Wendy’s Successful in Trimming Data Breach Class Action Suit But No Dismissal

We have previously discussed the class action case filed against Wendy’s as a result of a data breach. The case was initially dismissed based upon lack of standing, but the plaintiffs were given the opportunity to amend the Complaint. After the filing of the Amended Complaint, Wendy’s filed a Motion to Dismiss.

On March 21, 2017, the Court dismissed some of the claims, but found that the plaintiffs were able to demonstrate injury to prove standing because the named plaintiff could show that he had to pay a $3 late fee when he was unable to pay his utility bill on time because of the data breach. Six additional plaintiffs were added who allege that their payment card data and personal information were compromised and that, as a result, they suffered actual harm when they were unable to cash in reward points or cash-back rewards while they waited for replacement cards to be issued.

The Judge found that these allegations were “injuries sufficient at this stage to plead standing” and that they were particularized and concrete injuries to allow the case to move forward.

The Judge also allowed the plaintiffs’ negligence and breach of implied contract claims to move forward. The Judge didn’t buy the plaintiffs’ allegations of violations of the consumer protection laws of Florida, New York, New Jersey, Mississippi, Tennessee and Texas. The Court dismissed them, but is allowing the plaintiffs to replead the consumer protection claims.

In a parting shot, the Court stated: “[T]he privacy of consumers remains extremely important, and retailers such as Wendy’s need to be held accountable to consumers when they accept and store important private information of consumers, and then fail to protect that information [from] hackers who seek to exploit the information for their own illicit gain.”

Third Circuit Holds Criminal Defendant in Contempt for Refusing to Decrypt Hard Drives

In a precedential ruling, the Third Circuit Court of Appeals this week upheld a lower court’s ruling holding a criminal defendant in contempt for refusing to decrypt two external hard drives that were seized during a child pornography investigation.

During the investigation, the government seized the defendant’s property, including two iPhones, a MacBook Pro and two external hard drives, following a search of his home. All of the devices were password protected. U.S. Department of Homeland Security agents were able to unlock the MacBook Pro, but were unable to decrypt the external hard drives, or thousands of images and videos on one of the iPhones.

A magistrate judge ordered the defendant under the All Writs Act to decrypt the devices. The defendant refused, alleging a violation of his Fifth Amendment right against self-incrimination.

The magistrate denied the motion to quash the order stating that since the government possessed the devices and had evidence that alleged they contained child pornography, decrypting them wouldn’t rise to the level of testimony protected by the Fifth Amendment.

The defendant unlocked the iPhone, which contained child pornography, but he claimed he couldn’t remember the passwords for the external hard drives. The lower court held him in contempt and the Third Circuit agreed. It held that the decryption order was a necessary and appropriate means for effectuating the initial search warrant and did not violate the defendant’s Fifth Amendment rights.

It will be interesting to see if he will be able to remember those passwords now.

Neiman Marcus Settles Data Breach Class Action Case for up to $1.6 Million

We have followed the Neiman Marcus case from the moment the data breach was announced. After winding through the judicial system, Neiman Marcus has agreed to settle, and the plaintiffs have requested that the Judge approve the proposed settlement, reached after mediation proceedings.

The settlement includes a payment of up to $100 to each class member who submits a valid claim (there are potentially 350,000 class members), $2,500 for each class representative for their “service,” and up to $530,000 in attorneys’ fees and costs to the plaintiffs’ attorneys.

IRS Files Petition to Enforce Summons Issued to Virtual Currency Company

The Internal Revenue Service (IRS) obtained authorization from a California federal court last November to serve a John Doe summons on the virtual currency firm Coinbase in order to obtain customer information to determine whether customers were using virtual currency to avoid paying income taxes.

Although the summons was issued in December, Coinbase has not provided the information requested in the summons and the IRS filed a petition with the Court requesting that the summons be enforced.

This is another example of how the government is using different techniques in the ever-growing digital age to obtain access to customer information from companies in order to further an investigation. Virtual currency accounts can be added to cell phone location data, social media accounts and email accounts.

DJI Releases Report on Lifesaving Drone Operations

DJI, market leader in drones and aerial systems, released a new report, “Lives Saved: A Survey of Drones in Action,” on lifesaving drone operations using data collected from around the world. DJI reports that drones have helped rescue at least 59 people from life-threatening conditions in 18 separate incidents. The notable takeaway from this report was that most of these lifesaving drones were operated by civilian bystanders and volunteers offering to help professional rescue personnel. This indicates a benefit to public safety even with just the widespread adoption of personal drone use; with greater use by professional rescue personnel teams the numbers and benefit will likely increase.

The cases reported in this report were “only those in which media accounts clearly demonstrated that people in imminent peril were directly located, assisted and/or rescued with drones” as opposed to those cases where drones “indirectly helped save lives by taking part in successful searches for missing people.” These rescue operations occurred on land and in water (in flooded areas), and ranged from locating missing people to bring them water and supplies (via the drone) or to bring them life jackets or rescue ropes (again, via the drone).

