What's trending in data privacy & security

August 8, 2014

We’re looking ahead on all fronts in data privacy and security. The largest cybertheft of Internet
passwords ever—1.2 billion unique e-mail and password credentials—was announced this week,
affecting masses of individuals and companies. Are you one of the victims? Also, New Hampshire
businesses, you have until September 30 to ensure compliance with your state’s new social media
law. Here’s a round-up of the latest news.

Data Breach

Russian gang pulls off largest cybertheft ever

Hold Security, a security firm that performs deep web monitoring and other services, announced
on August 5, 2014, that a Russian gang, dubbed CyberVor, has successfully stolen 1.2 billion unique
e-mail and password credentials of individuals and companies. It is believed that this is the largest
cybertheft of Internet passwords to date.
To pull this off, CyberVor injected malicious code into over 420,000 websites and FTP sites. It
amassed 4.5 billion records, which translated into 1.2 billion unique e-mail and password pairs.
According to Hold Security, this cyber gang has possession of “the largest cache of stolen data” to
date. Hold Security is offering to let individuals and companies know if their e-mails and passwords
were compromised by registering at HoldSecurity.com.
Security experts are advising individuals to change their passwords, avoid reusing the same
password across multiple sites, and use complex passwords.—Linn Foster Freedman

P.F. Chang’s announces more details about data breach, affecting over 33 restaurant
locations; Jimmy John’s also investigating data breach

We reported a few weeks ago that the P.F. Chang’s China Bistro (“P.F. Chang’s”) restaurant chain
confirmed a data breach of its customers’ financial information but had not yet determined the
scope of the breach. On August 4, 2014, only a few weeks later, P.F. Chang’s confirmed that the
breach affected more than 33 restaurant locations between October 19, 2013 and June 11, 2014;
however, the number of affected customers has yet to be determined. P.F. Chang’s has confirmed
that credit and debit card numbers, names and expiration dates were compromised over that
eight-month period. P.F. Chang’s has been strongly advising its customers to review their financial
statements and report any fraudulent activity. The restaurant chain has also added some helpful
information to its website.

This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed
as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered
advertising under certain rules of professional conduct. Copyright © 2014 Nixon Peabody LLP. All rights reserved.

Earlier this week, on August 1, 2014, Jimmy John’s, another restaurant chain, announced its
investigation into a potential data breach of customer data including credit card information. With
more than 1,900 locations in 43 states, this breach could affect a great number of individuals across
the United States. The breach has reportedly been tied to “card-present” fraudulent activity,
meaning that the customer information has been turned into counterfeit copies and those
fraudulent copies are being used for other transactions. The restaurant chain stated that it is
“currently working with the proper authorities and investigating the situation,” but declined to
offer anything further. The widespread threat of data breaches can affect any business, large or
small. Breaches like those at P.F. Chang’s and Jimmy John’s should serve as warnings for other
businesses whose data security practices may not be up to par. Assess your practices and stay
ahead of the hackers.—Kathryn M. Sylvia

Target discloses that data breach costs exceed $148 million

In a filing with the Securities and Exchange Commission on Tuesday, Target disclosed that the
costs of the data breach it experienced late last year reached $148 million in the second quarter of
2014, despite insurance payouts of $38 million. Target further disclosed that it expected its earnings
to drop $0.78 a share. This disclosure reflects the harsh reality of the massive cost a data breach
can impose on a company, both in real dollars and in brand reputation. It is another stark reminder
to get security practices up to best industry standards.—Linn Foster Freedman

Enforcement & litigation

Record setting $75 million TCPA class action settlement with Capital One, an outlier among
TCPA suits

A Telephone Consumer Protection Act (TCPA) class action settlement, for a record $75,455,099,
was reached on August 4, 2014 with Capital One Financial Corp. (“Capital One”) and three other
collections agencies. Capital One, along with Leading Edge Recovery Solutions LLC, Capital
Management Services LP and AllianceOne Receivables Management Inc., allegedly made
autodialed telephone calls to over 21 million cellular numbers without prior express consent as
required by TCPA regulations. Collectively, the four parties will pay the settlement amount in a
fund set up for this class action and must alter their current telephone marketing practices. This
settlement was described by class action attorneys as “the largest settlement cash sum—by
far—in the 22-year history of the TCPA.” However, this type of settlement is not common in
TCPA class actions generally. The specific circumstances of this case led to this startling sum; to
start, this class action was consolidated from four separate class actions originating in three states:
Illinois, Washington and California. A TCPA settlement like this one will not likely appear any
time soon. This settlement, however, should be a reality check for businesses—reassess your
texting and telephone marketing tactics to avoid the wrath of the TCPA.—Kathryn M. Sylvia

