Sunday, October 4, 2020

Brexit effect on UK data protection Laws & GDPR

The UK is coming to the end of the Brexit transition period with a resolution on the future relationship with the EU seemingly very far away. While a wide-ranging deal seems increasingly unlikely, it is still possible we will get a number of hastily organised last-minute sectoral agreements and in many ways, data protection would be a prime candidate for this kind of deal given that the UK has already made provision to continue with the current regime, at least in the short term. If, however, no deal is forthcoming, the UK will become a third country for GDPR purposes on 1 January 2021 (implementation day or ID). What does that mean?

The UK data protection regime from 1 January 2021

The UK has made preparations to adopt the GDPR to work as a piece of UK legislation in conjunction with the Data Protection Act 2018 (DPA18). The draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 will come into force on ID.

The Regulations consolidate and amend the EU GDPR and UK DPA18 to create a new UK GDPR. The responsibilities of controllers in the UK will not change and GDPR standards will continue to apply. However, the ICO has not sat on the EDPB nor participated in the GDPR consistency mechanism since the date of the UK's exit from the EU.

The extraterritoriality of the UK's data protection framework will continue to apply. This means controllers or processors based outside the UK processing personal data about individuals in the UK in connection with offering them goods and services or monitoring their behaviour, will be caught. Crucially, this includes controllers and processors based in the EEA.

The impact of the UK sitting outside the EEA without an adequacy arrangement will be felt in a number of areas.

Data exports/imports under GDPR

From ID, the UK becomes a 'third country' for the purposes of transfers of personal data from the EU.

Under the GDPR, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals rights and protections equivalent to those they enjoy in the EU. Countries considered to have a data protection regime which provides a level of protection essentially equivalent to that in the EU may benefit from a Commission adequacy decision, which allows the free flow of personal data from the EU. Currently, 12 jurisdictions (including the Channel Islands) have adequacy decisions. South Korea is currently being assessed.

While the UK will start from a position of alignment with the EEA on data protection, the EU has expressed some reservations which could prove a stumbling block to adequacy. Concerns have been heightened following the publication of the UK's National Data Strategy which hinted the UK might depart from the GDPR in future and followed Boris Johnson's statement in February 2020 that the UK would seek to establish "sovereign controls" in data protection. Scrutiny will focus on the UK's arrangements for sharing data with the USA under the Access to Electronic Data for the purpose of Countering Serious Crime agreement, and on onward transfers to the US more generally. The EU is also concerned about potential access to EU data by UK law enforcement and national security agencies, an issue highlighted in the recent CJEU decision in Privacy International.

If there is no adequacy decision, a number of other data transfer mechanisms can be used, principally the EC's standard contractual clauses (SCCs), or Binding Corporate Rules (BCRs). There are other limited options but these are not usually available for regular transfers.

Data exports from the UK to the EEA

On ID, the EEA countries will become third countries with regard to exports from the UK. Under the Regulations, the UK government has done what it can to preserve the free flow of personal data from the UK to the EEA. The UK will transitionally recognise all EEA States, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, allowing personal data to flow freely to them from the UK.

Data exports between the UK and EU-adequate countries

The UK has confirmed that it has secured agreements with eleven of the twelve EU-adequate jurisdictions to preserve the free flow of personal data from them to the UK. This covers Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Negotiations with Andorra are ongoing.

Data exports from the UK to third countries outside the EEA

Again, the Regulations provide reassurance in this area by essentially preserving the effect of existing mechanisms:

  • The effect of existing EU adequacy decisions will be preserved on a transitional basis.
  • SCCs previously issued by the Commission will continue to be an effective basis for international data transfers from the UK in a no-deal scenario, so organisations which transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. The ICO will have the power to issue new SCCs after ID.
  • Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO, which allow data to flow from the UK within a corporate group, will continue to be recognised in domestic law. The ICO will have the power to authorise new BCRs after ID.

Onward transfers of data originating in the EEA could be more problematic as flow-down of EEA protections will be required.

Data transfers from the UK to the US

The Regulations provide for the effect of the EU-US Privacy Shield to be preserved with respect to UK personal data flowing to the US. However, the CJEU struck down the Privacy Shield in July 2020, a decision which applies to the UK under the terms of the transition period.

