The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities. Continue Reading FTC Revises Its Security Settlement with Uber

The Canadian government recently published a cabinet order stating that the effective date for breach notification provisions in the Digital Privacy Act would be November 1, 2018. At that time, businesses that experience a “breach of security safeguards” would be required to notify affected individuals, as well as the Privacy Commissioner and any other organization or government institution that might be able to reduce the risk of harm resulting from the breach. Continue Reading Canada Will Require Breach Notification November 1

On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach.  Continue Reading Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case

On March 15, 2018, the Trump Administration took the unprecedented step of publicly blaming the Russian government for carrying out cyber attacks on American energy infrastructure. According to a joint Technical Alert issued by the Department of Homeland Security and the FBI, beginning at least as early as March 2016, Russian government cyber actors carried out a “multi-stage intrusion campaign” that sought to penetrate U.S. government entities and a wide range of U.S. critical infrastructure sectors, including “organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.” Continue Reading U.S. Blames Russia for Cyber Attacks on Energy Infrastructure

On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised. Continue Reading Insider Trading Charges Brought Against CIO for Post-Breach Trading

On February 12, 2018, the Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) published on its website (in English and French) a form to be used for the purpose of compliance with data breach notification requirements applicable under the EU General Data Protection Regulation (the “GDPR”). The CNPD also published questions and answers (“Q&As”) regarding the requirements (only available in French). Continue Reading Luxembourg DPA Publishes Data Breach Reporting Form

On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation.  Continue Reading Unsecured PHI Leads to OCR Settlement with Closed Business

On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider’s (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity. Continue Reading CFTC Brings Cybersecurity Enforcement Action