April Brings Showers … and Changes to State Data Breach Notification Laws


Over the past few weeks there have been noteworthy changes to data breach notification acts within several states. Of importance, New Mexico enacted its first notification law while Tennessee and Virginia amended existing legislation.

New Mexico

On April 6, 2017, New Mexico enacted HB 15, the Data Breach Notification Act, making it the 48th state to pass a notification law. The Act goes into effect on June 16, 2017, leaving Alabama and South Dakota as the only states without notification requirements. The Act, drawing on other states’ recent amendments, includes biometric data (fingerprints, facial characteristics, retina patterns, etc.) in its definition of personal identifying information. The Act’s three components are: (1) disposal of personal identifying information; (2) security measures for storage of personal identifying information; and (3) notification of a ...
Continue Reading...


IRS Student Loan Application Program Breach Affecting up to 100,000 Taxpayers

On April 6, 2017, IRS Commissioner John Koskinen testified during a Senate Finance Committee meeting that the personal data of up to 100,000 taxpayers may have been compromised by hackers accessing both students’ and parents’ tax information through the Data Retrieval Tool (DRT), a free application for federal student aid data retrieval connected with the Free Application for Federal Student Aid (FAFSA). Obtaining such information allowed these hackers to file fraudulent tax returns and steal refunds. The last breach of this magnitude occurred in 2015, when outside hackers gained access to over 300,000 tax returns, stealing data and initiating fraudulent returns. In the fall of 2016, the IRS recognized the possibility of a similar threat after noticing that hackers could take advantage of the DRT program, which contained both students’ ...
Continue Reading...

Congress Rolls Back FCC Privacy Regulations

On March 28, 2017, Congress passed legislation (S.J. Res. 34) that rolled back privacy regulations recently adopted by the Federal Communications Commission. The resolution passed the Senate by a vote of 50-48 and the House by a vote of 215 to 205. This is one of several sets of regulations Congress is rolling back under the authority of the Congressional Review Act of 1996. Under this statute, Congress can nullify administrative regulations by simply passing a joint resolution of disapproval. On December 2, 2016, the FCC adopted a set of regulations entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274 (December 2, 2016)). As noted in the Federal Register, these rules focused “on transparency, choice, and data security, and provides heightened protection ...
Continue Reading...

New York Issues Final Cybersecurity Regulation

On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). This regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period that concluded on January 27, 2017. For a prior list of significant changes from the initial version to the second version, please see our blog post located here. Most of the changes that are contained in the final regulation consist of formatting and technical changes. Some new provisions clarify already existing provisions, e.g., Section 500.17(b) clarifies that the annual report to the Superintendent should be a report on the prior year. Other minor changes include record retention requirements ...
Continue Reading...

NYDFS Issues Updated Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows: Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities of a Chief Information Security Officer (CISO) outlined in the regulation, that individual is not required to have this specific title. This individual is also not required to be dedicated exclusively to performing the duties of the CISO. Section 500.13 — The previous version required each Covered Entity ...
Continue Reading...

Despite Recent High-Profile Dismissals, Wendy’s Shareholders Try Again with Cybersecurity-Related Derivative Lawsuit

The resilient plaintiffs’ bar is not backing down from its quest to hold directors and officers personally liable for corporate misconduct that leads to cybersecurity breaches. Taking guidance from the failures which resulted in a string of dismissals of high-profile cybersecurity-related shareholder derivative lawsuits, a shareholder of the fast-food chain The Wendy’s Company is taking another shot at imposing liability on corporate leadership for failing to take precautions against cyber-attacks. To be clear, these derivative cases are trying to hold the directors and officers liable for mismanagement of the company which led to the data breach, not for the liability arising directly from the data breach itself. These types of derivative lawsuits, however, have been largely unsuccessful. On December 16, 2016, a shareholder of the fast-food chain Wendy’s filed a ...
Continue Reading...

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

Instead of a Hollywood-style cyberattack into an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email to his Gmail account indicating someone had accessed his account, inviting Podesta to click on a Bitly URL (a service providing shortlinks, or shortened URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL sent to Podesta was clicked two times in March. From March to May, it appears the same hackers created 213 short links targeting 108 email addresses on the hillaryclinton.com domain. Reports indicate a similar phishing attack managed to hoodwink former US Secretary of State Colin ...
Continue Reading...

Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate employees and implement effective “cyber-hygiene” policies for all of them, to minimize the risks associated with the range of social engineering tactics, from phishing to inadvertent disclosures, as well as to curb the opportunities for plain old mistakes. Password protection is among the most obvious areas for improvement in the world of cyber-hygiene. In a recent survey of 750 IT administrators and company “decision makers” sponsored by CyberArk and conducted by Vanson Bourne, 40 percent of organizations reported using a Microsoft Word document or spreadsheet to store administrative passwords, and another 28 percent of those polled use either a shared server or USB stick to store ...
Continue Reading...

The Yahoo Class Action: Plaintiff’s Bar Finds a New Cottage Industry

The only “surprise” in the Yahoo class action complaint, filed Friday, September 23, 2016, is that Yahoo issued a press release announcing the breach a mere one day earlier. The class action complaint, undersigned by three law firms in San Francisco, Boca Raton, and New York, seeks certification for: “All persons within the United States whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016.” Indeed, the complaint makes a number of allegations relating directly to the September 22 press release, including what appears to be a copy-and-paste of the entire release’s language. The stated causes of action are cookie-cutter, with the word “Yahoo” pasted among otherwise generic allegations about the breach and alleged damages. Retention of counsel to work ...
Continue Reading...

Judge Rules No Standing to Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint made against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class action complaint against Chrysler and Harman – the maker of the uConnect telematics system, which, among many things, pairs an owner’s smart phone to their car. The plaintiffs allege that they suffer pangs of anxiety and fear because of the possibility that their cars could be ...
Continue Reading...