The UK will, in theory, be able to re-instate the Privacy Shield after ID, but if it does, it puts a future adequacy arrangement with the EU at risk given the concern about onward transfers. It is currently unclear whether or not the UK is likely to reach its own agreement with the US.

In the meantime, the Schrems II judgment cast doubt on all methods of data transfer from the EEA to the US and, by extension, from the UK to the US. This is a complex and developing area. See our article for more on data transfers to the US.

EEA to UK data transfers

The UK cannot unilaterally provide for the free flow of personal data from the EEA into the UK, so these are the data flows most at risk. In the absence of an adequacy decision, those relying on such transfers will need to put one of the approved transfer mechanisms in place by ID. The most likely candidate, being the easiest to arrange, is Standard Contractual Clauses (SCCs).

There are a number of potential issues with SCCs. They do not always match the actual data flow and cannot be used for processor-to-processor transfers (although the EC hopes to have new SCCs in place by the end of the year). Another concern is that, following the CJEU judgment in Schrems II, exporters and importers are now required to assess whether the importing country allows its intelligence and law enforcement agencies access to EU data in a way that would not adequately protect it by comparison with EU standards. In theory, as the UK was until recently an EU Member State, the level of protection should be adequate, but concerns have been raised that the UK surveillance regime is too intrusive and puts EU data at risk – something often cited as a potential stumbling block to the UK obtaining an adequacy arrangement and reinforced by the recent CJEU decision in Privacy International.

Whatever the pros and cons of the various transfer mechanisms, the message to take away is that something needs to be in place from ID to preserve the free flow of personal data from the EEA to the UK, unless there is a last-minute deal on personal data flows.

What happens to current or pending BCRs?

The EDPB produced an information note on the impact of a no-deal Brexit on BCRs which have the ICO as their Lead SA. As the ICO will no longer play a part in the BCR community in the event of a no-deal/no-adequacy ID, organisations headquartered in the UK will need to identify the most appropriate SA for their BCRs under Article 29 Working Party Opinion 263. Groups which currently have a BCR application pending with the ICO will also need to go through this exercise, and the newly nominated SA will take over the application from the ICO. Where the ICO has approved an application which is still before the EDPB on ID, a new Lead SA will have to be identified and will re-submit the application to the EDPB for approval. An organisation relying on EEA regulator-approved BCRs covering the UK will need to update them so that the UK is listed as a third country outside the EEA.

All Brexit-related changes to existing BCRs need to be made before the end of the transition period in order for data flows to be able to continue without interruption from 1 January 2021. See our article for more on BCRs.

Representatives

It's not just data exports/imports which are an issue. Businesses will also need to consider whether they have to appoint a representative in a third country jurisdiction. Under Article 27 GDPR, controllers and processors not established in the EU are required to appoint a representative unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. With the UK outside the EU, businesses with establishments in the UK but not in the EU may be caught by Article 27 from ID.

Similarly, the UK GDPR replicates Article 27 so that controllers and processors not established in the UK (including those in the EEA) will be required to appoint a representative in the UK unless they are a public authority; or their processing is only occasional, low risk and does not involve special category or criminal data on a large scale. Read more about the role of the representative here.

The location of your Lead SA and DPO

One of the long-heralded advantages of the GDPR is the 'one-stop shop' regulatory regime for organisations processing personal data across the EU. The UK will no longer be able to participate in this after ID (which means that businesses which currently have their Lead SA in the UK will need to consider the location of a Lead SA in the EU). They may also want to consider whether they need a DPO based in the EU. 

Check your contracts

However you decide to handle the issue of Brexit, it is important to check that any existing contracts and terms and conditions match your intentions. This is particularly the case for data transfer agreements or data processing agreements.

Don't forget that whatever lawful basis you rely on to export and/or import personal data, you may also need a data transfer agreement or data processing agreement. For example, for data exports to a processor or sub-processor, the GDPR sets out detailed requirements that an agreement must include in addition to addressing the transfer.

Existing agreements, policies and terms and conditions may need to be amended or replaced if, for example, you decide to change the location of your DPO or your Lead SA, or perhaps the governing law and jurisdiction of the contract (for example, moving it to an EU Member State). You will also need to ensure that appropriate provision is made for the initial and onward transfers in accordance with GDPR and UK GDPR requirements, especially as the first transfer may no longer be one envisaged by the relevant contract or terms and conditions.

