We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.


Cyber Security and Higher Education

New this year at the NetDiligence® Cyber Risk & Privacy Liability Conference in Philadelphia: NetDiligence and Drexel University are hosting a round table discussion on the training necessary to support continued cyber security education for insurance, legal, and security professionals. Join Drexel University College of Computing & Informatics Dean Yi Deng and Thomas R. Kline School of Law Dean Daniel M. Filler for this timely discussion. Click here to download more information.


D&O CLASS ACTION
Home Depot Settles Investor Suit Over Data Breach

Investors in The Home Depot Inc. struck a deal to end their shareholder derivative suit against members of the retailer’s board of directors over a 2014 customer data breach, according to a proposed settlement filed in Georgia federal court Friday. Click to read entire article.

SEC Suits Over Cyber Reporting Could Be On Horizon

The U.S. Securities and Exchange Commission has yet to lodge a formal enforcement action against a public company for failing to report cyber incidents and risks, but that could change soon, the agency’s acting enforcement chief warned Thursday, adding that she could “absolutely” envision circumstances where one would be necessary. Click to read entire article.

PRIVACY ETHICS / WRONGFUL DATA COLLECTION
—CLASS ACTION LAWSUIT ALERT—
Bose Gets Hit with Privacy Breach Lawsuit

Headphone maker Bose has had a class-action lawsuit filed against them, alleging that the company’s smartphone app spies on people and collects their data without consent. Click to read entire article.

—CLASS ACTION LAWSUIT ALERT—
Patients Say Telehealth Provider Wrongly Shared Their Data

A putative class action filed in Florida federal court alleges that national telehealth provider MDLive Inc. has designed its mobile app to secretly capture screenshots including sensitive patient information that it transmitted and stored without restricting access to medical providers with a legitimate need to see it. Click to read entire article.

K-12 EDUCATION
—VENDOR CAUSED—
1.3 million K-12 students exposed by now-secured data breach

More than a million American students had their information exposed this month in a data breach at a California-based company that offers data services to kindergarten through 12th-grade schools. A student data warehouse platform, Schoolzilla first acknowledged the breach on April 12 in a message on its website, informing customers: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.” Click to read entire article.

HEALTHCARE
—SETTLEMENT ALERT—
Wireless Health Co. Strikes $2.5M HIPAA Deal

CardioNet, a company which provides wireless health services for heart patients, will pay $2.5 million to settle claims that it violated the Health Insurance Portability and Accountability Act by not properly protecting patients’ electronic health information. Click to read entire article.

—MOBILE APP RISK—
MDLive Lawsuit Claims Patient Data Privacy Violations

A lawsuit filed in Florida alleges that a healthcare app committed patient privacy violations by sending individuals’ health data to a third party. Click to read entire article.

Bangor Mental Health Provider Details Extent of Hackers’ Data Breach

More than 4,000 clients of a Bangor mental health provider may have had their personal information stolen through a data breach last month. A spokesman for Behavioral Health Center, David Farmer, says the compromised data includes Social Security numbers and notes on services they received. Click to read entire article.

Rhode Island’s Lifespan Informs 20k Patients of Data Breach

Providence, R.I.-based Lifespan, the state’s first health system, is notifying patients about a theft of an employee’s laptop that may have contained sensitive patient information. Click to read entire article.

Atlantic Digestive Specialists, Notice of Data Breach

On February 20, 2017, Atlantic Digestive Specialists (“ADS”) discovered that some of its systems were infected with ransomware. Click to read entire article.

RETAIL
Up to 8,000 Home Depot shoppers’ private data at risk after the company posts spreadsheets on its website

Home Depot accidentally posted spreadsheets on its website for an unknown amount of time which listed about 8,000 customers’ personal information. Click to read entire article.

Check your bank statements: Chipotle investigating data breach

Chipotle said in a statement that it recently detected unauthorized activity on the network that supports payment processing. Click to read entire article.

Showpo settles data ‘theft’ allegations against Black Swallow for $60,000

Online retailers Showpo and Black Swallow have settled their data breach dispute, after Showpo alleged one of its former graphic designers downloaded the company’s entire customer database and passed it on to her new employers at Black Swallow. Click to read entire article.

MEDIA / ENTERTAINMENT
Hackers leak 10 new Orange Is the New Black episodes after Netflix fails to pay ransom

On Saturday, the hacking group The Dark Overlord followed through with threats to release 10 of 13 new Orange Is the New Black episodes that it had in its possession after Netflix failed to pay a ransom. Click to read entire article.

ONLINE GAMES
Gamestop.com Investigating Possible Breach

Video game giant GameStop Corp. says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity. Click to read entire article.

