In response to the killing of Major General Qassim Suleimani, the government of Iran and its supreme leader, Ayatollah Ali Khamenei, have declared the country’s intention to strike back at the United States. According to reports, their desire is to respond proportionally, but not start a war, and they are contemplating multiple options, any subset of which they may implement.
Continue Reading Iran’s Imminent Cybersecurity Threat

The FTC recently settled with Infotrax Systems, L.C. a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed InfroTrax’s server unnoticed at least seventeen times. The data accessed included social security numbers and payment card information. It also included unencrypted user IDs and passwords. Infotrax learned of the incident from an alert that one of its servers had reached maximum storage capacity.
Continue Reading FTC and Software Company Reach Security Settlement Over Unfair Practices

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.
Continue Reading New York SHIELD Act Expands Breach Notice Requirements Starting in October

Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has been or will be misused. This requirement will go into effect in October 2019. Starting then, vendors who maintain information will also have a duty to investigate, not just data owners. This is unlike other states with “duty to investigate” requirements, like Connecticut, Delaware, New Hampshire, and Wyoming, among others. In those states (and others), only the data owner is statutorily required to investigate. To the extent that vendors have been obligated to investigate, that obligation falls under other provisions of breach notice laws, namely requirements for the vendor to “cooperate” with the data owner. Or, in some cases, companies may have contractually required their vendors to conduct investigations in the event of a breach or potential breach.
Continue Reading Maryland Adds Requirements to Breach Notice Law

New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor, Greg Abbot, on June 14, 2019, requires that the Texas attorney general be notified of a breach within 60 days. The AG notification is required only if 250 or more Texas residents are affected. The notification to the attorney general must include a description of the breach, number of residents affected, measures taken in response to the breach, measures planned to be taken after notification and whether law enforcement has been engaged with the investigation.  The legislation also adds a 60 day timing requirement for notice, from the current “as quickly as possible” standard.
Continue Reading Texas Breach Law Will Change in 2020, To Require Attorney General Notification

The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The companies’ clients include many car dealers across the country, and allows those dealerships to house consumer information that is collected during the car purchase process. This information includes sensitive personal (Social Security numbers) and financial (payroll information and credit card numbers) information. According to the FTC complaint, a company employee without “guidance  or . . . steps to ensure the . . . device was securely configured” attached a new storage device to the company servers. This device created an open connection port during an 18 month period. During that time, no vulnerability scanning, penetration testing, or other diagnostics were conducted, according to the FTC. Instead, the vulnerability went undetected until a hacker exploited it and accessed the backup server for DealerBuilt. As a result, the hacker accessed millions of consumers’ information, including downloading five clients’ information. This information included almost 70,000 Social Security numbers, drivers’ license numbers, and payroll details. The company was, the FTC said, unaware of the breach until it was contacted by an impacted client.
Continue Reading FTC and Car Dealership Software Company Reach Security Settlement

New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019.
Continue Reading New Jersey Breach Notice Law Expands To Cover Online Account Breaches

Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) with this element in its law. Also included are name and student and military ID number, passport number; name and health insurance numbers or medical information; and name and biometric information. Also included in the definition of personal information are now login credentials.
Continue Reading Washington’s Breach Law Amended, Effective March 2020