
InfoBytes Blog

Financial Services Law Insights and Observations


  • State AGs reach $2 million settlement to resolve data breach

    State Issues

    On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a data breach that allowed an unidentified attacker to obtain information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and, after determining that users’ personal information was for sale on the dark web, later began notifying affected users of the breach.

    In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer—who has not admitted to the alleged violations—has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan to encompass preparation, detection and analysis, containment, eradication, and recovery; (iii) ensure personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure third-party security assessments occur biennially for the next five years.  

    State Issues, Privacy/Cyber Risk & Data Security, Data Breach, State Attorney General

  • Court grants preliminary approval of CCPA class action settlement

    Courts

    On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach and potentially exposing customers’ personal information (PII) used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”

    After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”

    Courts, CCPA, State Legislation, Privacy/Cyber Risk & Data Security, Data Breach, Class Action, State Issues

  • 9th Circuit affirms dismissal of data breach class action against online payment firm

    Courts

    On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As previously covered by InfoBytes, the district court concluded that, while the plaintiffs plausibly alleged the defendants’ November 2017 announcement about the data breach was misleading because it only disclosed a security vulnerability and did not disclose a breach that “potentially compromised” 1.6 million customers until a month later in December, the plaintiffs failed to show that the defendants knew the breach had affected 1.6 million customers when they made the initial statement. Moreover, the court concluded the plaintiffs failed to allege that their cybersecurity expert was familiar with, or had knowledge of, the defendants’ specific security setup or that he actually talked to the defendants’ employees about the breach.

    On appeal, the 9th Circuit agreed with the district court, noting that the complaint lacked any allegation that the defendants had a motive to mislead investors in November, but not in December, such as the selling of stock during the relevant period. Thus, the appellate court could not conclude that the plaintiffs showed that the November announcement “was intentionally misleading or so obviously misleading that he must have been aware of its potential to mislead.” Therefore, the appellate court affirmed dismissal for failure to state a claim.

    Courts, Privacy/Cyber Risk & Data Security, Appellate, Ninth Circuit, Data Breach, Class Action

  • Irish Data Protection Commission fines U.S. social networking company for violating GDPR

    Privacy, Cyber Risk & Data Security

    On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European Union. The final decision, published by the European Data Protection Board (EDPB), imposes a €450,000 fine against the company, and resolves an investigation in which the Commission alleged the company violated Articles 33(1) and 33(5) of the GDPR by failing to provide notice about the breach within a 72-hour period and by neglecting to adequately document the breach. According to the Commission, this inquiry is the first “dispute resolution” Article 65 decision (draft decision) under the GDPR, and marks the first decision issued against a “big tech” company. According to the final decision, “a number of concerned supervisory authorities raised objections” to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €135,000 and €275,000. The EDPB determined that the objections were “relevant and reasoned” and instructed the Commission to increase the fine to ensure “it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality” established under the GDPR.

    Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, GDPR, EU, Data Breach

  • Health insurer to pay $48 million to resolve 2014 data breach

    Privacy, Cyber Risk & Data Security

    On September 30, a multistate settlement was reached between a health insurance company and a coalition of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly compromised the personal information of more than 78 million customers nationwide. According to the states, cyber attackers infiltrated the company’s systems using malware installed through a phishing email. The data breach resulted in the exposure of consumers’ Social Security numbers, birthdays, and other personal data. Under the terms of the settlement, the health insurer must pay $39.5 million in penalties and fees, and is required to (i) not misrepresent the extent of its privacy and security protections; (ii) implement a comprehensive information security program, including “regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO”; (iii) implement specific security requirements, including “anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training”; and (iv) schedule third-party assessments and audits for three years.

    Separately, the California AG reached an $8.69 million settlement, subject to court approval, in a parallel investigation, which requires the health insurer to, among other things, implement changes to its information security program and fix vulnerabilities to prevent future data breaches.

    Previously in 2018, the health insurer reached a $115 million class action settlement, which provided for two years of credit monitoring, reimbursement of out-of-pocket costs related to the breach, and alternative cash payment for credit monitoring services already obtained (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security, Courts, Settlement, Data Breach, State Issues, State Attorney General

  • California AG, former FTC chairs argue about federal privacy law preemption during Senate committee hearing

    Federal Issues

    On September 23, the Senate Committee on Commerce, Science, and Transportation held a hearing titled, “Revisiting the Need for Federal Data Privacy Legislation.” The hearing examined the current state of consumer data privacy and legislative efforts to provide baseline data protections for American consumers, and examined the lessons learned from the EU’s General Data Protection Regulation (GDPR) and recently enacted state privacy laws. Witnesses included a number of former chairs and commissioners of the FTC, along with California Attorney General Xavier Becerra.

