”[2] The decision is the latest to weigh in on the injury allegations necessary for standing purposes under the Illinois Biometric Information Privacy Act[3] (“BIPA”), which regulates the collection and storage of biometric information and provides a private right of action to a “person aggrieved by a violation.” In finding that standing was met, the Facebook decision arguably applied a lower injury threshold than other courts have treated as the outer boundary for pleading an Article III injury under BIPA.