The Weekly Privacy Rewind


European Regulators Fine Uber Over 2016 Data Breach

• British and Dutch privacy regulators issued fines totaling approximately $1.2 million against ride-hailing company Uber over its 2016 data breach.

• According to the U.K.’s Information Commissioner’s Office, “a series of avoidable data security flaws” led to the exposure of personal information of approximately 2.7 million British Uber users, prompting a fine of £385,000.

• Similarly, the Dutch Data Protection Authority (DPA) fined the company €600,000 for the breach, predominantly for not reporting the breach to the DPA and data subjects within 72 hours.


HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG has identified cybersecurity threats as a top management challenge for 2018. “Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data. This could cause a myriad of problems, including placing the health and safety of patients at risk,” OIG’s Top Management and Performance Challenges Facing HHS report warned. HHS wants stakeholders to understand the importance of protecting healthcare data and to focus on initiatives that eradicate inadequacies found in access controls, patch management, configuration management, data encryption, and website security. See OCR’s October 2018 Cybersecurity Newsletter.


Cookies and Consent Under the EU GDPR

According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO), has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies.

Article 6(1) of the GDPR provides, in part, “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Article 7(4) states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

The CLOUD Act and the Warrant Canaries That (Sometimes) Live There

The Clarifying Lawful Overseas Use of Data Act (Pub. L. No. 115-141 (2018)), or the CLOUD Act, was enacted in the U.S. on March 23, 2018, in response to difficulties U.S. law enforcement agencies (LEAs) had when attempting to gain access to data held by cloud service providers through Stored Communications Act (SCA) warrants, as the SCA did not contemplate cloud computing when it was enacted into law; LEAs were likewise forced to use U.S. Senate-approved mutual legal-assistance treaties (T.I.A.S. No. 10-201 or MLATs) or letters rogatory to access data stored overseas.

The Weekly Privacy Rewind

Class Actions

Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information

• According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”

• The putative class action stems from a 2014 data breach that exposed personal information of 62,000 employees and former employees of the University of Pittsburgh Medical Center. According to the original complaint, the data, which included names, birth dates, Social Security numbers, addresses, tax forms and bank account information, was used to file fraudulent tax returns on behalf of some of the employees.

EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which are meant to highlight the importance of the framework and reaffirm the U.S.’s commitment to strong privacy enforcement.


GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data protection legislation around the world. On Aug. 14, 2018, Brazil signed into law the Lei Geral de Proteção de Dados Pessoais (LGPD), the first omnibus privacy law in the nation’s history. The law, which is set to take effect on Feb. 16, 2020, is very similar to the GDPR, including in its expansive definition of personal data and its strong emphasis on both the rights of data subjects and the requirement of lawful bases of processing of personal data.


The Weekly Privacy Rewind

Class Actions

Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit

• Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement.

• The settlement would create a nationwide class of Sonic diners affected by the breach, each of whom would receive $10 if they used their credit or debit cards at the store, or $40 if they experienced fraudulent or unauthorized charges.

• The plaintiffs argued that the settlement is fair when balanced with the risks of further litigation.


Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident

The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to accept $1 million in settlement of the charges alleging that VFA violated both the SEC’s “Safeguards Rule” and “Identity Theft Red Flags Rule.” This was the SEC’s first enforcement action under the Identity Theft Red Flags Rule.

As background, over a six-day period in April 2016, fraudsters impersonating VFA independent registered representatives called VFA’s support line and requested a reset of three representatives’ passwords to VFA’s web portal used to access VFA customer information. VFA reset the passwords, provided temporary passwords over the phone for all three representatives and, for two of the three impersonated representatives, also gave the fraudsters the representatives’ user names. Within three hours of the first fraudulent reset request, one of the actual representatives called VFA to report that he had just received an email notifying him that his password was reset and that he had not requested this action. In response, VFA began to implement containment measures, but the actors were still able to obtain credentials to log in to the portal and access personally identifiable information (PII) for more than 5,600 customers. The actors were also able to set up new VFA customer accounts in VFA’s web portal. The investigation that ensued found no unauthorized transfers of funds or securities by the actors (and no known cases of identity theft). VFA had also previously been subject to a similar attack between January and March of the same year, in which fraudsters used some of the same phone numbers and the same impersonation techniques as in the April 2016 event. Additionally, one of the representatives targeted in the April 2016 event had been targeted in this previous incident.
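The incident above turns on three signals a help desk could have correlated: one caller number requesting resets for several different representatives within days, caller numbers already seen in the earlier January to March attempt, and a representative disputing a reset he never asked for. The following script is an added example written for this post, not VFA's or the SEC's code, and it runs over a constructed help-desk log whose pipe-delimited layout (timestamp, event, caller phone, account) and phone numbers are assumptions. It reports each signal and, for a disputed reset, lists every account the same caller touched so containment covers all of them rather than only the account that complained.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample help-desk log (not real data). Assumed layout:
#   timestamp|event|caller_phone|account
# Events: reset_request, reset_issued, user_dispute ("I did not ask for this").
SAMPLE_LOG = """\
2016-04-18T09:02:00|reset_request|555-0101|rep_a
2016-04-18T09:04:00|reset_issued|555-0101|rep_a
2016-04-18T10:15:00|reset_request|555-0101|rep_b
2016-04-18T10:17:00|reset_issued|555-0101|rep_b
2016-04-18T11:40:00|user_dispute|-|rep_a
2016-04-19T14:00:00|reset_request|555-0199|rep_c
2016-04-19T14:03:00|reset_issued|555-0199|rep_c
2016-04-20T08:30:00|reset_request|555-0150|rep_d
2016-04-20T08:32:00|reset_issued|555-0150|rep_d
"""

# Constructed watchlist: caller numbers recorded during an earlier incident.
PRIOR_INCIDENT_PHONES = {"555-0199"}


@dataclass
class Event:
    ts: datetime
    kind: str
    phone: str
    account: str


def parse_log(text):
    """Parse the pipe-delimited log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, phone, account = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, phone, account))
    return events


def detect(events, window=timedelta(days=7)):
    """Return alerts as (rule, caller_phones, accounts) tuples."""
    alerts = []

    # Rule 1: the same caller number requests resets for more than one
    # account inside the window. Legitimate users rarely reset colleagues' accounts.
    by_phone = defaultdict(list)
    for ev in events:
        if ev.kind == "reset_request":
            by_phone[ev.phone].append(ev)
    for phone, reqs in by_phone.items():
        reqs.sort(key=lambda r: r.ts)
        for idx, first in enumerate(reqs):
            accounts = {r.account for r in reqs[idx:] if r.ts - first.ts <= window}
            if len(accounts) > 1:
                alerts.append(("multi_account_reset", phone, tuple(sorted(accounts))))
                break

    # Rule 2: the caller number is already tied to a prior incident.
    for ev in events:
        if ev.kind == "reset_request" and ev.phone in PRIOR_INCIDENT_PHONES:
            alerts.append(("prior_incident_phone", ev.phone, (ev.account,)))

    # Rule 3: a user disputes a reset. Find which caller(s) obtained that reset
    # and widen the containment scope to every account those callers touched.
    issued = [ev for ev in events if ev.kind == "reset_issued"]
    for dispute in (ev for ev in events if ev.kind == "user_dispute"):
        callers = {ev.phone for ev in issued
                   if ev.account == dispute.account and ev.ts <= dispute.ts}
        touched = {ev.account for ev in issued if ev.phone in callers}
        if touched:
            alerts.append(("disputed_reset", ",".join(sorted(callers)),
                           tuple(sorted(touched))))
    return alerts


if __name__ == "__main__":
    for rule, phones, accounts in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: caller(s) {phones} -> accounts {', '.join(accounts)}")
```

On the sample log the script raises three alerts: the multi-account pattern for 555-0101, the watchlist hit for 555-0199, and the disputed reset for rep_a, which is widened to rep_b because the same caller obtained both resets. The third rule is the one that matters most for the timeline in the post: the first representative's call came within three hours of the first fraudulent request, so a containment step that reset every account the same caller had touched would have been available before the portal was accessed.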


FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including the WannaCry and Petya/NotPetya attacks, and the need for preparation for handling large-scale incidents involving medical devices. The Playbook’s primary audience includes healthcare delivery organizations, clinicians, healthcare technology management professionals, risk managers, facilities staff and information technology personnel involved with emergency response and preparedness. The Playbook provides preparedness and response recommendations for large-scale, multi-patient medical device cybersecurity issues that impact the functionality of a device and patient safety, and recommends that medical device cybersecurity incidents be included as part of the overall incident response plan.

The Playbook focuses on regional medical device cybersecurity incident preparedness and response, and developing regional partnerships to draw upon the expertise across a “region” to help ensure that patient safety is maintained. The Playbook also provides guidance for all phases of medical device incident response, including preparedness, detection and analysis, containment, eradication, recovery, and post-activity analysis. The Playbook is available here.