The United States District Court for the Northern District of Georgia was recently tasked with determining whether a shareholder derivative action against Home Depot, challenging the adequacy of the company’s cyber security strategy, should be dismissed. The action was filed on the heels of a 2014 data breach in which over 56 million customers’ personal information was stolen by unknown hackers. Prior to the hacking, Home Depot broke up the committee responsible for IT oversight, forming the basis for the shareholders’ actions.
Recognizing that cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data, the New York State Department of Financial Services (“DFS”) has proposed new rules regarding cybersecurity requirements for financial services companies (Proposed 23 NYCRR 500). The proposed rules have been given an effective date of January 1, 2017. However, covered entities, as defined below, will have 180 days from that day to comply with all of the requirements.
According to a statement this past Thursday, WikiLeaks published more than 200,000 internal Sony Pictures Entertainment documents and e-mails in connection with the data breach incident involving Sony Corp.’s Hollywood studio late last year. The release included 30,287 documents and 173,132 e-mails, sent from or received by more than 2,200 Sony Pictures e-mail addresses. The material is searchable, giving legions of journalists and Sony competitors access to the information that was quickly taken down after it was first posted by hackers.
The Federal Communications Commission (FCC) reached a $25 million settlement with AT&T for failing to protect the privacy, personal information and social security numbers of its customers. According to the FCC’s complaint, AT&T employees working at call centers in Mexico, Colombia and the Philippines actively stole this information from an estimated 300,000 people.
On March 19, 2015, Target and the class of consumer plaintiffs which sued following the December 13, 2013 data breach filed a motion seeking approval of their settlement. Among other things, the settlement calls for Target to create a $10 million settlement fund from which class members who prove documented losses would be reimbursed. Class representatives would receive an award for their “service” to the plaintiff class, and the balance would be distributed to class members who submit a “self-certification” claim.
Target also agreed to certain non-monetary measures, including:
In a recent decision from the United States District Court for the Western District of Pennsylvania, the Court found that a bank that made a voluntary reimbursement to its client for an unauthorized wire transfer, pursuant to state statute, should not have its policy disclaimed on this basis.
HHS announced that the Hospice of North Idaho (HONI) agreed to pay $50,000 and enter into a CAP as part of a settlement involving a breach of unsecured ePHI. This was significant in that it was the first settlement by HHS involving a breach affecting fewer than 500 individuals.
A University of Pittsburgh Medical Center (“UPMC”) employee filed a lawsuit in U.S. District Court for the Western District of Pennsylvania against her employer and Ultimate Software Group, Inc. in the wake of a data breach that saw hackers use the personal information of UPMC employees to file fraudulent federal income tax returns.
According to a report recently released by IBM Security, there has been a decrease of more than 50% in the number of cyber-attacks between 2012 and 2014. However, in 2014, retailers still suffered the theft of more than 61 million customer records. Additionally, not surprisingly, retailers remain cyber-thieves’ top targets.