Privacy & Information Security Law Blog

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.

On November 23, 2023, the UK government’s National Cyber Security Centre (“NCSC”) and the Republic of Korea’s National Intelligence Service (“NIS”) issued a joint advisory detailing techniques and tactics used by cyber actors linked to the Democratic People’s Republic of Korea (“DPRK”) that are carrying out software supply chain attacks. The publication follows the recent announcement of a new Strategic Cyber Partnership between the UK and the Republic of Korea where the two nations have committed to work together to tackle common cyber threats.

On December 20, 2022, the English High Court has granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant's identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach. 

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On January 5, 2022, the New York Office of the Attorney General (“NY AG”) announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks,” (the “Guide”) detailing the attacks and providing tips for businesses to protect themselves.

On November 8, 2021, law enforcement agencies in both the United States and European Union announced that a series of actions, including a number of arrests, were taken against the Russia-linked ransomware group, “REvil.” The U.S. Department of Justice (the “DOJ”) unsealed documents relating to an August indictment against two individuals in Dallas for alleged involvement in REvil ransomware attacks against several U.S. businesses. The European authorities, Europol, also announced that police in Romania and South Korea had arrested five people alleged to be REvil affiliates.

On September 1, 2021, the Federal Trade Commission banned Support King, LLC, the operator of SpyFone.com (“SpyFone”), and its CEO, Scott Zuckerman, from offering, promoting, selling or advertising any surveillance app, service or business. The FTC alleged SpyFone allowed purchasers to illegally surveil other individuals by surreptitiously monitoring a device user’s activity without the device user’s knowledge. The FTC also alleged that SpyFone failed to safeguard such illegally harvested personal information by failing to put in place basic security measures.

On July 30, 2021, the UK High Court handed down its judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), determining that the claimant could not seek damages on the basis of misuse of personal information, breach of confidence or common law negligence following a data breach.

On April 13, 2021, the U.S. Department of Justice (“DOJ”) announced that the Federal Bureau of Investigation (“FBI”) executed a court-authorized removal of malicious web shells from hundreds of vulnerable computers in the U.S.

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

On February 8, 2021, Pinellas County, Florida officials announced that a hacker had remotely gained access to the City of Oldsmar's water treatment system on two separate occasions and was able to change the setting for sodium hydroxide in the water supply. The incident highlights the danger to local government information systems and the dangers of remote access vulnerabilities.

On January 12, 2021, in Wengui v. Clark Hill, PLC, et al., the United States District Court for the District of Columbia rejected a law firm defendant’s assertions of the attorney-client privilege and work product doctrine for forensic reporting and other related information associated with its outside counsel’s data breach investigation.

On November 13, 2020, the UK Information Commissioner’s Office (“ICO”) fined Ticketmaster UK Limited (“Ticketmaster”) £1.25 million for failing to keep its customers’ personal data secure. The ICO found that Ticketmaster had failed to implement appropriate security measures to prevent a cyber attack, breaching the requirements of Articles 5(1)(f) and 32 of the EU General Data Protection Regulation (“GDPR”). The ICO acted as the lead supervisory authority with regard to the cross-border processing affected by this breach, and the penalty has been approved by the other EU data protection authorities through the GDPR’s cooperation process. Ticketmaster has indicated that it will appeal the fine.

On October 30, 2020, the UK Information Commissioner’s Office (“ICO”) announced its fine of £18.4 (approximately $23.9 million) issued to Marriott International, Inc., (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99,200,396 (approximately $124 million) announced by the ICO in July 2019. The ICO’s fine only relates to the breach from the point at which the GDPR came into force in May 2018, and is the second largest fine levied by the ICO thus far under the GDPR. Marriott has not admitted liability for the breach, but has indicated that it does not plan to appeal.

On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.

In the final segment of an S4x20 video on Cybersecurity Law and Governance, Lisa Sotto, Chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, explains what effective cybersecurity oversight looks like for a company board of directors. While boards may have paid lip service to cyber risk a decade ago, they moved the issue to the top of their radar screen in the wake of CEO terminations resulting from cyber attacks. Sotto addresses responsible oversight by boards and offers best practice recommendations for preparedness efforts. She warns that boards that ignore ...

