Data Breach Settlement Highlights Need for Proactive Management of Data Security Threats

Lincare Inc. recently agreed to settle a class action lawsuit for $875,000. The class plaintiffs consisted of employees whose personal information was compromised in 2017. The breach involved a business email compromise scam. The settlement amount is not the only cost to the company and in fact may cost less than implementing remedial measures (credit/identity monitoring) and IT reforms to prevent such an incident from happening in the future. For example, the settlement terms dictate that an additional two years of free credit and identity monitoring services be provided to the class plaintiffs. Furthermore, Lincare will have to perform ongoing risk assessments to ensure protected information is secured; hire and maintain an IT head to manage the processes and applications deployed to secure protected information; implement a breach response program ...

GDPR: The Countdown to Compliance

Many companies, large and small, are scrambling with last-minute preparations for compliance with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. This is because if they don’t comply, they face fines of up to 4 percent of a company’s worldwide revenue for serious infractions or 20 million euros – whichever is higher. A recent IAPP survey of U.S. and European companies carried out by the Pokémon Institute has revealed that only 52 percent of companies expect to achieve compliance by the deadline and that 40 percent of companies are likely to achieve GDPR compliance after May 25, 2018. The remaining 8 percent of companies were not sure when they will achieve compliance. For 83 percent of the responding companies, preparing for data breach ...

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. First, the release, presented as a letter to “valued guests,” provided information within days of the breach, despite the fact that its investigation is ongoing. Second, the press release did not identify the “certain Chili’s restaurants” impacted by the breach, thwarting immediate class action litigation. Yahoo, in sharp contrast, waited approximately 22 months to report an incident, leading to ...

No More Chits to Call In: Computer Crime Policy Does Not Cover Fraudulent Transaction

In Interactive Communications International, Inc. v. Great American Insurance Company, a lawsuit closely monitored by those in the cyberinsurance space, the Eleventh Circuit affirmed a Georgia federal court’s decision, finding an insurance policy’s “Computer Fraud” coverage did not extend to certain losses caused by fraudsters. The decision comports with other recent decisions finding that social engineering fraud schemes do not satisfy the policy’s requirement of losses resulting directly from the use of a computer. Here, the devil was in the details. InComm operated a business that sold “chits” to consumers containing a money value which could then be loaded onto a debit card. To redeem the value of the chits, consumers called InComm’s 1-800 number and were connected with an interactive voice response (IVR) computer system. The IVR system, which ...

FTC Settles False Representation Claim Against Mobile Phone Manufacturer

The Federal Trade Commission (FTC) has settled with BLU Products, Inc. over allegations that the unlocked mobile phone manufacturer allowed a third-party provider to collect detailed personal information about its consumers without their knowledge or consent. In 2016, BLU Products admitted that a third-party app called “Wireless Update” had been “collecting unauthorized personal data in the form of text messages, call logs and contacts from customers” on some devices. The FTC alleged that BLU Products, its co-owner, and president falsely claimed that only information needed to perform requested services, including security and operating system updates, would be collected. The complaint alleged that the China-based third-party service provider ADUPS Technology Co., Ltd had in fact collected far more information than necessary, including the full content of consumers’ text messages, real-time location ...

The SEC Imposed its First Data-Breach Related Disclosure Penalty

On the heels of the Securities and Exchange Commission (SEC) February 20, 2018 guidance on cybersecurity-related disclosures, the SEC imposed its first data breach related enforcement penalty. It should come as no surprise that the SEC’s first penalty was levied against Yahoo arising from its massive 2014 data breach. The $35 million penalty was, as the SEC stated in its April 24 press release, intended “to settle charges that [Yahoo] misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.” Significantly, the SEC’s order found that Yahoo’s public disclosures in the period following the data breach were misleading in several ways, including the disclosure of its risk factors. The SEC found that the ...

Nearly a 50 percent Increase in Gulf Region Cyberattacks

Gulf Business Machines (GBM) reports a significant increase – from 28 percent in 2016 to 41 percent in 2017 – in hacking events among Gulf-based enterprises. Even so, only 31 percent of regional organizations are concerned about the detection and response to these attacks. At the 2018 Gulf Information Security Expo and Conference in Dubai that took place from May 1-3, 2018, GBM issued its Seventh Annual Cybersecurity Study, which surveyed regional organizations regarding security in the business environment. The survey polled over 600 executives and IT professionals from a range of industries including IT, education, oil and gas, hospitality, and healthcare across the United Arab Emirates, Oman, Bahrain, and Kuwait. The GBM White Paper illustrated these relevant findings: 79 percent believed their company had an effective security strategy in place ...

Targeting Public Services: How Municipalities and Gas Pipelines are Vulnerable to Cyberattacks

While the Facebook / Cambridge Analytica scandal has captured the public’s attention, two significant attacks on the City of Atlanta and natural-gas pipeline operators illustrate risk to fundamental human services, including law enforcement and consumer energy. On March 22, 2018, the City of Atlanta reported a ransomware cyberattack on government network servers, including servers hosting data for the Atlanta Police Department, preventing government employees from accessing information necessary to perform their duties. In particular, the police department was effectively handcuffed, and unable to access evidence relating to criminal investigations, or to assist citizens in recovering seized property. While the city’s information management team is hopeful that it will restore all interrupted data, the attack has caused, at the very least, a short-term interruption of services. Four of the nation’s ...

Facebook Continues Playing the Globalist Game

Facebook once again recently taught us that it may be easier to avoid a law than to comply with it. On April 17, 2018, Facebook confirmed that to meet its mission to comply “in spirit” with “the whole” of the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, Facebook is effectively moving data for approximately 1.5 million users outside the reach of the law. By offering “new privacy experiences” complete with updated terms of service and data policy, Facebook is transitioning responsibility for all users outside the US, Canada and the EU from Facebook’s Irish company to its American branch located in California. As a result, affected users will be unable to file complaints with Ireland’s Data Protection Commissioner or in Irish courts; instead, U.S. ...

Consumers Have Standing for Data Breach Claims against Barnes & Noble

The Court of Appeals for the Seventh Circuit has issued its second decision in favor of consumers bringing claims against retailers for injuries following cyber attacks exposing sensitive consumer information in Diefenbach v. Barnes & Noble, Inc. On April 11, 2018, the court resurrected the class action brought against the book retailer by consumers whose debit card information was hacked in 2012. Specifically, the court ruled that the named plaintiffs properly alleged an injury under state consumer protection laws, including lost time, cost of credit monitoring, and inhibited access to bank accounts, did not meet the threshold pleading standards. Judge Easterbrook, writing for the court, found Barnes & Noble’s arguments against plaintiffs’ constitutional standing ineffective and unconvincing. Supporting her ruling that the victims suffered damages and therefore had standing to ...