Data Breaches and Privacy Challenges: A Pandemic Year in Review

As if having to deal with the COVID-19 pandemic was not enough for law firms and clients, this year has seen a striking number of data breaches, privacy-related lawsuits, and government enforcement proceedings, as well as large settlements of new and older claims. Indeed, on December 8, 2020, in perhaps the ultimate 2020 irony, cybersecurity consultant FireEye, Inc., announced that it was itself the victim of a cyber attack by a highly sophisticated state-sponsored attacker that targeted and accessed certain assessment tools that the company uses to test its customers’ security. See https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

The breadth of these cyber incidences reflects more than just the problems of securing work-from-home technology, interference with Zoom conference calls, and system vulnerabilities that existed even before COVID-19. Indeed, they essentially are a 2021 blueprint for the kinds of privacy issues that companies may best be advised to focus on, and that legislators and regulators in New York and elsewhere across the country may seek to address.

Consumer Data

Soon after the year began, the Federal Trade Commission (FTC) reached a settlement highlighting its interest in ensuring that businesses safeguard consumer data.

On January 6, the FTC announced that it settled with a Utah company and its former chief executive officer (CEO) over allegations that the firm failed to put in place reasonable security safeguards, allowing a hacker to access the personal information of more than a million consumers.

The FTC alleged that InfoTrax Systems, L.C., and its former CEO Mark Rawlins failed to use reasonable, low cost, and readily available security protections to safeguard the personal information they maintained on behalf of InfoTrax’s business clients. According to the FTC, as a result of the company’s alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. The hacker accessed consumers’ sensitive personal information, including Social Security numbers, according to the FTC’s complaint.

Under the settlement, InfoTrax and Rawlins were prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified by the FTC. In addition, the settlement required the company and Rawlins to obtain third-party assessments of their companies’ information security programs every two years. See https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlement-utah-company-its-former-ceo-over.

Statutory Compliance

Many laws and regulations, domestic and international, establish privacy standards with which businesses must comply. Another January settlement is an example of the significance of one in particular: the EU-U.S. Privacy Shield, which enables companies to transfer consumer data legally from European Union countries to the United States.

Here, the FTC finalized settlements with five companies over allegations they falsely claimed certification under the EU-U.S. Privacy Shield framework.

In separate actions, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., all falsely asserted in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework. The FTC alleged that LotaData also falsely claimed that it was a certified participant in the Swiss-U.S. Privacy Shield framework, which establishes a data transfer process similar to the EU-U.S. Privacy Shield framework.

In addition, the FTC alleged that EmpiriStat, Inc., falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse, failed to verify annually that statements about its Privacy Shield practices were accurate, and did not affirm it would continue to apply Privacy Shield protections to personal information collected while participating in the program.

Under the settlements, all five companies were prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework or in any other privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization. EmpiriStat also was required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information. See https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlements-five-companies-related-privacy-shield.

In the States

States, including New York, seemed especially active in privacy actions in 2020 – including against well known, household names.

For example, in late September, New York, together with more than three dozen other states and the District of Columbia, reached a settlement with Anthem, Inc., that resolved a massive 2014 data breach that, the states asserted, compromised the personal information of 78.8 million customers nationwide, including more than 4.6 million customers in New York State alone. See https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-395-million-after-anthems-2014-data-breach.

The states contended that the breach gave attackers access to Anthem’s data warehouse, where they harvested names, dates of birth, Social Security numbers, health care identification numbers, home addresses, email addresses, phone numbers, and employment information.

Under the settlement, Anthem agreed to pay $39.5 million in penalties and fees, over $2.7 million of which was for New York. In addition to the payment, Anthem also agreed to make a series of changes to its security protocols, including:

• Prohibiting the misrepresentation of the extent to which Anthem protects the privacy and security of consumers’ personal information;
• Implementing a comprehensive information security program that incorporates principles of zero trust architecture and includes regular security reporting to the board of directors and prompt notice of significant security events to the CEO;
• Setting up specific security requirements with respect to segmentation, logging and monitoring, anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training, among other requirements; and
• Scheduling third-party security assessments and audits for three years, as well as requiring that Anthem make its risk assessments available to a third-party assessor during that term.

The settlement with the states was in addition to the previous class action settlement Anthem reached that established a $115 million fund to pay for additional credit monitoring, cash payments of up to $50 per individual breached, and reimbursement for out-of-pocket losses for affected consumers. (The deadlines for consumers to submit claims under that settlement have passed).