Other resources

The UK's ICO has published guidance for businesses and SMEs on preparing for a no-deal ID. This includes a 'six-step' plan, broader guidance, FAQs, and an interactive tool to help assess whether SCCs are an appropriate data transfer solution. It also covers methods of preserving data flows and looks at when a business might need to appoint a representative in the EU.

Friday, October 2, 2020

CCPA Cases 2020

Atkinson et al v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal.)

Date Filed: June 11, 2020

Cause of Action / Trigger of Claim

Suit against Minted.com arising out of an April 2020 data breach that resulted in the exfiltration of 73.2 million records that included passwords, names, email addresses, and other information. Complaint alleges a violation of § 1798.150 by defendant’s failure to prevent the unauthorized access and exfiltration, theft, or disclosure of class members’ non-encrypted PII.

Claims for Relief

Plaintiffs and class members seek injunctive or other equitable relief to ensure the defendant safeguards customers’ PII in the future. Plaintiffs will also seek statutory damages if the defendant “cannot cure the data breach within 30 days.”

Status

Pleadings


Alma Fidela Cercas et al v. Ambry Genetics Corp., No. 8:20-cv-00791 (C.D. Cal.)

Date Filed: April 27, 2020

Cause of Action / Trigger of Claim

Suit against a clinical genomic diagnostics company arising out of a January 2020 data breach that resulted in the exposure and exfiltration of sensitive personal and medical information of more than 232,200 patients. Defendant began notifying affected patients in April 2020.

Claims for Relief

Plaintiffs seek injunctive relief, and under § 1798.150(b)'s written notice to defendant provision, plaintiffs state “If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.” 

Plaintiffs claim defendant violated § 1798.150(a)'s prohibition of unauthorized access and exfiltration, theft, or disclosure of PII.

Plaintiffs also bring various claims for violations of California Confidentiality of Medical Information Act, California Medical Records Act, California UCL, negligence, and unjust enrichment.

Status

Pleadings


In Re: Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal.)

Date Filed: April 24, 2020

Cause of Action / Trigger of Claim

Claims arise out of a Vice Media report detailing unauthorized data sharing and security vulnerabilities in Zoom. The claims specifically allege that Zoom collected personal data in the form of unique advertiser identifiers and shared that data with third parties such as Facebook and LinkedIn without notifying consumers or giving them the right to opt out.

Buxbaum v. Zoom also tries to characterize the sharing of information as a data breach or “exfiltration” under §1798.150 alleging: “[b]y allowing user names and passwords to be exfiltrated, Zoom violated the CCPA.”

Under § 1798.150(b), Plaintiffs gave written notice of the alleged violations, giving Zoom 30 days to "cure" them.

Plaintiffs claim that the Defendant violated:

  • § 1798.100(b): Failure to provide adequate notice
  • § 1798.150(a) and § 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • § 1798.150: Data breach or exfiltration violation

Plaintiffs also bring various claims for violations of UCL and CLRA and for negligence, invasion of privacy, and unjust enrichment.

Claims for Relief

  • Injunctive Relief
  • Declaratory Relief
  • Attorneys Fees

Status

Pleadings


Sweeney v. Life On Air, et al., No. 20cv742 (S.D. Cal.)

Date Filed: April 17, 2020

Cause of Action / Trigger of Claim

Claim against Houseparty, a video chat and social media app, alleges that the company shared PII (including personal identifiers, IP addresses, time zone details, phone carrier, device information, and unique advertiser identifier (“IDFA”)) with Facebook and other third parties without notifying users or giving them the option to opt out. Similar to the operative facts in the Zoom cases, the complaint focuses on the use of Facebook’s software development kits (“SDKs”).

Plaintiff claims that the defendant violated:

  • § 1798.100(b): Failure to provide adequate notice of collection, use or sale of PII
  • § 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • § 1798.135(a)(1): Failure to provide a clear and conspicuous "Do Not Sell My Personal Information" link on the webpage
  • § 1798.135(a)(B)(6): Failure to keep PII private

Claims for Relief

Plaintiffs seek injunctive relief in the form of an order enjoining Defendant from continuing to violate CCPA and actual damages.

Status

Pleadings


Rahman v. Marriott International, No. 20-cv-00654 (C.D. Cal.)