In Part 1 of an S4x20 video on Cybersecurity Law and Governance, Lisa Sotto, Chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, speaks to cyber risk as one of the top risk issues for senior executives in the current digital landscape.

Update: We are monitoring the COVID-19 situation and, like many of you, re-assessing our in-person gatherings and events over the next few months. As an immediate step, we have decided to postpone our London Breakfast Meeting and will circulate details of a webinar on this topic shortly. We thank you for your understanding.

On March 17, 2020, Hunton Andrews Kurth LLP will host a breakfast briefing in our London office, with guest speakers from Deloitte’s Cyber Breach Support team, to explore UK and EU cyber enforcement trends and discuss the current cybersecurity threat environment. In the face of record-breaking fines handed out by the regulators, securing networks, hardening systems, and protecting data from cyber attacks is becoming ever more critical. Understanding common cyber threats, including the attack vectors, how they work, and how they can be detected, is key to working with IT security colleagues to protect an organization from cyber attacks and respond to incidents.

In the final part of our Never Stop Learning podcast series, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss practical solutions in preparing for a cyber incident.

In part two of our podcast by Never Stop Learning, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss the fragmented nature of data security law in the U.S. and abroad. Sotto notes that the “patchwork quilt of regulation” in the U.S. regarding data security makes it difficult for companies to know what rules to implement. She stresses that the severity of cyber attacks has increased significantly over the past decade.

In a recent podcast by Never Stop Learning, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss “Cybersecurity: How Concerned Should We Be?” As threats from cyber attacks continue to grow in both scope and complexity, it is imperative for companies and individuals alike to have a better understanding of cyber threats and the risks involved. We have broken down the podcast into a three-part series to help highlight the key themes.

On July 22, 2019, the Federal Trade Commission announced that Equifax Inc. (“Equifax”) agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement agreement with the FTC, the Consumer Financial Protection Bureau (“CFPB”), and 48 U.S. states and territories to resolve investigations into the colossal data breach the company suffered in 2017. This is the largest data breach settlement in U.S. history.

On July 11, 2019, Washington Attorney General Bob Ferguson announced that his office had entered into a consent decree and $10 million settlement with Premera Blue Cross (“Premera”) that stems from a 2014-2015 breach that affected more than 11 million individuals. The settlement, which includes a payment of roughly $5.4 million to Washington state and $4.6 million to a coalition of 29 other state Attorneys General (the “Multistate AGs”), is one of the largest ever for a breach involving protected health information (“PHI”) and comes just one month after another notable HIPAA settlement involving a similar coalition of state AGs.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

Hundreds of contractors and subcontractors with connections to U.S. electric utilities and government agencies have been hacked, according to a recent report by the Wall Street Journal. The U.S. government has linked the hackers to a Russian state-sponsored group, sometimes called Dragonfly or Energetic Bear. The U.S. government alerted the public that the hacking campaign started in March 2016, if not earlier, although many of its victims were unaware of the incident until notified by the Federal Bureau of Investigation and Department of Homeland Security, the Wall Street Journal reports.

On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach.

The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Health Care Industry Cybersecurity Task Force (the “Task Force”) have published important materials addressing cybersecurity in the health care industry.

On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.

On July 25, 2016, Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was interviewed on KUCI 88.9 FM radio’s Privacy Piracy show. Lisa discussed the changing regulatory landscape, information security enforcement actions, the threat actors who attack companies’ data and how to manage the aftermath of a data breach. “There is no industry sector that is exempt [from being targeted],” Lisa says. She notes that, because “data can be sold for a monetary sum, data is now the equivalent of cash.”

Listen to the full interview.

On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwanese-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.

On August 24, 2015, the United States Court of Appeals for the Third Circuit issued its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation (“Wyndham”), affirming a district court holding that the Federal Trade Commission has the authority to regulate companies’ data security practices.

Last week, the Cybersecurity Unit of the U.S. Department of Justice (the “Justice Department”) released a guidance document, entitled Best Practices for Victim Response and Reporting of Cyber Incidents (“Guidance”), discussing best practices for cyber incident response preparedness based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The Guidance is intended to assist organizations with preparing to respond to a cyber incident, and emphasizes that that the best time to plan a cyber response strategy is before an incident occurs. The Justice Department drafted the Guidance with smaller, less-experienced organizations in mind, but also believes that larger organizations may benefit from its summary of best practices.

