Information Intersection > Troutman Sanders LLP

New Jersey Bill Limits Use of Driver’s License Information by Retailers

The New Jersey legislature recently passed a bill that places restrictions on retailers’ ability to collect and use personal information gleaned from driver’s licenses.  The bill, known as the Personal Information and Privacy Protection Act, is intended to give consumers more control and security over their personal information.  A copy of the bill can be found here.

Under the new legislation, retailers can scan a driver’s license or identification card only for seven specific purposes:

(1)    to verify the authenticity of the identification card or to verify the     identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;

(2)    to verify the person’s age when providing age-restricted goods or services to the person;

(3)    to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;

(4)    to establish or maintain a contractual relationship;

(5)    to record, retain, or transmit information as required by state or federal law;

(6)    to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Fair Debt Collection Practices Act; or

(7)    to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

If a driver’s license or identification card is scanned, the retailer can only collect the person’s name, address, date of birth, state of issuance, and identification card number.  The retailer must also securely store any retained information and not disclose it to any third party.

The Act establishes a civil penalty of $2,500 for an initial violation and $5,000 for any subsequent violation.

It is important to note that the Act is limited to retail establishments only and has no impact on any other uses of driver’s license information.

July 28, 2017   No Comments

Join Us on August 10 for a Webinar on A Review of the New York Cybersecurity Framework

Join Troutman Sanders attorneys Shannon VanVleet Patterson and Sheila M. Pham for a complimentary webinar on August 10, 2017 from 3:00 – 4:00 p.m. ET.

On March 1, 2017, the revised Cybersecurity Requirements for Financial Services Companies adopted by the New York Department of Financial Services (“NY DFS”) became effective.  This regulation requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks. This action by the NY DFS is a significant development in the regulatory landscape for cybersecurity. Even financial institutions not subject to regulation by the NY DFS should be aware that this regulation may be the first in a series of incremental steps by state and federal banking regulators as they continue to consider ways to enhance protection of digital information and management of cyber risks.

Registration is complimentary. Scheduling conflict? Register to receive the recording after the webinar.

July 24, 2017   No Comments

Second Circuit Affirms Dismissal of Putative Data Breach Class Action Against Michaels


On May 23, 2017, in Whalen v. Michaels Stores, Inc., the United States Court of Appeals for the Second Circuit issued a summary order affirming the district court’s dismissal of a putative data breach class action based on lack of Article III standing.

As background, the named plaintiff Mary Jane Whalen made credit card purchases at a Michaels stores in 2013.  In 2014, Michaels suffered a data breach of its systems.  Whalen’s credit card was thereafter allegedly presented for a payment to a gym in Ecuador. Whalen did not allege that any fraudulent charges were actually incurred on the card, or that she was in any way liable for the fraudulent presentations.

The United States District Court for the Eastern District of New York originally dismissed the putative class action complaint, holding that Whalen did not allege facts sufficient to establish Article III standing “because Whalen neither alleged that she incurred any actual charges on her credit card, nor, with any specificity, that she had spent time or money monitoring her credit.”  The Second Circuit agreed.

“Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases,” held the Second Circuit.  For instance, Whalen was never “asked to pay, nor did pay, any fraudulent charge.  And she does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information . . . is alleged to have been stolen.”  Whalen’s Complaint also did not allege any “specifics about any time or effort that she herself has spent monitoring her credit.”  Without any such allegations, the Second Circuit found that Whalen “has alleged no injury that would satisfy the constitutional standing requirements of Article III, and her claims were properly dismissed.”

May 31, 2017   No Comments

NY AG Settles with IoT Company over Security Practices


On May 22, 2017, New York Attorney General Eric Schneiderman announced a settlement with Safetech Products LLC (“Safetech”) over allegations that the Internet of Things (IoT) company sold insecure wireless door and padlocks.  According to the Attorney General, the settlement marks the first time a state Attorneys General has taken legal action against a wireless security company for failing to protect their consumer’s personal and private information.

Safetech offers customers Bluetooth-enabled locks.  According to the Attorney General, Safetech represented to consumers that its products would allow users to protect personal belongings inside their homes by turning doors and closets into secure areas.  However, in 2016, independent researchers found that Safetech’s Bluetooth-enabled locks transmitted passwords between the locks and the user’s smartphone in plain text without encryption, allowing potential perpetrators to intercept the passwords and open the locks.  The researchers also discovered that the locks contained weak and insecure default passwords that could easily be solved or discovered through brute force attacks of automated software used to generate a large number of consecutive guesses.