Then, in late November, New York, 45 other states, and the District of Columbia announced that they had reached a settlement with The Home Depot, Inc., resolving an investigation into a massive 2014 data breach that they alleged had compromised the payment card information of approximately 40 million consumers nationwide. As alleged, the breach occurred when hackers gained access to Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. The states and the District of Columbia contended that the malware allowed hackers to obtain the payment card information of customers who used self-checkout lanes at Home Depot stores throughout the United States between April 10, 2014 and September 13, 2014.

The settlement, see https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-175-million-after-data-breach-home-depot, required Home Depot to pay a total of $17.5 million, of which $597,459.80 was specifically for New York. In addition to the payment, Home Depot also agreed to a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. Specifically, it agreed that it would:

• Employ a duly qualified chief information security officer reporting to both senior or C-level executives and the board of directors regarding Home Depot’s security posture and security risks;
• Provide resources necessary to fully implement the company’s information security program;
• Provide appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
• Employ specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
• Undergo a post settlement information security assessment that, in part, will evaluate its implementation of the agreed upon information security program.

Other notable settlements this year were approved by courts in In re Equifax Inc. Customer Data Security Breach Litigation, MDL Docket No. 2800; No. 1:17-md-2800-TWT (N.D. Ga. March 17, 2020) (approving class action settlement resolving claims arising from data breach Equifax announced on September 7, 2017), and In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK (N.D. Cal. July 22, 2020) (approving Yahoo! settlement).

The Twitter Hack

On July 15, Twitter was hacked and approximately 130 Twitter accounts pertaining to politicians, celebrities, and musicians were compromised, including those belonging to Barack Obama, Jeff Bezos, Warren Buffett, Kim Kardashian West, and Elon Musk. Federal authorities subsequently brought criminal charges against three individuals, see https://www.justice.gov/opa/pr/three-individuals-charged-alleged-roles-twitter-hack, alleging that the hackers created a scam bitcoin account, hacked into Twitter VIP accounts, sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then stole the bitcoin that victims deposited into the scam account. According to prosecutors, the scam bitcoin account received more than 400 transfers worth more than $100,000.

New York’s response to the attack was particularly interesting.

After the hack became public, New York Governor Andrew M. Cuomo requested that the New York State Department of Financial Services (DFS) investigate the matter. On October 14, the DFS released the results of its investigation. Specifically, the DFS found in its report, available at https://www.dfs.ny.gov/Twitter_Report, that:

• The hackers accessed Twitter’s systems with a simple technique: by calling Twitter employees and claiming to be from Twitter’s IT department. After the hackers duped four employees into giving them their log-in credentials, they hijacked various Twitter accounts with millions of followers.
• The hackers tweeted simple “double your bitcoin” messages, with a link to send payments in bitcoins.
• Despite being a global social media platform boasting over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection. At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring – some of the core measures required by the DFS’s own cybersecurity regulation.

Significantly, the DFS recommended a new cybersecurity regulatory framework for giant social media companies. It reasoned that the largest social media companies, whose platforms reach millions of people around the world, should be designated as “systemically important institutions” with prudent regulation to manage heightened cybersecurity risk.

Conclusion

Whether the DFS’s recommendation to regulate “systemically important” social media companies will become law remains to be seen, but it is just one example of a trend toward increased privacy regulation. Consider that a large number of bills have been introduced in Congress recently, ranging from the “National Biometric Information Privacy Act of 2020,” available at https://www.congress.gov/bill/116th-congress/senate-bill/4400/text#:~:text=Introduced%20in%20Senate%20(08%2F03%2F2020)&text=To%20regulate%20the%20collection%2C%20retention,information%2C%20and%20for%20other%20purposes.&text=To%20regulate%20the%20collection%2C%20retention,information%2C%20and%20for%20other%20purposes, to the “COVID-19 Consumer Data Protection Act,” available at https://www.congress.gov/bill/116th-congress/senate-bill/3663?q=%7B%22search%22%3A%5B%22COVID-19+Consumer+Data+Protection+Act%22%5D%7D&s=1&r=1, and the “Public Health Emergency Privacy Act,” available at https://www.congress.gov/bill/116th-congress/senate-bill/3749?q=%7B%22search%22%3A%5B%22Public+Health+Emergency+Privacy+Act%22%5D%7D&s=2&r=1.

It would be foolish for businesses to consider that only national or international companies are targeted by bad actors or meant to be regulated by the proposed bills. To the contrary, cyber-attacks on smaller, privately-held companies and non-profits are common and, despite the absence of news reporting, often have devasting effects on those entities. These bills, and the other developments discussed above, all should reinforce the key point of this column: Privacy issues will continue to be top-of-mind in the New Year for government officials, regulators, businesses, and consumers alike.

Reprinted with permission from the December 14, 2020 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.