Facebook hit with international class-action privacy suit

Max Schrems, a 26-year-old Austrian Facebook user, launched a class-action lawsuit against
Facebook on August 1, 2014. In one week, the law student was able to obtain assigned claims on
behalf of 17,000 Facebook users for the class action through a specially created app.
The lawsuit alleges that Facebook supports the National Security Agency’s surveillance through
its PRISM program by tracking Facebook users on external websites through features such as the
“Like” button and by transferring user data to external applications without the Facebook user’s
authorization. This suit is being touted as a first and will be watched closely.—Linn Foster
Freedman

Cybersecurity

NIST issues free Cybersecurity Framework (CSF) Reference Tool

The National Institute of Standards and Technology (NIST) recently issued a free and helpful
Cybersecurity Framework (CSF) Reference Tool to assist companies with implementing their
cybersecurity efforts. The CSF outlines a Framework Core, which consists of five concurrent and
continuous cybersecurity functions: Identify, Protect, Detect, Respond, Recover. The CSF explains
that “these Functions provide a high-level, strategic view of the lifecycle of an organization's
management of cybersecurity risk.”—Linn Foster Freedman

Children’s privacy

iKeepSafe approved: newest COPPA ‘Safe Harbor’ oversight program announced

On August 1, 2014, the Federal Trade Commission (FTC) approved the iKeepSafe safe harbor
program under the Children’s Online Privacy Protection Act (COPPA). COPPA requires that
website operators or online service providers that are either directed to children under the age of 13,
or that have actual knowledge that they are collecting personal information from children under
the age of 13, provide notice of the collection to parents, who must then provide verifiable consent
before the website operator or online service provider can collect any personal information from
children. Those website operators who voluntarily choose to partake in an FTC-approved COPPA
safe harbor program, like iKeepSafe, are subject to review and disciplinary action in accordance with
the safe harbor’s guidelines, instead of formal FTC investigations and enforcement. The FTC, in its
approval letter and press release, stated that it “determined that the iKeepSafe safe harbor program
provides the same or greater protections for children as those contained in the COPPA Rule;
effective mechanisms to assess operators’ compliance; effective incentives for operators’
compliance with the guidelines; and an adequate means for resolving consumer complaints.”—
Kathryn M. Sylvia

Social Media

New Hampshire enacts social media law—effective September 30, 2014

On August 1, 2014, New Hampshire Governor Maggie Hassan signed HB 1407, New Hampshire’s
new social media law, which becomes effective on September 30, 2014. The law prohibits
employers from requiring an employee or prospective employee to disclose social media or
electronic mail passwords or login information to the employer.
The law further prohibits an employer from requiring an employee or prospective employee to add
anyone, including the employer or the employer’s agent, to the list of contacts on a social media
account. Finally, the law prohibits an employer from taking or threatening to take disciplinary
action against an employee who refuses to provide a password or login information to the
employer.
The law provides an exception allowing employers to obtain information about the employee or
prospective employee that is in the public domain, and specifically permits employers to obtain
information during an investigation to ensure the employee’s compliance with laws and
regulations, to investigate reports of work-related employee misconduct received from an employee
or other source, or to investigate the unauthorized transfer of an employer’s proprietary, confidential
or financial information.
Civil penalties may be assessed by the labor commissioner against an employer who violates
HB 1407, so, New Hampshire businesses—get your compliance in place before
September 30.—Linn Foster Freedman

Resources

Department of Education releases best practices for school data collection

The United States Department of Education recently issued “Transparency Best Practices for
Schools and Districts,” guidance to help elementary and secondary schools, as well as local
educational agencies, follow best practices when collecting, using and disclosing student data.
The guidance outlines the requirements of the Family Education and Privacy Act, the Protection of
Pupil Rights Amendment and best practices in order for schools and agencies to be more
transparent with students and their families about data collection. It is a worthwhile read for
school administrators and parents alike.—Linn Foster Freedman

For more information on the contents of this alert, please contact:
— Linn Foster Freedman, Privacy & Data Protection Group Leader, at
lfreedman@nixonpeabody.com or 401-454-1108
— Kathryn M. Sylvia at ksylvia@nixonpeabody.com or 401-454-1029

NP Privacy Partner Blog
Staying ahead in a data-driven world: insights from our Data Privacy & Security team