Utah recently amended its breach notice law to provide certain defenses to companies who suffer a data breach.  It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and reasonably comply with a written cybersecurity program may have an affirmative defense to litigation resulting after a data breach. For the safe harbor to apply, the written cybersecurity program must:
Continue Reading Utah Creates Data Breach Safe Harbor

Cyberattacks have become big business from the standpoint of attackers.  Threat actors range well beyond cults of old, and now including sophisticated state actors, large businesses organized for the very purpose of cyber breach and theft, and complex threat networks that aggregate information formerly treated as innocuous.  This is a real risk for companies as we look forward to the remainder of 2021. At the same time, ransomware is changing the state of cyber insurance, with regulators across the globe entering the field to govern the conduct of attacked businesses in this climate. Regulations cover terms of ransom payments and subsequent obligations to persons whose information goes out the pipes.  For more on these risks, you can listen to the recent Nota Bene podcast episode (on Apple PodcastsGoogle PodcastsSpotify, or Stitcher) with Sheppard Mullin partners Kari Rollins and Michael Cohen.
Continue Reading Managing the World of Cybersecurity in a New Era

Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.
Continue Reading What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

A class action lawsuit filed against PayPal in connection with a breach it suffered in 2017 was dismissed recently because the plaintiffs did not adequately allege PayPal’s intent to deceive investors.  The litigation began after PayPal’s acquired TIO Networks Corporation, a smaller payment processor and platform.  Post-acquisition, PayPal announced that it had discovered “security vulnerabilities” in TIO’s operations and it thus suspended TIO’s operations.  At that point, TIO had not yet been integrated into PayPal’s platform.  PayPal confirmed that it was investigating TIO’s security measures with the help of outside assistance, and that PayPal customers’ data remained secure.  PayPal further confirmed that it was not aware of any breach of personal information maintained by TIO.  The following month, however, PayPal announced that a breach of personal information had in fact occurred.  Confidential information belonging to 1.6 million customers had been potentially compromised, causing PayPal’s stock price to drop by 5.75%.
Continue Reading Successful Dismissal of PayPal Class Action Over Breach Disclosures Serves as Risks Reminder

As we reach the end of January 2021, it is becoming increasingly clear that this will be a busy year in the areas of privacy and data security. Following up on our posts discussing some of the important trends from last year, the Sheppard Mullin Privacy and Cyber Security team has put together a comprehensive resource containing all of our posts from last year.  From a focus on artificial intelligence, to international data flow and vendor transfer concerns, to ongoing enforcement of a patchwork of laws, we anticipate many of the issues facing companies in 2020 will not go away this year.

Continue Reading 2020 Privacy Year In Review

The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys Generals to settle claims related to a 2019 data breach.  The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm that identified a vulnerability in the company’s Structured Language Query (SQL) protocols. As a result, CafePress looked at its database and two weeks of logs but did not find evidence of any data breach.  Regardless, CafePress released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to reset their passwords upon logging in.
Continue Reading New York and Others Settle with CafePress Over 2019 Data Breach

The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China.  Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:
Continue Reading FTC Settles Over Alleged Failure to Manage Service Providers

Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally, and has signed up -according to the FTC- thousands of consumers. During the sign-up process individuals provided the company with sensitive health information.
Continue Reading FTC Settles with Travel Services Provider Over Security Issues

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base