HOSPITALITY
Data Breach Lawsuit Survives Motion to Dismiss

In an April 13, 2017 decision in Walters v. Kimpton Hotel, a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year. Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused. Click to read entire article.

InterContinental data breach expands from 12 to 1,200 hotels

In February, the hotel chain parent company, which includes brands such as Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels and Resorts, among others, admitted to a data breach first discovered in late December last year. Click to read entire article.

FINANCIAL SERVICES
Data breach at online trading firm exposed customer credit reports, Social Security numbers

A data breach at an online futures trading brokerage left exposed thousands of files, including credit reports, passport scans, and customer chat logs. The leak, now secured, was identified and reported by Chris Vickery of the Kromtech Security Research Team. It was caused by a misconfigured backup device managed by a third-party IT vendor. …Vickery reported that about 70GB of data had been sitting on the open web, consisting of roughly 97,000 files. Click to read entire article.

—VENDOR CAUSED—
Scottrade Bank’s breach underlines third-party vendor risk

When Scottrade Bank recently confirmed a data breach that exposed nonpublic information of 20,000 consumer and business customers, it did something unusual. Instead of offering no explanation or a vague description of what happened, waiting for a full investigation to reveal the details, the St. Louis bank immediately pointed the finger at one of its vendors. “On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place,” the bank said in a statement late last week. “As a result, the data was not fully secured for a period of time.” Click to read entire article.

PUBLIC ENTITY
CA agency reports ADAP data breach

Officials with California’s public health department have said that data on dozens of people who rely on the state’s AIDS Drug Assistance Program was breached. Click to read entire article.

LEGAL & CYBER LIABILITY – AN OVERVIEW
So You’ve Been Hacked: The Changing Landscape of Post-Data Breach Liability

Joseph Facciponti and Joseph Moreno discuss the potential for regulatory and civil liability for corporations in the aftermath of a data breach. Click to read entire article.

New York Tallies A Record-Breaking Number Of Data Breach Notices

On March 21, 2017, the Attorney General (“AG”) of New York, Eric T. Schneiderman, announced that his office received a record number of data breach notices in 2016. The total number of breach notifications received by the AG’s office was nearly 1,300. Click to read entire article.

CYBERSECURITY RISK STUDIES
Verizon Data Breach Investigations Report Reveals Ransomware Surge

While some numbers have shifted, a Verizon researcher says that, year-over-year, little has actually changed and the same types of attacks continue to be successful. Click to read entire article.

Breaches Continue to Surpass 2016’s Record Pace

As of April 11, the total number of breaches captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center now totals 431, an increase of 37.3% over last year’s record pace. Click to read entire article.

EMERGING SECURITY ISSUES
Mega Data Breaches Could Drive the Blockchain Revolution

…it is a distributed, immutable database that is autonomously managed without the need for a trusted third party. This makes it the ideal candidate for a variety of data security applications and the information security world has already begun to take notice. Click to read entire article.

EUROPE / UK
Government: Half Of UK Businesses Suffered Security Breach Last Year

Over half (58%) of businesses have sought information, advice or guidance on the cyber security threats facing their organisations over the past year, mainly from external security or IT consultants (32%) as well as via online searches (10%). Click to read entire article.

Payday lender Wonga admits to data breach

Payday lender Wonga has advised 270,000 customers of a data breach and offered inconsistent advice about the severity of the incident and how to respond. Click to read entire article.

ASIA / PACIFIC
Days after Jharkhand breach, govt websites continue to bleed Aadhaar data

Digital identities of more than a million citizens had been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. Click to read entire article.

Singtel vendor fined $10k for data breach

Singapore’s privacy watchdog has fined India-based Tech Mahindra $10,000 for failing to protect the personal details of 2.78 million Singtel customers from unauthorised changes, which inadvertently caused the personal data of one customer to be leaked online. Click to read entire article.

Hacked: How $171 mn stolen from Union Bank was recovered

Details emerge of how the money was retrieved from accounts in four different countries after government intervention. Click to read entire article.

Melbourne IT suffer denial-of-service attack, thousands of websites inaccessible

As many as 500,000 Australian websites were rendered inaccessible for up to 90 minutes on Thursday morning, after Melbourne IT’s domain name system servers NetRegistry and TPP Wholesale suffered a cyberattack. Click to read entire article.

SOUTH AFRICA
SA companies will soon be forced to tell customers of a data breach by law

The official implementation of the Protection of Personal Information Act (POPIA) is set to cause a massive shake up in the relationship between companies and their customers, as South African businesses will soon be legally obligated to notify of a data breach. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services