DNA Information of Thousands of Individuals Exposed Online for Years

It is being reported that Vitagene, a company that provides DNA testing and uses the results to build personalized diet and exercise plans for its customers, left more than 3,000 user files publicly accessible on Amazon Web Services servers that were not configured properly.

The information that was involved included customers’ names, dates of birth and genetic information (such as the likelihood of developing medical conditions), as well as contact information and work email addresses. Almost 300 files contained raw genotype DNA that was accessible to the public.

Vitagene has been providing services since 2014 and the records exposed dated between 2015 and 2017. Vitagene was notified of the accessibility of the information on July 1, 2019, and fixed the vulnerability.
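The exposure described above comes down to bucket access settings. As an added check that is not part of the original article (and not Vitagene's or AWS's code), the script below evaluates the two records boto3's S3 client returns for a bucket, get_bucket_acl() and get_public_access_block(), and reports whether an ACL grant to AllUsers or AuthenticatedUsers is actually effective. The record shapes follow the AWS API documentation; the sample ACL, bucket name and owner ID are constructed so the script runs offline.

```python
"""Offline audit of an S3 bucket's access configuration for public exposure.

Added example: this is not code from the original article, from Vitagene or
from AWS. The two input shapes mirror what boto3's S3 client returns from
get_bucket_acl() and get_public_access_block(); the sample records below are
constructed to exercise the check without talking to AWS.
"""
from typing import Any, Dict, List

# Predefined ACL groups that grant access to the world (AllUsers) or to any
# AWS account holder (AuthenticatedUsers); either one makes a bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# The four Block Public Access settings; all four should be True.
BLOCK_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return 'Group:Permission' for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append(f"{PUBLIC_GROUP_URIS[uri]}:{grant.get('Permission')}")
    return findings


def missing_block_settings(pab: Dict[str, Any]) -> List[str]:
    """Return the Block Public Access settings that are absent or False.

    boto3 raises NoSuchPublicAccessBlockConfiguration when a bucket has no
    configuration at all; callers should pass {} in that case, which this
    function treats as 'nothing blocked'.
    """
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [name for name in BLOCK_SETTINGS if not cfg.get(name, False)]


def audit_bucket(name: str, acl: Dict[str, Any], pab: Dict[str, Any]) -> Dict[str, Any]:
    """Combine ACL and Block Public Access findings for one bucket.

    A public ACL grant only takes effect while IgnorePublicAcls is off, so
    'publicly_readable' is True only when both conditions hold. Bucket policies
    are a separate exposure path and are not inspected here.
    """
    grants = public_acl_grants(acl)
    gaps = missing_block_settings(pab)
    return {
        "bucket": name,
        "public_grants": grants,
        "missing_block_settings": gaps,
        "publicly_readable": bool(grants) and "IgnorePublicAcls" in gaps,
    }


# Constructed sample: an ACL with READ granted to everyone, first on a bucket
# with no Block Public Access configuration ({}), then with all four settings on.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
NO_BLOCK: Dict[str, Any] = {}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_SETTINGS}}


if __name__ == "__main__":
    for label, pab in (("no block-public-access", NO_BLOCK),
                       ("all four settings on", FULL_BLOCK)):
        result = audit_bucket("constructed-customer-files", SAMPLE_ACL, pab)
        print(label, "->", result)
```

To run this against real buckets, feed it the dictionaries returned by `get_bucket_acl` and `get_public_access_block`, passing `{}` when the latter raises `NoSuchPublicAccessBlockConfiguration`. The same ACL is flagged as publicly readable in the first case and harmless in the second, which is the point of the account-level and bucket-level Block Public Access settings: they override a permissive ACL rather than relying on every bucket's ACL being right.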

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This article was written by Linn F. Freedman of Robinson & Cole LLP.

Bombas Settles with NYAG Over Credit Card Data Breach

Modern sock maker Bombas recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014. The company addressed the issue over the course of 2014 and early 2015, and according to the NYAG, determined that bad actors had accessed customer information (names, addresses and credit card numbers) of almost 40,000 people. While the company notified the payment card companies at the time, it concluded that it did not need to notify impacted individuals because the payment card companies “did not require a formal PFI or otherwise pursue the matter beyond basic questions.”

In 2018, Bombas updated its cyber program, causing it to “revisit” the incident, deciding to notify impacted individuals and attorneys general. The NYAG concluded that the company had delayed in providing notice in violation of New York breach notification law, which requires notification “in the most expedient time necessary.” In addition to the $65,000 penalty, the company has agreed to modify how it might handle potential future breaches. This includes conducting prompt and thorough investigations, as well as training for employees on how to handle potential data breach matters.

Putting it into Practice: This settlement is a reminder to companies to ensure that they have appropriate measures in place to investigate potential breaches, and understand their notification obligations.


Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

Preliminary approval of class action settlement for Experian data breach exceeds $47M

Remember Experian’s massive data breach of 15 million customers in 2015? The resulting consolidated class action is nearly resolved. On December 3, 2018, a California federal judge granted preliminary approval to a proposed class settlement valued at over $47 million.

Forty lawsuits against Experian were consolidated in the U.S. District Court for the Central District of California. The class members, all T-Mobile USA customers, may have had their names, addresses, Social Security numbers, birth dates and passport numbers compromised in the breach.

Strictly speaking, this is no longer a FCRA case. In December 2016, the court granted in part Experian’s motion to dismiss, agreeing with Experian that it did not furnish a consumer report in violation of the FCRA because “[t]heft victims don’t ‘provide’ a thief with stolen goods.”

The settlement includes a $22 million nonreversionary settlement fund, which will be used to provide two years of credit-monitoring and insurance services to class members who submit valid claims, cash payments for out-of-pocket costs and documented time spent due to the data breach, $2,500 service awards for each class representative, as well as attorneys’ fees and costs, not to exceed $10.5 million. In addition, $11.7 million must be set aside for remedial and enhanced security measures at Experian.

Copyright © 2018 Womble Bond Dickinson (US) LLP All Rights Reserved.

This post was written by John C. Hawk IV of Womble Bond Dickinson (US) LLP.


The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.

The Yahoo Data Breaches

In December 2014, Yahoo’s security team discovered that Russian hackers had obtained its “crown jewels”—the usernames, email addresses, phone numbers, birthdates, passwords and security questions/answers for at least 500 million Yahoo accounts. Within days of the discovery, according to the SEC, “members of Yahoo’s senior management and legal teams received various internal reports from Yahoo’s Chief Information Security Officer (CISO) stating that the theft of hundreds of millions of Yahoo users’ personal data had occurred.” Yahoo’s internal security team thereafter was aware that the same hackers were continuously targeting Yahoo’s user database throughout 2015 and early 2016, and also received reports that Yahoo user credentials were for sale on the dark web.

In the summer of 2016, Yahoo was in negotiations with Verizon to sell its operating business. In response to due diligence questions about its history of data breaches, Yahoo gave Verizon a spreadsheet falsely representing that it was aware of only four minor breaches involving users’ personal information.  In June 2016, a new Yahoo CISO (hired in October 2015) concluded that Yahoo’s entire database, including the personal data of its users, had likely been stolen by nation-state hackers and could be exposed on the dark web in the immediate future. At least one member of Yahoo’s senior management was informed of this conclusion. Yahoo nonetheless failed to disclose this information to Verizon or the investing public. It instead filed the Verizon stock purchase agreement—containing an affirmative misrepresentation as to the non-existence of such breaches—as an exhibit to a July 25, 2016, Form 8-K, announcing the transaction.

On September 22, 2016, Yahoo finally disclosed the 2014 data breach to Verizon and in a press release attached to a Form 8-K.  Yahoo’s disclosure pegged the number of affected Yahoo users at 500 million.

The following day, Yahoo’s stock price dropped by 3%, and it lost $1.3 billion in market capitalization. After Verizon declared the disclosure and data breach a “material adverse event” under the Stock Purchase Agreement, Yahoo agreed to reduce the purchase price by $350 million (a 7.25% reduction in price) and agreed to share liabilities and expenses relating to the breaches going forward.

Since September 2016, Yahoo has twice revised its data breach disclosure.  In December 2016, Yahoo disclosed that hackers had stolen data from 1 billion Yahoo users in August 2013, and had also forged cookies that would allow an intruder to access user accounts without supplying a valid password in 2015 and 2016. On March 1, 2017, Yahoo filed its 2016 Form 10-K, describing the 2014 hacking incident as having been committed by a “state-sponsored actor,” and the August 2013 hacking incident by an “unauthorized third party.”  As to the August 2013 incident, Yahoo stated that “we have not been able to identify the intrusion associated with this theft.” Yahoo disclosed security incident expenses of $16 million ($5 million for forensics and $11 million for lawyers), and flatly stated: “The Company does not have cybersecurity liability insurance.”

The same day, Yahoo’s general counsel resigned as an independent committee of the Yahoo Board received an internal investigation report concluding that “[t]he 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.” The internal investigation found that “senior executives and relevant legal staff were aware [in late 2014] that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool.”

The report concluded that “failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident.” Yahoo’s CEO, Marissa Mayer, also forfeited her annual bonus as a result of the report’s findings.

On September 1, 2017, a California federal judge partially denied Yahoo’s motion to dismiss the data breach class actions. Then, on October 3, 2017, Yahoo disclosed that all of its users (3 billion accounts) had likely been affected by the hacking activity that traces back to August 2013. During a subsequent hearing held in the consumer data breach class action, a Yahoo lawyer stated that the company had confirmed the new totals on October 2, 2017, based on further forensic investigation conducted in September 2017. That forensic investigation was prompted, Yahoo’s counsel said, by recent information obtained from a third party about the scope of the August 2013 breach. As a result of the new disclosures, the federal judge granted the plaintiffs’ request to amend their complaint to add new allegations and causes of action, potentially including fraud claims and requests for punitive damages.

The SEC Breaks New Cybersecurity Ground

Just a month after issuing new interpretive guidance about public company disclosures of cyberattacks (see our Post and Alert), the SEC has now issued its first cease-and-desist order and penalty against a public company for failing to disclose known cyber incidents in its public filings. The SEC’s administrative order alleges that Yahoo violated Sections 17(a)(2) & (3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and related rules when its senior executives discovered a massive data breach in December 2014, but failed to disclose it until after its July 2016 merger announcement with Verizon.

During that two-year window, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo’s cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company “faced the risk” of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.”

Yahoo management’s discussion and analysis of financial condition and results of operation (MD&A) was also misleading, because it “omitted known trends and uncertainties with regard to liquidity or net revenue presented by the 2014 breach.” Knowing full well of the massive breach, Yahoo nonetheless filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.

Despite being informed of the data breach within days of its discovery, Yahoo’s legal and management team failed to properly investigate the breach and made no effort to disclose it to investors. As the SEC described the deficiency, “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings to be misleading.” Yahoo’s in-house lawyers and management also did not share information with its auditors or outside counsel to assess disclosure obligations in public filings.

In announcing the penalty, SEC officials noted that Yahoo left “its investors totally in the dark about a massive data breach” for two years, and that “public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” The SEC also noted that Yahoo must cooperate fully with its ongoing investigation, which may lead to penalties against individuals.

The First Hacker Faces Sentencing

Coincidentally, on the same day that the SEC announced its administrative order and penalty against Yahoo, one of the four hackers indicted for the Yahoo cyberattacks (and the only one in U.S. custody) appeared for sentencing before a U.S. District Judge in San Francisco. Karim Baratov, a 23-year-old hacker-for-hire, had been indicted in March 2017 for various computer hacking, economic espionage, and other offenses relating to the 2014 Yahoo intrusion.

His co-defendants, who remain in Russia, are two officers of the Russian Federal Security Service (FSB) and a Russian hacker who has been on the FBI’s Cyber Most Wanted list since November 2013. The indictment alleges that the Russian intelligence officers used criminal hackers to execute the hacks on Yahoo’s systems, and then to exploit some of that stolen information to hack into other accounts held by targeted individuals.

Baratov is the small fish in the group. His role in the hacking conspiracy focused on gaining unauthorized access to non-Yahoo email accounts of individuals of interest identified through the Yahoo data harvest.  Unbeknownst to Baratov, he was doing the bidding of Russian intelligence officers, who did not disclose their identities to the hacker-for-hire. Baratov asked no questions in return for commissions paid on each account he compromised.

In November 2017, Baratov pled guilty to conspiracy to commit computer fraud and aggravated identity theft. He admitted that, between 2010 and 2017, he hacked into the webmail accounts of more than 11,000 victims, stole and sold the information contained in their email accounts, and provided his customers with ongoing access to those accounts. Baratov was indiscriminate in his hacking for hire, even hacking for a customer who appeared to engage in violence against targeted individuals for money. Between 2014 and 2016, he was paid by one of the Russian intelligence officers to hack into at least 80 webmail accounts of individuals of interest to Russian intelligence identified through the 2014 Yahoo incident. Baratov provided his handler with the contents of each account, plus ongoing access to the account.

The government is seeking eight years of imprisonment, arguing that Baratov “stole and provided his customers the keys to break into the private lives of targeted victims.” In particular, the government cites the need to deter Baratov and other hackers from engaging in cybercrime-for-hire operations. The length of the sentence alone suggests that Baratov is not cooperating against other individuals. Baratov’s lawyers have requested a sentence of no more than 45 months, stressing Baratov’s unwitting involvement in the Yahoo attack as a proxy for Russian intelligence officers.

In a somewhat unusual move, the sentencing judge delayed sentencing and asked both parties to submit additional briefing discussing other hacking sentences. The judge expressed concern that the government’s sentencing request was severe and that an eight-year term could create an “unwarranted sentencing disparity” with sentences imposed on other hackers.

The government is going to the mat for Baratov’s victims. On May 8, 2018, the government fired back in a supplemental sentencing memorandum that reaffirms its recommended sentence of 8 years of imprisonment. The memorandum contains an insightful summary of federal hacking sentences imposed between 2008 and 2018 on defendants with similar records who engaged in similar conduct. The government surveys various types of hacking cases, from payment card breaches to botnets, banking Trojans and theft and exploitation of intimate images of victims.

The government points to U.S. Sentencing Guidelines Commission data showing that federal courts almost always have imposed sentences within the advisory Guidelines range on hackers who steal personal information and do not earn a government-sponsored sentence reduction (generally due to lack of cooperation in the government’s investigation). The government also expands on the distinctions between different types of hacking conduct and how each should be viewed at sentencing. It focuses on Baratov’s role as an indiscriminate hacker-for-hire, who targeted individuals chosen by his customers for comprehensive data theft and continuous surveillance. Considering all of the available data, the government presents a very persuasive argument that its recommended sentence of eight years of imprisonment is appropriate. Baratov’s lawyers may now respond in writing, and sentencing is scheduled for May 29, 2018.

Lessons from the Yahoo Hacking Incidents and Responses

There are many lessons to be learned from Yahoo’s cyber incident odyssey. Here are some of them:

The Criminal Conduct

  • Cybercrime as a service is growing substantially.

  • Nation-state cyber actors are using criminal hackers as proxies to attack private entities and individuals. In fact, the Yahoo fact pattern shows that the Russian intelligence services have been doing so since at least 2014.

  • Cyber threat actors—from nation-states to lone wolves—are targeting enormous populations of individuals for cyber intrusions, with goals ranging from espionage to data theft/sale, to extortion.

  • User credentials remain hacker gold, providing continued, unauthorized access to online accounts for virtually any targeted victim.

  • Compromises of one online account (such as a Yahoo account) often lead to compromises of other accounts tied to targeted individuals. Credential sharing between accounts and the failure to employ multi-factor authentication makes these compromises very easy to execute.

The Incident Responses

  • It’s not so much about the breach, as it is about the cover up. Yahoo ran into trouble with the SEC, other regulators and civil litigants because it failed to disclose its data breaches in a reasonable amount of time. Yahoo’s post-breach injuries were self-inflicted and could have been largely avoided if it had properly investigated, responded to, and disclosed the breaches in real time.

  • SEC disclosures in particular must account for known incidents that could be viewed as material for securities law purposes.  Speaking in the future tense about potential incidents will no longer be sufficient when a company has actual knowledge of significant cyber incidents.

  • Regulators are laying the foundation for ramped-up enforcement actions with real penalties. Like Uber with its recent FTC settlement, Yahoo received some leniency for being first in terms of the SEC’s administrative order and penalty. The stage is now set and everyone is on notice of the type of conduct that will trigger an enforcement action.

  • Yahoo was roundly applauded for its outstanding cooperation with law enforcement agencies investigating the attacks. These investigations go nowhere without extensive victim involvement. Yahoo stepped up in that regard, and that seems to have helped with the SEC, at least.

  • Lawyers must play a key role in the investigation and response to cyber incidents, and their jobs may depend on it. Cyber incident investigations are among the most complex types of investigations that exist. This is not an area for dabblers and rookies. Organizations need to hire in-house lawyers with actual experience and expertise in cybersecurity and cyber incident investigations.

  • Senior executives need to become competent in handling the crisis of cyber incident response. Yahoo’s senior executives knew of the breaches well before they were disclosed. Why the delay? And who made the decision not to disclose in a timely fashion?

  • The failures of Yahoo’s senior executives illustrate precisely why the board of directors now must play a critical role not just in proactive cybersecurity, but in overseeing the response to any major cyber incident. The board must check senior management when it makes the wrong call on incident disclosure.

The Litigation

  • Securities fraud class actions may fare much better than consumer data breach class actions. The significant stock drop coupled with the clear misrepresentations about the material fact of a massive data breach created a strong securities class action that led to an $80 million settlement.  The lack of financial harm to consumers whose accounts were breached is not a problem for securities fraud plaintiffs.

  • Consumer data breach class actions are more routinely going to reach the discovery phase. The days of early dismissals for lack of standing are disappearing quickly.  This change will make the proper internal investigation into incidents and each step of the response process much more critical.

  • Although the jury is still out on how any particular federal judge will sentence a particular hacker, the data is trending in a very positive direction for victims. At least at the federal level, hacks focused on the exploitation of personal information are being met with stiff sentences in many cases. A hacker’s best hope is to earn government-sponsored sentencing reductions due to extensive cooperation. This trend should encourage hacking victims (organizations and individuals alike) to report these crimes to federal law enforcement and to cooperate in the investigation and prosecution of the cybercriminals who attack them.

  • Even if a particular judge ultimately goes south on a government-requested hacking sentence, the DOJ’s willingness to fight hard for a substantial sentence in cases such as this one sends a strong signal to the private sector that victims will be taken seriously and protected if they work with the law enforcement community to combat significant cybercrime activity.

Copyright © by Ballard Spahr LLP
This post was written by Edward J. McAndrew of Ballard Spahr LLP.

Fiat Chrysler Car Hacking Case Put In Neutral

Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harman International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harman moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.

Both Flynn and Cahen were filed in 2015, following a series of well-publicized demonstrations by white hat hackers that certain Toyota and Fiat Chrysler cars could be hacked and remotely controlled by a third party, in potentially malicious ways. Plaintiffs in both lawsuits asserted that the cybersecurity vulnerabilities that gave rise to the potential for hacking constituted a design defect that reduced the value of their cars.

The Ninth Circuit in Cahen previously rejected this diminution of value theory, agreeing with the District Court that “plaintiffs have not, for example, alleged a demonstrable effect on the market for their specific vehicles based on documented recalls or declining Kelley Bluebook values . . . nor have they alleged a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” In rejecting Fiat Chrysler’s motion to dismiss in the Flynn case, Judge Reagan reached a different conclusion, finding that plaintiffs had standing to seek diminution of value damages. Key to the court’s decision was the fact that the cybersecurity defects in Chrysler cars that had been widely reported (originally in a Wired magazine article) led to a nationwide recall. The recall itself gave rise to additional reports of car hacking involving Chrysler cars, which the plaintiffs argued provided a foundation for a jury to conclude that the market value of Fiat Chryslers had been reduced. Additionally, plaintiffs alleged that the recall had not fixed the cybersecurity vulnerabilities, which the court found could give rise to a conclusion that the market for Chryslers had been altered.

In certifying the case for appeal, Judge Reagan explained that the initial finding of standing was debatable and noted that a ruling by the Seventh Circuit in favor of Fiat Chrysler would obviate the need for trial. The case remains stayed while the Seventh Circuit considers whether to agree to review the court’s standing ruling.

A ruling by the Seventh Circuit rejecting the District Court’s standing analysis in Flynn would potentially close what had been a new front in data breach litigation. Flynn had been one of only a few data security cases in the country to proceed past the motion to dismiss stage on a diminution in value theory of damages. What made Flynn particularly remarkable is that there had not been an actual reported breach that resulted in physical or other damages.

On the other hand, a ruling in favor of plaintiffs could have widespread ramifications and, in theory, could give rise to design defect claims against manufacturers of other connected products — such as refrigerators, medical devices, and smart televisions — based on data security vulnerabilities that increase the risk of hacking.

The Internet of Things is growing rapidly. According to Gartner, there are over 5 billion devices connected to the internet, and by 2020, there will be 25 billion, with revenues expected to exceed $300 billion. To be sure, there are important differences between the automobile market and the market for other consumer products that may limit the viability of overpayment damages claims for data security vulnerabilities outside of automobiles. Still, the potential that these IoT manufacturers could be subject to products liability claims stemming from cybersecurity vulnerabilities is an issue to watch carefully.

Copyright © by Ballard Spahr LLP
This post was written by Philip N. Yannella of Ballard Spahr LLP.

So…Everyone’s Been Compromised? What To Do In The Wake of the Equifax Breach

By now, you’ve probably heard that over 143 million records containing highly sensitive personal information have been compromised in the Equifax data breach. With numbers exceeding 40% of the population of the United States at risk, chances are good that you or someone you know – or more precisely, many people you know – will be affected. But until you know for certain, you are probably wondering what to do until you find out.

To be sure, there has been a lot of confusion. Many feel there was an unreasonable delay in reporting the breach. And now that it has been reported, some have suggested that people who sign up with the Equifax website to determine if they were in the breach might be bound to an arbitration clause and thereby waive their right to file suit if necessary later (although Equifax has since said that is not the case). Others have reported that the “personal identification number” (PIN) provided by Equifax for those who do register with the site is nothing more than a date and time stamp, which could be subject to a brute-force attack, which is not necessarily reassuring when dealing with personal information. Still others have reported that the site itself is subject to vulnerabilities such as cross-site scripting (XSS), which could give hackers another mechanism to steal personal information. And some have even questioned the validity of the responses provided by Equifax when people query to see if they might have been impacted.

In all the chaos, it’s hard to know how to best proceed. Fortunately, you have options other than using Equifax’s website.

1. Place a Credit Freeze

Know that if you are a victim of the breach, you will be notified by Equifax eventually. In the meantime, consider placing a credit freeze on your accounts with the three major credit reporting bureaus. All three major credit reporting bureaus allow consumers to freeze their credit reports for a small fee, and you will need to place a freeze with each credit bureau. If you are the victim of identity fraud, or if your state’s law mandates, a credit freeze can be implemented without charge. In some states, you may incur a small fee. Lists of fees for residents of various states can be found at the TransUnion, Experian, and Equifax websites. Placing a freeze on your credit reports will restrict access to your information and make it more difficult for identity thieves to open accounts in your name. This will not affect your credit score but there may be a second fee associated with lifting a credit freeze, so it is important to research your options before proceeding. Also, know that you will likely face a delay period before a freeze can be lifted, so spur-of-the-moment credit opportunities might suffer.

Here is information for freezing your credit with each credit bureau:

Equifax Credit Freeze

  • You may do a credit freeze online or by certified mail (return receipt requested) to:

            Equifax Security Freeze
            P.O. Box 105788
            Atlanta, GA 30348

  • To unfreeze, you must do a temporary thaw by regular mail, online or by calling 1-800-685-1111 (for New York residents call 1-800-349-9960).

Experian Credit Freeze

  • You may do a credit freeze online, by calling 1-888-EXPERIAN (1-888-397-3742) or by certified mail (return receipt requested) to:

            Experian
            P.O. Box 9554
            Allen, TX 75013

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-397-3742.

TransUnion Credit Freeze

  • You may do a credit freeze online, by phone (1-888-909-8872) or by certified mail (return receipt requested) to:

            TransUnion LLC
            P.O. Box 2000
            Chester, PA 19016

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-909-8872.

After you complete a freeze, make sure you have a pen and paper handy because you will be given a PIN code to keep in a safe place.

2. Obtain a Free Copy of Your Credit Report

Consider setting up a schedule to obtain a copy of your free annual credit report from each of the reporting bureaus on a staggered basis. By obtaining and reviewing a report from one of the credit reporting bureaus every three or four months, you can better position yourself to respond to unusual or fraudulent activity more frequently. Admittedly, there is a chance that one of the reporting bureaus might miss an account that is reported by the other two but the benefit offsets the risk.

3. Notify Law Enforcement and Obtain a Police Report

If you find you are the victim of identity fraud (that is, actual fraudulent activity – not just being a member of the class of affected persons), notify your local law enforcement agency to file a police report. Having a police report will help you to challenge fraudulent activity, will provide you with verification of the fraud to provide to credit companies’ fraud investigators, and will be beneficial if future fraud occurs. To that end, be aware that additional fraud may arise closer to the federal tax filing deadline and having a police report already on file can help you resolve identity fraud problems with the Internal Revenue Service if false tax returns are filed under your identity.

4. Obtain an IRS IP PIN

Given the nature of the information involved in the breach, an additional option for individuals residing in Florida, Georgia, and Washington, D.C. is to obtain an IRS IP PIN, which is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of Social Security numbers in federal tax filings. An IP PIN helps the IRS verify a taxpayer’s identity and accept their electronic or paper tax return. When a taxpayer has an IP PIN, it prevents someone else from filing a tax return with the taxpayer’s SSN.

If a return is e-filed with a taxpayer’s SSN and an incorrect or missing IP PIN, the IRS’s system will reject it until the taxpayer submits it with the correct IP PIN or the taxpayer files on paper. If the same conditions occur on a paper filed return, the IRS will delay its processing and any refund the taxpayer may be due for the taxpayer’s protection while the IRS determines if it is truly the taxpayer’s.

Information regarding eligibility for an IRS IP PIN and instructions for obtaining one, as well as the IRS’s FAQs on the issue, are available on the IRS website.

Conclusion

Clearly, the Equifax breach raises many issues about which many individuals need to be concerned – and the pathway forward is uncertain at the moment. But by being proactive, being cautious, and taking appropriate remedial measures available to everyone, you can better position yourself to avoid fraud, protect your rights, and mitigate future fraud that might arise.

This post was written by Justin L. Root and Sara H. Jodka of Dickinson Wright PLLC © Copyright 2017
For more legal news go to The National Law Review

Equifax Breach Affects 143M: If GDPR Were in Effect, What Would Be the Impact?

The security breach announced by Equifax Inc. on September 7, 2017, grabbed headlines around the world as Equifax revealed that personal data of roughly 143 million consumers in the United States and certain UK and Canadian residents had been compromised. By exploiting a website application vulnerability, hackers gained access to certain information such as names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers and credit card numbers. While this latest breach will force consumers to remain vigilant about monitoring unauthorized use of personal information and cause companies to revisit security practices and protocols, had this event occurred under the General Data Protection Regulation (GDPR) (set to take effect May 25, 2018), the implications would be significant. This security event should serve as a sobering wake-up call to multinational organizations, and to any other organization collecting, processing, storing, or transmitting personal data of EU citizens, about the protocols they must have in place to respond to security breaches under GDPR requirements.

Data Breach Notification Obligations

Notification obligations for security breaches that affect U.S. residents are governed by a patchwork set of state laws. The timing of the notification varies from state to state, with some requiring that notification be made in the “most expeditious time possible,” while others set forth a specific timeframe such as within 30, 45, or 60 days. The United States does not currently have a federal law setting forth notification requirements; one was proposed by the government in 2015 setting a 30-day deadline, but the proposal never received any support.

While the majority of the affected individuals appear to be U.S. residents, Equifax stated that some Canadian and UK residents were also affected. Given Equifax’s statement, the notification obligations under GDPR would apply, even post-Brexit, as evidenced by a recent statement of intent maintaining that the United Kingdom will adopt the GDPR once it leaves the EU. Under the GDPR, in the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay. A notification to the authority must at least: 1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected, 2) provide the data protection officer’s contact information, 3) describe the likely consequences of the personal data breach, and 4) describe how the controller proposes to address the breach, including any mitigation efforts. If it is not possible to provide the information at the same time, the information may be provided in phases “without undue further delay.”

According to Equifax’s notification to individuals, it learned of the event on July 29, 2017. If GDPR were in effect, notification would have been required much earlier than September 7, 2017. Non-compliance with the notification requirements could lead to an administrative fine of up to 10 million Euros or up to two percent of the total worldwide annual turnover.

Preparing for Breach Obligations Under GDPR

With a security breach of this magnitude, it is easy to imagine the difficulties organizations will face in mobilizing an incident response plan in time to meet the 72-hour notice under GDPR. However, there are still nearly eight months until GDPR goes into effect on May 25, 2018. Now is a good time for organizations to implement, test, retest, and validate the policies and procedures they have in place for incident response and ensure that employees are aware of their roles and responsibilities in the event of a breach. Organizations should consider all of the following in crafting a GDPR incident response readiness plan:


This post was written by Julia K. Kadish and Aaron K. Tantleff of Foley & Lardner LLP © 2017

Data Breaches Will Cost Yahoo and Verizon Long After Sale

Five Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.

While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come. Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of ongoing liabilities. The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence. First, the breach event will probably render integration of the systems of the target and acquirer difficult, as the full extent of the security issues is often difficult to assess and may evolve over time. According to Verizon executives, Yahoo’s data breaches created integration issues that had not been previously understood. The eventual monetary cost of this issue remains unknown.

Second, where the target is subject to the authority of the Securities and Exchange Commission (SEC), an SEC investigation, and penalties if applicable, is likely, along with related shareholder lawsuits. As we wrote previously, the SEC is currently investigating whether Yahoo should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. Under the current agreement, Yahoo will bear sole liability for shareholder lawsuits and any penalties that result from the SEC investigation.

Third, there will likely be additional private party actions due to the breach. Exactly what these liabilities will be will depend on the data exfiltrated as a result of the breach. In Yahoo’s case, Verizon and Yahoo have agreed to share equally in the costs and liabilities created by lawsuits from customers and partners. Multiple private party lawsuits have already been filed against Yahoo alleging negligence.

Fourth, other government investigations, such as by the Federal Bureau of Investigation (FBI), could result in additional costs, both monetary and reputational. The FBI is currently investigating the Yahoo breaches. Verizon and Yahoo will share the costs of the FBI investigation and other potential third party investigations.

Fifth, depending on the scope of the breach, there will likely be ongoing remediation costs after the deal closes. According to a knowledgeable source, as of February 2017, Yahoo had sent notifications to a “mostly final” list of users, indicating that some remaining remediation activities may yet occur.

As we have seen, merger and acquisition events involving a target with pre-existing data breach issues create difficult-to-assess costs and liabilities that will survive the closing of the transaction.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

In re: Target Corporation Customer Data Security Breach Litigation — instructive 8th Circuit case re class certification

Jim Sciaroni v. Target Corporation, civil case – class action in the Target security breach. The district court’s statements in the class certification order regarding Rule 23(a)(4)’s representation adequacy requirement are conclusions, not reasons, and on their own do not constitute the “rigorous analysis” of whether certification was proper in this case; the court has a continuous duty to reevaluate certification throughout the litigation, and the court’s order rejecting an allegation of intraclass conflict made before final certification improperly refused to reconsider the issue solely because it had already certified the class; as a result, the district court abused its discretion by failing to rigorously analyze the propriety of certification, especially once new arguments regarding the adequacy of representation were raised after preliminary certification, and the matter is remanded to the district court for it to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied to this case; “costs on appeal” for Rule 7 purposes include only those costs that a prevailing appellate litigant can recover under a specific rule or statute; as a result, the bond set in this matter, which included delay-based administrative costs, is reversed and the matter remanded with directions to reduce the Rule 7 bond to reflect only those costs appellee will recover should they succeed in any issues remaining on appeal following the district court’s reconsideration of class certification. The panel retains jurisdiction over any remaining issues following the district court’s disposition on remand. The district court shall certify its findings and conclusions to this court within 120 days.

02/01/2017  Jim Sciaroni v. Target Corporation

   U.S. Court of Appeals Case Nos. 15-3909, 15-3912, 16-1203, 16-1245 and 16-1408

   U.S. District Court for the District of Minnesota – Minneapolis

   [PUBLISHED] [Shepherd, Author, with Benton, Circuit Judge, and Strand, District Judge]


© Copyright 2017 Armstrong Teasdale LLP. All rights reserved

The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors

On January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting forth a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients.

The Memorandum is not the first set of guidance to federal agencies and departments for reporting breaches of personally identifiable information (PII), but it establishes minimum standards going forward (agencies have to comply within 180 days from the date of the Memorandum). The Memorandum makes clear that it is not setting policy on information security or on protecting against malicious cyber activities and similar activities, topics related to the recent fiery debates concerning the 2016 election results and Russian influence.

The Memorandum sets out a detailed breach response policy covering topics such as preparedness, establishing a response plan, assessing incident risk, mitigation, and notification. For organizations that have not created a comprehensive breach response plan, the Memorandum could be a helpful resource, even for those not subject to it. But it should not be the only resource.

Below are some observations and distinctions worth noting.

  • PII definition. Unlike most state breach notification laws, the Memorandum defines PII broadly: information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. So, for example, the notification obligation for a federal contractor will not apply only if Social Security numbers or credit card numbers have been compromised.
  • Breach definition. Breaches are not limited to phishing attacks, hackings or similar intrusions. They include lost physical documents, sending an email to the wrong person, or inadvertently posting PII on a public website.
  • Training. Breach response training must be provided to individuals before they have access to federal PII. That training should advise the individuals not to wait for confirmation of a breach before reporting to the agency. A belief (or hope) that one will find that lost mobile device should not delay reporting.
  • Required provisions in federal contracts. Federal contractors that collect or maintain federal PII or use or operate an information system for a federal agency must be subject to certain requirements by contract. The Memorandum requires agencies to update their contracts with contractors to ensure the contracts contain certain provisions, such as requiring contractors to (i) encrypt PII in accordance with OMB Circular A-130, (ii) train employees, (iii) report suspected or confirmed breaches, (iv) be able to determine what PII was or could have been accessed and by whom, and identify initial attack vectors, and (v) allow for inspection and forensic analysis. Because agencies must ensure these provisions are uniform and consistent in all contracts, negotiation will be difficult. The Federal Acquisition Regulatory Council is directed to work with the Office of Management and Budget to promptly develop appropriate contract clauses and regulatory coverage to address these requirements.
  • Risk of harm analysis. Agencies will need to go through a complex risk of harm analysis to determine the appropriate breach response. Notably, encryption of PII is not an automatic exception to notification.
  • Notification. The rules for timing and content of breach notification are similar to those in many of the state breach notification laws. The Memorandum also advises agencies to anticipate undeliverable mail and to have procedures for secondary notification, something not clearly expressed in most state notification laws. The Memorandum also suggests website FAQs, which can be more easily updated and tailored. Agency heads have ultimate responsibility for deciding whether to notify. They can consider the risk of over-notification and should try to provide a single notice to cover multiple notification requirements. They also can require contractors to provide notification following contractor breaches.
  • Tabletop Exercises. The Memorandum makes clear that testing breach response plans is essential and expressly requires that tabletop exercises be conducted at least annually.

Federal contractors and federal grant recipients that have access to federal PII will need to revisit (or develop) their own breach response plans to ensure they comply with the Memorandum, as well as with the requirements of the applicable federal agency or department, which can be more stringent. Of course, those plans must also incorporate other breach response obligations the organizations may have, whether those obligations flow from other federal laws (e.g., HIPAA), state laws, or contracts with other entities. Putting aside presidential politics, cybersecurity threats are growing, and increased regulation, enforcement and litigation exposure is likely.

Jackson Lewis P.C. © 2017