On March 3, 2015, the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. (“Wyndham”) on whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act.

On October 8, 2014, the Department of Homeland Security reported that over the course of several months, the network of a large critical manufacturing company was compromised. According to the ICS-CERT Monitor, the compromised company is a conglomerate that acquired multiple organizations in recent years, resulting in multiple corporate networks being merged. The Department of Homeland Security concluded that these mergers introduced latent weaknesses into the company’s network, allowing hackers to go largely undetected for a significant period of time.

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

An Israeli security firm recently uncovered a hacking operation that had been active for more than a decade. Over that period, hackers breached government servers, banks and corporations in Germany, Switzerland and Austria by using over 800 phony front companies (which all had the same IP address) to deliver unique malware to victims’ systems. The hackers purchased digital security certificates for each phony company to make the sites appear legitimate to visitors. Data reportedly stolen included studies on biological warfare and nuclear physics, plans for key infrastructure, and bank account and credit card data.

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

The recently publicized Secure Sockets Layer (“SSL”) bug affecting Apple Inc. products raises a question regarding insurance coverage that is likely to become increasingly relevant as “The Internet of Things” expands. Specifically, on certain devices, the code used to set SSL connections contains an extra line that causes the program to skip a critical verification step. Consequently, unless a security patch is downloaded, when these devices are used on shared wireless networks they are subject to so-called “man-in-the-middle” security attacks and other serious security risks. Assuming that sellers of such devices may be held liable for damages, there may be questions about insurance to cover the risks.

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

Insurers often contend that traditional policies do not cover cyber risks, such as malware attacks and data breach events. They argue that these risks are not “physical risks” or “physical injury to tangible property.” A recent cyber attack involving ATMs, however, calls this line of reasoning into question.

The scale of some recent cyber events has been extraordinary. Target reports that 70 million people (almost 25% of the U.S. population) were affected by its recent breach. CNN recently reported that in South Korea there was a breach that affected 40% of its citizens. The staggering impact of these events is leading companies to seek protection through both technology and financial products, such as insurance. Insurers typically attempt to avoid this sort of enormous exposure with terrorism exclusions, and it is reasonable to expect aggressive insurers to rely upon such exclusions ...

On June 5, 2013, the United States District Court for the Northern District of Ohio denied an employer’s motion to dismiss, holding that the Stored Communications Act (“SCA”) can apply when an employer reads a former employee’s personal emails on a company-issued mobile device that was returned when the employment relationship terminated. The defendants, Verizon Wireless (“Verizon”) and the manager who allegedly read the plaintiff’s emails, argued that the SCA applies only to computer hacking scenarios, and that the plaintiff authorized the reading of her personal emails. The court rejected both of the arguments, finding:

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation's (“Ceridian's") customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.

In December 2009, a hacker may have gained access to personal and financial information of Ceridian’s customers, including names, addresses, Social Security numbers, dates of birth and bank account information. Although it is not known if the hacker read, copied or understood the data, Ceridian sent notification letters to affected individuals informing them of the breach and offering to provide one year of complimentary credit monitoring and identity theft protection.

On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information.  According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”

On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network.  Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.”  Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

BBC News is reporting that privacy was a major topic at this year’s Hackers on Planet Earth (“HOPE”) conference that was held in New York in July.  Participants spoke to the BBC about privacy vulnerabilities that they have discovered on various Internet sites.  For example, one participant discussed how GPS data embedded in digital photos users post online, combined with other information available in the photos and on the Internet, may reveal the exact locations where the users work, live and travel, as well as users’ real-time locations.  Participants explained that their ...

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

News last week that Chinese and Russian hackers had infiltrated the U.S. electrical power grid gave practical significance to already high-profile issues in Washington -- how better to secure the nation’s cyber-infrastructure.  Late in 2008, the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency (the Commission) released a report citing the U.S.’s failure to protect cyberspace as “one of the most urgent national security problems” facing the Obama administration.  The failure threatens the safety and well-being of the United States and its allies and raises immediate risks for the economy.  In a global economy, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts the U.S. at a disadvantage.  When Chinese and Russian intruders apparently left software on networks supporting the U.S. power grid that could be used to compromise electric and water systems, the warnings of the Commission proved true in a real-world way.