Cyber News “In Brief”

By: Jennifer Wolak, Adam Adler and Samantha Lemery Rowles

Welcome to our Cyber News “In Brief” post.  Here’s a quick overview of some of the significant recent headlines.

Case Updates
Under Armour recently announced that its nutrition app, MyFitnessPal, has suffered a data breach that impacted approximately 150 million users.  The app allows users to track their caloric intake and exercise.  The breach allegedly did not compromise credit card information or birthdays.  Instead, the breach compromised usernames, emails, and passwords.  These email addresses can be particularly valuable to spammers.  Some of the password information stolen was protected by “bcrypt,” which converts the information into an unintelligible format that could take longer and more resources to unravel.  Other information, however, may have been stored in a less protected format.

Dating app Grindr has indicated that it will stop sharing the HIV status of its users with other companies.  According to media reports, user information was sent to two companies that test the performance of Grindr’s products and allegedly to create new features.  Grindr has insisted that it had security measures in place to protect users’ privacy, such as the encryption of sensitive information.  Grindr also insisted that it never sells any user information and will isolate the information going forward.

Grindr is just one example of the recent media focus on data-sharing practices and the privacy disclosures that companies use to disclose these practices.  Facebook has been in the spotlight for its purported knowledge of Cambridge Analytica’s harvesting of data from up to 87 million users.  There are allegations that this information was then used to influence the recent U.S. presidential election.  Cambridge Analytica gathered the data through a personality app.  Facebook announced that it will notify users as to whether their data was at issue.  A link also will be provided to allow users to delete apps and prevent them from collecting information.  According to some reports, Facebook has suspended CubeYou, a data analytics company, due to CubeYou’s alleged gathering of data via quizzes and then sharing that information with marketing companies.  We expect to see more of these types of suspensions.

Most of us voluntarily put quite a bit of personal information on publicly available social media apps, but how much control should we have over how that information is used?  How should these data-sharing practices be regulated and to what extent?  By some accounts, Facebook’s Mark Zuckerberg has indicated that he may not be willing to impose the EU General Data Protection Regulation (the “GDPR”) as the standard without exception worldwide, but eventually there may not be a choice in the matter.  Zuckerberg will testify before Congress this week.

Apps are not the only targets – retailers Saks Fifth Avenue and Lord & Taylor recently announced that 5 million credit and debit cards have been compromised.  It appears the card information may have been stolen from stores using the “chip and signature” standard, but it is not clear whether the information was subject to encryption.  Recently, hackers posted the stolen information on the dark web.  The hack allegedly was committed by a group known as JokerStash (also known as Fin7), which may have been behind the Whole Foods and Chipotle breaches as well.  By some reports, the group has disclosed 125,000 credit card numbers thus far and promised to release more shortly.

It appears Sears, Delta, and Best Buy all were affected by a recent breach.  According to media reports, all three companies use the same third-party firm, [24]7.ai, to provide online and mobile chat services for customers.  Some customer payment information may have been compromised.  [24]7.ai has maintained that it has confidence in the security of its platform.

Loyalty programs could also present a significant vulnerability.  Panera recently was hit by a data breach.  We understand the records targeted belonged to customers that enrolled in the loyalty program.  As a result, names, emails, physical addresses, birthdays, and the last four digits of credit card numbers may have been compromised.  By some accounts, Panera allegedly was warned that its website was exposing sensitive data but did not immediately fix the issue.  There have been conflicting reports regarding the number of consumers affected.

In drone news, the Trump administration has recently asked Congress to give the Departments of Homeland Security and Justice the ability to track and destroy drones that could be used by terrorist groups to deliver harmful substances or conduct reconnaissance.  There is some concern that the proposal could lead to power that is unnecessarily broad.

The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Fields Howell or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the reader’s state, country or other appropriate licensing jurisdiction.

Four Takeaways From California’s Data Breach Suit Against Experian

On March 6, 2018, the state of California filed a lawsuit seeking civil penalties against credit reporting agency Experian Data Corporation and others.  This case has important implications for companies that collect or store consumers’ personal identifying information (“PII”), including possible exposure to hefty fines at the hands of state and local government entities for failure to comply with breach notification laws.

