On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016. See discussion at:
The U.S. Securities and Exchange Commission (“SEC”) issued a press release on April 24, 2018 announcing a $35 million penalty payment by Yahoo! (n/k/a Altaba), in order to settle charges that it misled investors by failing to disclose “one of the world’s largest data breaches…” As noted by the SEC, “within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels…” The SEC’s San Francisco regional director commented that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark…” Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million The case reportedly is the first time the SEC has pursued a company for failing to disclose a data breach. U.S. regulator fines Altaba $35 million over 2014 Yahoo email hack
As Illinois and other jurisdictions seek limitations, those limits get tested.
In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act (BIPA). The Act requires entities to develop written policies, made available to the public, which establish a retention schedule and guidelines for permanently destroying identifiers. Private entities that collect, capture, purchase, receive or otherwise obtain a biometric identifier or information must inform the subject in writing, inform the subject of the purpose and length of time the data will be stored, and receive a written release. As of 2018, there were in excess of twenty-five actions filed in Cook County Circuit Court (Illinois) with other litigation pending in federal courts in Illinois, California and one case on remand from the Second Circuit, where Plaintiffs have alleged violations of BIPA.
See link to discussion of these cases and status of challenges to use of biometric data in commercial settings.
In a follow up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.” In Google’s “white papers,” they explain that their teams and other analysts and academics discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.” These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years. Recently, the patches also have come under scrutiny as Intel reports reboot problems and slowdowns following implementation. Microsoft then reported new updates for Windows 10 to resolve such issues.
The fault arises from features built into chips that are supposed to help them run faster. There is no evidence that the flaws have been exploited but reportedly such exploits may be difficult to detect.
HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), which is processed on these chips. HHS warns that entities should employee risk management processes to address the vulnerabilities and ensure the security of medical records. HHS list the major concerns as:
Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
Web browsers: Possible PHI/PII data leakage
Patches: Potential for service degradation and/or interruption from patches
Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable. HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.” Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack. HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.
“With the rise in PHISHING attacks, including SPEAR PHISHING and WHALING, there has been an increase in the number of policyholders seeking recovery for such losses under commercial crime types of policies.”
Connected Cars Present Safety, Security and Privacy Challenges
On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harmon International following a recent story in Wired Magazine that detailed how researchers were able to take control of a Jeep Cherokee via the vehicle’s uConnect system. The suit essentially argues that there is a design defect in these vehicles as programs are pre-loaded onto the vehicle, which have been shown to be insecure and create security and safety vulnerabilities to owners and passengers. Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855). The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act. Plaintiffs allege that because the uConnect system is always connected to the Internet (via 3G cellular data), even if a vehicle owner chooses not to use any Internet related services, there is no way to disable the cellular connectivity. Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system. Plaintiffs allege “malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously.” The system allegedly is also accessible through the vehicles’ USB port, allowing anyone with access to the vehicle to load malicious software onto the system, which would spread to critical functions. Plaintiffs argue that the uConnect system should be segregated from the other critical systems. Plaintiffs argue that software updates are only remedial fixes as now that the capability to affect powertrain and safety functionality has been shown, hackers will find new vulnerabilities to exploit. Plaintiffs argue that a recall is deficient as the vehicles designed this way will never be safe or secure.
The plaintiffs have not alleged that any of them have actually experienced a “system” failure or intercept. The plaintiffs seek damages, of course, but not tied specifically to any statutory violation. Also, plaintiffs seek a court order to monitor any recall program or remedial measure.
Plaintiffs appear to be trying to get out in front of potential arguments that a particular car manufacturer may make and that Tesla, for instance, is trying to address. In Tesla’s case, it would likely argue that because Tesla is so “wired,” to borrow a phrase, the over-the-air updates are meant to identify and patch any vulnerabilities. Every three months every Tesla car receives automated software upgrades.
However, Congress is likely to cast another critical eye on these issues. Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (“SPY Act”) which would require automobile manufacturers to build IT security standards into connected cars. Blumenthal has commented that the “same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security.” If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks. Part of the effort, as illustrated by the Flynn allegations above, is to require that critical navigation systems would need to be isolated from access points and attempt to stop hacking incidents in “real-time.” Another feature of the proposed legislation, which is not something the Flynn plaintiffs highlighted or alleged, are the privacy issues. The legislators are focusing on the collection of data associated with these systems. The legislation would prevent driving data from being used for advertising or marketing purposes (unless the owner “opts-in” for such use).
Looking to move on from Bitcoin is the Winklevoss exchange, Gemini. There is a dedicated website, which notes that their exchange operates (will operate) fully in the U.S., exclusively with American banks and the dollars never leave the country. Although not yet operational, the twins filed an application with the New York State Department of Financial Services in July 2015 seeking approval to operate as a trust company. The approval process may take months.
Illinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2105 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute. In her press release, she states:
Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.
Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.
One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions. The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly. The report outlines three principles the updated legislation should address:
1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.
2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.
3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and log in credentials); require entities to notify the AGs office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.
News reports suggest the legislation will go to the Illinois General Assembly shortly.
• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.
“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”
An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.