Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016. The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers. The complaint alleges that, in violation of Pennsylvania’s data breach notification law,[1] Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.” A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Cybersecurity Key Operational Risk in OCC’s Semiannual Risk Perspective Report
The Office of the Comptroller of the Currency (“OCC”) recently issued its Semiannual Risk Perspective. The OCC identified cybersecurity as a key operational risk, pointing to the increasing speed and sophistication of cybersecurity threats, which can target the theft of personally identifiable information, intellectual property, and bank funds.
Recent Enforcement Actions by Regulators Show Continued Focus on Cybersecurity and Data Protection Issues
A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.
First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose the vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed.
World Economic Forum Publishes Recommendations for Managing Cyber-Risk
On March 6, 2018, the World Economic Forum (WEF) published a white paper report analyzing challenges that financial services and fintech firms face in protecting customer information against the increasing risk of cyber-attacks and setting out proposals to better manage this cyber-risk.[1] As described below, the report recommends industry-wide efforts to adopt standardized cyber-risk metrics and to develop mechanisms for assessing cybersecurity. In conjunction with the publication of these recommendations, Citigroup Inc., Kabbage, Inc., Zurich Insurance Group AG and the Depository Trust & Clearing Corporation have formed a consortium to address cybersecurity risks in the fintech industry.[2]
Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action
On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1] Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices.
Supreme Court Declines to Review Standing in the Data Breach Context Despite Ongoing Circuit Split
Late last month, the Supreme Court declined to review the D.C. Circuit’s decision in CareFirst v. Attias. In CareFirst, the D.C. Circuit ruled that the mere theft of personal information was sufficient to provide standing to bring suit, even in the absence of other alleged harm. As we have previously discussed, the federal Courts of Appeals have reached differing conclusions on the issue—with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits[1] holding that data theft, with the attendant risk of future identity theft or fraud, is by itself sufficient for Article III standing, and the Second, Fourth, and Eighth Circuits[2] holding, in contrast, that such allegations are not sufficient on their own to satisfy Article III’s injury requirements.
SEC Issues Interpretive Release on Cybersecurity Disclosure
On February 21, 2018, the Securities and Exchange Commission (the “Commission”) published interpretive guidance to assist public companies when considering, drafting and issuing disclosure about cybersecurity risks and incidents (the “interpretive guidance”). The interpretive guidance became effective immediately upon issuance.
The Commission’s interpretive guidance reaffirms and expands upon guidance issued by the Division of Corporation…
New Rules for Searching Electronic Devices at the U.S. Border
Earlier this year, U.S. Customs and Border Protection (“CBP”) revealed that, in 2017, it searched the electronic devices of approximately 50 percent more travelers than it had in the previous year. The same day, it announced that it was issuing new search guidelines for the first time since August 2009.
US China Business Council Lays Out Recommendations to Improve China’s Cybersecurity Regulations
The US-China Business Council (“USCBC”) released a report on February 5, 2018. The report identifies three key areas in which the China Cybersecurity Law (the “CCL”), which came into effect in June 2017, has posed significant challenges to companies’ ability to conduct business in China, and sets forth detailed recommendations to the Chinese regulators to address such challenges. We previously discussed the CCL and the international business community’s concerns regarding the law’s expansive scope, prescriptive requirements, and lack of clarity on a range of critical issues. The new USCBC report raising many of these same concerns can be accessed here.
Apple and Cisco Announce Holistic Cybersecurity Insurance Policy that Rewards Good Cybersecurity Practices
In response to the growing threat of malware and ransomware attacks and other cybersecurity threats facing businesses today, Apple, Cisco, Allianz and Aon announced a new holistic cyber risk management solution on February 5, 2018. The new product is designed to provide a comprehensive framework for companies to reduce cyber risk by leveraging the expertise of each of the partners. As cyber incidents often impose significant costs on companies that can be difficult to bear directly, cyber insurance can help provide some protection. In a video promoting the new product, Anthony Belfiore, Chief Security Officer at Aon, described getting cyber insurance as “hav[ing] a parachute” so that a company does not “have to worry about these exposures the way [they] had to worry about them yesterday.” While the partners have not made specific pricing information available for the new cyber insurance offering, under most cyber insurance policies, like other insurance plans, the insured pays an annual or monthly fee to obtain coverage for losses resulting from certain specified incidents, often subject to a deductible.