On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016. See discussion at:
The U.S. Securities and Exchange Commission (“SEC”) issued a press release on April 24, 2018 announcing a $35 million penalty payment by Yahoo! (n/k/a Altaba), in order to settle charges that it misled investors by failing to disclose “one of the world’s largest data breaches…” As noted by the SEC, “within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels…’” The SEC’s San Francisco regional director commented that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark…” See “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million.” The case reportedly is the first time the SEC has pursued a company for failing to disclose a data breach. See also “U.S. regulator fines Altaba $35 million over 2014 Yahoo email hack.”
Illinois Attorney General Lisa Madigan issued a report and a press release on March 2, 2015 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute. In her press release, she states:
Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.
Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.
One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions. The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly. The report outlines three principles the updated legislation should address:
1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.
2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.
3. Notification – the legislation should expand the definition of personal information (medical and health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information such as date of birth, and login credentials); require entities to notify the AG’s office and create a database of breaches affecting Illinois; and enable small businesses to notify local media rather than statewide media when breaches occur.
News reports suggest the legislation will go to the Illinois General Assembly shortly.
In advance of the State of the Union, President Obama appeared at the Federal Trade Commission today to preview a couple of administration proposals, which will be addressed in the upcoming speech to the nation. The President addressed a potential federal breach notification statute:
…we’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused. Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.
So, the proposal (the Personal Data Notification & Protection Act) is to standardize breach notification at 30 days. For comparison, Florida already requires notice within 30 days, while some states require it only “as soon as practicable.”
The political pundits comment that it is not clear whether such legislation would make it through Congress. Industry is wary of tackling a new federal statute after having already absorbed the various state rules, and consumer groups worry that a federal law would preempt stronger state protections. See comments at:
Another new proposal is the Student Digital Privacy Act. This legislation would require that data gathered about students through educational programs can be used only in an educational context, not sold to third parties (similar to the recent California law).
The Administration is also going to revive its 2012 Consumer Privacy Bill of Rights, which lays out principles for online data collection (revised proposal to come out in 45 days).
The President also took up the challenge of “precision medicine:”
I want the country that eliminated polio and mapped the human genome to lead a new era of medicine — one that delivers the right treatment at the right time. In some patients with cystic fibrosis, this approach has reversed a disease once thought unstoppable. Tonight, I’m launching a new Precision Medicine Initiative to bring us closer to curing diseases like cancer and diabetes — and to give all of us access to the personalized information we need to keep ourselves and our families healthier.
This is part of the movement toward tailored therapies and treatments for diseases and chronic conditions. The example referenced in administration materials was that of a cystic fibrosis patient given the medicine Kalydeco (developed by a company called Vertex). Reportedly this is the first drug designed to counter the genetic cause of the life-threatening chronic lung disease; it targets the underlying cause of the disease for a small subset of patients.
Providing such targeted treatments likewise requires collection of more personalized medical information from patients. The costs of collecting that data and personalizing treatment are noted in reaction to such initiatives, but its promoters also hope that “[m]ore research will allow clinicians to make more-precise diagnoses, which in turn drive better treatments.” http://www.modernhealthcare.com/
See also “The Patient-And Her Data-Will See You Now”:
“Personalized medicine has the potential to transform our health care system, which consumes almost $3 trillion a year, 80 percent of it for preventable diseases,” Dr. Snyderman said.
Although the new tests and treatments are often expensive, he added, personalized medicine can save money while producing better results. “It focuses therapy on individuals in whom it will work,” he said. “You can avoid wasting money on people who won’t respond or will have an adverse reaction.”
