Apple Accused of Unlawfully Disclosing Users’ iTunes Data

Drawing on public criticism of Apple Inc.’s (Apple) privacy practices, in a class action complaint filed in the Northern District of California on May 24, 2016, several Apple users have accused Apple of selling its customers’ personal information and iTunes listening history to third-parties in an effort to “supplement its revenues and enhance the formidability of its brand[.]” The named plaintiffs in the proposed class action are Leigh Wheaton, a resident of Rhode Island, and Jean and Trevor Paul, residents of Michigan. Each have alleged…
Continue reading...

2019 Verizon Data Breach Report: Updating Consumers On How to Protect Themselves Again

The 2019 Verizon Data Breach Investigation Report (DBIR) was released at the end of May. This report provides an overview of data and statistical research relating to cyber threats as well as potential defenses to counteract them. The overall goal of the DBIR is to provide potential information and suggestions relating to protection as well as cyberattack recovery.  This year’s report proved to be the most extensive review yet conducted, tracking 41,686 security incidents around the world, including 2,013 data breaches from 86 countries and…
Continue reading...

Yearly Cyber Report Reveals Large Increases in Cyberattacks and Costs

The third Hiscox Cyber Readiness Report, which was published in April 2019, highlights the increased cyber risks that businesses are facing. The report, which drew data from seven countries (Belgium, France, Germany, the Netherlands, Spain, the United Kingdom, and the United States), noted the marked rise in both the amount of attacks and the overall costs stemming from cyber losses. Turning first to the increase in cyberattacks, 61 percent of respondents reported a cyber incident, up from 45 percent last year across the seven…
Continue reading...

Happy Birthday GDPR! Its Year in Review and the Future for Data Protection

The European Union’s General Data Protection Regulation (GDPR) turned a year old on May 25, 2019 already becoming a benchmark for privacy and data protection compliance.  Undoubtedly, one of the great successes of the GDPR to date has been reminding consumers of their rights surrounding data privacy, and forcing organizations to improve their own data privacy practices. The GDPR gives EU residents the right to request a portable copy of their data, the right to get their data erased, and the right to revoke their consent.…
Continue reading...

Resolution Agreement Requires Medical Imaging Company to Pay $3 Million to Settle Data Breach

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services revealed on May 6, 2019 that Tennessee-based Touchstone Medical Imaging (TMI) entered into a Resolution Agreement (RA) requiring them to pay a $3 million fine to settle a data breach that exposed over 300,000 patients’ protected health information (PHI). In addition to the significant monetary fine, TMI must adopt a corrective action plan that will address shortfalls in the company’s compliance with HIPAA Security and Breach Notification Rules, which is…
Continue reading...

Health Industry Cybersecurity Practices

Earlier this year the Department of Health and Human Services issued a report that in part detailed practices hospitals can use to avoid cyberattacks against the health care industry. The genesis of the report was the Cybersecurity Act of 2015 (CSA) and more specifically, section 405(d). That section calls for “aligning health care industry security approaches.” The forward to the report provides that “industry and government came together under the auspices of the 405(d) task group…focused on building a set of voluntary, consensus-based principles to…
Continue reading...

Cryptocurrency Theft is on the Rise

According to a recent study, losses from theft, fraud, and misappropriation of cryptocurrency increased to $1.2 billion worldwide in the first quarter of 2019, which is already 70 percent of all such activity from 2018.  In fact, it was  reported that hackers used phishing, viruses, and other techniques to steal $41 million in cryptocurrency from Binance, one of the world’s largest cryptocurrency exchanges. This is on the heels of an announcement by Fidelity Investments that it will soon buy and sell bitcoin for institutional customers.…
Continue reading...

There is Still Hope for Federal Privacy Legislation, but it May be Delayed

Highly-publicized data breaches and frequent scandals involving the collection and sale of personal data have made online privacy a bipartisan issue. Lawmakers have proposed a number of solutions. One of those proposals is a bill to create rules governing online privacy, headed by Democratic Senators Richard Blumenthal, Brian Schatz, and Maria Cantwell, and Republican Senators Jerry Moran, Roger Wicker, and John Thune. Republicans evidently hope to complete a draft of the bill by the end of May so it can be introduced, debated, and voted…
Continue reading...

Breach Settlements Are Helpful Cybersecurity Reminders

Over the past month, a number of high-profile cybersecurity settlements have been reported. These cases continue to remind companies to take steps both to secure personal data and sensitive materials, including data stored by third-party vendors, as well as to conduct a prompt and comprehensive forensic investigation into any incident to ensure both a factually correct determination, and, if necessary, timely notice to impacted individuals. On April 18, 2019, a multi-million dollar class-action settlement out of Washington State University was approved relating to the theft…
Continue reading...

Walking Back Spokeo: Does the 11th Circuit Make Data Breach Standing Even Easier?

In the context of data-breach litigation, Article III standing has historically been a hurdle for the plaintiffs’ bar. This “standing hurdle” is more than just an oxymoronic phrase.  And after the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), many believed that would be data-breach plaintiffs would find it even more difficult to establish Article III standing.  Under Spokeo, the data breach plaintiffs are required to show an “injury-in-fact” that is “concrete and particularized” and “actual or imminent, not…
Continue reading...