On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. The Regulations also do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert providing an overview of the Regulations, and on February 6, 2018 and August 28, 2018 we published follow-ups highlighting the next round of disclosures required under the Regulations. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damien Privitera also conducted a CLE webinar – Compliance Checkup: NY DFS Cybersecurity Regulations – on August 7, 2018, which can be accessed here.
NYSDFS Upcoming Deadlines Fast Approaching: Next Key Dates are February 15, 2019 and March 1, 2019
Stephen Forte is the New York practitioner of the Privacy and Data Protection team. As a commercial litigator who has worked the bulk of his career as an attorney representing financial institutions, Steve’s data privacy related work naturally focuses more on financial privacy and related areas such as PCI-DSS. In that vein he has been closely monitoring significant regulatory and legislative changes in the field within New York, such as the New York State Department of Financial Services cybersecurity regulations that went into effect last year. Similarly, Steve regularly monitors decisions of interest from the state and federal courts in both New York and Connecticut, as well as nationally. Steve's complete biography can be found here.
When a data breach occurs at a company, not only is customer data vulnerable but so is employee information. But what obligations do employers owe their employees?
This issue was recently decided in part, at least with respect to Pennsylvania employers, in Dittman v. UPMC, 43 WAP 2017, 2018 WL 6072199, at *14 (Pa. Nov. 21, 2018). In Dittman, a group of employees sued their employer, the University of Pittsburgh Medical Center, for failure to take reasonable care to protect their personal private information. On appeal, the Supreme Court of Pennsylvania overturned the decision of the lower court and held that an employer owes a common law duty of care to its employees to use reasonable care to safeguard their sensitive data as stored on the employer’s internet-accessible computer system. Notably, the employees’ position was not that the employer engaged in any misfeasance, but nonfeasance for failure to prevent the harm from occurring. The Supreme Court found that the mere fact that third parties committed the wrongdoing – the data breach – did not negate the duty of the employer to safeguard the employees’ sensitive information, which they were required to provide the employer as a condition of employment.
The Dittman case is certainly not the first time a group of employees sued an employer based upon a data breach of the employer’s computer system that resulted in the disclosure of the employees’ personally identifiable information. In Sackin v. TransPerfect Global, Inc., 278 F. Supp. 739 (S.D.N.Y. 2017), the employer moved to dismiss a class action filed by the employees, and the motion was denied in part. Among other things, the district court found that the complaint sufficiently stated a cause of action for breach of the common law duty of care, namely that the employer violated its duty to take reasonable steps to protect the employees’ data. The court also found that a viable cause of action existed for breach of the implied contract between the employer and employees, but not for breach of the terms of the employment contract. With respect to the former, the conduct and course of dealing between the parties was deemed to rise to the level of an implied contract because, as a prerequisite of employment, the employees were required to provide the employer with certain sensitive data, and given how commonplace data and identity theft are in the current day and age, the court found an implied assent by the recipient to protect that data.
Employers Beware and Take Reasonable Care
As the number of data breaches increases, so does the number of data breach-related lawsuits, whether styled as class actions or individual lawsuits. To the extent these lawsuits are commenced in the federal courts, the question arises of what satisfies Article III standing. Merely because a data breach may have occurred and personally identifiable information may have been exposed, or is at risk of being exposed, does not necessarily confer standing on the party whose information has been compromised in the absence of actual harm. As with most litigation, the answer also depends, at least in part, on the jurisdiction in which the lawsuit is commenced.
In Gilot v. Equivity, 18-CV-3492 (WFK), 2018 WL 3653150, at *1 (E.D.N.Y. July 31, 2018), the district court reinforced the Second Circuit’s position on what is required for a plaintiff to have Article III standing. In Gilot, an action commenced by an individual was dismissed for lack of standing where it was only alleged that the unauthorized release of her personally identifiable information to a third party without her consent could lead to potential identity theft. The words “could” and “potential” are important because in the Second Circuit, as in the First, Third and Eighth Circuits, having been put at risk, without actual harm, is insufficient to confer Article III standing upon a plaintiff.
The Eleventh Circuit generally follows the First, Second, Third, and Eighth Circuits; however, the threshold for damages to confer standing is lower. In Muransky v. Godiva Chocolatier, Inc., 905 F.3d 1200 (11th Cir. 2018), the plaintiff alleged that the merchant violated the Fair and Accurate Credit Transactions Act (FACTA) by printing an untruncated receipt with more than five digits of the customer’s credit card number. This statutory violation was sufficient to withstand a motion to dismiss for lack of standing, since it constituted damages in the form of the plaintiff needing to bear the cost of safely keeping or disposing of the receipt to avoid someone obtaining the credit card number.
Standing Considerations in Federal Data Breach Litigation
Cathay Pacific recently disclosed that a data breach occurred exposing information for as many as 9.4 million people – the largest airline data breach ever. The extent of the information obtained varied from credit card information (although it is reported that only partial credit card information was obtained or that the cards were expired), to telephone numbers, dates of birth, frequent flier numbers, passport numbers, government ID numbers, and past travel information.
Shortly after Cathay Pacific revealed its breach, British Airways announced that the data breach it incurred last month may have included information for an additional 185,000 customers beyond those initially disclosed (last month the figure was reported to be 380,000 customers, although British Airways is now claiming it is possibly fewer). While an investigation is ongoing, the breach is believed to have included, among other things, payment details, inclusive of – for at least some customers – the CVV number.
