
Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts, which occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident as well as the company’s public filing of multiple reports with the SEC, which commented on the risks and consequences of a breach in general, but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

Continue Reading Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors

In a published decision, a unanimous panel of the Appellate Division rejected “the notion that plaintiffs – in alleging an invasion of privacy in an office building’s bathroom – could only claim the presence of a hidden recording device by demonstrating their images were actually captured.” Jaime Friedman et al. v. Teodoro Martinez et al., case number A-4896-15T1.  In so doing, the panel rejected a lower court ruling and allowed plaintiffs to survive summary judgment on the basis of more circumstantial evidence.

The plaintiffs in Friedman alleged that a janitor placed hidden recording devices in a women’s restroom and recorded private activities for six months to a year. The police recovered footage of about eight hours of such illicit surveillance. The plaintiffs, sixty women, sued the janitor and his employer, as well as the owner of the building and the company managing the building. Each plaintiff alleged that she had used that women’s restroom while the hidden camera had been activated.

In discovery, the trial court required each plaintiff to identify one or more images of herself on the recovered recording. Thirty-five of the plaintiffs were unable to do so. As to those plaintiffs, the trial court granted defendants’ summary judgment.

Continue Reading New Jersey Appellate Division allows some video surveillance claims to proceed, even though plaintiffs cannot identify themselves in the recovered recording

Democrat Phil Murphy has been elected as the next Governor of the State of New Jersey. Murphy comes into office with a double-digit victory over departing lieutenant governor Kim Guadagno (R), and the backing of a state legislature controlled by Democrats.  Governor-Elect Murphy, who has never served in elected office, promises to take the Garden State in a new direction.

Among the portions of his platform most likely to be of interest to businesses, Governor-Elect Murphy has committed to:

  1. “Establishing a state-level Consumer Financial Protection Bureau and strengthening existing regulations in light of President Trump’s efforts to roll-back the federal Dodd-Frank Wall Street reform law”;
  2. “Holding bankers accountable by prosecuting financial fraud”;
  3. “Requiring telecom providers and ISPs to seek permission before collecting personal information”;
  4. “Appointing an Attorney General who will enforce consumer protections around data privacy”;
  5. “Improving our state’s existing cybersecurity and other Homeland Security initiatives”; and
  6. “Convening stakeholders in government, industry, and academia to share best practices in cybersecurity and to foster new innovations.”

Continue Reading Businesses Operating in the Garden State Brace For NJ Governor Murphy

On October 18, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) entered into the long simmering debate over consumer-authorized data sharing.  This debate pits mainstream financial institutions, which are typically reticent to share customer data with third parties, against data aggregators and other fintechs.  Those newer companies provide services directly to consumers—or to enhance the consumer experience—and rely on data from mainstream institutions in order to do so.  Both sides are grappling with complex issues surrounding consumer information, including who owns consumers’ financial data, as well as how it can be used, shared, and kept secure.

The CFPB released a set of nine consumer protection principles to address those issues and “help safeguard consumer interests as the consumer-authorized aggregation services market develops.”  While pointedly refusing to ease any existing regulatory burden currently on the banks to ensure safety and privacy, the Bureau has now articulated a yet-to-be fully defined set of requirements for traditional financial institutions to cooperate with demands for openness.  Each consumer right embedded in these requirements implies a financial institution obligation, in some cases with considerable associated cost and operational disruption.

The release follows a November 2016 Request for Information where the CFPB asked stakeholders to weigh in on the challenges consumers face in accessing, using, and securely sharing their financial records.  The CFPB also released a 12-page report that summarized stakeholder insight and informed development of the following principles:
Continue Reading The CFPB Releases Data Sharing Principles, Setting Off A New Round of Controversy

Nearly every state in the United States requires notification when certain personal information is lost, stolen, or misused. However, the many state laws vary in subtle but crucial respects, making it difficult to get to a bottom line quickly. Reed Smith’s Information Technology, Privacy & Data Security practice is thrilled to release a first-of-its-kind tool

This month’s WannaCry ransomware attack is the latest example of how these targeted attacks can cripple operating systems, with the bitcoin payments the price for alleged relief.

In the attack, the WannaCry ransomware computer worm targeted the Microsoft Windows operating system, infecting more than 230,000 computers in 150 countries. The ransomware was allegedly spread through

The Telephone Consumer Protection Act (“TCPA”) applies in many circumstances when companies use an automatic telephone dialing system (or “autodialer”) and/or pre-recorded messages to call consumers. In those situations where the TCPA does apply, the company cannot make the call unless it is an “emergency,” or unless the company has the prior express consent of the called party.  The Federal Communications Commission (“FCC”) has the power to exempt certain categories of calls from the TCPA’s requirements.

The TCPA is vigorously enforced by the FCC and has also been the source of extensive class action litigation, including suits against utilities. Any violation of the TCPA can subject the calling company to statutory damages of $500 to $1,500 per call.  Those statutory damages can quickly add up to millions or tens of millions of dollars in liability.  Given this regulatory framework and potential liability, entities have petitioned the FCC for clarification regarding definitions in the TCPA and the application of the law to certain types of telephone communications.

The Edison Electric Institute and American Gas Association recently filed a petition with the FCC (the “EEI/AGA Petition”), seeking confirmation that “under the TCPA, providing a wireless telephone number to an energy utility constitutes ‘prior express consent’ to receive, at that number, non-telemarketing, informational calls related to the customer’s utility service, which are placed using an autodialer or an artificial or prerecorded voice.” The FCC has previously found that a consumer providing his or her telephone number signifies prior express consent to be called on that number for purposes that relate to the reason the number was provided.  For example, providing a phone number on a credit application signifies prior express consent to be called on that number for purposes related to that credit account.  The EEI/AGA sought clarification that such guidance applied in the context of providing telephone numbers to utility companies.

In a declaratory ruling released August 4, 2016, the FCC granted the EEI/AGA Petition. The FCC found that:  “in the absence of facts supporting a contrary finding, prior to the termination of a customer’s utility service, a customer who provided a wireless telephone number when he or she initially signed up to receive utility service, subsequently supplied the wireless telephone number, or later updated his or her contact information, is deemed to have given prior express consent to be contacted by their utility company for calls that are closely related to the service[.]”

Continue Reading The FCC Clarifies Prior Express Consent Under the TCPA for Calls to Utility Company Customers

It can be a violation of the federal Computer Fraud and Abuse Act (“CFAA”) to “access[] a protected computer without authorization.” The CFAA clearly applies when criminals with no connection to a company try to force their way into information systems.  But in a recent decision a divided panel of the Ninth Circuit found the CFAA can apply even when someone uses a password willingly shared by an authorized user.

In this criminal case, the defendant, David Nosal, had left his employment at Korn/Ferry. Nosal was seeking confidential information on the Korn/Ferry computer system to use at a venture he had started to compete with his previous employer.  Nosal asked his former executive assistant to stay at Korn/Ferry so she could provide access to the systems, and other former employees he was working with borrowed her password to the system and used it to download trade secrets.
Continue Reading Ninth Circuit Rules that CFAA Imposes Criminal Penalties when Terminated Users Try To Access Systems With Borrowed Passwords

Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to