Date Filed: April 3, 2020

Cause of Action / Trigger of Claim

Cal. Civ. Code § 1798.150(a)(1)

The CCPA provides consumers with the right to institute a civil action where the consumers’ “nonencrypted and nonredacted personal information” was the subject of “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

This action arises out of a cybersecurity breach affecting 5.2 million consumers. Marriott announced the data breach on March 31, 2020 and sent e-mails to affected customers.

Claims for Relief

  • injunctive relief
  • enjoining Marriott from continuing to violate the CCPA
  • requiring Marriott to employ adequate security practices consistent with law and industry standards to protect class members’ personal information
  • requiring Marriott to complete its investigation
  • issuing an amended statement to the public and affected guests that is not evasive and contains no equivocations (e.g., phrases such as “may have,” the investigation is “ongoing,” “no reason to believe,” etc.) and to instead confirm and confess, with certainty, what categories of data were stolen and accessed without class members’ authorization, how the data breach occurred, and what specifically occurred to cause the breach

Status

Pleadings


Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.)

Date Filed: March 10, 2020

Cause of Action / Trigger of Claim

Sensitive PII including medical information of patients of a drug and alcohol rehabilitation center was searchable, findable, viewable, and downloadable by anyone with access to an internet search engine. The breach occurred for a period of almost 30 months from March 2017 to September 2019, and the company put up a public notice in January 2020.

The CCPA is mentioned towards the end of the pleadings as Count X (taking up less than a page, so it does not appear to be a significant part of this lawsuit).

Defendant violated CCPA by subjecting the nonencrypted and nonredacted Personal and Medical Information of Plaintiff and Class members to unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information. Cal. Civ. Code § 1798.150(a).

Claims for Relief

  • Injunctive relief
  • Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.

Status

Pleadings


In Re Ring Litigation, No. 2:19-cv-10899 (C.D. Cal.)

Date Filed: February 18, 2020

Cause of Action / Trigger of Claim

Ring is a provider of smart security devices, notably a video surveillance doorbell. Ring allegedly disclosed PII of users to unauthorized third parties. The PII included names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from customers' devices.

The CCPA is mentioned at the very end of the pleadings as the final (8th) cause of action (taking up less than a page, so it does not appear to be a significant part of this lawsuit).

Plaintiff claims that the defendant violated:

  • Cal. Civ. Code § 1798.100(b): Use of PII without providing notice.
  • Cal. Civ. Code § 1798.120(b): Failure to provide notice to consumers regarding their right to opt out.

Claims for Relief

  • Injunctive relief
  • On behalf of Class members, Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations

Summary of the Claim

  • Ring devices used third-party trackers and disclosed a plethora of user PII to four analytics and marketing companies. Ring did not follow industry standards and did not require even basic measures such as two-factor authentication to use its devices.
  • Users' reasonable expectation of privacy was violated by the failure to provide adequate security and by the disclosure of private and personal information to unauthorized third parties without consent.
  • The PII shared included time zone, device model, language preference, and unique identifiers, in addition to sensor data, exposing Plaintiffs to risk.
  • Ring was negligent and breached its duty of care by ignoring consumer complaints as well as implied contracts of privacy with consumers.
  • Ring's video doorbell was not a product fit for merchantability, as it was not secure and could easily be accessed by third parties.
  • Ring was unjustly enriched by selling its products to consumers.
  • Ring violated the CCPA by collecting PII without providing notice to consumers and by not providing consumers with an option to opt out.

Status

Pleadings


In Re: Hanna Andersson and Salesforce.com Data Breach Litigation, No. 20-cv-00812 (N.D. Cal.)

Date Filed: February 3, 2020

Cause of Action / Trigger of Claim

Personally Identifiable Information (PII) of Hanna Andersson customers was scraped by malware running on the Salesforce cloud-based e-commerce platform used by the company. Stolen PII included customers' names, addresses, credit card numbers, credit card expiration dates, and CVV codes.

Law enforcement found the stolen information on the dark web and informed Hanna Andersson of the breach, which occurred from September 16, 2019 to November 11, 2019.

Claims for Relief

Plaintiffs claim violation of California's Unfair Competition Law and seek the following relief:

  • Class Action Certification
  • Enjoin Defendants from engaging in inadequate protection of Plaintiff’s PII
  • Defendants provide funds for Credit Monitoring of all class members
  • Compensatory, statutory, and punitive damages
  • Equitable relief and restitution of revenues retained by Defendants as a result of wrongful acts
  • Legal fees and costs of Plaintiffs

The CCPA is only mentioned incidentally:

“… (iv) deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.);” …

“Whether Defendants violated California’s California Consumer Privacy Act by failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.”