Case Background

California filed suit against Experian, Court Ventures, Inc. (“CVI”), and U.S. Infosearch.com, LLC (“USI”) (collectively, the “Defendants”), alleging that the Defendants failed to notify victims that their PII was stolen in a large-scale data breach.  This lawsuit comes on the heels of another suit that California filed against Equifax in September 2017 under a similar theory following the data breach that company experienced.

CVI and USI aggregate and sell access to consumers’ PII.  According to the Complaint, CVI and USI entered a Data Sharing Agreement and pooled their aggregated consumer PII.  This provided paying customers with access to a larger database of PII (the “Database”).  In March 2012, Experian allegedly acquired CVI and became a party to the Data Sharing Agreement.

In July 2010, Hieu Minh Ngo allegedly posed as a private investigator and purchased access to the Database.  Ngo then sold access to Database information to criminals via two illicit websites.  As many as 30M consumers’ PII may have been compromised.  According to media reports, criminals stole $65M by filing fraudulent tax returns using PII obtained via Ngo’s illicit websites.

California’s Basis for its Suit

California has sued the Defendants under California’s unfair competition and breach notification laws.  The breach notification law provides:

A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person…. Cal. Civ. Code § 1798.82(a)

The statute requires that disclosure “shall be made in the most expedient time possible and without unreasonable delay.” Id.

The Complaint alleges the Defendants have yet to notify affected persons of the data theft.  The Complaint seeks penalties of up to $2,500 per violation, plus an additional $2,500 for each affected person who is elderly or disabled.  With an estimated 3.6M affected Californians, this sum could exceed $9B.

Key Takeaways

There are four important takeaways from this case.

– Companies’ exposure from data breaches could increasingly stem from fines and penalties imposed by state and local government entities.

– California’s UCL and breach notice provisions could become an increasingly popular tool for California government entities eager to crack down on privacy or cybersecurity violations.  In fact, a separate suit against Equifax filed in September 2017 seeks to hold Equifax responsible for penalties under the UCL for its alleged six-week delay (and other deficiencies) in providing notification of the breach to victims.

– Security vulnerabilities are not necessarily the product of a technical deficiency.  Indeed, the Complaint alleges that consumers’ PII in this instance was compromised not through any technical vulnerability, but rather through a failure to properly vet Ngo and recognize his large-scale criminal operation.

– Liability for companies could result from agreements reached with third parties or other companies during the course of mergers and acquisitions.  Here, Experian acquired CVI and thereby became party to the Data Sharing Agreement.  This acquisition, and Experian’s later part in the Data Sharing Agreement, were key vulnerabilities exposing it to potential liability.  Companies would, therefore, be wise to properly vet all agreements with third parties to prevent vulnerabilities that can result from unknown entities’ ability to gain access to the PII they collect.

Written by: Jennifer Wolak & Adam Adler
April 2, 2018

Fields Howell Partner Paul Fields Wins 2016 Client Choice Award

Atlanta, GA – On February 17, 2016, the International Law Office (ILO) and Lexology announced the winners of the 2016 Client Choice Awards. Fields Howell LLP is pleased to announce that founding partner, Paul L. Fields, Jr., has been selected as the exclusive winner of the Insurance category for Georgia.

Established in 2005, the Client Choice Awards identify top attorneys by surveying senior in-house counsel on the quality of client service they receive from law firms, rather than relying on peer nominations as many other professional awards do. Using attorney-client relationships to define success, the awards seek partners that excel in their roles and continuously offer outstanding client services. This year’s winners were selected from over 2,500 individual nominations.

Paul’s nomination reflects his twenty-eight years of practicing complex insurance coverage and litigation. Throughout his career, Paul has cultivated long-term relationships with clients and is devoted to the success of their businesses. His professional knowledge and ability to provide individualized attention to his clients have earned him the utmost respect from counsel members all around the world.

To view the complete list of 2016 winners in the US & Canada, click here: Client Choice Awards 2016 Winners

About ILO:

Launched in 1998, ILO is the nexus where global corporate counsel engage with the world’s preeminent law firms, and each other. ILO is a multifaceted online resource for senior international corporate counsel, which provides tailored, quality-assured updates on global legal developments, a database of the world’s major deals and the legal advisers involved, and a comprehensive directory of firms and partners.