No sector is safe from data breaches, and some are either more vulnerable and/or more attractive to cyber criminals than others because of the types of information stored. The airline industry is one where the companies are likely to have a treasure trove of personally identifiable information. This is a valuable reminder that, as a business, it is important to be sensitive and cognizant of the types of customer data in your possession and to be sure to take the necessary steps to keep it secure.
On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. Furthermore, the Regulations do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert relating to the Regulations, and on February 6, 2018 we published a follow-up alert highlighting the next round of disclosures required under the Regulations. This alert further highlights the upcoming September 4, 2018 deadline. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damian Privitera also conducted a CLE webinar entitled “Compliance Checkup: NY DFS Cybersecurity Regulations” on August 7, 2018.
A brief overview of who is covered, key dates, and the areas in which compliance must be met is below.
NYSDFS Upcoming Deadlines Fast Approaching: Next Key Date is September 4, 2018
As we approach the Fall of 2018, data breaches and cybersecurity incidents remain prevalent throughout the U.S. (and the world). No matter what industry you are in, you are susceptible to a breach. Already this year, breaches have been disclosed by companies such as Saks, Lord & Taylor, Panera Bread, Facebook, and Under Armour’s MyFitnessPal app, just to name a few. Those few companies alone account for over 320 million records having been breached. Although not listed, insurance, financial, educational and health care companies and institutions are also not without incident.
In reaction to instances such as those mentioned above, as well as on the heels of Europe’s recently enacted General Data Protection Regulation (“GDPR”), federal and state legislatures throughout the U.S. have begun passing new laws. A few of the trailblazers in new data protection and/or cybersecurity laws are California, Vermont, and New York.
One of the most impactful new laws that companies must be aware of is the California Consumer Privacy Act (the “CCPA”), which follows the GDPR. The CCPA, passed on June 28, 2018 and effective January 1, 2020, is an important law to be aware of because, while it only applies to California citizens, it targets both domestic companies and companies outside of California that do business in the state. It is also widely anticipated that other states will follow in passing similar types of legislation. At its core, this is a consumer-friendly law, which will pose significant compliance challenges for companies.
Trailblazing States in Data Privacy and Cybersecurity
New York has already been on the forefront in the area of cybersecurity, as evidenced by what is widely acknowledged as the first-in-nation cybersecurity regulations promulgated by the New York State Department of Financial Services (the “DFS”). These regulations are far-reaching, in large part because they cover any non-exempt entity under the control of the DFS – ranging from lenders to insurance companies and others in between – and also any company that does business in New York, not just those based in New York.
In a continued effort to combat cybersecurity and data privacy issues and to prevent hacks, New York is also on the verge of passing the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), which is aimed at protecting the personal information of New Yorkers held by all businesses. Much like the DFS regulations, the SHIELD Act would have broad reach even outside the borders of New York State, as evidenced by a key feature whereby it would apply to any business that holds sensitive data of New Yorkers, regardless of whether it does business in the state. The sensitive data that would be protected by the SHIELD Act is not limited to Social Security numbers and other financial data; the Act would also cover any breach that exposes usernames and passwords, biometric data, or private health data. To achieve its goals, the proposed Act will require businesses to adopt reasonable administrative, technical, and physical safeguards for data. What is “reasonable” will depend on the size of the company. Among the impetus for this proposed legislation is the sharp increase in reported data breaches in New York from 2016 to 2017: 1,583 data breaches were reported, and the number of New Yorkers whose personal information was exposed quadrupled to 9.2 million. The full text of the proposed legislation can be found here.
These new laws will require entities that do business in New York to ensure compliance and to implement steps to protect personal information. While the SHIELD Act has not yet been enacted, best practice is to put comparable procedures in place now and to apply them to data involving both New Yorkers and non-New Yorkers. When in doubt, err on the side of protecting as much information as practicable and reasonable. Even if you are not in New York or do not do business in New York, it is likely that all states will be updating their laws to address cybersecurity and data privacy going forward.
In late 2014, Yahoo! (now known as Altaba, Inc.) incurred a data breach resulting in data being leaked for over 500 million user accounts (and according to some reports, even more). This included usernames, email addresses, phone numbers, birthdates, encrypted passwords and security questions. While this massive hack may have been bad in its own right, Yahoo! officials did not report the breach until almost two years later in 2016 (right around the time when it was closing on an acquisition deal with Verizon, which now owns Yahoo). Understandably, this did not go over well once the information was discovered, and it will now cost the company $35 million, payable to the Securities and Exchange Commission. What is notable, however, is that this “fine” (which is actually a settlement) is based primarily on Yahoo’s filing of annual and quarterly reports during that two-year period in which the breach was not disclosed, thereby withholding the information from both the government and investors. It was not based on the fact that the breach was withheld from its actual users for two years. Regardless, Yahoo will now be notorious not only for a massive hack, but for incurring the first penalty of this nature levied against a publicly traded company for failure to disclose.
Failure to have proper data privacy and cybersecurity protocols can come back to haunt companies in various ways. Penalties and enforcement agencies can also vary depending on the nature of the infraction. Best practice is to follow all applicable reporting guidelines and to be transparent about both any incidents that may have occurred and the remedial efforts taken in response.