As a result of the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), data breach class actions were largely considered dead in the water.  The overwhelming majority of courts, relying heavily on Clapper, dismiss data breach actions for the simple reason that until a consumer suffers actual identity theft, she lacks Article III standing to sue.  In other words, without actual identity theft, the risk of future harm—as well as any money spent attempting to protect against potential identity theft—is purely speculative and does not suffice to constitute a legally cognizable injury.
Continue Reading Barbarians at the Gate: Seventh Circuit Finds Article III Standing for Data Breach Class Actions

Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s.  Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer; more the Edward Teach model, the notorious “Blackbeard.”  One of Blackbeard’s most infamous successes occurred in Charleston, South Carolina in 1718 when he blockaded Charleston Harbor and held some of the town’s leading citizens for ransom.  Rather than demand the typical jewels and money, Blackbeard wanted something else – he held both the town and its people ransom for £300 of medicine.  After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners – minus, of course, much of their finer possessions (they were pirates after all) – and sailed off into legend.  So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors?  Simple: sometimes we don’t know what’s really of value and how that value can be used.  Case in point – the OPM breach.
Continue Reading Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.  The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall.  The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.
Continue Reading ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor.  Like governments with an eye on counter-intelligence, however, savvy businesses also realize that their employees can pose a very real, internal threat.  While an insider breach is not necessarily a common event, when it does happen, it tends to happen on a large scale.  Last year, the FBI reported that when a malicious insider breach surfaced, it cost industry $412,000 per incident, on average.  Over ten years, the average loss per industry is $15 million.  And, unless you’ve been hiding under a rock, you know that the Government is not immune to insider breaches and the reputational impact to federal contractors resulting therefrom.  Exacerbating, or perhaps facilitating, this threat is the manner in which companies (and governments) store, transfer, and maintain vital company records and data.  With the right password and a $16 thumb drive, an intern can steal the corporate keys to the kingdom, and still be home in time for lunch.  Simply put, all employers face the risk of insider threats, which are more perilous than ever in the computer age.  Recognizing that internal threats are real, the issue, then, is how to stop these threats from manifesting.  Learning from recent high-profile mistakes, the Government is trying to make sure its contractors stay ahead of the risk of an internal breach.
Continue Reading Cyber-Breach & NISPOM Conforming Change 2 – It’s What’s on the Inside That Counts

In July 2014, the Russian President signed data protection and information legislation that requires all “data operators” who are processing personal data of Russian citizens, including over the Internet, to
Continue Reading Russian Parliament Moving To Advance Commencement Date On Data Protection And Information Legislation

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale, or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach, then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months, along with any information necessary to take advantage of the offer.  The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services, given its use of the phrase “if any.”  It is also unclear what exactly is intended by, or who qualifies as, “the source of the breach.”
Continue Reading California To Expand Its Data Breach Notification Rules