On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats.  Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) is cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.”
Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities

In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws.  At the same time, the SEC announced parallel civil charges against Ying.  Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.”  After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price.  Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later.  The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws.  The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years. 
Continue Reading DOJ And SEC Charge Former Equifax Executive With Insider Trading

Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach.[1]  In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized,[2] an issue that the Supreme Court recently declined to review.
Continue Reading Ninth Circuit Reverses Dismissal For Lack of Standing in Data Breach Case

Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016.  The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers.  The complaint alleges that, in violation of Pennsylvania’s data breach notification law,[1] Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.”  A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Continue Reading Pennsylvania Attorney General Sues Uber Over Data Breach

On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1]  Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices.
Continue Reading Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action

Late last month, the Supreme Court declined to review the D.C. Circuit’s decision in CareFirst v. Attias.  In CareFirst, the D.C. Circuit ruled that the mere theft of personal information was sufficient to provide standing to bring suit, even in the absence of other alleged harm.  As we have previously discussed, the federal Courts of Appeals have reached differing conclusions on the issue—with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits[1] holding that data theft, with the attendant risk of future identity theft or fraud, is by itself sufficient for Article III standing, and the Second, Fourth, and Eighth Circuits[2] holding, in contrast, that such allegations are not sufficient on their own to satisfy Article III’s injury requirements.
Continue Reading Supreme Court Declines to Review Standing in the Data Breach Context Despite Ongoing Circuit Split

The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs.  Personal data breaches are not only increasingly frequent and on the front pages; they are also one of the most likely causes of complaints being made by individuals against an organization and among the most likely subjects of investigation by data protection authorities (“DPAs”).  Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself.  Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR.
Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions

On December 27, 2017, the New York Secretary of State sent a demand letter to Equifax Inc.’s interim CEO requesting additional information to aid the Division of Consumer Protection’s efforts “to investigate, mediate and/or mitigate identity theft complaints from consumers generally” as well as its investigation into the data breach disclosed by Equifax, Inc. on July 29, 2017, in which the personal data of approximately 143 million individuals (including 8.4 million New York residents) was compromised.  The letter demands that Equifax, Inc. provide a direct contact to respond to consumer concerns and requests information in 10 categories, including (a) a summary of the credit reporting agency’s plan (if any) to make affected New York residents “whole” following the breach, (b) a copy of the forensic review prepared by the cybersecurity firm Mandiant, (c) New York-specific data for those consumers whose credit card details or dispute documents containing personally identifiable information were exposed in the breach and (d) the number of children 15 years old and younger affected by the breach, nationwide as well as within New York, and the “long-term protection response” (if any) created for such affected children.  The demand was made pursuant to emergency regulations adopted by the Department of State in December 2017 that require credit reporting agencies to respond to requests made by the Division of Consumer Protection within 10 business days.  A company spokesperson for Equifax, Inc. confirmed on January 4, 2018 that the credit reporting agency intends to respond to the demand letter within the required time period.  This demand is the latest development in a plethora of investigations by various law enforcement agencies and regulators into the breach and follows requests for information from all 50 state attorneys general as well as a subpoena from the New York Department of Financial Services (“DFS”).
Continue Reading New York Regulator Demands Additional Information from Equifax

In the wake of the high-profile breaches at Equifax and Uber, several constituencies have been making a sustained push for a federal data protection and breach statute.  Last week, a broad coalition of bank, insurance and retail associations urged Congress to pass national legislation establishing uniform data protection and breach notification standards.  In their letter, the organizations stressed that businesses and consumers would benefit from uniform requirements, in contrast to the current regime involving overlapping and sometimes differing State requirements.  Among other things, the letter urged Congress to adopt legislation that imposes flexible and scalable standards for data protection depending on the size and nature of the company, with exclusive enforcement of the new national standards by the FTC and state Attorneys General (other than for entities subject to state insurance regulation or those that comply with the Gramm-Leach-Bliley Act and HIPAA).
Continue Reading 2018 Brings Continued Calls for a Federal Data Protection and Breach Statute