Barbarians at the Gate: Seventh Circuit Finds Article III Standing for Data Breach Class Actions

As a result of the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), data breach class actions were largely considered dead in the water.  The overwhelming majority of courts, relying heavily on Clapper, dismiss data breach actions for the simple reason that until a consumer suffers actual identity theft, she lacks Article III standing to sue.  In other words, without actual identity theft, the risk of future harm—as well as any money spent attempting to protect against potential identity theft—is purely speculative and does not suffice to constitute a legally cognizable injury.

The Baby and the Bathwater: The Department of Commerce’s Bureau of Industry and Security (BIS) Intrusion and Surveillance Software Export Licensing Proposal

If you are not aware, please take note that the July 20, 2015 deadline is fast approaching for comments to the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) proposed rule on the export control of certain intrusion and surveillance related software.  The proposed rule, which addresses changes to the U.S. Export Administration Regulations (EAR), is designed to align with agreements made in the December 2013 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral export control regime with 41 participating states committed to promoting transparency and responsibility in cross-border transfers of arms and dual-use goods and technologies.  The wide-reaching rule proposes adding new controls in Category 4 of the EAR’s Commerce Control List (CCL) intended to address “intrusion software” used by hackers and other cybercriminals.  The difficulty is that, as the proposed rule is worded (and explained), it also subjects network penetration testing products, the type that use “intrusion software” to identify vulnerabilities, to the same export licensing requirements.  That is to say, the manner in which the controlled intrusion software would be defined captures the good along with the bad, and could have a chilling effect on beneficial research and development of defensive software.

Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?

Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s.  Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer, more the Edward Teach model, the notorious “Blackbeard.”  One of Blackbeard’s most infamous successes occurred in Charleston, South Carolina in 1718 when he blockaded Charleston Harbor and held some of the town’s leading citizens for ransom.  Rather than demand the typical jewels and money, Blackbeard wanted something else – he held both the town and its people ransom for £300 of medicine.  After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners – minus, of course, much of their finer possessions (they were pirates after all) – and sailed off into legend.  So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors?  Simple, sometimes we don’t know what’s really of value and how that value can be used.  Case in point – the OPM breach.

ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.  The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall.  The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.

Another Blow to Call Recording Class Actions

Back in February, the California Court of Appeal in Hataishi v. First American Home Buyers Protection Corp., 223 Cal. App. 4th 1454 (Feb. 21, 2014), dealt a significant blow to call recording class actions across California.  The Court held that plaintiffs asserting claims under California Penal Code section 632 (“Section 632”) had to establish that the telephone calls that were monitored or recorded were “confidential” – meaning that the plaintiffs had an objectively reasonable expectation that their calls were not being overheard or recorded.  Applying this standard classwide was impossible.  Each individual’s objectively reasonable expectations would turn on individualized inquiries, including the length of the class member’s experience with the defendant, whether the class member had ever been notified that her calls with the defendant may be monitored or recorded, and each class member’s experience with other businesses that record or monitor calls.  We asked then whether call recording class actions were doomed.

Cyber-Breach & NISPOM Conforming Change 2 – It’s What’s on the Inside That Counts

Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor.  Like governments with an eye on counter-intelligence, however, savvy businesses realize that their employees can pose a very real, internal threat.  While an insider breach is not necessarily a common event, when it does happen, it tends to happen on a large scale.  Last year, the FBI reported that when a malicious insider breach surfaced, it cost industry $412,000 per incident, on average.  Over ten years, the average loss per industry is $15 million.  And, unless you’ve been hiding under a rock, you know that the Government is not immune to insider breaches and the reputational impact to federal contractors resulting therefrom.  Exacerbating, or perhaps facilitating, this threat is the manner in which companies (and governments) store, transfer, and maintain vital company records and data.  With the right password and a $16 thumb drive, an intern can steal the corporate keys to the kingdom, and still be home in time for lunch.  Simply put, all employers face the risk of insider threats, which are more perilous than ever in the computer age.  Recognizing that internal threats are real, the issue, then, is how to stop these threats from manifesting.  Learning from recent high-profile mistakes, the Government is trying to make sure its contractors stay ahead of the risk of an internal breach.

Russian Parliament Moving To Advance Commencement Date On Data Protection And Information Legislation

In July 2014, the Russian President signed data protection and information legislation that requires all “data operators” who are processing personal data of Russian citizens, including over the Internet, to do so from servers/databases within Russia.  While the original law provided for a September 1, 2016 commencement date, new legislation is moving through the Russian Parliament that would advance the commencement date to January 1, 2015.  This law should significantly impact the collection, processing and storage of personal data of Russian citizens.

This issue was recently reported on by our friends at Bird & Bird, whose alert on the legislation has further detail.

California To Expand Its Data Breach Notification Rules

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach, then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by, or who qualifies as, “the source of the breach.”

Trending Information: The Connection Between Data Brokers and the Fashion Industry

Consumers frequently reveal personal information about themselves through a variety of daily online and offline activities.  For fashion designers and retailers, this consumer information represents a valuable tool to identify, target, and expand customer advertising and messaging.  Retailers can obtain this information by employing a data broker, a company that aggregates consumer information and provides information about the relevant consumer marketplace.  Data brokers collect, maintain, manipulate, and share a significant amount of data about consumers without ever directly interacting with them.  While data brokers afford a major advantage for retailers, including fashion companies, they also raise privacy concerns for the consumers that data brokers profile.  The Federal Trade Commission (“FTC”) recently issued a report summarizing the results of its study on the activities of nine data brokers, and recommended that Congress consider enacting legislation to make data broker practices more transparent or to give consumers greater control over the personal information that is collected about them and shared by data brokers.[1]  This post summarizes the portions of the FTC’s report that are most relevant for fashion retailers and designers.