Gordon & Rees Wishes Everyone a Happy Privacy Day!

On Jan. 22, Gordon & Rees presented its First Inaugural Legal Education Conference, a day of informative programs covering 10 legal areas of key importance to businesses. The Privacy and Data Security Group presented on the topic “Trends in Data Breach, Emerging Regulations, Enforcement and Lawsuits” at the Convene Conference Center in New York City.

The program panelists included Gordon & Rees attorneys Andrew Castricone, Craig Mariam, Linda Mullany, Peiyi Chen, and Hazel Mae Pangan, who discussed the triggering events and identification of a data breach incident, responsive and investigative measures, notification requirements to government agencies and consumers, and customer/client complaints and lawsuits. In addition to retail and institutional breaches, the panelists reviewed HIPAA/HITECH Privacy and Security Rules, as well as the HIPAA Breach Notification Rule, including its similarities and differences to other data security rules, and the Enforcement Rule under HIPAA. More than 200 guests, including clients, attorneys, business owners, consultants and industry experts, were among those in attendance.

For your reference, we’ve provided the Cyber/Data Breach Reference Guide: Best Practices, State Surveys, HIPAA Enforcement. This helpful guide includes a 50-state survey of the current data breach statutes as well as an additional 50-state survey of current data destruction statutes.

We thank all those who attended and helped make the symposium a great success.

FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts. The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers who it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, these defendants would collect hundreds of thousands of payday loan applications from payday loan websites.  These website applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information, names, addresses, phone numbers, Social Security numbers and bank account numbers including routing numbers.

The FTC’s complaint alleges that certain non-lender third parties included marketers that made unsolicited sales offers to consumers via email, text message, or telephone calls.  According to the FTC’s complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information they were selling. The defendants in the case are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.

FTC Approves Final Order Requiring Snapchat to Implement a Stronger Privacy Policy

The Federal Trade Commission (FTC) recently approved a final order settling charges against Snapchat, Inc. (Snapchat), the developer of a mobile application that allows users to exchange impermanent photographs, referred to by Snapchat as “snaps” (the “FTC order”).

When Snapchat was launched in May 2012, users were sending approximately twenty-five snap images per second.  By November 2013, that figure surged to nearly four hundred million snaps per day, and continues to grow.  Many attribute Snapchat’s immense popularity to the intuitive user interface, the scarcity effect tied to the vanishing snaps, and Snapchat’s promise that images and video sent through the application would be irretrievably destroyed and not digitally archived after viewing.

In May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat deceptively misled consumers to believe that snaps would be destroyed within seconds of viewing when, in fact, they are stored on users’ phones in a relatively accessible form and can be easily captured by way of “screen-shotting” the image. EPIC further claimed that Snapchat failed to establish and enforce security measures to protect user data.

The FTC order settles EPIC’s allegations and forbids Snapchat from misrepresenting (1) the extent to which a snap is deleted after being viewed; (2) the extent to which Snapchat is capable of detecting or notifying senders when a recipient has saved a snap; and (3) the steps taken by Snapchat to protect against misuse of user information.

The final order also directs Snapchat to implement a privacy program that will be monitored for the next twenty years.  Additionally, Snapchat agreed to revise its privacy policy to address privacy risks and to protect the confidentiality of information about its users, including names, addresses, online contact information, telephone numbers, IP addresses, geo-location, usernames, and passwords.  The revised Snapchat privacy policy now provides that Snapchat “can’t guarantee that messages will be deleted within a specific timeframe” and that, even after a snap is deleted from Snapchat’s server, it “may remain in backup for a limited period of time.”  Snapchat also now warns that, “there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted.”

The final order furthers the FTC’s recent efforts to ensure that companies in the post-smartphone era describe mobile applications truthfully and uphold privacy promises to end users. The approval of the final order could well inspire other applications that promise anonymity and privacy, like Slingshot (Facebook’s answer to Snapchat) and Whisper and Secret (applications that allow users to make anonymous confessions), to reassess the way in which current privacy policies are drafted and enforced.

‘Twas the Season for Data Breaches

With the recent hacks into Sony’s system and the emails sent to Home Depot’s customers regarding the breach of its system, data breach is no longer some fantastical notion that only plays out in a 1980s sci-fi movie. It is a real threat to businesses and their employees and customers, and that threat rises during the holiday season, when the average consumer spends approximately $800 on gifts for family, friends, and co-workers.

Venture back with me to December 2013, when Target Corporation announced that it was hacked, which resulted in 110 million of its customers having their credit- and debit-card information stolen. When I came across a recent ruling in that case, my reaction was: “Oh, yes. I vaguely remember that happening,” and I might have even been a customer who received an email from Target explaining the breach. My point is that, as consumers, the shock has worn off, and we are not surprised to hear about such breaches. But businesses cannot be so cavalier—the courts require vigilance in the protection of data.

As we have reported on our blog, multiple lawsuits arose shortly after Target’s announcement, resulting in the consolidation of all federal cases into In re: Target Corp. Customer Data Security Breach Litig., which involved claims brought by financial institutions on one hand, and by consumers on the other.  Just last month, the District of Minnesota ruled largely in favor of the financial institutions on Target’s motion to dismiss, making it clear that Target breached its duty to maintain adequate security systems.

Just in time for the holiday season, the now famous Sony breach (which, in part, resulted in the cancellation of most theater showings of the movie, “The Interview”) has triggered at least five class-action complaints filed in California federal court against Sony Pictures Entertainment, Inc. The hacking incident allegedly exposed volumes of confidential emails, Social Security numbers, and salary and medical information of Sony’s former and current employees. The gist of the complaints is that Sony, despite being aware that hackers were able to breach its system, “failed to develop, maintain, and implement internet security measures on its corporate network,” and this led to the catastrophic data breach that one complaint calls an “epic nightmare.” Just last week at the Consumer Electronics Show, Sony’s CEO, Kazuo Hirai, described the hack, noting that Sony and its current and former employees “were the victim[s] of one of the most vicious and malicious cyber attacks in recent history.”

The class action filed in Los Angeles Superior Court also blames Sony for its decision regarding “The Interview,” since the film allegedly sparked the ire of hackers who were not pleased with the subject matter (a planned talk show assassination of North Korea’s leader, who was heavily parodied). In addition to its limited theatrical release, it was recently reported that the film has earned over $30 million in online and on-demand sales.

It is too early to predict the outcome of these actions, but it is likely that the federal complaints regarding Sony will ultimately be consolidated. As with most data breach cases, we anticipate heavily briefed motions to dismiss on standing and other grounds. We will, of course, track these cases and provide updated reports as developments unfold.