The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.

As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.
Continue Reading FTC v. LabMD – 50 shades of white hat

There are at least 1,040 reasons to love Florida. Who isn’t drawn to the sunshine, the pristine beaches, the food… and the tax fraud racket? For decades, South Florida has been the Silicon Valley for scam artists, drawn by the weather and the opportunity to make lots of money without actually doing much work. According to the Federal Trade Commission, Florida holds the highest per capita rate of identity theft complaints, followed by Georgia and California. While Medicare fraud, mortgage fraud, and securities fraud have traditionally been the bread and butter of South Florida scam artists, tax refund scams are definitely the new darling. But as the IRS recently announced, it’s the dawn of a new day for tax fraud prevention.
Continue Reading IRS shines the light on tax ID theft

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this: (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case. But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.
Continue Reading Breach litigation standing — the bell tolls for Clapper

Ah, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.

Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes. Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.

These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.
Continue Reading State breach notification laws: the quilt is getting crazier

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
Continue Reading Words from the wolf at the door

After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

Continue Reading Federal Cyber Legislation Update #1