The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities. The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
Please click here to read the full alert memorandum.
On April 11, 2018, the Seventh Circuit reversed a district court’s dismissal, for failure to state a claim, of plaintiffs’ proposed class action arising out of a 2012 data breach affecting Barnes & Noble. In so holding, the court reaffirmed its view that allegations of data theft with a substantial risk of future harm are sufficient to assert an “injury” under Article III, even in the absence of allegations that the risk actually materialized. The Seventh Circuit further found that such injury may also satisfy the requisite damages allegations under federal pleading requirements. Continue Reading Seventh Circuit Expands Jurisprudence in Data Breach Cases
On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision making processes and substantive views. Continue Reading Regulators and Law Enforcement Discuss Cyber Enforcement Priorities and Urge Cooperation Following Data Breaches
In a recent letter to leaders of the House Financial Services Committee, 31 state attorneys general urged Congress not to move forward with the Data Acquisition and Technology Accountability and Security Act, a federal breach notification bill, which aims to create a uniform set of reporting requirements for businesses nationwide. In their letter, the attorneys general argue that states have proven able enforcers of their citizens’ data privacy and security and, as such, the bill’s proposed preemption of state data breach and data security laws is unwarranted. Continue Reading State Attorneys General Warn Against Federal Data Breach Bill
On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year. The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program. The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.
In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before. The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (who the FTC treats as consumers) that Uber stored with a cloud provider. This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers. The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider. The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
In the 2018 complaint, the FTC alleges that Uber contemporaneously discovered a second data breach that had occurred in the fall of 2016—during the midst of the FTC’s nonpublic investigation into the 2014 breach. According to the complaint, intruders used an access key that had been posted to a private repository associated with GitHub to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.” Continue Reading Revised FTC-Uber data breach settlement to include second breach, criticize ‘bug bounty’ payment
As of last month, when South Dakota and Alabama passed data breach notification laws, all 50 states (as well as the District of Columbia and several U.S. territories) now have data breach notification laws on their books. Continue Reading All 50 States Now Have Data Breach Notification Laws
On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats. Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.” Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities
In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years. Continue Reading DOJ And SEC Charge Former Equifax Executive With Insider Trading
Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach. In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized, an issue that the Supreme Court recently declined to review. Continue Reading Ninth Circuit Reverses Dismissal For Lack of Standing in Data Breach Case