The Weekly Privacy Rewind

Class Actions

Liquor Store Chain Binny’s Is Latest Target of BIPA

• In a putative class action complaint filed in Cook County Circuit Court, employees of Illinois liquor store chain Binny’s Beverage Depot alleged the company violates Illinois’ Biometric Information Privacy Act.

• Among Binny’s alleged BIPA violations are failing to obtain consent before using employees’ fingerprints for timekeeping purposes, failing to obtain consent before disseminating such biometric data to third parties and failing to maintain lawful data-retention practices.

The Weekly Privacy Rewind

Class Actions

Google Seeks Dismissal of BIPA Class Action

• Google has sought dismissal of a putative class action lawsuit alleging violations of Illinois’ Biometric Information Privacy Act (BIPA).

• According to the original complaint, Google allegedly violated BIPA by scanning photos of nonusers uploaded to Google Photos and then “extracting geometric data” of the subjects of those photos, creating facial templates, or so-called faceprints.

• In its motion to dismiss, Google argued that the putative class representatives do not have standing because “there is no evidence of data breach; no evidence of disclosure to third parties; and no evidence of misuse of any data.”

Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain and fully investigate an incident and to notify affected individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and gives them context for response-time expectations during an incident.

Last but not least: Alabama enacts a data breach notification law with strong notification and security requirements

Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information.

Alabama requires organizations to implement and maintain reasonable security measures

Alabama joins a minority of states that mandate security controls; its new law requires organizations that acquire or use personal information (“covered entities”) to protect the information with “reasonable security measures.” To guide organizations and regulators, the statute lists several considerations to help identify reasonable security measures, including whether the organization has designated an individual to coordinate its security measures, tailored security measures to an appropriate assessment of the organization’s risk scenarios and kept its management informed of the security measures. A reasonableness assessment must also consider the organization’s size, the amount of sensitive data it uses and how it uses it, and the cost to implement certain measures, and should focus on failures that are “multiple or systemic.” The statute also requires organizations to properly dispose of sensitive data that is no longer required to be retained pursuant to applicable law, regulations or business needs. Notably, however, the statute’s civil penalty provisions apply only to violations of the notice requirements discussed below.

Canadian Breach Notification Requirements Take Effect November 1

On April 18, 2018, the Canadian government published long-awaited Breach of Security Safeguards Regulations specifying the requirements for notifying the Office of the Privacy Commissioner and affected individuals of data breaches that pose a “real risk of significant harm.” The Regulations will come into force on November 1.

As we previously reported, the Digital Privacy Act, which amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to include a mandatory breach notification requirement, became law nearly three years ago. The Regulatory Impact Analysis Statement accompanying the Regulations indicates that the timing of their release last week may have been motivated in part by a desire to bring Canadian standards in line with the forthcoming EU General Data Protection Regulation, which takes effect on May 25. Certain stakeholders, including the Privacy Commissioner, advocated immediate implementation of the Regulations, citing the “lengthy period of consultations on the Regulations and the frequency of data breaches involving the information of Canadians” as well as “the need to align the Regulations more closely with those of the breach reporting requirements of the GDPR given that many Canadian organizations must comply with both Canadian and European law.”

Deeper Dive: Forensics

A company’s ability to quickly and effectively conduct a forensic investigation is often critical to limiting the impacts of a data security incident, determining the scope of the incident and developing an effective communications plan. In BakerHostetler’s 2018 Data Security Incident Response Report, we analyzed over 560 data security incidents that we worked on in 2017. A forensic investigation was conducted in 41 percent of those incidents, a 7 percent increase from 2016, showing that more companies are realizing the benefits of engaging outside forensic firms. For incidents involving network intrusions, forensic investigations were conducted in 65 percent of matters. Network intrusions are often complex investigations requiring specialized forensic tools and expertise that many organizations do not have internally. The average cost of a forensic investigation in 2017 was $84,417, a 35 percent increase from 2016 (but still lower than the 2015 average cost of $102,806). The increase in average cost is primarily due to the number of large, complex network intrusion investigations we handled in 2017: for the 20 largest forensic investigations we handled that year, the average cost of forensics was $436,938.

The Weekly Privacy Rewind

Data Breaches

Portable Oxygen Device Maker Inogen Announces Data Breach

• Inogen Inc., which makes portable oxygen devices, reported to the U.S. Securities and Exchange Commission that it experienced a data breach that involved approximately 30,000 current and former customers.

• According to the company’s Form 8-K, sometime between Jan. 2 and March 14, unauthorized individuals gained access to an employee’s email account, which contained personal information belonging to Inogen oxygen rental customers.

• Inogen “is notifying approximately 30,000 current and former customers of this incident and will provide resources, including credit monitoring and an insurance reimbursement policy, to assist them.”

U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising

Amid growing concerns over the improper use of user information and data breaches, and in the same week that the Senate examined the Cambridge Analytica controversy, two U.S. senators who have long advocated for federal consumer privacy legislation seized the moment to propose a bill that would, for the first time, give the Federal Trade Commission (FTC or Commission) the authority to promulgate regulations governing internet publishers’ and service providers’ privacy practices regarding adults. The bill proposes seemingly European Union (EU)-inspired privacy protections, including opt-in consent to broad categories of data use and sharing.

If passed, the law, and the FTC regulations to be promulgated under it, could radically alter the internet economy by making it significantly harder for publishers to monetize data to provide more relevant advertising to users, so-called interest-based advertising (IBA). IBA is the economic underpinning of the business model of the publishers and services that provide their content and services to users for free on an advertiser-supported basis. The proposal actually goes further in some ways than EU law: it would prohibit limiting services to users who consent to data use and sharing necessary for IBA, and it would give the FTC the authority to determine whether pricing based on “discounts or other incentives in exchange for express affirmative consent” is “reasonable.”

Although scores of prior attempts by Congress to pass broad federal consumer privacy legislation have gone nowhere, the circumstances of the moment may have created a tipping point. And even if a federal consumer privacy law fails to get through Congress, a California advocacy group is attempting to qualify a ballot initiative for EU-style privacy laws for the November general election that could also threaten ad-supported digital media.

The Weekly Privacy Rewind

Class Actions

Uber Data Breach Suits Consolidated in California

• The U.S. Judicial Panel on Multidistrict Litigation has selected the U.S. District Court for the Central District of California as the court in which to centralize the class actions arising from the data breach that Uber announced in November 2017, which involved the personal information of approximately 57 million drivers and riders.

• According to the panel’s transfer order, “California has a significant connection to [the] litigation, as Uber … has its headquarters in [the] state, where much of the common evidence, including witnesses, will be located.”

Deeper Dive: Take Action to Close the Largest Cause of Data Security Incidents – Your Employees

If you work at a typical company, employee actions and inadvertent disclosures present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile.

BakerHostetler’s newly released 2018 Data Security Incident Response Report analyzes the more than 560 incidents we assisted our clients with in 2017. More than a third of those incidents stemmed from phishing, in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17 percent of incidents were inadvertent disclosures and 11 percent were due to stolen or lost devices.

Because people are fallible, training is not enough. Technological safety nets are needed. Companies should consider implementing the following data security measures, which can make it more difficult for criminals to succeed with attacks that prey upon employee vulnerabilities:
