Written by Lauren Macon and Cara Peterman
SEC Chairman Jay Clayton issued a public statement on Cybersecurity (the “Clayton Statement”) last week, disclosing a 2016 attack on the SEC’s database of corporate filings. The intrusion exploited a vulnerability in the test filing component of the EDGAR system, a document repository for disclosures from public companies and issuers, through which the intruder was able to gain access to nonpublic (and potentially sensitive) corporate information. Though the intrusion was detected in 2016, Clayton stated that the agency learned only in August 2017 that the incident “may have provided [...]
Written by Gavin Reinke
The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013. The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers.
The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing. [...]
Written by Andrew Liebler
Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million. The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people. The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information.
The settlement [...]
Written by Gavin Reinke
Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations. The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach.
The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation [...]
Written by Mike Barry
Third-party forensic investigations performed at the direction of counsel are part and parcel of virtually every data breach. There has been little case law, however, directly addressing the extent to which the attorney-client privilege and/or work product doctrine protects those forensic investigations from disclosure. Last week, the Central District of California held that, under the specific facts at issue, that information is indeed protected by at least the attorney work product doctrine.
In In re Experian Data Breach Litigation, 15-1592 (C.D. Cal. May 18, 2017), the Court considered [...]
Written by Maki DePalo
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003. It was originally enacted on May 30, 2003, and came into effect in 2005. Ten years later, in September 2015, the National Diet passed extensive reforms to modernize the Current APPI. Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect, it will come fully into effect on May 30, 2017.
It is important to note that the Amended APPI applies to “personal information handling business operators,” which is defined as a person [...]
Written by Nameir Abbas
New Mexico recently became the 48th state to pass some form of data breach notification legislation, leaving Alabama and South Dakota as the lone holdouts. The Data Breach Notification Act was signed by New Mexico Governor Susana Martinez on April 6, 2017. The law applies to persons that own or license personal identifying information of New Mexico residents, defined as an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, government-issued ID number, account number plus security or access code or password, or biometric [...]
Written by Justin Hemmings
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record-breaking 1,282 data breach notices affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...]
Written by Adria Moshe
On February 13, 2017, Australia joined the nation states that have adopted data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act.
Who is Subject to the New Legislation?
The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...]
Written by Privacy & Data Security Team
California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information [...]