Privacy & Cybersecurity

Settlement appears imminent in an employee class action against Sony Pictures Entertainment (“SPE”) arising from disclosure of their personally identifiable information (“PII”) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. 

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach. Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations.

The National Institute of Standards and Technology has published a draft of its objectives for cybersecurity standardization, following in many ways the consultative model that it used successfully in drafting the NIST Framework for critical infrastructure cybersecurity.

Rather than our usual Privacy Monday "bits and bytes," we have a breaking story relating to the ongoing Wyndham/FTC saga.

The Impact Team, the vigilante group behind the hacking of the infamous website AshleyMadison.com has followed through on its threat to leak the full database of the site’s users online. On Tuesday, August 18, 2015, an impressive 9.7 gigabytes of compressed data was posted to the dark web using an Onion address accessible only through the Tor browser. 

Target has announced that it has entered into a settlement with Visa to resolve claims of issuers of Visa credit and debit cards arising from Target’s November 2013 data breach. The proposed settlement will pay issuers of Visa payment cards up to $67 million to reimburse losses associated with the theft of card numbers from Target POS terminals.

It's Privacy Monday again - and summer is winding down.
Here are three bytes of privacy/security information to start your week:

As EU data protection watchers know, the draft General Data Protection Regulation (which has been around long enough to be universally referred to by its acronym, GDPR) exists in three major versions, with a fourth version recently released by the office of the European Data Protection Supervisor (EDPS).

Retailer Neiman Marcus has filed a petition seeking en banc review by the entire Seventh Circuit of the decision by a three-judge panel of that court in Remijas v. Neiman Marcus Group, LLC reversing dismissal of consumer data breach claims for lack of standing.  

Many of the highest-profile and headline-catching data breaches involve external breaches of a company’s electronic systems. But the reality that these headlines obscure is the fact that internal data breaches are generally more prevalent and represent a primary source of concern for data security managers.

It's the first Monday in August ... and time for all those "back to school" ads.
While you enjoy what is left of the summer of 2015, we will kick off your week with a few privacy and security bits and bytes.

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday - July 17, 2015 - that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results).

In Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit reversed a district court decision dismissing consumer payment card data breach claims for lack of standing. 

We previously reported here that CNA filed a lawsuit against its insured Cottage Health System seeking reimbursement of amounts that it previously paid under Cottage’s cyber liability insurance policy.  

It's Monday! Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

Welcome to the dog days of summer 2015. Three privacy & security bits and bytes to start your week (if you are reading this on vacation ... good for you!)

In its recently-filed motion to dismiss claims of card-issuing banks arising from the September 2014 theft of payment card data from Home Depot point of sale terminals, Home Depot employs an approach typically used to respond to consumer claims.

Facing “industry stakeholders [that] were unable to agree on any concrete scenario” in which affirmative consent should be obtained from individuals before employing facial recognition technologies, nine consumer advocacy organizations made an about-face and withdrew from the multistakeholder process coordinated by the National Telecommunications and Information Administration (“NTIA”).

Don’t forget to register for our upcoming webinar discussion with an expert panel on Risk Assessments!