About Lexology:

Launched in 2007, Lexology is a daily newsfeed of law firm client alerts, articles and blogs delivered to the desktops of senior business lawyers worldwide on a daily basis. Lexology has built a unique audience of over 260,000 subscribers, over 60% of whom are in-house corporate counsel representing the vast majority of Fortune 500, FT Global 500 and FT Euro 500 companies – including all members of the Association of Corporate Counsel.

Fields Howell Opens Miami Office

We are pleased to announce the addition of our new Miami office, which officially opened its doors on February 1, 2016.

Armando P. Rubio, former partner at Cole Scott & Kissane PA, has joined the firm to lead the Miami office as Partner-in-Charge.

Armando and his team will be assisting the firm with its existing insurance coverage and defense practice, while bringing years of experience and a proven track record in marine liability, product liability and commercial defense. While leading this fully bilingual office in Miami, Armando will continue to handle matters in Florida, Mexico, the Caribbean and throughout Latin America.

We look forward to serving our clients in this new market.

Happy Holidays from Fields Howell

We want to wish all of our clients and partners a wonderful holiday season, and we look forward to doing business with you in 2016! Click the link below to play our holiday game!

http://www.fieldshowell.com/holiday/

(For best gaming experience, play on your mobile device.)

We Have Moved!

We have moved to a new office. Please update your records to reflect our new firm name:

Fields Howell LLP

and new address:

1180 W. Peachtree Street, Suite 1600

Atlanta, GA 30309

Fields Howell Adds Four New Associates

Fields Howell is pleased to announce the addition of four new associates to the firm this month: Stephen A. Kahn, Adam I. Adler, Elizabeth J. Accurso and Kamber S. Burke.

Stephen A. Kahn graduated magna cum laude from the University of Alabama School of Law (2010) where he served as a senior editor on the Law Review and as a member of the JAG Moot Court Team. During law school, Steve served as a legal intern in the Domestic Cable Distribution Office at Warner Brothers in Burbank, California; a judicial intern for the Honorable Michael Warren of the Oakland County Circuit Court; and clerked for Owens and Millsaps, LLP. Most recently, Steve relocated from Birmingham, Alabama, where he was a senior associate at Ferguson, Frost, Moore & Young, LLP. Steve’s practice primarily focuses on complex litigation and coverage defense. He is admitted to the Alabama State Bar, State Bar of Michigan and State Bar of Georgia.

Adam I. Adler graduated with honors from Emory School of Law (2011), where he interned with the United States District Court for the Northern District of Georgia and for the Fulton County District Attorney. Following law school, Adam worked for the United States Bankruptcy Court for the Northern District of California in San Jose. Upon returning to Atlanta, he started working as a staff attorney for the United States Court of Appeals for the 11th Circuit, and most recently as a judicial law clerk for Judge Peter T. Fay. Adam’s practice is centered with our professional liability team. He is a member of the State Bar of Georgia and State Bar of California.

Elizabeth J. Accurso is a recent graduate from Emory University School of Law (2015) where she was Notes and Comments editor for the Emory Law Journal. During law school, Elizabeth was an extern for the Georgia Attorney General in the Government Counsel Division, a research assistant to Professor Michael Kang, and a summer associate here at Fields Howell. Elizabeth returns to the firm as a first year associate practicing insurance coverage and defense, and complex litigation.

Kamber S. Burke is a recent graduate with honors from Emory University School of Law (2015) where she was a member of the Moot Court Society and Legal Association for Women Students. During law school, Kamber clerked at Neel, Robinson, & Stafford LLC; served as a judicial extern for the U.S. District Court for the Northern District of Georgia under The Honorable Timothy Batten, Sr.; interned for the Buckley Law Firm, LLP; was a legal intern at the Governor’s Office of Consumer Protection as an American Bar Association Janet D. Steiger Fellow; and served as a legal extern in the Ethics and Compliance Division at the Coca-Cola Company. Kamber’s practice will focus on insurance coverage and defense, and complex litigation.