Cyber Security & Data Privacy Law Blog

The Race to File - Cybersecurity Risks Involving Tax Returns

By Karen Painter Randall

The average American consumer has become accustomed to, and even relies upon, receiving their tax refund during this time of the year. Unfortunately, so have hackers, who use tax refund season as an opportunity to obtain data and, of course, cash from unsuspecting victims.

Not surprisingly, based on a recent survey performed by CyberScout, about six out of every ten people stated that they were not worried about tax fraud. It is tough to reconcile the findings of CyberScout’s survey with data obtained by the IRS, which estimated that it stopped more than $4 billion in refunds that were claimed by scammers on 787,000 tax returns. Clearly, this is a bigger problem than most people realize.

The Business Judgment in Cyber Security Decisions

By Karen Painter Randall

The United States District Court for the Northern District of Georgia was recently tasked with determining whether a shareholder derivative action against Home Depot, challenging the adequacy of the company’s cyber security strategy, should be dismissed. The action was filed on the heels of a 2014 data breach in which over 56 million customers’ personal information was stolen by unknown hackers. Prior to the hacking, Home Depot broke up the committee responsible for IT oversight, forming the basis for the shareholders’ actions.

New York Proposes New Cybersecurity Rules for Financial Institutions

By Karen Painter Randall

Recognizing that cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data, the New York State Department of Financial Services (“DFS”) has proposed new rules regarding cybersecurity requirements for financial services companies (Proposed 23 NYCRR 500). The proposed rules have been given an effective date of January 1, 2017. However, covered entities, as defined below, will have 180 days from that day to comply with all of the requirements.

Cyber Security & Data Privacy Law Blog Contacts

Karen Painter Randall

Chair, Cyber Security & Data Privacy Group

WikiLeaks Publishes Sony Emails and Documents Stolen in Recent Data Breach

By Karen Painter Randall

According to a statement this past Thursday, WikiLeaks published more than 200,000 internal Sony Pictures Entertainment documents and e-mails in connection with the data breach incident involving Sony Corp.’s Hollywood studio late last year.  The release included 30,287 documents and 173,132 e-mails, sent from or received by more than 2,200 Sony Pictures e-mail addresses. The material is searchable, giving legions of journalists and Sony competitors access to the information that was quickly taken down after it was first posted by hackers.

FCC Fines AT&T $25m for Data Privacy Lapse

By Karen Painter Randall

The Federal Communications Commission (FCC) reached a $25 million settlement with AT&T for failing to protect the privacy, personal information and social security numbers of its customers. According to the FCC’s complaint, AT&T employees working at call centers in Mexico, Colombia and the Philippines actively stole this information from an estimated 300,000 people.

The Consumer Plaintiff Class Settles with Target for a Package Including $10 million

On March 19, 2015, Target and the class of consumer plaintiffs which sued following the December 13, 2013 data breach filed a motion seeking approval of their settlement. Among other things, the settlement calls for Target to create a $10 million settlement fund from which class members who prove documented losses would be reimbursed. Class representatives would receive an award for their “service” to the plaintiff class, and the balance would be distributed to class members who submit a “self-certification” claim.

Target also agreed to certain non-monetary measures, including:

Financial Institutions Face Risks Regarding Coverage for Cyber Risks Under GL Policy

By Karen Painter Randall

In a recent decision from the United States District Court for the Western District of Pennsylvania, the Court found that a bank that made a voluntary reimbursement to its client for an unauthorized wire transfer, pursuant to state statute, should not have its policy disclaimed on this basis.

HHS Announces First HIPAA Breach Settlement Affecting Less Than 500 Individuals

By Karen Painter Randall

HHS announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a CAP as part of a settlement involving a breach of unsecured ePHI.  This was significant in that it was the first settlement by HHS involving a breach affecting less than 500 individuals. 

Recent Data Breach of Hospital Employees Sparks Lawsuit

By Karen Painter Randall

A University of Pittsburgh Medical Center (“UPMC”) employee filed a lawsuit in U.S. District Court for the Western District of Pennsylvania against her employer and Ultimate Software Group, Inc. in the wake of a data breach that saw hackers use the personal information of UPMC employees to file fraudulent federal income tax returns.