    Becerra discussed the California Consumer Privacy Act (CCPA), which sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information, and provides California residents several rights, including the right to know what data companies have collected on them and the right to ask to delete data or opt-out of its sale. (See continuing InfoBytes coverage on the CCPA here.) Concerning future federal privacy legislation, Becerra stressed that any such legislation should not preempt the work happening at the state level, and he urged the Committee “to favor legislation that sets a federal privacy-protection floor rather than a ceiling,” in order to allow states the opportunity to provide tailored protections for their residents. Becerra also stressed that the ideal federal legal framework would “recognize[] that privacy protections must keep pace with innovation,” and further addressed the need for a meaningful enforcement regime that respects the work undertaken by the states.

    Former FTC chairs Jon Leibowitz and Maureen Ohlhausen, however, argued (see here and here) in favor of federal preemption. They suggested that a single national comprehensive privacy standard would be stronger and more comprehensive than existing regimes such as the CCPA and GDPR, and could better serve consumers even if it replaces state regulations. Both stressed that preempting state laws should not mean weakening protections for consumers. Moreover, both Leibowitz and Ohlhausen emphasized that federal privacy legislation should be technology- and industry-neutral, with rigorous standards backed by tough enforcement. Leibowitz also urged Congress to provide the FTC with the ability to impose civil penalties on violators for first-time offenses, and recommended that the FTC be granted the primary authority to administer the law and be given continued authority to provide redress directly to consumers. Former chair William Kovacic presented a different approach, which would establish a domestic privacy network to promote cooperation and coordination between federal and state privacy regulators to improve policy formation.

    Other topics covered in the hearing included Chairman Roger Wicker’s (R-MS) recently introduced bill (S. 4626), known as the SAFE DATA Act, which would require businesses to be more transparent about their data collection, processing, and transfer activities, and give consumers more choices and control over their data. Among other things, the bill would preempt privacy laws in California and other states, except in regard to data breaches, and would not include a private right of action allowing consumers to sue over privacy violations.

    Federal Issues, Federal Legislation, Privacy/Cyber Risk & Data Security, Data Breach, State Issues, State Attorney General

  • California AG enters into privacy settlement with fertility-tracking mobile app

    Privacy, Cyber Risk & Data Security

    On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.

    Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”

    Privacy/Cyber Risk & Data Security, Courts, Settlement, Data Breach, State Issues, State Attorney General

  • New York AG settles data breach lawsuit with national coffee chain

    Privacy, Cyber Risk & Data Security

    On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.

    Privacy/Cyber Risk & Data Security, Courts, Settlement, Data Breach, State Issues

  • District court approves MDL data breach settlement

    Courts

    On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.

    Courts, MDL, Settlement, Attorney Fees, Class Action, Data Breach, Privacy/Cyber Risk & Data Security

  • District court allows data breach claim to proceed against national credit reporting agency

    Courts

    On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s personal information. According to the opinion, the consumer alleged that the CRA, among other things, failed to “implement security and privacy measures to safeguard plaintiff’s sensitive information and misrepresented to him that his personal data would be protected from outside threats.” The CRA had previously entered into a class action settlement concerning the data breach and resolved hundreds of data breach cases brought against the company; however, the consumer opted out of that nationwide class action. The CRA moved to dismiss the consumer’s action, arguing, among other things, that data breach claims are not actionable under N.Y. G.B.L. § 349. While the court granted the CRA’s motion as to the consumer’s FCRA claim, the court denied the CRA’s request to dismiss the consumer’s claim under N.Y. G.B.L. § 349. Specifically, the court concluded that the consumer plausibly alleged the CRA misrepresented its ability to protect the consumer’s personal information, which “resulted in actual and pecuniary harm after [the consumer]’s identity was stolen and numerous unauthorized accounts were opened under his name.” The court distinguished this claim from the consumer’s FCRA claim, which asserted the CRA failed to “shield” the consumer’s information from the hackers, whereas the N.Y. G.B.L. § 349 claim rests on the CRA’s representations of protection.

    Courts, Privacy/Cyber Risk & Data Security, Credit Report, Credit Reporting Agency, Data Breach