DJI mentions in its report that it undercounts the number of lifesaving activities that have actually been undertaken with this technology, using the count of 38 lives saved by drone operations, between May 2016 and February 2017. Broken down—drones saved almost one life per week. DJI said that this undercount is due to the underreporting of the tools used in emergency operations and challenges in searching news reports across multiple languages.

The conclusion: drones are regularly helping to save lives around the globe. It is already happening thanks to civilians who have adopted the technology to their daily lives just as professional rescue crews are beginning to adopt this new drone technology themselves.

Maryland Sheriff’s Office Recovers Stolen Construction Goods Through Drones

Last week, Maryland’s Cecil County Sheriff’s Office used an unmanned aerial vehicle (UAV) to recover nearly $400,000 worth of stolen construction equipment, which also led to the arrest of the culprit. The New Jersey State Police, Pennsylvania State Police and Delaware Fish and Wildlife Natural Resources Police were all investigating this case—the construction equipment had been stolen across all four states.

Sheriff Scott Adams, who has his Federal Aviation Administration (FAA) Part 107 drone pilot’s certification and license, deployed the UAV from Cecil County headquarters after obtaining a warrant to obtain aerial views of the properties in question. Sheriff Adams and his colleagues were able to spot 17 pieces of construction equipment at one property and three pieces at another. So far, $243,000 worth of construction equipment has been returned to its owners.

Privacy Tip #79 – Consumer Reports Will Help Us With Privacy + Security of Products

What a great idea!

Trusty Consumer Reports has announced that it is collaborating with three cybersecurity firms to “create a new standard that safeguards consumers’ security and privacy—and we hope industry will use that standard when building and designing digital products such as connected devices, software, and mobile apps.” The standard is a response to the fact that most Americans do not have confidence in the privacy of their personal information. 

The standard is designed to test products specifically on their security and how that impacts the ability of the product to protect a consumer’s privacy. According to Consumer Reports, “[T]he goal is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.”

Consumer Reports has posted the standard as a public document and requests feedback from the technical community.

It is a challenging time when it comes to protecting privacy, particularly with new mobile apps and other products that can collect and use our personal information. Even those of us who make a living staying on top of these issues have a hard time keeping up with all of the new products and technology that impact our privacy. This standard by Consumer Reports is a welcome tool to assist all of us in the ability to keep track of which products are collecting and using our data, and which ones care the most about protecting it.

Congress, FCC Weigh Measures to Repeal ISP Privacy Rules

Last October, the Federal Communications Commission (FCC) approved new privacy rules governing how Internet Service Providers (ISPs) are permitted to use and share their customers’ personal information. The rules have been fiercely contested by telecom companies that contend they are being unfairly held to more stringent regulations than so-called edge providers (Google, Facebook, etc.), which are subject only to less restrictive guidelines established by the Federal Trade Commission (FTC). In particular, the FCC rules go beyond FTC regulations in defining “sensitive” customer information to include web browsing and application usage history and requiring ISPs to obtain affirmative “opt-in” consent before using or sharing such information. Certain data security obligations under the rules were scheduled to go into effect on March 2nd, with the remaining provisions relating to data breach notification and opt-in requirements slated for implementation later this year.

Federal Agencies Hit with 30,899 Cyberincidents in 2016

The Office of Management and Budget (OMB) released a report this week indicating that federal agencies experienced almost 31,000 cyberincidents in 2016. The Federal Deposit Insurance Corporation was responsible for 10 of 16 major incidents. These incidents resulted when personally identifiable information was able to be downloaded onto removable media.

Despite the dismal number of incidents, the report commented that the situation is improving in that agencies are implementing more sophisticated data security measures, including two-factor authentication and identifying and protecting high-risk data.

The biggest culprits for data loss in 2016 were “other” (which were unable to be categorized) and loss or theft of equipment (5,300 incidents). Web and phishing attacks continued to be a problem, as well as improper usage of government assets.

House Bill Would Allow Employers to Require and Access Genetic Testing Results

House bill HR 1313, introduced by Representative Virginia Foxx (R-N.C.), proposes to allow companies to require employees to undergo genetic testing, then allow employers to see the results, and impose financial penalties on any employees who request to opt out of the requirement.

The bill, which was before the House Committee on Education and the Workforce, was supported by all 22 Republicans and opposed by all 17 Democrats on the Committee.

Those in support of the bill state that the legislation would give employers the ability to offer wellness plans and promote a healthy workforce and lower health care costs.

Critics say the bill would eviscerate the Genetic Information Non-Discrimination Act (GINA) and the Americans with Disabilities Act (ADA) which specifically prohibit employers from asking for, accessing or using genetic information for certain actions that are considered discriminatory.

We will be watching this bill closely.