Another Month, Another Major Data Breach – This Time at Capital One

Capital One Financial Corp., the fifth largest United States credit card issuer, announced on July 29, 2019 that a data breach exposed approximately 140,000 Social  Security numbers and about 80,000 linked bank account numbers – impacting nearly 100 million U.S. residents and 6 million Canadian residents. The breach also included other personal information like names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income, credit scores, credit limits, balances, payment history, contact information and fragments of transaction data from a total…
Continue reading...

Federal Court Rejects Data Breach Suit Alleging a Breach of a Privacy Policy Involving Major Airline

Even as federal courts become more lenient with affording standing in data breach lawsuits, limits remain to the type of claims courts will permit to proceed. The United States District Court for the Central District of California provided a recent example on June 18, 2019, in dismissing a suit against Delta Air Lines arising from a data breach suffered in 2017 by a vendor for Delta that supports the company’s website by providing chat services and collecting customer data.  In McGarry v. Delta Air Lines,
Continue reading...

2019 Verizon Data Breach Report: Updating Consumers On How to Protect Themselves Again

The 2019 Verizon Data Breach Investigation Report (DBIR) was released at the end of May. This report provides an overview of data and statistical research relating to cyber threats as well as potential defenses to counteract them. The overall goal of the DBIR is to provide potential information and suggestions relating to protection as well as cyberattack recovery.  This year’s report proved to be the most extensive review yet conducted, tracking 41,686 security incidents around the world, including 2,013 data breaches from 86 countries and…
Continue reading...

Advisen Cyber Risk Insights Conference

I, along with three of my partners in Goldberg Segalla’s Cybersecurity and Data Privacy Practice Group, recently attended the Advisen Cyber Risk Insights Conference in New York City and came away with some terrific nuggets.  They include the importance of “silent cyber” to reinsurers and regulators, the fragmentation of the cyberinsurance market and the difficulty in driving change even for industry leaders, and continuing perceptions about coverage for cyber-related losses under stand-alone cyberinsurance policies and traditional insurance policies. One of the best resources I picked…
Continue reading...

Security Breach Compromises 50 Million Facebook Accounts

In the wake of concerns that the social media giant collects too much personal data, Facebook, Inc. discovered a security breach on September 25, 2018 that affected almost 50 million accounts. Recent privacy regulations, including those recently enacted in the European Union, may have forced Facebook into promptly reporting the breach just three days after it was discovered. Based on the breaking-news reports, the FBI is working with Facebook to investigate the breach to determine the extent of the breach, what information was accessed, whether…
Continue reading...

Cyber Survey Underscores Perspective of In-House Lawyers

In May, the Association of Corporate Counsel (ACC) Foundation released its “State of Cybersecurity Report: An In-House Perspective,” This report conveys the results of the organization’s far-ranging survey on this topic. In addition to the statistics elicited from 617 in-house lawyers (based in 33 countries), the report also includes many comments from the respondents. This report is full of interesting statistics.  Some of the highlights include:
  • One in three respondents indicated that either their current company or a previous employer had experienced a

Continue reading...

New York Cybersecurity Regulations Extended to Credit Reporting Agencies

This week, Governor Cuomo has directed the Department of Financial Services to issue a final regulation requiring credit reporting agencies to comply with cybersecurity regulations applied to financial service companies, previously adopted in 23 NYCRR 500, et seq. The new regulation, 23 NYCRR 201, et seq., obligates credit agencies reporting on 1,000 or more New York consumers to register annually with the DFS, and, beginning November 1, 2018, to comply the previously adopted standards, including adoption of a cybersecurity program and CISO, and other controls.…
Continue reading...

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. Firstly, The release, presented as a letter to “valued guests,” provided…
Continue reading...

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available…
Continue reading...

On the Rise: Cyber Breach Actions Take Center Stage

Yet another class action lawsuit has been filed following a cyber attack, this time against Excellus Health Plan Inc. and Lifetime Healthcare Inc. in federal court for the Western District of New York. The lawsuit was brought by self-proclaimed “New York City’s largest personal injury and mass-tort plaintiffs’ law firm” and the former employer of New York’s disgraced Assembly Speaker Sheldon Silver, who reportedly collected about $4 million in bribes and kickbacks during his employment, Weitz & Luxenberg P.C., as co-counsel with Faraci Lange LLP.…
Continue reading...