JD Supra provides users with access to its legal industry publishing services (the “Service”) through its website (the “Website”) as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement (“Policy”). By using the Service, you signify your acceptance of this Policy.
Information Collection and Use by JD Supra
JD Supra collects users’ names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.
The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user’s experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.
JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.
If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.
Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the “opt-out of future email” option in the email they receive from JD Supra or in their JD Supra account management screen.
JD Supra takes reasonable precautions to ensure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.
If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at [email protected]. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.
Sharing and Disclosure of Information JD Supra Collects
Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.
In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.
Links to Other Websites
This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.
Contacting JD Supra
If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: [email protected]
Casino Owner Sues Cybersecurity Services Provider, Alleging Botched Response to Data Breach
On December 24, 2015, Nevada casino owner Affinity Gaming filed suit against Trustwave in federal district court, alleging that Trustwave failed to contain and remediate a data breach at Affinity Gaming.
Card brands like Visa and MasterCard require companies that accept credit or debit cards to comply with the Payment Card Industry Data Security Standards (“PCI DSS”). In the event of a data breach involving credit or debit card information (“cardholder data”), such companies are usually compelled to retain a PCI Forensic Investigator (“PFI”) to investigate the cause and extent of the breach, and issue a report that is shared with the card brands.
According to the complaint, Affinity Gaming received reports of credit card fraud from customers and law enforcement in late October 2013, and Affinity Gaming’s IT department concluded that company data systems with cardholder data may have been compromised. Affinity Gaming retained Trustwave as its PFI based on a recommendation from its cyber insurer. According to Affinity Gaming, Trustwave conveyed that, as PFI, it would (i) identify the cause of the breach, (ii) remediate any issues, and (iii) facilitate implementation of measures to help prevent future breaches. Trustwave issued its PFI Report on January 13, 2014 and represented that the “compromise has been contained” and the breach terminated.
On April 16, 2014, Ernst & Young performed a penetration test of Affinity Gaming data systems and identified suspicious activity. Affinity Gaming retained Mandiant to conduct a more thorough forensic investigation, and Mandiant found that the breach identified in October 2013 had not been fully contained or remediated, specifically finding that hackers still had “backdoor” access to Affinity Gaming’s data systems. Based on Mandiant’s findings, Affinity Gaming alleges that Trustwave’s “misrepresentations, omissions, and failures” resulted in significant monetary damages. The complaint asserts various state claims for fraud, negligence and breach of contract.
Trustwave has not yet responded to the complaint, but the case has already attracted attention in the cybersecurity industry and is particularly noteworthy for a few reasons.
First, the case may shed some light on the precise role served by a PFI retained to investigate a data breach, as well as the impact of particular provisions in PFI engagement agreements. Card brands and the PCI organization tend to view the PFI’s role as identifying the cause and extent of a breach to assist card brands and banks in (i) determining whether the company was complying with PCI DSS at the time of the breach, and (ii) identifying which credit or debit cards were compromised. By contrast, companies retaining a PFI may expect more comprehensive services that include thorough remediation and guidance for preventing similar cyber-attacks in the future.
Second, while it may be impossible for cybersecurity services providers to provide guarantees when combatting criminal hacking, the court may attempt to ascertain the point at which a failure to detect or remediate a cybersecurity issue could constitute negligence or fraud by a cybersecurity services provider. Such a decision could have major ramifications for the cybersecurity industry.
Third, the facts giving rise to this lawsuit may provide a valuable case study on best practices when responding to an incident. During the fast-paced, high-pressure and costly response to a significant data breach, effective interaction between internal and external responders is crucial, and misunderstandings, lack of communication and poor decisions will exacerbate a company’s business and legal exposure.
The case is Affinity Gaming v. Trustwave Holdings Inc., 2:15-cv-02464-GMN-PAL (D. Nev.). The complaint is available here.
Reporter, Mark H. Francis, New York, +1 212 556 2117, [email protected]
Missoula County Public Schools released information Thursday that said over 200 alumni and two deceased students were included in Hellgate High School’s December data breach of confidential student records. The district was not available for comment Thursday or Friday.
NBC Montana spoke with John Ulrigg, a Hellgate High School parent whose children’s medical, academic, attendance and discipline records were among those leaked.
Ulrigg is frustrated with the way the district handled the situation. He said, “I teach my children values and respect, and I’m not seeing values and respect from the people who are taking care of my kids and teaching them.”