Summary of the Claim

Hanna Andersson (retailer of high-end children's apparel) and Salesforce (provider of cloud-based services) both failed to:

  1. adequately safeguard PII of users
  2. warn users of inadequate information security practices and
  3. effectively monitor their platforms for security vulnerabilities and incidents.

Defendants’ conduct amounts to negligence and violates several California statutes.

At least 10,000 California residents and multitudes nationwide were affected by the breach.

Some of this information is still being sold on the dark web and poses a lifetime risk of identity theft to users of Hanna Andersson.

Status

Pleadings


Shadi Hayden v. The Retail Equation, Inc., et al, No. 8:20-CV-01203 (C.D. Cal.)

Date Filed: July 7, 2020

Cause of Action / Trigger of Claim

Claim against Sephora USA, Inc., and The Retail Equation, Inc., alleging the sharing of consumer data collected for a consumer report and “risk score” used to advise Sephora whether attempted product returns and exchanges are fraudulent. Complaint alleges that Sephora shared PII, specifically customers’ name, date of birth, race, sex, photograph, street address, and zip code with the Retail Equation to create the reports and “risk scores” without their knowledge or consent. Complaint alleges Defendants unlawfully invaded Plaintiff’s and Class Members’ right to privacy under sections 1798.100(b), 1798.110(c), and 1798.115(c) of the CCPA.

Claims for Relief

Plaintiff seeks an order that Defendants are permanently enjoined from their improper conduct and practices as alleged, a judgment awarding appropriate monetary relief, and costs associated with the action, including attorneys’ fees and expenses.

Status

Pleadings


Flores-Mendez et al v. Zoosk, Inc., No. 3:20-cv-4929 (N.D. Cal.)

Date Filed: July 22, 2020

Cause of Action / Trigger of Claim

Claim against Zoosk, Inc., an online dating company, arising out of a May 2020 data breach in which 30 million user records were subject to unauthorized access. The customer information disclosed in the data breach included a combination of individuals' names, email addresses, dates of birth, demographic information, gender, and password information.

Complaint alleges a violation of § 1798.150 by Defendant’s failure to prevent the unauthorized access and exfiltration, theft or disclosure of Class Members’ PII.

Claims for Relief

Plaintiff and Class Members seek declaratory, injunctive, and other equitable relief necessary to protect their PII, including, but not limited to, an order compelling Defendants to adopt reasonable security procedures and practices to safeguard customers’ PII and prevent future data breaches.

Status

Pleadings


P. et al v. Shutterfly, Inc., No. 4:20-cv-04960-KAW (N.D. Cal.)

Date Filed: July 23, 2020

Cause of Action / Trigger of Claim

Claim against Shutterfly, Inc., arising out of Shutterfly's use of facial recognition technology to extract biometric identifiers associated with minors' faces from user-uploaded photographs. The complaint further alleges that Shutterfly subsequently stored this biometric information of users and non-users in its database.

Complaint alleges a violation of § 1798.100(b) by Defendant’s failure to disclose the personal information of minors it collects and not giving consumers the right to decide whether their personal information is collected or have their information deleted.

Complaint also alleges a violation of § 1798.150 by equating the disclosure of minors’ nonencrypted and nonredacted personal information to other companies as a data breach.

Claims for Relief

Plaintiff seeks an order declaring that Defendant’s conduct violates the CCPA and requiring Shutterfly to cease alleged unlawful activities, in addition to an award of damages.

Status

Pleadings


Brekhus et al v. Google LLC and Alphabet Inc., No. 5:20-cv-05488 (N.D. Cal.)

Date Filed: August 7, 2020

Cause of Action / Trigger of Claim

Complaint against Google and Alphabet arising out of allegedly false representations by Google to consumers that it would not record or process conversations or other audio picked up by voice-activated hardware devices unless users say a specific activation phrase. Plaintiff and Class Members allege that information picked up through these devices included recordings of communications and activities inside users’ homes.

Complaint alleges a violation of § 1798.100 by failing to inform Plaintiffs that Google would collect categories of personal data beyond those that Google had identified in its Privacy Policy as being subject to collection. Complaint further alleges that Google's failure to implement and maintain reasonable security procedures and practices violated § 1798.150, since it subjected Plaintiffs to a scheme whereby Defendants gained unauthorized access to their private information.

