Bombas Settles with NYAG Over Credit Card Data Breach

Modern sock maker Bombas recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014. The company addressed the issue over the course of 2014 and early 2015 and, according to the NYAG, determined that bad actors had accessed the customer information (names, addresses and credit card numbers) of almost 40,000 people. While the company notified the payment card companies at the time, it concluded that it did not need to notify impacted individuals because the payment card companies “did not require a formal PFI or otherwise pursue the matter beyond basic questions.”

Maryland Adds Requirements to Breach Notice Law

Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has been or will be misused. This requirement will go into effect in October 2019. Starting then, vendors who maintain information will also have a duty to investigate, not just data owners. This differs from other states with “duty to investigate” requirements, like Connecticut, Delaware, New Hampshire, and Wyoming, among others. In those states (and others), only the data owner is statutorily required to investigate. To the extent that vendors have been obligated to investigate, that obligation falls under other provisions of breach notice laws, namely requirements for the vendor to “cooperate” with the data owner. Or, in some cases, companies may have contractually required their vendors to conduct investigations in the event of a breach or potential breach.

Texas Breach Law Will Change in 2020, To Require Attorney General Notification

New requirements in the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor Greg Abbott on June 14, 2019, requires that the Texas attorney general be notified of a breach within 60 days. The AG notification is required only if 250 or more Texas residents are affected. The notification to the attorney general must include a description of the breach, the number of residents affected, measures taken in response to the breach, measures planned to be taken after notification, and whether law enforcement has been engaged in the investigation. The legislation also adds a 60-day timing requirement for notice to individuals, replacing the current “as quickly as possible” standard.

FTC and Car Dealership Software Company Reach Security Settlement

The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The company’s clients include many car dealers across the country, and its software allows those dealerships to house consumer information collected during the car purchase process. This information includes sensitive personal (Social Security numbers) and financial (payroll information and credit card numbers) information. According to the FTC complaint, a company employee without “guidance or . . . steps to ensure the . . . device was securely configured” attached a new storage device to the company servers. This device left a connection port open for an 18-month period. During that time, no vulnerability scanning, penetration testing, or other diagnostics were conducted, according to the FTC. Instead, the vulnerability went undetected until a hacker exploited it and accessed DealerBuilt’s backup server. As a result, the hacker accessed millions of consumers’ information, including downloading the data of five clients. This information included almost 70,000 Social Security numbers, drivers’ license numbers, and payroll details. The company was, the FTC said, unaware of the breach until it was contacted by an impacted client.

Nevada’s Amended Privacy Law: Groundbreaking or More of the Same?

Nevada recently amended its existing online privacy law to give Nevada residents the ability, in certain circumstances, to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019, and modifies Nevada’s current requirement that website operators have privacy policies. As amended, the companies that must comply with this opt-out requirement are those that operate websites or online services and sell “covered information” to third parties. Website operators are those who own or operate a website or online service for commercial purposes and collect “covered information” from Nevada residents on that site. There are exceptions, namely for a company that is located in the state, has fewer than 20,000 visitors a year to its site, and derives its revenue primarily from a source other than selling goods or services on the website. Exceptions will also be added to the law (beginning October 1) for companies that are regulated under GLBA or HIPAA. Covered information is any of seven categories of personal information the operator collects online. The first six are fairly narrow: (1) first and last name; (2) home or other physical address; (3) e-mail address; (4) phone number; (5) Social Security Number; and (6) an identifier that lets a specific person be contacted online (for example, information used to engage in behavioral advertising). The last category, however, is much broader, and includes “any other information” that the website operator collects online and “combines with an identifier” in a way that makes the information personally identifiable.

CARU Takes Action Against Two Mobile Apps

Two mobile apps directed at children were recently subject to action by the Children’s Advertising Review Unit. The first, “My Talking Tom,” is a virtual pet game for children operated by Outfit7 Limited. One issue was the display of Outfit7’s privacy policy. Under the Children’s Online Privacy Protection Act, privacy policies must be understandable, and contain no unrelated material. The app’s policy, however, contained advertisements for other games, and animated balloons that obstructed the user’s view. Accordingly, CARU found that the distracting content violated COPPA. Outfit7 prudently removed the content, and CARU took no further action on the issue.

Maine Passes Broadband Privacy Bill

Maine entered the privacy fray last week when Governor Janet T. Mills signed legislation targeting internet service providers by prohibiting the sale of information about customers’ internet use. The new restriction covers, in part, customer web browsing history, application usage history, and geolocation information. An internet service provider may only use, disclose, sell or permit access to such information with either the customer’s consent or by complying with one of the few outlined exceptions in the statute.

SEC Issues Alert On Outsourcing and Data Security

The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker-dealers and investment advisers are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the companies to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and detect and prevent identity theft.

Washington Enacts Restrictions on Applicant Wage and Salary Questions

Washington State will have new restrictions on what employers can ask applicants regarding their wage and salary history starting July 28, 2019. The new legislation will prohibit employers from seeking wage or salary history from job applicants in the state. Additionally, employers will not be able to require that an applicant’s prior salary history meet certain criteria. There are some limited exceptions to this general rule. First, an employer can confirm an applicant’s wage or salary if the applicant has voluntarily disclosed that history. Second, the employer can confirm the information after having negotiated and made an employment offer.

Interest-Based Advertising Enforcer Hits 100

The Online Interest-Based Advertising Accountability Program, which enforces privacy principles for digital advertising, recently announced its 100th action. In announcing this landmark, the Accountability Program looked back at the nature of the cases it has brought, noting that it has covered both desktop and mobile issues, and that its focus has fallen into a few key categories. These include providing consumers with “enhanced notice” of behavioral advertising activities and ensuring that opt-out tools exist (and that they work!). The Accountability Program also took the opportunity to remind online advertisers about its OBA Self-Regulatory Principles, and the guidance for applying the principles in a mobile environment.
