Cryptocurrency: Key Areas of Concern For Attorneys

By: Fields Howell attorneys Jennifer Wolak, Samantha Rowles, & Adam Adler and ProQuest’s Vice President, Claims Advocate Lead Jennifer Groszek.

Cryptocurrency is a rapidly evolving area and certainly will impact attorneys in the E&O space. Attorneys must understand what cryptocurrency is and how it works. Current law does not provide any federal agency with plenary authority over cryptocurrency. Various agencies (the SEC, CFTC, IRS, and DOJ) are promulgating guidance and engaging in enforcement actions. This patchwork approach creates uncertainty and can be a minefield for attorneys offering advice in this space. The increasing popularity of cryptocurrency combined with its regulatory uncertainty has also created a situation in which attorneys may feel pressure to accept digital coins as a form of payment, but face increased risks and ethical pitfalls when doing so.

Areas of concern include whether initial coin offerings (ICOs) could be classified as securities, fraud, tax implications, and potential ethical issues with attorneys accepting payment in bitcoin and other cryptocurrencies…


Cyber News “In Brief”

By: Jennifer Wolak, Adam Adler and Samantha Lemery Rowles

Welcome to our Cyber News “In Brief” post. Here’s a quick overview of some of the significant recent headlines.

Case Updates
Under Armour recently announced that its nutrition app, MyFitnessPal, has suffered a data breach that impacted approximately 150 million users.  The app allows users to track their caloric intake and exercise.  The breach allegedly did not compromise credit card information or birthdays.  Instead, the breach compromised usernames, email addresses, and passwords.  These email addresses can be particularly valuable to spammers.  Some of the stolen passwords were protected with “bcrypt,” a deliberately slow password-hashing function that makes recovering the original passwords from the stolen data take more time and computing resources.  Other passwords, however, may have been stored in a less protected format.

Dating app Grindr has indicated that it will stop sharing the HIV status of its users with other companies.  According to media reports, user information was sent to two companies that test the performance of Grindr’s products and allegedly to create new features.  Grindr has insisted that it had security measures in place to protect users’ privacy, such as the encryption of sensitive information.  Grindr also insisted that it never sells any user information and will isolate the information going forward.

Grindr is just one example of the recent media focus on data-sharing practices and the privacy disclosures that companies use to disclose these practices.  Facebook has been in the spotlight for its purported knowledge of Cambridge Analytica’s harvesting of data from up to 87 million users.  There are allegations that this information was then used to influence the recent U.S. presidential election.  Cambridge Analytica gathered the data through a personality app.  Facebook announced that it will notify users as to whether their data was at issue.  A link also will be provided to allow users to delete apps and prevent them from collecting information.  According to some reports, Facebook has suspended CubeYou, a data analytics company, due to CubeYou’s alleged gathering of data via quizzes and then sharing that information with marketing companies.  We expect to see more of these types of suspensions.

Most of us voluntarily put quite a bit of personal information on publicly available social media apps, but how much control should we have over how that information is used?  How should these data-sharing practices be regulated, and to what extent?  By some accounts, Facebook’s Mark Zuckerberg has indicated that he may not be willing to impose the EU General Data Protection Regulation (the “GDPR”) as the standard without exception worldwide, but eventually there may not be a choice in the matter.  Zuckerberg will testify before Congress this week.

Apps are not the only targets – retailers Saks Fifth Avenue and Lord & Taylor recently announced that 5 million credit and debit cards have been compromised.  It appears the card information may have been stolen from stores using the “chip and signature” standard, but it is not clear whether the information was subject to encryption.  Recently, hackers posted the stolen information on the dark web.  The hack allegedly was committed by a group known as JokerStash (also known as Fin7), which may have been behind the Whole Foods and Chipotle breaches as well.  By some reports, the group has disclosed 125,000 credit card numbers thus far and promised to release more shortly.

It appears Sears, Delta, and Best Buy all were affected by a recent breach.  According to media reports, all three companies use the same third-party firm, [24]7.ai, to provide online and mobile chat services for customers.  Some customer payment information may have been compromised.  [24]7.ai has maintained that it has confidence in the security of its platform.

