The Weekly Privacy Rewind

Class Actions

Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit

• Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement.

• The settlement would create a nationwide class of Sonic diners affected by the breach, each of whom would receive $10 if they used their credit or debit cards at the store, or $40 if they experienced fraudulent or unauthorized charges.

• The plaintiffs argued that the settlement is fair when balanced with the risks of further litigation.

Continue Reading

Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident

The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to accept $1 million in settlement of the charges alleging that VFA violated both the SEC’s “Safeguards Rule” and “Identify Theft Red Flags Rule.” This was the SEC’s first enforcement action under the Identity Theft Red Flags Rule.

As background, over a six-day period in April 2016,  fraudsters impersonating VFA independent registered representatives called VFA’s support line and requested a reset of three representatives’ passwords to VFA’s web portal used to access VFA customer information. VFA reset the passwords, provided temporary passwords over the phone for all three representatives and provided the representatives’ user names to the fraudsters for two of the impersonated representatives. Within three hours of the first fraudulent reset request, one of the actual representatives called VFA to report that he just received an email notifying him that his password was reset and that he had not requested this action. In response, VFA began to implement containment measures, but the actors were still able to obtain credentials to log in to the portal and access personally identifiable information (PII) for more than 5,600 customers. The actors were also able to set up new VFA customer accounts in VFA’s web portal. The investigation that ensued found that there were no unauthorized transfers of funds or securities by the actors (or known cases of identity theft). VFA had also previously been subject to a similar attack between January and March of the same year, where fraudsters utilized some of the same phone numbers and techniques impersonating representatives as in the April 2016 event. Additionally, one of the representatives targeted in the April 2016 event was targeted in this previous incident.

Continue Reading

FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including the WannaCry and Petya/Not Petya attacks, and the need for preparation for handling large-scale incidents involving medical devices. The Playbook’s primary audience includes healthcare delivery organizations, clinicians, healthcare technology management professionals, risk managers, facilities staff and information technology personnel involved with emergency response and preparedness. The Playbook provides preparedness and response recommendations for large-scale, multi-patient medical device cybersecurity issues that impact the functionality of a device and patient safety, and recommends that medical device cybersecurity incidents be included as part of the overall incident response plan.

The Playbook focuses on regional medical device cybersecurity incident preparedness and response, and developing regional partnerships to draw upon the expertise across a “region” to help ensure that patient safety is maintained. The Playbook also provides guidance for all phases of medical device incident response, including preparedness, detection and analysis, containment, eradication, recovery, and post-activity analysis. The Playbook is available here.

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in which attackers take over accounts on a company’s email system and use that access to trick company personnel into paying large sums to bank accounts controlled by the attackers. The attackers often divert funds intended for employees, contractors or vendors, and the SEC’s report notes that the frauds sometimes last months and are only detected when law enforcement intervenes or the real payee complains that payments never arrived.

Continue Reading

California Legislature Cracks Down on Advertising Bots Involved in Commercial Transactions and Influencing Voters in Elections

Bot or real person? – a question most online users probably don’t ask themselves when interacting online or seeing how many followers a person has on a social media platform. Most likely, online users don’t know whether they are talking to a “bot,” especially if they think they are communicating on or browsing an interactive site. This lack of transparency may be due to the fact that there is currently no enacted law that relates to the disclosure of the use of automated bot accounts on social media.

Continue Reading

The Weekly Privacy Rewind

BIPA

Medline and Con Tech Lighting Latest Illinois Employers Hit With Claims under BIPA

• Two Illinois employers, Con Tech Lighting and Medline Industries, are the latest to face claims alleging violations of Illinois’ Biometric Information Privacy Act.

• In the Con Tech complaint, the named plaintiff, who is seeking class certification, alleges that she was never informed “the specific limited purposes or length of time” for which her biometric information “would be collected, stored or disseminated.” The complaint seeks statutory damages of $5,000 for each willful or reckless violation and $1,000 for each negligent violation of BIPA.

• The complaint against Medline, which also seeks class certification, alleges that the plaintiff, who is no longer employed by the company, has been unsuccessful in getting the company to respond to her attempts to understand whether it maintained her fingerprints after she left the company. According to the complaint, the “[p]laintiff would not have provided her fingerprints to defendant had she known that defendant would retain such information for an indefinite period of time without her consent.”

• Both cases were filed in Cook County Circuit Court.

Continue Reading

The Ninth Circuit Wades Into the “Autodialer” Fray and Creates a Circuit Split. TCPA Litigants Await FCC Guidance

What constitutes an autodialer or “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA) is in flux.

Under the statute, an “automatic telephone dialing system” is defined as “equipment that has the capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and “to dial such numbers.” 47 U.S.C. § 227(a)(1).

Continue Reading

California Delays Privacy Law Enforcement and Congress Is Lobbied to Pre-empt the Law

This summer California enacted, effective Jan. 1, 2020, the California Consumer Privacy Act (CCPA), a privacy law unprecedented in the U.S. that grants California residents a broad range of European-like privacy rights. Amendments passed as SB 1121 on Aug. 31 and signed into law by Gov. Brown on Sept. 23 extend the time for the California attorney general (CaAG) to promulgate regulations to July 1, 2020, push back enforcement until the earlier of that date or six months from issuance of the regulations, and remove the CaAG’s ability to intervene in private lawsuits – changes made at the request of the CaAG. Fortunately for industry, the CaAG’s recommendation that the CCPA’s limited private right of action be expanded was rejected, and language was even added to clarify the limits of consumer lawsuits. The U.S. Chamber of Commerce is lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws. See its proposal and statement here. The Internet Association, a trade group that represents leading internet companies, has also released a proposed framework for federal legislation. Most recently, on Sept. 24, the Interactive Advertising Bureau, with 650 digital advertising industry members, joined in the calls for a federal omnibus law to pre-empt CCPA in a letter to the Senate committee exploring such a bill.

Continue Reading

Navigating the State Data Breach Laws? An Enhanced Resource is Available

In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others. And states have been active in amending their notification laws, creating even more differences. Maryland started off 2018 with an amended breach notification law, and Arizona, Colorado, Connecticut, Delaware, Iowa, Louisiana and Oregon followed suit.  Also this year, the final two states without data breach notification laws, Alabama and South Dakota, passed a law.

Continue Reading

The Weekly Privacy Rewind

Class Actions

Judge Approves $80M Settlement in Yahoo Data Breach Suit

• U.S. District Judge Lucy Koh awarded plaintiffs $80 million in a consolidated class action brought against Yahoo by shareholders resulting from data breaches Yahoo experienced in 2014 and 2016.

• According to the suit, Yahoo’s stock was trading at an artificially high price because of the company’s failure to disclose the breaches in a timely fashion.

• This is not the end of litigation related to these breaches, as Yahoo continues to face claims from users.

Continue Reading

LexBlog