On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.
On October 23, 2018, the parties in the Yahoo! Inc. (“Yahoo!”) Customer Data Security Breach Litigation pending in the Northern District of California and the parties in the related litigation pending in California state court filed a motion seeking preliminary approval of a settlement related to breaches of the company’s data. These breaches were announced from September 2016 to October 2017 and collectively impacted approximately 3 billion user accounts worldwide. In June 2017, Yahoo! and Verizon Communications Inc. had completed an asset sale transaction, pursuant to which Yahoo! became Altaba Inc. (“Altaba”) and Yahoo!’s previously operating business became Oath Holdings Inc. (“Oath”). Altaba and Oath have each agreed to be responsible for 50 percent of the settlement.
Effective October 1, 2018, Connecticut law requires organizations that experience a security breach affecting Connecticut residents’ Social Security numbers (“SSNs”) to provide 24 months of credit monitoring to affected individuals. Previously, Connecticut law required entities to provide 12 months of credit monitoring for breaches affecting SSNs. Continue Reading Connecticut Requires 24 Months of Credit Monitoring for Certain Security Breaches
Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a solicitation of credit or insurance. Consumers may find links to these webpages on the Federal Trade Commission’s Identity Theft website.
The Act also enables parents and guardians to freeze their children’s credit if they are under age 16. Guardians or conservators of incapacitated persons may also request credit freezes on their behalf.
Section 302 of the Act provides additional protections for active duty military. Under this section, consumer reporting agencies must offer free electronic credit monitoring to all active duty military.
For more information, read the FTC’s blog post.
On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017. Continue Reading Judge Grants Final Approval of Record Data Breach Settlement in Anthem Class Action
On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements, and must register with NYDFS on or before September 1, 2018. The deadline for consumer reporting agencies to come into compliance with the cybersecurity regulation is November 1, 2018. In a statement, Governor Andrew Cuomo said, “Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber attacks, providing them with peace of mind about their financial future.”
On August 25, 2017, U.S. District Judge Lucy Koh signed an order granting preliminary approval of the record class action settlement agreed to by Anthem Inc. this past June. The settlement arose out of a 2015 data breach that exposed the personal information of more than 78 million individuals, including names, dates of birth, Social Security numbers and health care ID numbers. The terms of the settlement include, among other things, the creation of a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Anthem will also be required to make certain changes to its data security systems and cybersecurity practices for at least three years. Continue Reading Record Breach Settlement in Anthem Class Action Receives Judge Approval
As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification. Continue Reading Delaware Amends Data Breach Notification Law
On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record $115 million settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Continue Reading Record Data Breach Settlement in Anthem Class Action
On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges. Continue Reading Second Circuit Affirms Dismissal of Putative Data Breach Class Action for Lack of Article III Standing