U.S.-EU Data Sharing Pact Invalidated; Two Lawsuits Based on October Breaches; Dow Jones & Co. Breached; California’s New Comprehensive Privacy Law; California Revises Breach Notification Requirements; California Smart TV Notice Requirements; California Targets “Hackers for Hire”; Cybercrime Costs Increase
Top EU Court Invalidates U.S.-EU Safe Harbor
On October 6, 2015, the European Court of Justice (ECJ) invalidated the safe harbor agreement that governed the transfer of digital information between the U.S. and the European Union. The ECJ found U.S. data protection policies offer inadequate protection to EU citizens’ privacy rights, a result of the broad data access practices for U.S. national security and law enforcement purposes. The European Commission announced its intent to provide guidance on transatlantic sharing policies in light of the decision, and also identified other mechanisms for data sharing in the absence of the safe harbor agreement. For more coverage of this decision and its impact, see our recent alert here.
California Class Action Suits Filed Based on October 2015 Data Breaches
Two proposed class action suits have been filed in California federal courts in connection with recent breaches announced by T-Mobile and Scottrade. One suit alleges that T-Mobile and Experian’s negligence and breaches of contract led to the exposure of more than 15 million T-Mobile subscribers’ information. The compromised information includes encrypted Social Security numbers and driver’s license information. The complaint also alleges that Experian’s failure to secure customer information recklessly violated the Fair Credit Reporting Act. The second suit seeks relief from Scottrade for a breach affecting 4.6 million users of the brokerage firm’s services. Scottrade confirmed that customer mailing information was compromised, but could not rule out exposure of more sensitive data. In addition to the California class action against Experian, a coalition of more than 20 consumer advocacy organizations has asked both the CFPB and the FTC to investigate Experian’s privacy and data security practices in light of the T-Mobile breach.
Dow Jones Hacked, Customer Info Compromised
Dow Jones & Co. announced that hackers accessed customer data, including names, addresses, and payment card information. It is currently unknown how many customers were affected by access to databases containing names, addresses, and contact information for subscribers between 2012 and 2015. The publisher of the Wall Street Journal and Barron’s notified the fewer than 3,500 customers whose payment card information was compromised. This comes on the heels of other significant data breaches this month affecting T-Mobile, Trump Hotels, and Scottrade.
California Enacts Comprehensive Digital Privacy Law
On October 8, California Governor Jerry Brown capped a busy week by signing the California Electronic Communications Privacy Act. Under the law, all California law enforcement must obtain a warrant in order to receive metadata or any digital communications, including e-mails, text messages, and documents stored in the cloud, from businesses. The landmark legislation also requires a warrant prior to law enforcement searches of digital devices such as phones, tablets, and laptops. The law contains exceptions for certain circumstances such as where loss of life or evidence is possible. Privacy advocates and several notable technology companies, including Apple, Google, and Facebook, supported the measure, which takes effect January 1, 2016.
Three California Laws Bolster Data Breach Notification Requirements
Governor Brown signed three bills that revised and enhanced notification requirements under California’s 2003 data breach statute. The law currently requires state agencies and businesses operating in California to notify consumers when there is reason to believe unencrypted personal information has been compromised. The first bill, A.B. 964, defines “encrypted” data as that which is “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The second bill, S.B. 570, identifies what information a breach notification must contain, as well as certain formatting requirements. It also includes a sample notification that complies with the statute. The third bill, S.B. 34, extends the breach notification requirements to information collected by automated license plate recognition (“ALPR”) systems. S.B. 34 also requires ALPR operators and end-users to implement security procedures to protect collected data. The bills take effect January 1, 2016.
California: TV Manufacturers Must Provide Notice of Voice-Recognition Services
Governor Brown signed a bill requiring television manufacturers to provide consumers “prominent” notice about voice-recognition features. The amendment to A.B. 1116 mandates that manufacturers notify consumers if smart TVs that connect to the Internet and contain voice-recognition software can record conversations and transmit that data to the manufacturer and/or a third party. The law prohibits manufacturers and third parties from selling recorded information or using it for advertising purposes, and from being compelled to install recording features for law enforcement purposes.
California Criminalizes “Hackers for Hire”
The busy week in California data and privacy law continued as Governor Brown signed a law cracking down on hiring hackers. California law already prohibited unauthorized access to a computer network but did not address the hiring of another to do the same. A.B. 195 criminalizes the solicitation of another to join or assist in computer access crimes. The law also makes it a crime “to offer to obtain or procure assistance for another to obtain unauthorized access, or to assist others in locating hacking services.” Violation of the new law is a misdemeanor.
Study: U.S. Firms Spend $15M Annually to Fight Cyber Attacks
The Ponemon Institute’s annual “Cost of Cyber Crime” report revealed that in 2015, U.S. companies spent an average of $15 million annually in response to cyberattacks. This number is nearly double the worldwide average of $7.7 million, and represents a 19% one-year net increase for U.S. firms. Based on a survey of 252 companies in seven countries, the report also showed that on average, companies require approximately 46 days from the date of discovery to resolve a cyberattack and spend about $21,000 per day during that period. Organizations in the financial services and utilities & energy sectors incurred substantially higher costs than firms in other sectors. For a full copy of the 2015 Ponemon Institute Report on the Cost of Cybercrime, see http://www.hp.com/go/Ponemon (must provide contact information to download report).