We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: class actions against social media giants, big breaches in healthcare, the ABA’s formal opinion on lawyers’ obligations before and after a data breach, Gemalto’s global breach stats for the first half of 2018, increased liability for UK employers, and more.

RETAIL
Nordstrom data breach exposes employee information

The Seattle Times reported that worker names, Social Security numbers, dates of birth, checking account and routing numbers, salaries and additional information are included in the breach notification, which is being sent by email or being personally delivered by the retailer’s managers.

HEALTHCARE
ERS Online Coding Error Exposes 1.25M Users to Health Data Breach

The Employee Retirement System (ERS) of Texas reported to OCR on Oct. 15 that information on potentially 1.25 million people may have been exposed in a health data breach.

Bankers Life Data Breach Exposes 566,127 People

On October 25, Fortune 1000 company CNO Financial Group, Inc. submitted a report to the Office for Civil Rights’ Breach Portal at the U.S. Department of Health and Human Services. The report revealed that the personally identifiable information of 566,127 people was accessed by an unauthorized party through a subsidiary of CNO, Bankers Life.

42,000 customers affected by Health First data breach

Health First officials told FLORIDA TODAY on Monday the data breached was fairly low-level, though it could have included some customers’ Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates.

—VENDOR CAUSED—
Huntsville Hospital vendor reports data breach

“Regrettably, we’ve learned that Jobscience, Inc., the vendor which we’ve used for online employment application services since 2006, had a data breach which may have involved information from individuals who applied for jobs at Huntsville Hospital. Because of this, notification letters are being sent to the affected persons.”

FINANCIAL SERVICES
HSBC hit with data breach in the US

London-headquartered HSBC has confirmed that online bank accounts of its customers in the US were illegally accessed about a month ago, with possibly compromised data including account numbers and transaction history.

TECH & SOCIAL MEDIA
Colorado law firm files class action lawsuit against Facebook over security breach

Two people from Colorado have joined a federal class action lawsuit against Facebook over its September security breach, according to a news release from Franklin D. Azar & Associates. Azar filed the lawsuit on Oct. 11 and is asking Facebook for damages and to provide credit monitoring services to the 30 million people impacted.

Class Action Lawsuit Filed Against Eventbrite Following Ticketfly Data Breach

According to a suit filed in Illinois’ Cook County Superior Court, Eventbrite “failed to prevent, detect, or otherwise act in a reasonable manner or within a reasonable time.” As a result, customers’ confidential information was placed at risk.

Google Didn’t Reveal Security Bug For Months, ‘Wall Street Journal’ Reports

Google is shutting down its consumer version of Google Plus, its social network that some saw as its answer to Facebook. This comes after a flaw was discovered that might have exposed personal information of hundreds of thousands of customers. According to The Wall Street Journal, that flaw was discovered in March, but the company decided not to disclose it.

PUBLIC ENTITIES
New York County Cyberattack Prompts State CIRT Response

Otsego County and Cyber Incident Response Team officials identified a remote server in a county employee’s home as the source of the breach and believe cryptominers are behind the attack.

—VENDOR CAUSED—
City of St. Petersburg announces data security breach involving residents’ credit card information

The City of St. Petersburg announced a data breach on Tuesday that involved customers’ credit card information. According to city officials, the City of St. Petersburg utilizes a third-party software product called Click2Gov to provide customers with the ability to pay utility bills, parking tickets, business licenses, building permits, and civil citations online via the Internet.

AIRLINES
Thousands more British Airways customers hit in data breach

British Airways has revealed that the data breach that hit the company earlier this year may have affected far more customers than initially thought after discovering an additional issue. The airline has said that a further 185,000 customers may have had personal details such as payment card numbers stolen in the attack earlier this year.

PROFESSIONAL SERVICES
The ABA Says Lawyers Have Obligations Before and After a Data Breach

…Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches.

CYBER RISK STUDIES
Data breaches compromise 3.3 billion records in first half of 2018

Gemalto has released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 944 data breaches led to 3.2 billion data records being compromised worldwide in the first half of 2018.

CANADA
Federation of Sovereign Indigenous Nations pays hacker $20K in bitcoin after massive data breach, sources say

The Federation of Sovereign Indigenous Nations recently paid more than $20,000 to an anonymous hacker who breached its computer system, CBC News has learned. The revelation surfaces as hundreds of delegates gather in Saskatoon on Wednesday and Thursday to elect a new FSIN chief and two vice-chiefs.

Ontario Cannabis Store Data Breach Affects 4,500 Customers

In a privacy update on its site, the Ontario Cannabis Store said the breach affected about 2 percent of its customer orders, or 4,500 customers. Canada Post said customers’ information was accessed by someone using its delivery tracking tool.

Vancouver-based Burgerville hit by data breach

Burgerville announced… that its network had been hit by a cybersecurity breach that may have resulted in customers’ credit and debit card information being compromised, including names, card numbers, expiration dates and three-digit CVV numbers.

EUROPE / UK
Data breach compromises 64,000 Tomorrowland festival attendees

Threat actors managed to access the information of 64,000 Tomorrowland festival-goers who attended the 2014 event in Boom, Antwerp, Belgium.

Vicarious liability in the data breach context – bad news for UK employers?

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.

ASIA / PACIFIC
Securities regulator should look into Cathay Pacific data leak case

The data breach has affected 9.4 million customers and caused a war of words between the former and current privacy commissioner.