Claims for Relief

Plaintiff and Class Members seek an order enjoining Defendants from continuing to violate the CCPA.

Status

Pleadings


Guzman v. RLI Corp, et al., 2:20-cv-08356 (C.D. Cal.)

Date Filed: September 10, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from an alleged data breach by RLI, a federal surety company that contracts with an immigration bail bond company, when it failed to redact respondents' personal information (dates of birth, SSNs, addresses, and the names and contact information of family members, including minor children) in PACER filings.

Complaint alleges violations of § 1798.100(b) and § 1798.115(d) for failing to inform the proposed California Sub-Class of the collection of their personal information and sharing access to that personal information with third parties in violation of § 1798.110(c).

Plaintiffs also allege a violation of § 1798.150(a) because the PACER filing failed to prevent nonencrypted and nonredacted personal information from unauthorized disclosure.

Claims for Relief

Plaintiffs seek actual, punitive, and statutory damages, attorneys’ fees and costs, and any other relief the Court deems proper as a result of RLI’s alleged CCPA violations.

Status

Pleadings


Stoffers v. Dave, Inc., et al., 20STCV35381 (L.A. Superior Court)

Date Filed: September 16, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from a July 2020 data breach of users of Dave, an application that monitors bank accounts and notifies users when their expenses are likely to exceed available funds. The hack allegedly accessed personal information, including names, emails, birth dates, physical addresses, phone numbers, and encrypted social security numbers of over seven million individual user records, and then posted the entire database on a hacker forum.

Complaint alleges a violation of § 1798.150(a) for the exfiltration, theft or disclosure of users’ PII. Complaint also alleges violations of § 1798.81.5(c) for failure to require the third party handling the users’ PII to implement and maintain reasonable security procedures and processes.

Claims for Relief

Plaintiffs seek actual damages, injunctive relief, including public injunctive relief, and declaratory relief, and any other relief as deemed appropriate by the court.

Status

Pleadings


Deborah Wesch v. Yodlee Inc., et al, No. 3:20-cv-06534-AGT (N.D. Cal)

Date Filed: September 17, 2020

Cause of Action / Trigger of Claim

Proposed class action against Yodlee, a financial data aggregator, alleging that the company used its API to access the Plaintiff's bank account and sensitive personal data without her knowledge or consent when she used her PayPal account.

Complaint alleges a violation of § 1798.100(b) for failure to give notice that the business was allegedly collecting personal information.

Claims for Relief

The CCPA is not pleaded as a cause of action, but rather as an example of how the Defendant's alleged "failure to disclose violates several privacy laws."

Complaint seeks relief for violation of the Stored Communications Act (18 U.S.C. § 2701); the Computer Fraud and Abuse Act (18 U.S.C. § 1030); California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200); California's Comprehensive Computer Data Access and Fraud Act (Cal. Pen. Code § 502); California's Anti-Phishing Act of 2005 (Cal. Bus. & Prof. Code § 22948.2); unjust enrichment; and common law invasion of privacy.

Status

Pleadings

Sunday, September 13, 2020

Cyber Security Threats in Online Schooling or Colleging

With all the talk about washing hands, students need to also think about how to practise good cyber hygiene using encryption, VPNs, software updates and password management. Software that takes over a device can expose the user to spyware, malware or data exfiltration that can compromise health and personal information, or academic research and intellectual property in a competitive field.

With more teachers and students online, particularly when they connect from less controlled environments outside the school, the attack surface of the school community grows, even though schools and universities tend to be quite careful about intrusion detection and put up fairly sophisticated access controls.

Threat from Zoom Video meetings

Video-teleconferencing platform Zoom has had security and privacy issues, prompting the Indian Government and later even New York’s Department of Education to ban its use as a digital classroom; Singapore banned teachers from using Zoom after hackers crashed sessions, sharing obscene images and making lewd comments. Yet in India, schools and colleges that charge their students considerable fees still use free Zoom, putting a student's whole family at privacy risk.

