Data Breach

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Higher Ed Falls Victim to New Data Breach

By: Linda Perkins

On April 2, 2019, The Georgia Institute of Technology (Georgia Tech) announced that it had sustained a data breach when one of its central databases was accessed by an unknown outsider through a web application, thereby exposing the personal information of up to 1.3 million current and former faculty members, students, staff and student applicants. Local news organizations report that information security officials at the university are continuing to investigate the incident to determine the extent to which its systems were compromised and to identify those individuals whose information was compromised. …

The $29 Million Yahoo Derivative Data Breach Settlement: What Next?

By: Sedgwick Jeanite and Meryl Breeden

On January 4, 2019, a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers regarding high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits, which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that will drive up the settlement costs of other pending and future data breach-related derivative cases.

Amendments to Massachusetts Data Breach Law Impose New Requirements

By: Michael Jervis

New amendments to Massachusetts’s Data Breach Notification Act go into effect on April 11, 2019. The amendments impose additional requirements on covered companies that sustain a data breach involving personal data of Massachusetts residents. The new requirements are:

First Joint Cross-State HIPAA Breach Lawsuit Brought in Response to 2015 Cyberattack

By: Michael Jervis

A lawsuit has been filed by the attorneys general of 12 states against a company called Medical Informatics Engineering (MIE) arising out of a 2015 data breach involving stolen medical records for millions of individuals. The complaint generally alleges that MIE and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measure to ensure their computer systems were protected.” The attackers compromised MIE’s WebChart application and as a result were able to obtain personal information for nearly 4 million individuals who were patients of affected providers that used the software. The information obtained included the kind of personally identifiable information typical for such breaches, including names, home addresses, birth dates, social security numbers, email addresses and passwords. …

Five Quick Thoughts on Dittman

By: Joshua Mooney

Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), under which employers now have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision: …

Marriott’s Starwood Data Breach Could Expose 500 Million Customers

By: Andrew Lipton

On November 30, 2018, Marriott International announced that hackers gained “unauthorized access” to the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. According to company officials, the hackers “copied and encrypted [guests’] information, and took steps toward removing it” beginning in 2014. This information included names, phone numbers, email addresses, passport numbers, dates of birth and guests’ travel itinerary information. Marriott allegedly discovered the data breach last week. …

Data Breach Report Reveals Cost Saving Measures for Companies

By: Josh Mooney and Michael Jervis

The Ponemon Institute has released a recent report concluding, among other things, that the cost to a company suffering a data breach in the U.S. has risen eight percent year-on-year from 2017. The total cost of the average breach has reached a staggering $8 million. Perhaps more important, however, is the report’s conclusion that organizations which took proactive measures drastically reduced the cost of a breach. Not surprisingly, costs of a breach were the highest in the U.S. compared to other jurisdictions. Also not surprising is that organizations in the healthcare industry generally suffer higher costs than other organizations—three times higher than the average cost. Information used to compile the report came from interviews with over 2,000 IT and data protection professionals. …

Cyber Law: Pennsylvania Supreme Court Watch

By: Josh Mooney and Kate Woods

The body of cybersecurity case law continues to grow. On April 10, 2018, the Pennsylvania Supreme Court is set to hear arguments regarding employers’ liability for data breaches in Dittman v. UPMC.

Specifically, Pennsylvania’s justices will consider and ultimately decide whether UPMC had a duty to safeguard its employees’ electronic information and whether the economic loss doctrine applies, thus barring recovery for purely economic losses. …

Insider Trading Charges Brought Against CIO for Post-Breach Trading

By: Joshua Mooney and Gwenn Barney

On March 14, 2018, the Securities and Exchange Commission (SEC) charged a chief information officer (CIO) for a US business division of Equifax with insider trading in advance of Equifax’s September 2017 disclosure of the massive security breach it suffered that exposed personal information of approximately 148 million Equifax customers. …