On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation broadens the definition of what will trigger a notification obligation. Personal information is now defined as an individual’s first name or first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:
- Driver’s license number or ID number, passport number, military ID number, or other similar number issued on a government document
- Financial account number or credit/debit card number, in combination with a security code, access code, or password that would permit access to the account
- Any information regarding a person’s medical history, mental or physical condition, or treatment/diagnosis
- Health insurance policy number or subscriber number
- User name or email address, in combination with a password or security question and answer that would permit access to an online account
The law requires notification to affected individuals following a breach “without unreasonable delay,” and no later than 30 days following the determination of a breach (with certain exceptions). If a breach affects more than 1,000 individuals at a single time, notice must also be given to consumer reporting agencies. The act now uses the term “covered entity” to describe the organizations impacted; a covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information (for certain purposes, this includes governmental entities). The act addresses customer records and data in electronic format. Notice must also be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of a breach (or reason to believe there was a breach).
In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.
The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”
See also commentary about why this law could be model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history, insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).
HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York-Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office for Civil Rights (“OCR”) investigated the disclosure of the ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and contained appropriate software protections, and neither entity had conducted a thorough risk analysis or had an adequate risk management plan.
NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.
Kentucky is now the 47th state to enact a data breach notification law.
Identity Theft/Fraud Trigger
The bill was signed into law by Governor Steve Beshear earlier this month and requires notification following an event “that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud.” Kentucky’s law defines “personally identifiable information” as an individual’s first name or first initial and last name in combination with any one or more of the following data elements (when not redacted):
Account number, credit or debit number, in combination with any required security code, access code or password permit[ing]access to an individual’s financial account.
The statute specifies that any “information holder” shall disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute states disclosure “shall be made in the most expedient time possible…consistent with the legitimate needs of law enforcement.” The notification provisions do not apply to any person subject to the provisions of Gramm-Leach-Bliley or HIPAA, or to any state or local governmental agency.
In addition, the statute requires express parental permission for a cloud computing service provider to process student data for any purpose other than providing, improving, developing, or maintaining the integrity of the cloud computing services (or if done in connection with educational research, per federal statute).
The state auditor had promoted enacting such legislation and released a report stating:
“Although auditors didn’t identify any cyber security breaches, they did find instances of state agencies failing to take the necessary steps to protect confidential or sensitive information,” Auditor Edelen said. “This further illustrates the need for legislation to incentivize state and local government to better secure the data it holds on us, as well as require them to notify us when it’s lost or stolen.”
“The Kentucky Derby is a Grade I stakes race for three-year-old Thoroughbred horses, held annually in Louisville, Kentucky, on the first Saturday in May. The race is one and a quarter miles at Churchill Downs. The race is known in the United States as “The Greatest Two Minutes in Sports™” for its approximate duration, and is also called “The Run for the Roses” for the blanket of roses draped over the winner. It is the first leg of the United States Triple Crown of Thoroughbred Racing and is followed by the Preakness Stakes and Belmont Stakes.”
Michaels Stores, Inc. is now reporting that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards. The company says there is no evidence that other customer personal information, such as name, address, or debit card PIN, was at risk in connection with this issue. Reportedly, the security firms Michaels hired to investigate the “break-ins” initially found nothing, but the ultimate analysis confirmed the attacks, “using highly sophisticated malware that had not been encountered previously by either of the security firms.” In a press release dated April 17, 2014, the company states: “The Company has now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.” Following the disclosures regarding Target and Neiman Marcus in January of this year, Michaels Stores had previously reported that it was investigating a potential security breach involving customers’ credit card information.
The Target breach involved thieves planting malware on cash registers; the malware was designed to siphon card data when customers swiped their cards at the register. According to the information released by Michaels, the affected systems contained certain payment card information (card number and expiration date), but there was no evidence that other customer personal information (name, address, debit card PIN) was at risk.
The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute. This was part of the move to get better data out of the electronic health records initiative funded and spelled out in the Affordable Care Act. The anonymized or de-identified data is supposed to help clinicians draw meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers, and the pharmaceutical industry. The PCORI network is also supposed to identify patients who could be invited to join clinical trials. The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations. Of importance to the privacy watchdogs is that each participating organization retains all of the personally identifiable information, and only aggregated data is submitted for use in a research project.
In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers. In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents. The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices. Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court. The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.” Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco). Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.
There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues, including how best to tailor oversight of an entity’s practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or a significant financial impact on consumers.
See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14