Ulrigg believes the information should not have been available to begin with.
His son is a senior and his daughter graduated over two years ago. Ulrigg said she has autism and is upset the breach left a permanent impact on her well-being.
“Any information that was hers should have been up on a secure server not just on any administrator’s desk where any ‘oops’ can determine the outcome of someone’s life,” Ulrigg added.
He said he has spent the better part of her life preparing her for the real world after high school, but now fears all his work is lost.
“It’s a setback that we worked really hard not to have any issues with after she got out of school,” Ulrigg said.
She works as a customer service representative and regularly speaks with Missoula residents. “Now how many of those customers have read that and tie it to her name and go ‘Oh that’s the girl!’ You know, and that’s her fear. It’s not fair for her to have that fear,” Ulrigg said.
He said when his daughter received the district’s notice in the mail she could not believe it. He said she’s worried about people judging her for her disability.
The state’s student records policy says to destroy all but basic student records such as a student’s name, years attended and transcripts after graduation. But Missoula schools keep almost all of their student records post-graduation.
Since the damage has been done, Ulrigg is now looking for the district to be accountable.
“When you’re working in public administration you work for me — us and everyone in the state, or everyone who pays taxes and pays your salary — please, on behalf of all students, stop this madness and become accountable. Teach our children accountability,” he said.
VTech’s clever defence against data breaches – shift liability to the customer
In one of the most bizarre developments in computer security, Chinese toy maker VTech thinks it has invented the perfect solution to the expensive business hazard of data breaches – make them the end user’s problem, not the company’s, using a defensive shield made out of nothing more technical than words.
Only days ago, a sharp-eyed security researcher noticed something extraordinary in paragraph 7 of the company’s latest Terms & Conditions for anyone accessing the Learning Lodge online app store that can be used with its toy products:
“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.
“Recognising such, you understand and agree that, to the fullest extent permitted by applicable law, neither VTech or its suppliers […] will be liable to you for any direct, indirect, incidental, special, consequential, punitive, exemplary or other damages of any kind…”
On the face of it, should the site be breached in the future and customer data stolen, the legal liability for this will rest not with the company that failed to secure it, VTech, but the end user. Caveat emptor.
End User License Agreements (EULAs) have long been used by software companies to limit liability for software problems, including those which create security holes, but on the face of it VTech is trying to extend this principle to include data loss. Legally, the issue here is liability, not moral fault. The T&Cs appear to be trying to shift the liability to the customer on the grounds that they agreed to use a product in a universe in which their data might be stolen from VTech.
Why is VTech doing this?
On 14 November 2015, toy maker VTech suffered a serious data breach that compromised the personal details of 11.6 million customers, 6.4 million of whom were children. Unencrypted data lost included names, addresses, email addresses, download history and secret security questions. Account passwords had been hashed, but only with the weak MD5 algorithm, which is fast to compute and therefore offers little protection against offline cracking of the stolen hashes.
The company suspended the trading of its shares on the Hong Kong Stock Exchange, a drastic and unusual move that underlined the seriousness of events. In an era of almost routine data breaches, the poor security left the firm looking unusually incompetent, complacent and foolish.
Is the move sound?
It is important to distinguish between a company’s legal responsibility to its customers and a company’s responsibilities to local information and regulatory authorities. In both cases, laws vary by country, but in the UK the rules on the recompense that must be given to end users in the event of a data breach are surprisingly vague. As for the UK ICO, it can fine companies up to £500,000 (about $750,000) for breaches of the Data Protection Act (DPA) but rarely does so. Users can always try their luck under civil law, assuming they have plenty of money to fund such a thing.
Overwhelmingly, the financial harm to a breached company comes from the remedial work it has to carry out: alerting users, resetting accounts, tracking the source of the breach and putting in place new security, or providing credit checking where financial data is lost in countries, such as the US, that require such recompense.
And the EU General Data Protection Regulation?
In future, this would cause VTech serious problems because the maximum fine for a breach would rise from hundreds of thousands of pounds under national laws to tens of millions. The revised T&Cs make no odds here because the GDPR is an EU-wide legal framework for data protection that isn’t affected by what individuals agree or don’t agree to in such documents. Individually, users would also have the right to ask VTech to remove their data from its database. Failure to do that could increase fines.
