Consumers Have Standing for Data Breach Claims against Barnes & Noble


The Court of Appeals for the Seventh Circuit has issued its second decision in favor of consumers bringing claims against retailers for injuries following cyber attacks that exposed sensitive consumer information, in Dieffenbach v. Barnes & Noble, Inc. On April 11, 2018, the court resurrected the class action brought against the book retailer by consumers whose debit card information was hacked in 2012. Specifically, the court ruled that the named plaintiffs properly alleged an injury under state consumer protection laws, including lost time, the cost of credit monitoring, and inhibited access to bank accounts, and rejected the contention that these allegations did not meet the threshold pleading standards. Judge Easterbrook, writing for the court, found Barnes & Noble’s arguments against the plaintiffs’ constitutional standing ineffective and unconvincing. Supporting the ruling that the victims suffered damages and therefore had standing to ...


Facebook Faces a Bombardment of Lawsuits Over Handling of Personal Information

Facebook is facing yet another class action lawsuit in the wake of the well-publicized Cambridge Analytica scandal. The lawsuit, filed in the Northern District of California near the company’s Menlo Park headquarters, follows close on the heels of Facebook’s admission that the personal information of a large number of its users was collected via a personality quiz app named “This is Your Digital Life” and shared with Cambridge Analytica. The app harvested the personal information not only of those who used it, but also of millions of users who were merely friends of the people who installed the app. The app developer was allegedly granted permission by Facebook to collect data for academic research, but sold the data on to Cambridge Analytica to be used to influence voting. The lawsuit alleges ...

New York AG Seeks to Require Privacy Violation Notifications

While the law has adapted to the reality of cyberattacks and data breaches, in the wake of recent revelations about Facebook’s use of personal information, New York’s Attorney General intends to propose legislation to address Privacy Violations — where personal information is obtained or used by organizations in violation of a platform’s terms of service, or the law. Facebook has recently acknowledged that data analytics firm Cambridge Analytica collected personal information of 50 million Facebook users without their consent as part of a political influence campaign. It was reported that Mark Zuckerberg and other social media executives will testify before Congress. It was also announced last week that New York State Attorney General Eric Schneiderman intends to propose legislation requiring such platforms to notify his office and New York consumers ...

Better Late Than Never — Time to Get Those Cybersecurity Certifications of Compliance into NYDFS

If you are an individual or company regulated by the New York State Department of Financial Services (NYDFS), you may have received an email from NYDFS reminding you to submit your Certification of Compliance as soon as possible. New York’s relatively new cybersecurity regulation, 23 NYCRR 500 (the Regulation), requires all people and companies covered by the Regulation (Covered Entities) to file an annual statement by February 15 certifying that the entity was compliant (Certification of Compliance) with the Regulation as of December 31 of the prior calendar year. If you have not filed yet, please consider the following points: NYDFS advises that Covered Entities should file as soon as possible. The filing system is relatively user friendly. You have to file via the portal. NYDFS has stated that it “will ...

Study Finds Nearly Eighty Percent of Respondents Lack Formal Incident Response Plan on Cyberattacks

IBM Security has announced the staggering findings of the third annual benchmark study on Cyber Resilience — an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks. Conducted by the Ponemon Institute and sponsored by IBM Resilient, the study surveyed more than 2,800 security and IT professionals around the world in preparation of “The 2018 Cyber Resilient Organization.” The study found that many organizations continue to be ill-prepared for a cyberattack. Some of the more staggering findings are as follows: 77 percent of respondents do not have a formal cyber security incident response plan (CSIRP) applied consistently across their organization; approximately 50 percent of respondents have an informal/ad hoc or completely non-existent incident response plan; 57 percent of respondents report that the time to resolve an ...

New York’s New Cyber Law Is Beginning to Byte

In late 2016, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations to “promote the protection of customer information and information technology systems of regulated entities.” The DFS defined “covered entities” as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law of New York. Banks, insurance companies, and other financial services institutions and licensees regulated by the DFS are just some examples of entities now under the gun with respect to implementation and enforcement of the new law. Revised regulations — N.Y.C.R.R. 500 — went into effect March 1, 2017, after companies and ...

DFS Partially Clarifies Who Qualifies for an Exemption Under Cybersecurity Regulation

By the terms of 23 NYCRR 500.19(e), Covered Entities that have determined they qualify for a limited exemption from compliance under 23 NYCRR 500.19(a)-(d) of New York’s new Cybersecurity Regulation — as of August 28, 2017 — are required to file a Notice of Exemption with the New York Department of Financial Services (NYDFS) on or prior to September 28, 2017. The first compliance date under New York’s cybersecurity regulation, August 28, 2017, which was also the date by which Covered Entities had to determine whether they qualify for a limited exemption from the regulation, has now come and gone. On the heels of these key dates, NYDFS has updated two of the Frequently Asked Questions, Questions 1 and 4, ...

Major Cyber Attack on Britain’s National Health Service

A widespread cyber attack has breached healthcare services across England and Scotland, possibly impacting up to 33 NHS organizations and additional general practitioners. The Prime Minister has confirmed the attack, and that the National Cyber Security Centre is already working with NHS Digital to safeguard patient data. More information can be found here.

Don’t Be Held Hostage by Ransomware

Chair of Goldberg Segalla’s Cyber Risk Practice Group, John J. Jablonski, Esq., offers insights on avoiding a ransomware attack in a recent blog post for the Pennsylvania Institute of Certified Public Accountants, accessible here. John will also be sharing his insights on cybersecurity at the PICPA Data Privacy and Security for Professional Service Organizations program in Philadelphia on May 24.

Re-Thinking the U.S. Government’s Approach to Cybersecurity

Are the “cybersecurity” tools used by the CIA and NSA causing harm to U.S. businesses and citizens? An analysis of the WikiLeaks materials, and recent hacker activity, suggests the answer may be yes. This month, it was revealed that at least 40 cyber attacks on organizations in 16 countries were conducted with top-secret hacking tools, according to security firm Symantec Corporation. While not formally blaming the CIA, Symantec said it connected these attacks to the CIA hacking tools obtained by WikiLeaks, and that the targets were government entities or had some national security value. The CIA efforts, however, do not appear to be limited to foreign targets. Cisco Systems, whose Internet switches direct electronic traffic, has also reported that the CIA exploited flaws allowing eavesdropping across 300 different Cisco products. ...