We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines.
Cyber Security and Higher Education
New this year at the NetDiligence® Cyber Risk & Privacy Liability Conference in Philadelphia: NetDiligence and Drexel University are hosting a round table discussion on the training necessary to support continued cyber security education for insurance, legal, and security professionals. Join Drexel University College of Computing & Informatics Dean Yi Deng and Thomas R. Kline School of Law Dean Daniel M. Filler for this timely discussion. Click here to download more information.
Investors in The Home Depot Inc. struck a deal to end their shareholder derivative suit against members of the retailer’s board of directors over a 2014 customer data breach, according to a proposed settlement filed in Georgia federal court Friday. Click to read entire article.
The U.S. Securities and Exchange Commission has yet to lodge a formal enforcement action against a public company for failing to report cyber incidents and risks, but that could change soon, the agency’s acting enforcement chief warned Thursday, adding that she could “absolutely” envision circumstances where one would be necessary. Click to read entire article.
A class-action lawsuit has been filed against headphone maker Bose, alleging that the company’s smartphone app spies on people and collects their data without consent. Click to read entire article.
A putative class action filed in Florida federal court alleges that national telehealth provider MDLive Inc. has designed its mobile app to secretly capture screenshots including sensitive patient information that it transmitted and stored without restricting access to medical providers with a legitimate need to see it. Click to read entire article.
More than a million American students had their information exposed this month in a data breach at a California-based company that offers data services to kindergarten through 12th-grade schools. A student data warehouse platform, Schoolzilla first acknowledged the breach on April 12 in a message on its website, informing customers: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.” Click to read entire article.
CardioNet, a company which provides wireless health services for heart patients, will pay $2.5 million to settle claims that it violated the Health Insurance Portability and Accountability Act by not properly protecting patients’ electronic health information. Click to read entire article.
A lawsuit filed in Florida alleges that a healthcare app committed patient privacy violations by sending individuals’ health data to a third-party. Click to read entire article.
More than 4,000 clients of a Bangor mental health provider may have had their personal information stolen through a data breach last month. A spokesman for Behavioral Health Center, David Farmer, says the compromised data includes Social Security numbers and notes on services they received. Click to read entire article.
Providence, R.I.-based Lifespan, the state’s first health system, is notifying patients about a theft of an employee’s laptop that may have contained sensitive patient information. Click to read entire article.
On February 20, 2017, Atlantic Digestive Specialists (“ADS”) discovered that some of its systems were infected with ransomware. Click to read entire article.
Home Depot accidentally posted spreadsheets on its website for an unknown amount of time which listed about 8,000 customers’ personal information. Click to read entire article.
Chipotle said in a statement that it recently detected unauthorized activity on the network that supports payment processing. Click to read entire article.
Online retailers Showpo and Black Swallow have settled their data breach dispute, after Showpo alleged one of its former graphic designers downloaded the company’s entire customer database and passed it on to her new employers at Black Swallow. Click to read entire article.
On Saturday, the hacking group The Dark Overlord followed through with threats to release 10 of 13 new Orange Is the New Black episodes that it had in its possession after Netflix failed to pay a ransom. Click to read entire article.
Video game giant GameStop Corp. says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity. Click to read entire article.
In an April 13, 2017 decision in Walters v. Kimpton Hotel a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year. Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused. Click to read entire article.
In February, the hotel chain parent company, which includes brands such as Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels and Resorts, among others, admitted to a data breach first discovered in late December last year. Click to read entire article.
A data breach at an online futures trading brokerage left exposed thousands of files, including credit reports, passport scans, and customer chat logs. The leak, now secured, was identified and reported by Chris Vickery of the Kromtech Security Research Team. It was caused by a misconfigured backup device managed by a third-party IT vendor. …Vickery reported that about 70GB of data had been sitting on the open web, consisting of roughly 97,000 files. Click to read entire article.
When Scottrade Bank recently confirmed a data breach that exposed nonpublic information of 20,000 consumer and business customers, it did something unusual. Instead of offering no explanation or a vague description of what happened, waiting for a full investigation to reveal the details, the St. Louis bank immediately pointed the finger at one of its vendors. “On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place,” the bank said in a statement late last week. “As a result, the data was not fully secured for a period of time.” Click to read entire article.
Officials with California’s public health department have said that data on dozens of people who rely on the state’s AIDS Drug Assistance Program was breached. Click to read entire article.
Joseph Facciponti and Joseph Moreno discuss the potential for regulatory and civil liability for corporations in the aftermath of a data breach. Click to read entire article.
On March 21, 2017, the Attorney General (“AG”) of New York, Eric T. Schneiderman, announced that his office received a record number of data breach notices in 2016. The total number of breach notifications received by the AG’s office was nearly 1,300. Click to read entire article.
While some numbers have shifted, a Verizon researcher says that, year-over-year, little has actually changed and the same types of attacks continue to be successful. Click to read entire article.
As of April 11, the number of breaches captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center totals 431, an increase of 37.3% over last year’s record pace. Click to read entire article.
…it is a distributed, immutable database that is autonomously managed without the need for a trusted third party. This makes it the ideal candidate for a variety of data security applications and the information security world has already begun to take notice. Click to read entire article.
Over half (58%) of businesses have sought information, advice or guidance on the cyber security threats facing their organisations over the past year, mainly from external security or IT consultants (32%) as well as via online searches (10%). Click to read entire article.
Payday lender Wonga has advised 270,000 customers of a data breach and offered inconsistent advice about the severity of the incident and how to respond. Click to read entire article.
Digital identities of more than a million citizens had been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. Click to read entire article.
Singapore’s privacy watchdog has fined India-based Tech Mahindra $10,000 for failing to protect the personal details of 2.78 million Singtel customers from unauthorised changes, which inadvertently caused the personal data of one customer to be leaked online. Click to read entire article.
Details emerge of how the money was retrieved from accounts in four different countries after government intervention. Click to read entire article.
As many as 500,000 Australian websites were rendered inaccessible for up to 90 minutes on Thursday morning, after Melbourne IT’s domain name system servers NetRegistry and TPP Wholesale suffered a cyberattack. Click to read entire article.
The official implementation of the Protection of Personal Information Act (POPIA) is set to cause a massive shake up in the relationship between companies and their customers, as South African businesses will soon be legally obligated to notify of a data breach. Click to read entire article.