Can end users protect themselves?
If they buy the company’s toys, then in terms of absolute certainty the only defence is not to use its online services. On the basis of such T&Cs, we suggest it is no longer worth it.
What precedent does this set?
Probably none whatsoever, although some will see the action as changing the atmosphere around breaches. On top of the bad publicity after the November data breach, VTech will now get more bad publicity for attempting to shift liability away from itself for security that only it can possibly assess.
The Internet of (insecure) Things
This is where it gets more interesting and troubling. Like a lot of firms that have a foot in tech, VTech fancies itself as a future player in the home security and Internet of Things market, one which surely depends on competent security. It’s hard to imagine informed consumers and businesses installing a security system made by a firm that uses these sorts of T&Cs to protect itself. The move communicates the wrong set of values, as if the company doesn’t see any moral obligation to secure the technology it sells.
What does the industry think?
Overwhelming incredulity, starting with the researcher who verified the scale and incompetence of the original November 2015 breach, Troy Hunt.
“The bigger picture here is that companies are building grossly negligent software and then simply not being held accountable when it all goes wrong,” Hunt wrote on VTech’s new T&Cs on 9 February.
Varonis vice president of strategy David Gibson told Computerworld UK by email: “protecting customer, partner and employee data is a business requirement. It’s possible that VTECH may have run afoul of the US’s COPPA [Children’s Online Privacy Protection] laws for protecting children’s data. The larger point is that consumers should expect reasonable data security without having to be personally liable.”
Javvad Malik, security advocate at AlienVault:
“This is a bad stance for a company to take. It’s trying to take a completely zero accountability approach to a product they are selling. On top of that, it could potentially set a terrible precedent for other technology companies.
“In today’s digital age, personal data is in some ways worth as much as currency. Imagine if the banks turned around and stated in their terms and conditions that by placing money with them, you lose any expectation that the money will be kept safe because bank robbers may loot the vault. I really hope VTech takes a look at their statement and the data they hold and reconsiders their position on the matter.”
VTech shifts data breach liability to customers – the bottom line
In computer security, moral hazard always lies with the maker, not the consumer, no matter what the law demands. VTech needs to understand that selling security tech products is about reputation and not simply legality.
On Nov. 27, VTech, which makes interactive toys such as tablets, toy cars and smart watches, warned customers that a hacker had accessed customer data on Learning Lodge, the PlanetVTech website, and Kid Connect servers.
Electronic toy maker VTech has recently been the victim of a cyber-attack, which has seen the data of more than 6.3 million children exposed. The hackers got access to chat logs and photos.
Following the breach, VTech has updated its End User License Agreement, saying the company can’t provide a 100 percent guarantee that it won’t be hacked. It also shifts the responsibility back to the parents:
You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.
You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.
You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.
Commenting on the move, security expert Jonathan Lieberman, VP of Product Strategy at Lieberman Software says:
It’s only a matter of time before every online business has T&Cs attempting to limit their liability in the case of cybercrime. This kind of avoidance language is all around us. When you park your car in the city, there’s a sign saying they aren’t responsible if someone steals something. When you leave your valuables in a gym locker, there is a notice that it’s at your own risk. It’s natural that when you put your information into a website or data in the cloud that they will hang up a sign telling you criminals may attempt — and succeed — to take it.
As the money associated with online crime grows, both in the form of rewards criminals can reap and the premiums charged by insurance firms insuring against those losses, you will see lawyers crafting ever more creative and complex terms to protect their clients from liability associated with data breach. The key is how well they will work to protect you while you use their online service and how well you will protect yourself.
He advises parents to read the terms and conditions carefully, and see if the company is taking reasonable measures to protect the data. If you can’t sit through countless pages of legal language, limit the exposure of your information.
Mark James, Security Specialist at ESET said:
Every company has a responsibility to protect the data they harvest while you use their products. I agree with VTech that no company can protect 100 percent against the possibility of being hacked, but taking sufficient precautions and ensuring a good level of security is maintained should be the fundamentals of any policy where users’ private data is being held.
To shift ownership over to the users is bad enough in itself, but to make it known through walls of text in T&Cs or EULAs is a bad way to do it; no one honestly reads it, especially a parent trying to set up something for their children. Can you imagine telling your three-year-old that they need to wait a little longer while you read, digest and decide if you want to keep the toy based on the terms and conditions?
