
Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident, as well as the company’s public filing of multiple reports with the SEC that commented on the risks and consequences of a breach in general but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter,

Nearly every state in the United States requires notification when certain personal information is lost, stolen, or misused. However, the many state laws vary in subtle but crucial respects, making it difficult to get to a bottom line quickly. Reed Smith’s Information Technology, Privacy & Data Security practice is thrilled to release a first-of-its-kind tool

The federal judiciary derives its power from Article III of the United States Constitution. That power is limited to deciding “Cases” and “Controversies,” Art. III, section 2. In the case of Spokeo v. Robins, the United States Supreme Court considered whether a plaintiff presents such a “case” or “controversy” where he only alleged a violation of a consumer protection statute, but did not allege any additional harm. The statute in question was the Fair Credit Reporting Act (“FCRA”). The Court found that plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.” Slip op. at 10. Even though Congress enacted the FCRA to avoid dissemination of inaccurate information, for example, “It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.” Id. at 11. The Supreme Court remanded this case for the Ninth Circuit Court of Appeals to further consider whether this plaintiff presented a “concrete injury” justifying the assertion of Article III jurisdiction.

In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in

In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI DSS) and annual independent audits to confirm compliance.

PCI compliance has apparently become a topic of great interest to the FTC, and it has now issued an Order to nine PCI DSS auditors pursuant to Section 6(b) of the FTC Act, seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy. The companies have been given 45 days to respond with a “Special Report” containing information, documents, and items responsive to the Order. According to the FTC’s Press Release regarding the Order, “[i]nformation collected by the FTC will be used to study the state of PCI DSS assessments.”

The Order contains a number of requests with upwards of 38 subparts, and specifically seeks both information and documentation regarding PCI auditing activities from January 2013 through the present, including:

Higher education institutions are increasingly targets of data breaches due to the vast amount of private information, including educational, medical and employee data, they maintain. It is no longer a question of if a data breach will occur, but when. Academic institutions can take certain measures to minimize exposure in the event of a breach,

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class:

All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.

The certified class representatives will litigate three claims on behalf of all such issuers: that Target was negligent in failing to provide sufficiently secure customer data; that Target violated Minnesota’s Plastic Security Card Act (“PCSA”); and that this violation of Minnesota law constituted negligence per se.

In opposing class certification, Target had maintained that no classwide proof of injury existed, especially given variations in state laws. Target also contended that damages would have to be calculated on a bank-by-bank basis, making class adjudication untenable. The court considered and rejected both of these arguments in turn.

Reed Smith LLP’s Information Technology, Privacy & Data Security Group has been named the “Data Protection and Privacy: 2015 Firm of the Year” by The Legal 500 United States.

Over the past decade, the group has developed into a think-tank for the firm’s clients, linking experienced cybersecurity and privacy professionals with veteran intellectual property litigators,

Perturbed by two allegedly unwanted faxes, Arnold Chapman brought a putative class action under the Telephone Consumer Protection Act (“TCPA”). For himself, he sought the most the statute could provide – $3,000, an injunction, and costs. ($3,000 represents $500 in statutory damages for each of the two faxes, trebled for an allegedly knowing or wilful violation.) The defendant offered Chapman $3,002, and the entry of an injunction, and costs. Chapman let the offer expire without accepting it. The District Court dismissed the case as moot.

Chapman appealed, and late last week, the Seventh Circuit reversed the lower court ruling. In Arnold Chapman v. First Index, Inc., the Seventh Circuit held that an expired offer of judgment does not moot an individual plaintiff’s claims. In so ruling, the panel reversed circuit precedent and aligned itself with the Second, Ninth, and Eleventh Circuits on the issue.