As part of the settlement agreement, Safetech agreed to establish and implement a written comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information, including:

  1. The designation of an employee or employees to coordinate and be accountable for the security program;
  2. The identification of material internal and external risks to (a) the security of the devices that could result in unauthorized access to or unauthorized modification of the device, and (b) the privacy, security, confidentiality, and integrity of security information;
  3. The risk assessments considering each area of relevant operation, including, but not limited to: (a) employee training and management, including secure engineering and defensive programming; (b) product design, development, and research; (c) secure software design, development, and testing; (d) review, assessment, and response to third party security vulnerability reports, and (e) prevention, detection, and response to attacks, intrusions, or systems failures;
  4. The design and implementation of reasonable safeguards to control the risks identified through risk assessment;
  5. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  6. The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with the agreement; and
  7. The evaluation and adjustment of Safetech’s security program in light of the results of the testing and monitoring required by the agreement.

The New York Attorney General’s action is notable in that it marks the first time that a State Attorney General has taken action against an IoT company over security representations.  In recent years, the FTC has established itself as a lead regulator in the space. As we noted here, the FTC recently brought an action against D-Link alleging UDAP violations related to the company’s security vulnerabilities.  There, the FTC alleged that D-Link failed to adequately secure software for D-Link routers and IP cameras, and misrepresenting through their security event response policy, router and IP camera promotional material, and router graphical user interface that the software was secure.  Similarly, last year, the FTC settled with another IoT company, ASUSTek Computer, Inc. Read our blog post here.  There, the FTC alleged that ASUS had engaged in unfair and deceptive acts or practices by marketing their routers and cloud services as “secure” while knowing about and failing to fix serious vulnerabilities.

Going forward, IoT companies should expect continued scrutiny not only from the FTC, but also state Attorneys General.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders is well-positioned to help companies develop procedures for effectively handling security issues.  Because of our team’s technical background, we are uniquely positioned to understand companies’ IoT technology concerns and to address any risks from a legal perspective.  We routinely advise businesses on security and privacy best practices with respect to connected devices, which help to avoid acts or practices that may be considered unfair or deceptive.

May 30, 2017   No Comments

State Attorneys General Reach $18.5M Agreement with Target Over 2013 Data Breach


On May 23, state attorneys general from 47 states and the District of Columbia announced a settlement agreement with Target Corporation to resolve the states’ investigation into the company’s 2013 data breach.  Under the terms of the Assurance of Voluntary Compliance (“AVC”), Target will pay $18.5 million to the states – the largest multistate data breach deal ever reached, according to a press release from Illinois Attorney General Lisa Madigan.

The AVC did not provide factual allegations regarding the breach.  However, press releases from various state attorneys general asserted that Target’s 2013 data breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.  The press releases further alleged that cyber attackers had accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor.  The stolen credentials were then used to exploit weaknesses in Target’s system, allowing the attackers to access a customer service database, install malware on the system, and capture customer data.  The stolen data included customers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification (CVV1) codes, and encrypted debit PINs, according to the attorneys general press releases.

Under the terms of the agreement, Target will pay $18.5 million to the state attorneys general.  In addition, Target will be required to adopt the cybersecurity standards that include the following:

  • Develop, implement, and maintain a comprehensive information security program;
  • Employ an executive or officer who is responsible for executing the plan;
  • Hire an independent qualified third party to conduct a comprehensive security assessment:
  • Maintain and support software on its network for data security purposes;
  • Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
  • Segment its cardholder data environment from the rest of its computer network; and
  • Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication.

As we previously reported here, state attorneys general have been active in investigating data breaches and in promoting effective cyber security standards.  This settlement is noteworthy since the amount appears to be twice as much as the next largest state A.G. data breach settlement.  In 2009, T.J. Maxx entered into a settlement agreement with 41 state attorneys general for $9.75 million over an alleged breach involving more than 94 million credit and debit cards.  More recently, in 2015, online retailer Zappos reached a settlement with nine state attorneys general over a 2012 data breach that compromised personal and financial information of nearly 24 million of the company’s customers.  Under the settlement, Zappos agreed to pay more than $100,000 to the states and to implement enhanced privacy policies and security standards.  The recent settlement with Target demonstrates the states’ continued interest in investigating data breaches.

Madigan and Connecticut Attorney General George Jepsen, long considered leaders in the cybersecurity and privacy space, led the investigation.  Other states that signed the agreement were Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia, and the District of Columbia.  California, long considered a leader in the cybersecurity and privacy space, is negotiating an independent settlement that incorporates the substantive terms of the AVC, and the $18.5 million dollar payment includes payment to California.

May 26, 2017   No Comments

Class Action Filed Against Chipotle for Data Security Breach Involving Payment Processing System


On May 4, Bellwether Community Credit Union filed a class action suit on behalf of a proposed class of financial institutions in Colorado federal court against Chipotle Mexican Grill, Inc., claiming that the chain’s recently announced data breach caused significant financial harm to the credit union.  Bellwether’s complaint alleges that Chipotle’s purportedly lax security standards violated Section 5 of the Federal Trade Commission Act.  Bellwether claims that it and other similarly situated financial institutions incurred substantial costs related to canceling and reissuing compromised cards as well as investigating and refunding fraudulent charges as a result of Chipotle’s alleged negligence.