Our minors’ data should be ultra-important for any organization and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that’s the right thing to do. It’s our data, but more importantly it’s the data of our possible future leaders that’s at stake here, we must take it very seriously indeed.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.
Copyright © 2016 – KSTP-TV, LLC
A Hubbard Broadcasting Company
CHERRY HILL, N.J.–(BUSINESS WIRE)–On February 11, 2016, the Honorable Judge Andrew J. Guilford of the Federal District Court for the Central District of California signed an order appointing Locks Law Firm to the Plaintiffs’ Steering Committee in the Experian Data Breach Litigation. The Plaintiffs’ Steering Committee will be in charge of prosecuting the more than 30 class actions filed against Experian because of its conduct with regard to the exposure and subsequent theft of the personal information of approximately 15 million
In addition, Tina Wolfson of Ahdoot Wolfson, PC and Daniel S. Robinson of Robinson Calcagnie Robinson Shapiro Davis, Inc., were appointed Co-Lead Counsel in the case. Furthermore, a Plaintiffs’ Steering Committee was named, consisting of the law firms: Locks Law Firm; Berger Montague, PC; Girard Gibbs LLP; Keller Rohrback LLP; Zimmerman Reed; and Feinstein Doyle Payne Kravec, LLC.
The claims in the case, captioned In re Experian Data Breach, arise out of Experian’s loss of T-Mobile customers’ private personal information. Experian conducted credit checks for T-Mobile customers who financed the purchase of phones through T-Mobile. Experian failed to properly secure the personal information of the T-Mobile customers, and the private, personal financial information of approximately 15 million customers was hacked. The breach of Experian’s security and exposure of consumers’ personal information can be used by thieves to open financial accounts, take out loans in customers’ names, incur charges on existing accounts, and clone ATM, debit or credit cards. Consumers’ personal identifying information is regularly sold by criminals to be used by identity thieves around the world.
“Experian is a credit reporting agency trusted with consumers’ most sensitive financial information. The data breach at Experian has exposed such information to identity theft criminals and has resulted and will continue to result in the immediate future in harm and damage to the members of the Class,” said Locks Law partner Andrew P. Bell.
With offices in Cherry Hill, Atlantic City, Philadelphia and New York City, Locks Law Firm is known for protecting the rights of consumers throughout the country, as well as individuals and families who have suffered injuries or death as a result of the recklessness or negligence of another party. Attorneys at the Locks Law Firm practice with the highest level of professional integrity and have extensive courtroom experience. For additional information, contact Thomas Derr of Simon PR, (215) 545-4715, ext. 29, or cell: (215) 620-7723.
A former Dakota County employee has pleaded guilty to violating Minnesota’s data privacy laws.
Thomas Berry pleaded guilty to the misdemeanor Thursday. Berry was charged with forwarding an internal report about two state lawmakers who were found in a romantic encounter in a park last summer.
Republican Reps. Tara Mack of Apple Valley and Tim Kelly of Red Wing were cited Aug. 25 by a park ranger who said he saw them making out in a car.
The charge alleged Berry improperly accessed and shared a document with details about that incident.
Defense attorney Phil Villaume tells the Star Tribune (http://strib.mn/1KeAfqh ) Berry will serve a year of probation and pay a $345 fine.
Berry worked for the Dakota County Water Resources Department. He resigned from his job after being charged.
Article source: http://www.newsobserver.com/news/technology/article59877871.html
UK companies no longer believe data breaches are something that usually happens to someone else – they’re now expecting it, and expecting it to cost.
According to the latest Risk:Value report from NTT Com Security, the majority of businesses in the UK (57 per cent) nowadays expect to be breached, and anticipate it would cost them £1.2 million on average. This is the highest figure globally, the report adds, and it does not include hidden costs like brand erosion and reputational damage. UK businesses expect the recovery to last at least two months, following a 13 per cent drop in revenue.
That’s not all the report has to say – 48 per cent of UK business decision makers consider information security ‘vital’ to their organisation, 50 per cent believe it’s ‘good practice’, while 20 per cent consider it the ‘single greatest risk’ to business.
“Attitudes to the real impact of security breaches have really started to shift, and this is no surprise given the year we have just had,” says Stuart Reed, senior director for global product marketing at NTT Com Security. “We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well – whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even possibly their jobs.”