On July 25, 2019, New York Governor Anthony Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The Act creates additional protections for the residents of New York and their private information. It also endeavors to improve cybersecurity measures for those who possess private information about New York residents.
Most attorneys are well aware of statutory obligations that require private and governmental entities to notify individuals of data breaches that involve the loss or disclosure of personally identifiable information. An area that may be less clear, however, is what ethical obligations attorneys have to guard against data breaches involving client information and what steps attorneys must take when a data breach occurs.
On April 24, 2018, the Securities Exchange Commission (SEC) announced a $35 million fine against the company formerly known as Yahoo! Inc. (now known as Altaba, Inc.) for failing to disclose a massive cyber data breach to its investors for nearly two years. This is the first time the SEC has punished a company for such conduct.
Our firm is now helping a client with damage control and data recovery upon discovering – a week after their former Chief Technology Officer (CTO) had resigned but six months after he’d been demoted to a lesser role -- that the CTO had created a back door for himself to the client’s servers and had spent those last six months of his employment accessing, downloading and storing emails of the client’s top executives, and its most important vendors.
As we are early into the new year, for many, hope springs eternal to get in shape during 2018. Many of us wear some kind of fitness activity tracker that monitors steps, heart rate, calories, sleep patterns, etc. Recent news coverage of Strava, the running and cycling fitness tracking app, has caused concern for the United States military. But might it cause concerns for some businesses that operate under high levels of security, as well?
Continuing a trend in the last few years, in 2017, eight states amended their security breach notification laws to expand definitions of “personal information”, specify the timeframe in which notification must be provided, and require businesses to implement adequate security practices to protect personal information in their possession, among other things. New Mexico also enacted a data breach notification statute of its own, leaving only two states without specific legislation relating to data breach notification requirements. A summary of the highlights of the new law and other amendments enacted in 2017 follows:
No! It is a common misconception among the general public that someone always has to pay when there is a data breach. It is understandable that individuals affected by a data breach will be upset, distraught, and even angry. In light of recent large-scale data breaches, it is safe to say we have all been there, with our personal information that we entrusted to particular companies or employers now out there in the hands of cyber thieves.
Citing a sixty percent increase in data breach notifications from 2015 to 2016, New York Attorney General Eric Schneiderman recently introduced the Stop Hacks and Improve Data Electronic Security Act (SHIELD) bill. The legislation would require companies that handle sensitive date of New York residents to adopt “reasonable administrative, technical and physical protections for data.”
On Friday, July 21, users of the “married dating” website, ashleymadison.com, received preliminary approval of an $11.2 million class action settlement. This settlement seeks to resolve a number of consolidated lawsuits against Avid Life Media, some of which also named the owners and operators of the website. This settlement will conclude all the civil claims against Avid Life Media and a number of individually named owners and operators of the business arising from the data breach that brought the website to heightened notoriety in 2015. This $11.2 million class action settlement is separate from the Federal Trade Commission’s $1.6 million settlement with Ruby Corp., Avid’s parent company, which resolved charges that customers had been misled, not only with regard to the retention of private information, but also with regard to alleged fake profiles of female users made to attract new users.
Yahoo recent announcement that CEO Marissa Mayer would forego a 2017 stock award (after giving up a 2016 cash bonus) following security breaches in 2014, 2015 and 2016 underscores the importance of having a security team in place to prevent or at least mitigate, security breaches.