Hijacking control of Zoom calls is also called “Zoom-bombing.” In Chandigarh, a science teacher was about to begin a lecture on the reproductive system for her Class X students over the video conferencing app Zoom. The teacher had recently learned how to use the app from her son. After about 45 students had joined the session, she locked the conference room and stepped out to do a final audio and video test on her son’s computer. While she was away, a pornographic movie began playing, shared from a student’s screen. It took almost five minutes for the teacher to realize what was happening and rush back to end the session. The girl from whose screen the movie was shared has been traumatized by repeated questioning from school authorities and classmates and is reluctant to rejoin the school after the lockdown ends; just imagine the trauma.

The pandemic era is creating an apparent gold mine for cyber spies, according to an April report co-authored by researchers Bill Marczak and John Scott-Railton, based at The Citizen Lab research centre at the University of Toronto. The researchers found vulnerabilities in Zoom’s encryption and “waiting room” feature, which they had raised with the company.


    Screengrab of Zoom encryption in The Citizen Lab's April report. Photo via citizenlab.ca


What more can be done

It’s often not the technology that fails. It’s teachers and students behaving in ways that put educational institutions at risk, such as not using a complex password or being reluctant to use multifactor authentication. These are the kinds of simple behaviours that we emphasize but that often aren’t followed across school systems, where convenience sometimes wins over cybersecurity hygiene.

That’s why educating teachers and students is so important, especially with looming budget cuts that may affect spending on security improvements such as firewall upgrades and higher-level endpoint protection. But that training needs to be ongoing and should include everyone in an educational institution. Cyber awareness training can cover basics like creating strong passwords, social engineering, social media behaviour and phishing attacks.

This means not just one session at the start of the school or college year, but ongoing messaging throughout the year that makes cyber safety a part of the school culture, embedded in how we teach and how we learn. The key lesson is that you can’t treat cybersecurity as one-and-done. It’s not a checklist you go through once, because the next day the entire environment has changed.


Tuesday, September 8, 2020

Types of digital wallet frauds

Unawareness and greed around digital wallets, together with the explosion of internet-connected smartphones and multiple modes of payment through apps, have created an enabling environment for fraud. While there is enough protection built into UPI and card payments, fraudsters use various tricks to get users to part with critical information.

Methods used by tricksters range from payment requests made on the Unified Payments Interface (UPI) to sharing of QR codes on WhatsApp. Here are some common ones doing the rounds.

1. Pre-approved link fraud
Fraudsters misuse the request feature on UPI by sending fake payment requests with messages like ‘Enter your UPI PIN to receive money’ or ‘Payment successful, receive Rs. xxx’. You need to enter your PIN only to send money.
Do not: 'Pay' or enter your UPI PIN to receive money.
2. QR code fraud
Fraudsters share a QR code over WhatsApp, asking for it to be scanned to receive money. This QR code, a feature in some UPI apps, is in fact a collect request: scanning it and entering your PIN is acceding to their request. Again, you need to scan a QR code only to make payments.
Do not: Share your card number, expiry date, PIN, OTP etc. with anyone.
3. Remote desktop sharing app fraud
Fraudsters ask users to install screen-sharing apps such as Screenshare, AnyDesk or TeamViewer and use them to get access to bank credentials. These apps are not malware, but they do grant the third party access to your mobile device and its data.
Do not: Download third-party apps such as Screenshare, AnyDesk or TeamViewer to enable or receive payments.
4. Impersonation fraud
Fraudsters track complaints on social media and share fake contacts, or impersonate bankers or RBI officials in response to a post, and ask for confidential information which no banker is supposed to ask for.
Do not: Search for helpline numbers on Google, Facebook or Twitter. Instead, check the official website.
5. SIM swap fraud
Fraudsters manage to get a duplicate SIM, which gives them access to one-time passwords. They do this by pretending to be from a mobile company and asking you to forward an SMS containing the SIM card number to activate the duplicate SIM.
Do not: Respond to texts or emails from unknown addresses asking you to click on links.

Wednesday, August 12, 2020

Strategic Cybersecurity Thinking

The ability to come up with effective plans in line with an organization's objectives within a particular cybersecurity situation. Strategic thinking helps cybersecurity managers review policy issues, perform long term planning, set goals and determine priorities, and identify potential risks and opportunities.

Clearly, there needs to be a strategy as to what needs to be done with respect to security, and that strategy should determine the policies and procedures. In practice, however, a security strategy is rarely created. Most emphasis is placed on policies, the implementation of which is generally relegated to the lowest levels; rather, it is assumed that most people will follow the policy that is created.

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over.

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.
