For the second time in less than a year, the 7th Circuit has found standing by plaintiffs seeking class certification for a data breach.
On April 14, 2016, the 7th Circuit issued its opinion in Lewert v. P.F. Chang’s China Bistro, Inc. PF Chang Opinion (7th Circuit April 14, 2016) (01168901xAE57E)
P.F. Chang’s had a credit card breach in 2014 involving 33 restaurants in the Chicago area. Customers affected by the breach sought class certification, which the district court denied on the grounds that plaintiffs had no standing.
The Court of Appeals reversed the lower court, finding that class representatives alleged sufficient harm by way of fraudulent credit card charges, $106 in credit monitoring costs and time monitoring potential identity theft.
This is the second time the 7th Circuit has found standing for data breach claimants, the first being the Neiman Marcus decision issued last summer. Remijas v. Neiman Marcus 7th Circuit Opinion (2015) (01129892xAE57E) P.F. Chang’s tried to distinguish Neiman Marcus because its breach involved only credit cards, so there was no risk of wider identity theft. In rejecting this argument, the court said that it is unknown whether a stolen credit card can lead to identity theft.
Plaintiffs argued that they were damaged in the amount of their meal because they would not have eaten at P.F. Chang’s had they known data security was ineffective. The court’s response was tepid.
Plaintiffs also alleged that their identity has value, just as a stolen car has value. The court responded that the earlier decision finding value in personal identity was limited in scope.
P.F. Chang’s highlights (again) the importance of an insured’s first response to a breach. The fact that Neiman Marcus offered credit monitoring helped persuade the court that the store anticipated harm to its customers. And P.F. Chang’s suggestion that customers monitor credit reports also raised the specter of future
On February 17, Hollywood Presbyterian Medical Center announced that it had paid cyber extortionists a ransom of 40 bitcoins in order to restore control over its systems and administrative functions. While the number might not seem high at first glance, it equates to roughly $17,000. The hospital first noticed malware on its system on February 5, but waited ten days before deciding that payment was the fastest way to regain control of its systems. The hackers had introduced malware into the hospital’s system that encrypted the hospital’s files, making them inaccessible. The FBI is still investigating how the hackers were able to install the malware.
Bitcoin is a completely digital currency that attracts cyber extortionists because bitcoin transactions do not go through any intermediary such as a bank. There is a lower chance that an illegal payment can be tracked. The extortionist usually sets the amount just low enough for the infected entity to consider payment.
While cyber extortion is popular among some criminals in eastern Europe, the Hollywood Presbyterian Medical Center episode is one of the higher profile examples in the U.S. The publicity about the paid ransom may encourage others looking for a fast payout. Cyber experts believe that about 3% of users with infected systems pay ransom.
It is difficult to say whether the rate of cyber extortion incidents will increase in the US. Not all cyber criminals are willing to shut down operations at a facility where access to files can mean the difference between life and death. But the healthcare industry presents an easy target for attacks because its technology is often outdated and electronic medical records are available on laptops and iPads used throughout the hospital and often within easy reach.
Password manager SplashData has announced the 2015 edition of its annual “Worst Passwords List.” As has been the case since 2011, “123456” and “password” remain the most commonly used passwords.
SplashData’s annual report is compiled from more than 2 million leaked passwords during the year from around the globe. Even though some web users are using longer passwords, their simplicity undercuts any security. SplashData recommends a 12-item password with a mix of 5 types of characters.
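The recommendation above can be enforced mechanically at the point where a password is chosen. The following is an added example, not code from SplashData or from this post: a small policy checker that rejects the two entries the post names, enforces the 12-character minimum, and counts character classes. The post does not enumerate the five classes, so the five defined here (lowercase, uppercase, digits, punctuation, space) are an assumption, as is the blocklist, which is constructed from the two passwords named above.

```python
"""Password policy checker (added example; the class list and blocklist are assumptions)."""
import string

# Constructed blocklist: only the two entries the post names as most common.
# A real deployment would load the full leaked-password list instead.
WORST_PASSWORDS = {"123456", "password"}

MIN_LENGTH = 12   # the 12-character minimum recommended in the post
MIN_CLASSES = 5   # "a mix of 5 types of characters"; the classes below are assumed

# Assumed character classes (the post does not list them).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punctuation": set(string.punctuation),
    "space": {" "},
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(c in chars for c in password)
    }


def check_password(password, blocklist=WORST_PASSWORDS,
                   min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    # Case-insensitive blocklist match, so "Password" is rejected as well.
    if password.lower() in blocklist:
        problems.append("appears on the worst-passwords list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = character_classes(password)
    if len(present) < min_classes:
        missing = sorted(set(CHARACTER_CLASSES) - present)
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("123456", "password", "Correct Horse 42!"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Returning a list of reasons rather than a boolean lets the caller tell the user exactly which rule failed, which matters because the post's data shows that length alone is not the problem: simple passwords stay simple even when they get longer.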
So, here’s hoping no one contributing to this list is responsible for nuclear launch codes: Worst Passwords of 2015 (01130454xAE57E)
This year’s Super Bowl is at Levi’s Stadium in Santa Clara, California. Organizers are touting free, open and fast-paced wireless service. According to The Atlantic, the stadium will have 13,000 Wi-Fi access points, about one every 10 feet. (Click here for The Atlantic)
An estimated 100,000 devices are expected to be connected to the stadium network, including devices belonging to high-ranking corporate officials who may be carrying a lot of sensitive data on their iPhones and iPads. The FBI is warning fans not to be tricked into logging on to the wrong wireless network. Other security experts recommend cash payments when buying that beer or foam finger.
Russian hackers are suspected in a cyber attack on a Ukrainian electrical grid, which would be the first time a cyber attack caused a widespread electrical outage. U.S. firm blames Russian ‘Sandworm’ hackers for Ukraine outage.
On December 23, a large swath of Ukraine involving about 700,000 homes was without power for several hours. It would be the first documented case of a cyber attack on an electrical power facility that caused an electrical blackout. The suspected malware is a virus called BlackEnergy. It is believed to have entered the system through a mundane phishing attack on email.
“It is a milestone,” said John Hultquist, director of cyber espionage analysis at iSight Partners. “We’ve definitely seen targeted destructive events against energy before – oil firms for example – but never the event which causes a blackout.”
Attempted cyber attacks on power infrastructures are not a new concern, but a successful one is, even for US power sources that are well defended. Among the many issues raised by such an event is whether the next phase of cyber problems has arrived and will eventually overtake claims for privacy breaches.
Late on December 17, 2015, Houston-based Landry’s Inc. announced a massive, network-wide credit card breach affecting its restaurants. Landry’s owns and operates over 500 restaurants, including well-known chains such as Bubba Gump’s, Rainforest Café, Mastro’s Restaurants, McCormick and Schmick’s, Morton’s Steakhouse and Claim Jumper. According to Krebs on Security, the breach may date back to May 2015 and, in some cases, may be continuing. It is not clear yet how many restaurant chains are affected.
While Landry’s is investigating the scope of the breach (which the company expects could take weeks or months), it believes that the breach exposed data available on the magnetic stripe of credit cards, which includes consumer names, card numbers, expiration dates and verification codes. According to Krebs, banks have detected fraudulent charges. Although Landry’s is implementing an upgraded and more secure payment processing system, it believes that the breach began before the new system’s installation.
From an insurance perspective, what may make this breach different (and worse) is the sheer number of entities under the same corporate umbrella. Unlike the Anthem breach which targeted just Anthem, even though the fall-out reached multiple health plans, the Landry’s breach may involve multiple entities: individual restaurants and chains. If different restaurants and chains qualify as named insureds under a Landry’s policy, then insurers may be looking at a type of aggregation scenario: one insured is actually dozens of insureds, and they all have the same breach. But even if each restaurant has its own policy, they may come after Landry’s as the gateway to the breach.
Under either scenario, insurers will be getting to know the Landry’s breach in 2016.
On October 27, 2015, the U.S. Senate passed by a vote of 74-21 the Cybersecurity Information Sharing Act of 2015 (CISA). The bill allows government agencies and businesses to share information about cybersecurity threats with one another. Shared information is supposed to consist of “threat indicators” such as technical information about the type of malware used or how hackers cover their tracks once they penetrate a system. Bill sponsors say that shared information will help organizations better understand the source and type of attacks and therefore be better able to anticipate and defend against cyber attacks.
Companies are encouraged but not required to share cyber threat information with the Department of Homeland Security, which then shares the information with other companies and government agencies. The bill requires companies and the DHS to scrub an individual’s personal information from the shared data. Participating companies are granted immunity from civil lawsuits brought by customers who sue over the sharing of private data.
The Senate bill was co-sponsored by Senate Intelligence Chair Richard Burr (R-North Carolina) and Vice Chair Sen. Dianne Feinstein (D-California). Although supported by the White House and a wide range of business groups, the Senate bill was opposed by some legislators and technology companies such as Facebook, Google, Apple and Yahoo on the grounds that it provides too much data to government agencies without offering privacy protections for US citizens.
Senate bill 754 must be reconciled with similar legislation passed by the House of Representatives last April. A House-Senate agreement is not expected until 2016. Once signed into law by President Obama, the U.S. Attorney General has 180 days to finalize a plan for collecting and disseminating cyber threat data.
A PDF version of the 118-page bill can be found here: Senate Bill (S. 754) on Cyber Sharing (Passed Oct. 27, 2015) (01082756xAE57E)
Last week I attended the Privacy and Security Forum at George Washington University. Here are a few points to ponder.
• Privacy by design or privacy by default? Functionality requires design. Privacy by default means there is a malfunction.
• In a breach response, “privilege is the playbook.” Privilege determines who does what, when you do it, how you do it and who you share it with.
• In a breach response, proper communication is key, whether it be with the board, customers, insurers, law enforcement or regulators. Companies need to balance communications with running a business even though business instincts may be at odds with a legally sound breach response.
• Why do courts struggle to find harm in massive breach cases? Is it because the consequences of a breach, such as changing passwords, are considered just an inconvenience and not actual harm? Is a data breach too vague because it involves thousands of people with “innocuous” complaints?
• Is the health industry lulled into thinking that its “space” on the privacy spectrum is relatively settled, compared to other industries still sorting out which regulations even apply?
• E-commerce is tailored and targeted. Legal on-line price discrimination occurs when e-merchants adjust prices or display different offers to different users, depending on your browsing history, your device (Mac or PC, desktop or mobile) or your location.
The White House announced today that the US and China have reached a “common understanding” to protect intellectual property, trade secrets and confidential business information from cyber thefts. The parties agreed that neither government will conduct or knowingly support theft of intellectual property in order to gain a competitive advantage. The countries agreed to provide timely responses to requests for information about malicious online activities.
Each nation will designate representatives to discuss cyber theft issues. The US representatives are expected to be from the Department of Homeland Security, the FBI and the Justice Department. No meetings by the group will be held until 2016.
A wide gulf remains between the parties about how to prevent further attacks by China and any U.S. response. No specific breaches were mentioned, including the massive OPM breach which US experts believe was launched from China. The Chinese government has denied any involvement.
Putting aside the salacious details, there is something different about the Ashley Madison hack when compared to other high profile breaches at Anthem or Target.
The Ashley Madison breach revealed secrets that are now known forever. What makes the Ashley Madison attack feel different is that it involved personal and intimate information, disclosed for public shaming, not profit.
Following the recent breach at Ashley Madison, an on-line site dedicated to helping married people find others looking to have an extramarital affair, at least four lawsuits were filed in the US against Ashley Madison’s parent company, Avid Life Media (two in California, one in Texas, and one in Missouri), and at least one in Canada, where Avid Life Media is based. All the suits have been filed by anonymous “Jane” or “John Doe” plaintiffs alleging breach of contract, negligent protection of customer data and violation of various state privacy laws. The lawsuits also allege that the Ashley Madison companies knew that their networks were insecure, which may find support if the recent speculation that the hack was an “inside job” by a disenchanted employee proves to be true.
While the legal allegations are familiar to anyone following data breach lawsuits, there is something different about data that was stolen here. Yes, credit card information was accessed, but the crux of the Ashley Madison hack was to share people’s secrets, specifically the identities of people who anonymously tried to pursue an affair. Ashley Madison promised anonymity but the breach erases that promise. In “hacker speak,” the practice of stealing and publishing private information about someone with malicious intent is known as “doxxing.”
Ashley Madison users, while not the most sympathetic group to experience an invasion of privacy, may be victims of a breach that cuts to the heart of what it means to have “private” information stolen. Credit cards can be replaced, but secrets cannot be unrevealed. It strikes the same chords as a recent “internet of things” story about hackers who could hack a baby monitor and view a sleeping child.
These types of hacks show that there does not have to be a monetary loss in order for the hacking of personal information to make an impact. For companies like Ashley Madison that market their ability to protect secrets and other personal, non-monetary information (i.e. information beyond Social Security and credit card numbers), the loss of goodwill from a breach is potentially more threatening than the cost of replacing stolen credit cards or defending lawsuits. Such companies would be well-served to plan ahead and take extra precautions with their sensitive data.