Cybersecurity
Oregon Revises Data Breach Notification Law
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
On March 23, 2018, the Governor of Oregon signed a revised data breach notification law that takes effect in June. The law requires businesses that have suffered a data breach to notify affected consumers within 45 days, although delay may be permitted if requested by law enforcement. The law joins a growing trend of statutes that prohibit credit-reporting agencies from charging consumers to place a freeze on their credit reports. A notifying company that offers to provide free credit-monitoring services to affected consumers cannot condition acceptance of those services on the consumer providing a credit or debit card number, and any fees to be charged for additional services must be clearly explained to the consumer.
Data Privacy
Facebook Under the Gun
By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.
The United States Senate sent a letter dated March 19, 2018 to Facebook's Chairman and CEO Mark Zuckerberg. In the letter, Facebook's user privacy policies are called into question and are being investigated by the United States Senate based on actions involving a personality test app on Facebook by Strategic Communications Laboratories (SCL) and Cambridge Analytica. Approximately 50 million Facebook users were impacted by privacy issues involving their data. The United Kingdom's Information Commissioner's Office is also investigating this data privacy issue involving Facebook.
Pennsylvania Takes Action Against Uber's Data Breach
By Sherri Marie Carr, The S.M. Carr Law Firm, Ltd. Co.
Did you hear about the Uber data breach that potentially impacted 57 million people? Uber knew of this data breach for over a year but failed to disclose it, and Pennsylvania's Attorney General Josh Shapiro filed a lawsuit on March 5, 2018, on behalf of the approximately 13,500 Pennsylvania Uber drivers affected by this breach. Attorney General Shapiro said, "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians." This data breach is also being investigated by over 40 other state Attorneys General.
Ninth Circuit Finds Standing Based on Risk of Identity Theft
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Ninth Circuit has added to the litany of decisions addressing whether risk of identity theft is sufficient for Article III standing in data-breach litigation. In re Zappos.com, Inc., Customer Data Breach Security Breach Litig., No. 16-16860 (9th Cir. Mar. 8, 2018). In 2012, hackers allegedly stole the personal information of more than 24 million customers of online retailer Zappos. The U.S. District Court for the District of Nevada dismissed for lack of Article III standing the claims of plaintiffs who raised no allegations that the stolen information about them was used. The court of appeals reversed and remanded, concluding that the plaintiffs’ risk of identity theft was sufficient for standing. The court found Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), remained binding precedent because it was not irreconcilable with Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). In Krottner, the court of appeals held that plaintiffs, who were among the 97,000 Starbucks employees whose unencrypted names, addresses, and Social Security numbers were on a stolen laptop, had standing based on their increased risk of future identity theft. By contrast, in Clapper, the Supreme Court concluded that “an objectively reasonable likelihood” that communications of domestic persons would be acquired as a result of foreign surveillance was not sufficient for standing. The Zappos stolen information was akin to that in Krottner because it could be (and for other plaintiffs had been) used to commit identity theft.
Lottery Winner Can Remain Anonymous Based on Privacy Interests
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
A New Hampshire state court has held that the winner of a $560 million jackpot prize can remain anonymous in collecting her winnings. Doe v. N.H. Lottery Comm’n, No. 226-2018-CV-00036 (N.H. Super. Ct. Mar. 12, 2018). The winner signed the back of her winning ticket with her name, address, and phone number and then consulted an attorney, who informed her she could remain anonymous by having a trustee collect the prize on the winner’s behalf. The lottery commission, however, maintained that it would be required to reveal the information filled in on the back of the ticket if requested under the state right-to-know law, and any redaction of that information would be a prohibited alteration. In Doe’s suit against the commission for permission to remain anonymous, she cited to articles about other lottery winners being solicited, harassed, and threatened, and noted that her lawyers had in fact already received solicitations for money. Accordingly, the court held that the winner’s privacy interests outweighed the public interest in disclosing her identity. In contrast, the winner’s hometown could be disclosed because it was unlikely Doe would be identified based on that revelation. The commission will not appeal the ruling.