Altaba Inc., the successor company of Yahoo Inc., recently noted in a filing with the Securities and Exchange Commission that, after it settles the consumer and shareholder suits relating to the Yahoo data breach that affected all 3 billion of its user accounts, it will have paid a net $47 million in expenses.

This estimate is based upon a tentative agreement to resolve pending state and federal class action suits, as well as a shareholders derivative suit, which is on top of a securities class action suit settlement of $80 million (including $14.4 million in attorneys’ fees) that recently received final approval from the court. That settlement has been touted as the largest securities class action in history involving a data breach.

Choice Hotels International Inc., was recently sued for failing to provide disabled users with information about its rooms’ and grounds’ accessibility. The suit, referencing the Comfort Inn in Gainesville, Florida, states that the hotel’s online reservation system fails to provide users with information about the accessible features for those using wheelchairs or canes.

According to the suit, the hotel has “failed to make its reservations services fully and equally accessible to individuals with disabilities, thereby denying those individuals the same benefits and privileges afforded to guests without disabilities” which is required under the Americans with Disabilities Act (ADA).

Another area of increased litigation under the ADA is the failure of companies to follow ADA guidelines for making their websites accessible to the visually impaired.

These suits provide incentive for companies to take a fresh look at their websites to determine whether they are compliant with the myriad of laws that apply to websites, including the ADA.

As of last week, the Federal Aviation Administration’s (FAA) Low Altitude Authorization and Notification Capability (LAANC) is nationwide. We wrote about the FAA’s initiation of LAANC in April, with incremental deployment at air traffic facilities and airports, with the final deployment on September 13 (last week). That last deployment occurred in the Central North region of the U.S. Now, LAANC has expanded to 288 air traffic control facilities and 470 airports across the country. Drone pilots using LAANC can receive an authorization to fly in certain restricted airspace in near real-time (as opposed to completing an application through the FAA’s DroneZone and obtaining a waiver for the operation). This is a huge step for the safe and efficient deployment of drones in the national airspace. To learn more about LAANC click here.

While inspecting a cracked window at San Francisco’s tilting Millennium Tower, a drone fell from the sky, just missing pedestrians below. The Millennium Tower’s homeowners association hired a drone pilot to take photos of a cracked window. During the aerial inspection, however, the drone lost its satellite signal, and once the signal was lost the drone was no longer under the pilot’s control. The drone drifted, hit another building across the street from the Millennium Tower, and crashed on the sidewalk below, just missing several pedestrians walking by. The homeowners association attorney said, “We’re trying to evaluate whether the tilting [of the building] has anything to do with [the cracked window] but we’re also looking at all other aspects of it, structural, whether it’s part of the window assembly, the manufacturing process, the installation process.” The hope is that the drone footage (obtained before it crashed) will help experts determine what is causing the window to crack. The drone’s pilot had to launch the drone from three different locations because of interference with his GPS and satellite signals. In congested cities it is often difficult to hold a signal because of the surrounding high-rise buildings, like the Millennium Tower. This is something to consider when conducting drone operations in cities.

It’s true: utility and power companies really love using drones. It may seem like drones are everywhere now, but with trillions of dollars’ worth of industrial infrastructure aging across the country, worker-safety and terrorism concerns, and climate change putting strain on power grids, manufacturing facilities and oil and gas production, drones offer a cheaper and more effective way of monitoring infrastructure. Drones are being used to spot faults or overgrown foliage in transmission and distribution lines across the U.S. Monitoring hot, dry areas (like Northern California) is becoming increasingly important: one corporation may owe as much as $17.3 billion in liabilities from the 2017 fires in wine country. Drones were also used to restore power lines in Puerto Rico after Hurricane Maria shut off nearly 80 percent of the island’s electricity.

And, while threat detection and power-restoration services are certainly beneficial, there’s another set of services that drones can provide that is just as significant: operations and maintenance. Further, as drones improve, so will the services they provide. Drones that can only collect video footage or photos are limited to inspections. With machine vision, enhanced sensors and grabbing arms and probes, drones may be able to fix minor faults in wind turbines, clear away foliage and defend assets from bad actors. Drones will be able to fly longer, act independently and replace dangerous or boring human labor as advances in 3-D vision and computational photography, cheaper communications networks and lightweight batteries improve and make their way into the market.

Research conducted by Bloomberg L.P. also found that in-house drones are cheaper than third-party drone inspection as a service. In-house drones require up-front costs (the drone itself, the software, the payload, policies and procedures to comply with Federal Aviation Administration (FAA) regulations, and training programs, perhaps including new hires), but over time they have better economics than using a third-party service.

Additionally, drones can be used to detect methane leaks coming from oil and gas pipelines at 1,000 times the accuracy of traditional methods, saving pipeline owners significant money on leaked product and potential fines.

There are, of course, pitfalls: FAA regulations require drone pilots to stay within line of sight of the drone, heavy batteries limit flight times (sometimes to only 20 minutes), and buzzing rotors are often seen as a nuisance by passersby. As technologies improve and regulations evolve, these issues will likely be resolved.

The recent tragedy with gas customers in Massachusetts has everyone focused on their utilities, which makes it a perfect time for scam artists to take advantage of worried customers, both individuals and small businesses.

One scam making headway is when a fraudster calls a customer over the telephone telling them that their water, electricity or gas will be shut off due to an outstanding bill. You don’t think that any of your past bills are outstanding, but they make it urgent and threatening that your utility will be shut off immediately if you don’t pay the outstanding bill. They can be very convincing and are well-trained.

The sure signs of a scam are if the caller requests your banking information, or asks you to pay by gift card, cash reload card, wiring money or through cryptocurrency. Utilities will not request this information over the telephone or force you to pay over the telephone as your only option.

The issue has become so widespread that the Federal Trade Commission has been receiving complaints and has issued a Consumer Information notification about the scam.

The guidance provided by the FTC if you receive a call like this includes:

  • “Concerned that your bill is past due? Contact the utility company directly using the number on your paper bill or on the company’s website. Don’t call any number the caller gave you.
  • Never give banking information over the phone unless you place the call to a number you know is legitimate.
  • Tell the FTC. Your reports help us fight these scams. And report it to the real utility company. If you already paid, tell the payment provider – such as the wire transfer or gift card company. You may not get your money back, but it’s important to tell them about the scam.
  • Find out how you can protect yourself and your business from scams [by visiting ftc.gov].”

Scammers know when to hit vulnerable individuals following a disaster or crisis, like the gas incident in Massachusetts. Be aware of their intent and protect yourself from becoming a victim from scare tactics.

We all know that it is important to protect our Social Security number. But sometimes companies still try to use the last four digits of our Social Security numbers as identifiers or to verify identity in some way. The use of Social Security numbers began in 1936, long before computers, the internet, and identity theft were on anyone’s radar screen. They started out being assigned geographically by region, so if you had a list of the first three digits (the area number) assigned to each state, you could tell whether someone had applied in Rhode Island (with a low number) or in California (with a higher number). The middle two digits are a group number (01-99) and the last four a serial number; within an area, group and serial numbers were issued in a set order rather than at random until the Social Security Administration switched to randomized assignment in June 2011. To date, more than 453.7 million Social Security numbers have been issued by the federal government. For more information on the history of Social Security, see https://www.ssa.gov/history/hfaq.html.
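As an added illustration of the number structure just described (example code written for this post, not from the SSA or the original article): a small scanner that finds SSN-shaped tokens in text, applies the SSA’s published never-issued ranges (area 000, 666 and 900-999; group 00; serial 0000) as a plausibility check, and masks all but the last four digits before anything is logged. The sample text is constructed and the function names are my own.

```python
"""Structural checks on Social Security numbers for log scrubbing and DLP.

Added example, not code from the original post. The reserved-range rules are
the SSA's published ones: area 000, 666 and 900-999, group 00 and serial
0000 are never issued. Sample text below is constructed, not real data.
"""
import re
from typing import List, Tuple

# Three-two-four digit groups, optionally separated by hyphens or spaces.
SSN_SHAPE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """True if the three fields could have been issued by the SSA.

    This is only a structural test: it cannot tell an issued number from an
    unissued one. Before June 2011 the area mapped to the applicant's state
    and groups were issued in a fixed order; since randomization none of the
    digits carry meaning, so a validator must not reject by area or state.
    """
    area_num = int(area)
    if area_num == 0 or area_num == 666 or area_num >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> List[Tuple[str, bool]]:
    """Return every SSN-shaped token with its structural validity."""
    return [(m.group(0), ssn_structurally_valid(*m.groups()))
            for m in SSN_SHAPE.finditer(text)]


def redact_ssns(text: str) -> str:
    """Mask every SSN-shaped token, keeping only the last four digits.

    The last four are what forms and call centres already expose, so keeping
    them adds no new leak. Everything else is masked whether or not the number
    is structurally valid: a scrubber should over-redact, not under-redact.
    """
    return SSN_SHAPE.sub(lambda m: "***-**-" + m.group(3), text)


# Constructed sample: two plausible numbers, three reserved-range ones, and a
# ten-digit phone number that must not match.
SAMPLE_TEXT = (
    "SSN 123-45-6789; unformatted 123456789; reserved area 666-01-0001; "
    "high area 987-65-4321; zero group 123-00-4567; phone 4015551234"
)

if __name__ == "__main__":
    for token, ok in find_ssns(SAMPLE_TEXT):
        print(f"{token:12s} structurally valid: {ok}")
    print(redact_ssns(SAMPLE_TEXT))
```

The split between the two functions is deliberate: validity is useful for triage (a structurally impossible number in a log is probably a test fixture or a typo), but the redaction path ignores it, because the cost of leaving a real number unmasked is far higher than masking a fake one.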

Why might companies think that it’s ok to only reference the last four digits of a Social Security number? Probably because there’s a false sense of security in thinking that with only those last four, there’s less of a chance of identity theft or fraud.

A determined thief, however, can take that credit card application out of your trash (the one that is already pre-filled out with your name on it) and apply for a credit card in your name that will of course, go to a new address. It’s pretty easy today to obtain just a few key pieces of information such as name, address, perhaps even date of birth, (some people put their date of birth on Facebook and other social media sites). When combined with other key identifiers, thieves can use the last four to get keys to the identity kingdom.

Some states have protections in place that limit what companies can do with respect to Social Security numbers. In Rhode Island, companies cannot require you to use the last four digits of your Social Security number to access an internet website (unless a password or PIN is also required) or print all or part of a Social Security number on materials mailed to an individual. R.I. Gen. Laws § 6-48-8(a)(4)-(5), part of the Consumer Empowerment and Identity Theft Protection Act of 2006.

What can you do to protect your Social Security number from thieves? Some things to consider: do not use the last four digits as your PIN or in passwords, and check your credit with the three major credit reporting bureaus. You can go to www.usa.gov/credit-reports for information on how to obtain a free credit report from each of the three bureaus. This will allow you to see if any new accounts have been opened that you didn’t authorize. Create an account with Social Security (www.ssa.gov/myaccount/) to check that your Social Security and wage information is accurate. Also, as we have written before, be careful not to respond to email or phone calls asking for your personal information.

Finally, be vigilant and protect the last four digits of your Social Security number when receiving phone calls, email or other requests for your Social Security number. Remember that the Social Security Administration and other government agencies are not going to call you and ask for your Social Security number by telephone.

As Hurricane Florence was making landfall, Department of Health and Human Services Secretary Alex Azar issued HIPAA guidance outlining when hospitals in declared emergency areas qualify for a waiver of sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule.

According to the guidance, “the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need….while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004…and section 1145(b) of the Social Security Act.”

The Secretary declared a public health emergency in North Carolina, South Carolina and Virginia as a result of Hurricane Florence and has “waived sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver “only applies:

  • in the emergency area and for the emergency period identified in the public health emergency declaration.
  • to hospitals that have instituted a disaster protocol.
  • for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.”

The guidance reminds covered entities and business associates that “in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”

We all remember Kronos, the banking trojan sold on Russian underground forums in 2014 for $7,000. If you bought it, you were promised updates and development of new modules.

The Kronos developers recently released a new update (dubbed Osiris), which is presently attacking individuals in Germany, Japan, and Poland, with the U.S. in the queue.

This week, Securonix researchers published research indicating that Osiris is delivered through phishing campaigns: fraudulent emails carry Microsoft Word documents or attachments with macros that, when opened, may exploit a vulnerability in the Microsoft Office Equation Editor component that was discovered in 2017 (CVE-2017-11882). Microsoft issued a patch for that vulnerability in November 2017. On a machine where the patch has not been applied, the exploit lets the attackers run arbitrary code, which installs Osiris; the malware is then used to steal data, including when individuals access their online banking accounts.

Once a machine is infected, the malware modifies the Windows registry and injects malicious code into the browser, so that when the user visits his or her bank’s domain a man-in-the-browser attack is launched. It can also log keystrokes to capture the user’s bank credentials, allowing the thieves to divert funds while posing as the user.
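The two stages described above (an Office document that exploits the Equation Editor, then a persistence change in the registry) both leave host telemetry. As an added example, not the researchers’ code and not a claim about the specific registry keys Osiris touches: detection rules run over a few constructed Sysmon-style events. Two facts beyond the post are used: the Office Equation Editor runs as the separate process EQNEDT32.EXE and has no legitimate reason to spawn a child process, and a Run-key value pointing into a user-writable directory is a standard persistence pattern. The event field names and the sample events are assumptions.

```python
"""Host-telemetry heuristics for the infection chain described above.

Added example, not the researchers' code. Events are constructed in a
Sysmon-like shape (process creation, registry value set); the field names are
assumptions. Facts used: Office's Equation Editor runs as EQNEDT32.EXE and
never legitimately spawns children (a child process is the classic sign of
CVE-2017-11882 exploitation), and a ...\\CurrentVersion\\Run value pointing
into a user-writable directory is a generic persistence heuristic.
"""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Directories a standard user can write to; binaries run or registered from
# here deserve a closer look than anything under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the name of every rule the event trips (empty list if benign)."""
    hits: List[str] = []
    if event["type"] == "process_create":
        parent = basename(event["parent_image"])
        child = basename(event["image"])
        # Equation Editor is a COM server with no business launching anything.
        if parent == "eqnedt32.exe":
            hits.append("equation-editor-spawned-child")
        # Macro-driven droppers: an Office application launching a script host.
        elif parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append("office-spawned-script-host")
    elif event["type"] == "registry_set":
        if RUN_KEY.search(event["target"]) and USER_WRITABLE.search(event["details"]):
            hits.append("run-key-points-to-user-writable-path")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(event id, rule name) for every rule hit across a batch of events."""
    return [(e["id"], hit) for e in events for hit in evaluate(e)]


# Constructed events: three that should alert, two that should not.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "process_create",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": "2", "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": "3", "type": "registry_set",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": "4", "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": "5", "type": "registry_set",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The first rule is the one to keep even after patching: it fires on the exploit stage regardless of which payload follows, so it catches the next loader that reuses the same document trick. The Run-key rule is noisier (some legitimate software self-updates from AppData), so in practice it is scored rather than alerted on alone.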

Online banking customers are at risk; being aware of the malware and practicing good cyber hygiene and vigilance are important as new variants are introduced into the environment.

On June 28, 2018, Adidas released a statement announcing that it recently “became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.” Adidas believed the breach was limited to contact information, usernames and encrypted passwords, and not any stored credit card or fitness information, relating to millions of its customers.

Subsequently, on July 3, 2018, a plaintiff, on behalf of himself and all others similarly situated, filed a complaint in the San Diego County Superior Court. The complaint set forth five separate counts: 1) negligence; 2) breach of contract; 3) breach of implied contract; 4) violation of the California Customer Records Act; and 5) unlawful and unfair business practices under the California Business and Professions Code.

The named plaintiff—Christian Duke—alleges that his claims are typical of the class because “[his] information, like that of other members of the class, was misused and/or disclosed by [Adidas] and requires responsive efforts.” As further justification for the class, he also notes that, individually, the putative-class’s damages may be insufficient to warrant the costs of litigation.

With regard to the breach, Duke alleged that Adidas failed to implement appropriate security processes, including that it:

[F]ail[ed] to ensure that the companies with which it shared members’ Personal Information implemented and maintained adequate security measures to safeguard such information, including encryption, implementation of multi-factor authentication, and usage of behavior monitoring technology to detect unusual activity and transfers of data.

Plaintiff further claims that Adidas failed to timely notify those members whose information had been compromised—despite the representations in Adidas’s statement that it was notifying customers within roughly forty-eight hours of being made aware of the breach. The complaint also asks the court to require Adidas to “notify customers of any future data breaches by email within 24 hours of a breach or possible breach.” (Emphasis supplied.) Plaintiff further seeks compensatory damages, statutory damages, and equitable relief, along with fees and costs.

Last Friday, September 7, 2018, Adidas removed the action to the United States District Court for the Southern District of California, where it is now pending before District Judge Larry Alan Burns. It will be interesting to see what challenges Adidas is able to raise, based on the Ninth Circuit’s fairly liberal view of standing in data breach cases. See, e.g., Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.), 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing where “the information taken in the data breach […] gave hackers the means to commit fraud or identity theft”). It will also be fascinating to see if the court has the opportunity to consider Plaintiff’s claim for more stringent breach notification requirements—a rather unique remedy. We’ll keep an eye on this case as it potentially makes its way through the Southern District of California.