Yahoo! data breach litigation to proceed
On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016. See discussion at:
The U.S. Securities and Exchange Commission (“SEC”) issued a press release on April 24, 2018 announcing a $35 million penalty payment by Yahoo! (n/k/a Altaba) to settle charges that it misled investors by failing to disclose “one of the world’s largest data breaches…” As noted by the SEC, “within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels…’” The SEC’s San Francisco regional director commented that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark…” The case reportedly is the first time the SEC has pursued a company for failing to disclose a data breach.
See: Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million
See: U.S. regulator fines Altaba $35 million over 2014 Yahoo email hack
California’s Updates on Breach and Security
Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.
The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state helping federal intelligence agencies collect telephone records without warrants:
- SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
- AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (broaden the type of activity protected from unwarranted capturing of images or photographs; establish zones of privacy around schools and medical facilities; eliminate the existing physical trespass requirement for invasion of privacy; render illegal the use of drones and other electronic devices to capture images of individuals in their homes)
- AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
- AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
- SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
- SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress
In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012. The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and, more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders. See link to AG website: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million.
Notably, Attorney General Harris provides some recommendations:
- Companies should encrypt digital personal information
- Companies and agencies should review and tighten security controls
- Companies and agencies should improve readability of breach notices
- Companies and agencies should offer mitigation products
- And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password
This last recommendation would appear to significantly alter the notification landscape, as there are numerous breaches that do not fall within the reporting/notification criteria given the nature of the information impacted. States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs), and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud. The Data Breach Report notes that, in recent years, online intrusions have targeted passwords and other account credentials, which then allow criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter). The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts. A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”
The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013. Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.
Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email. Other than the statutory suggestions, the Report serves as a guidepost for businesses, given the admonishments regarding improvement for security, clarity/accessibility in the actual notification texts and encouraging the notifying entities to offer credit security freezes. With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.
See: Data Breach Report 2012