Loyalty programs could also present a significant vulnerability.  Panera recently was hit by a data breach.  We understand the records targeted belonged to customers that enrolled in the loyalty program.  As a result, names, emails, physical addresses, birthdays, and the last four digits of credit card numbers may have been compromised.  By some accounts, Panera allegedly was warned that its website was exposing sensitive data but did not immediately fix the issue.  There have been conflicting reports regarding the number of consumers affected.

In drone news, the Trump administration has recently asked Congress to give the Departments of Homeland Security and Justice the ability to track and destroy drones that could be used by terrorist groups to deliver harmful substances or conduct reconnaissance.  There is some concern that the proposal could lead to power that is unnecessarily broad.

The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Fields Howell or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the reader’s state, country or other appropriate licensing jurisdiction.

Four Takeaways From California’s Data Breach Suit Against Experian

On March 6, 2018, the state of California filed a lawsuit seeking civil penalties against credit reporting agency Experian Data Corporation and others.  This case has important implications for companies that collect or store consumers’ personal identifying information (“PII”), including possible exposure to hefty fines at the hands of state and local government entities for failure to comply with breach notification laws.

Case Background

California filed suit against Experian, Court Ventures, Inc. (“CVI”), and U.S. Infosearch.com, LLC (“USI”) (collectively, the “Defendants”), alleging that the Defendants failed to notify victims that their PII was stolen in a large-scale data breach.  This lawsuit comes on the heels of another suit that California filed against Equifax in September 2017 under a similar theory following the data breach that company experienced.

CVI and USI aggregate and sell access to consumers’ PII.  According to the Complaint, CVI and USI entered a Data Sharing Agreement and pooled their aggregated consumer PII.  This provided paying customers with access to a larger database of PII (the “Database”).  In March 2012, Experian allegedly acquired CVI and became a party to the Data Sharing Agreement.

In July 2010, Hieu Minh Ngo allegedly posed as a private investigator and purchased access to the Database.  Ngo then sold access to Database information to criminals via two illicit websites.  As many as 30M consumers’ PII may have been compromised.  According to media reports, criminals stole $65M by filing fraudulent tax returns using PII obtained via Ngo’s illicit websites.

California’s Basis for its Suit

California has sued the Defendants under California’s unfair competition and breach notification laws.  The breach notification law provides:

A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person…. Cal. Civ. Code § 1798.82(a)

The statute requires that disclosure “shall be made in the most expedient time possible and without unreasonable delay.” Id.

The Complaint alleges the Defendants have yet to notify affected persons of the data theft.  The Complaint seeks penalties of up to $2,500 per violation, plus an additional $2,500 for each affected person who is elderly or disabled.  With an estimated 3.6M affected Californians, this sum could exceed $9B.

Key Takeaways

There are four important takeaways from this case.

– Companies’ exposure from data breaches could increasingly stem from fines and penalties imposed by state and local government entities.

– California’s UCL and breach notice provisions could become an increasingly popular tool for California government entities eager to crack down on privacy or cybersecurity violations.  In fact, a separate suit against Equifax filed in September 2017 seeks to hold Equifax responsible for penalties under the UCL for its alleged six-week delay (and other deficiencies) in providing notification of the breach to victims.

– Security vulnerabilities are not necessarily the product of a technical deficiency.  Indeed, the Complaint alleges that consumers’ PII in this instance was compromised not through any technical vulnerability, but rather through a failure to properly vet Ngo and recognize his large-scale criminal operation.

– Liability for companies could result from agreements reached with third parties or other companies during the course of mergers and acquisitions.  Here, Experian acquired CVI and thereby became a party to the Data Sharing Agreement.  This acquisition, and Experian’s later role in the Data Sharing Agreement, were key vulnerabilities exposing it to potential liability.  Companies would, therefore, be wise to properly vet all agreements with third parties to prevent vulnerabilities that can result from unknown entities’ ability to gain access to the PII they collect.


Written by: Jennifer Wolak & Adam Adler
April 2, 2018