As we previously wrote here, Chipotle announced on April 26 that the restaurant detected a security breach in its electronic processing and transmission of confidential customer and employee information.  Chipotle has not disclosed the scope of the security breach.  However, the chain stated in its quarterly report to the U.S. Securities and Exchange Commission that 70% of its 2016 sales were attributable to debit and credit card transactions.

Less than two weeks after Chipotle’s disclosure, Bellwether filed its complaint against Chipotle, alleging that Chipotle failed to mitigate potential data damage and failed to comply with industry best practices.  Bellwether alleges that Chipotle “failed to ensure that it maintained adequate data security measures, failed to implement best practices, failed to upgrade security systems and failed to comply with industry standards by allowing its computer and point-of-sale systems to be hacked, causing financial institutions’ payment card and customer information to be stolen.”

Bellwether alleges that Chipotle failed to mitigate potential risk by not implementing EMV technology, a global standard for debt and credit cards equipped with computer chips and technology used to authenticate chip card transactions.  The complaint further alleges that Chipotle failed to upgrade its payment terminals despite the payment card industry’s minimum EMV chip card and terminal requirements implemented in October 2015 because the upgrades would “slow down customer lines.”  According to the payment card industry’s Card Operating Regulations, businesses accepting payment cards that failed to meet the October 1, 2015 deadline agreed to be liable for damages from resulting data breaches.

In its complaint, Bellwether also states that Chipotle’s security practices violated industry best practices by failing to comply with a payment card industry data security standard.  The Payment Card Industry Security Standards Council, a group established by American Express, Discover, JCB International, MasterCard and Visa Inc. in 2006, promulgated a standard of 12 requirements for all organizations involved in storing, processing, or transmitting cardholder data to follow in constructing and sustaining safe and secure networks.

Interestingly, Bellwether’s complaint does not allege the extent of damages claimed to have been incurred by the credit union and other class action members.  The proposed class, as defined in the complaint, is all U.S. financial institutions that issue payment cards or support card-issuing services.

Chipotle’s data breach is the latest in a series of large breaches targeting customer payment card data at restaurants and retailers nationwide.  Bellwether’s complaint highlighted the recent data breaches at Target, Neiman Marcus, Michaels, Kmart, and several other retailers.  According to the complaint, given the foreseeability of a data breach based on industry warnings from Visa and the U.S. Computer Emergency Readiness Team, as well as several well-documented and highly publicized data breaches, Chipotle was on notice of the security risks in its system and thereby negligently failed to use reasonable measures to protect customer and employee data.

Chipotle has stated that it will share more information with affected customers as it becomes available.

May 19, 2017   No Comments

Join Us for the ISSA Summit in LA on May 18-19

We are pleased to announce that Troutman Sanders partner Ronald Raether will be a featured speaker at the Ninth Annual Information Security Summit hosted by the Los Angeles Chapter of the Information Systems Security Association (ISSA) at the Universal City Hilton.  During a lunch panel discussion on May 19, Ron will address emerging topics in privacy and security.

The Ninth Annual Information Security Summit offers comprehensive, cutting-edge educational sessions presented by a world-class lineup of keynote and featured presenters.

For additional information or to register, click here. Enter this code for a 50% discount on registration: ISSA@Summit9.

May 15, 2017   No Comments

Chipotle Discloses Data Security Breach Related to Network Supporting Payment Processing for Restaurant


In its Form 10-Q dated April 25, 2017 for the quarterly period that ended on March 31, 2017, Chipotle Mexican Grill, Inc. announced that it had detected a data security breach in its electronic processing and transmission of confidential customer and employee information.  Specifically, Chipotle’s information security team detected unauthorized activity on the network that supports payment processing for its restaurants in April 2017.  Chipotle reported that it immediately began an investigation with the help of leading computer security firms, and self-reported the issue to payment card processors and law enforcement agencies.  Chipotle stated that its investigation, which is ongoing, is focused on card transactions at its restaurants that occurred from March 24 through April 18, 2017.

Chipotle stated that 70% of its sales in 2016 were attributable to credit and debit card transactions – meaning that the extent of the breach could be quite large. Chipotle also stated that it plans to provide notification to affected customers once it obtains more details about “the specific timeframes and restaurant locations that may have been affected.”

Chipotle disclosed that as a result of the breach, the company could be “subject to lawsuits or other proceedings in the future relating to this incident or any future incidents in which payment card data may have been compromised.  Proceedings related to theft of credit or debit card information may be brought by payment card providers, banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit), or federal and state regulators.”  Chipotle added that “any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses.”

In response to the breach, Chipotle noted that it has implemented additional security enhancements and “will continue to work vigilantly to pursue this matter to resolution.”

Chipotle has set up a web page to provide updates on the breach, and it has recommended that consumers monitor their payment card statements and notify the bank that issued the card if they see unauthorized charges.  Chipotle wrote on its web page that payment card network rules state that cardholders are not responsible for unauthorized charges.

May 4, 2017   No Comments

FTC and NHTSA to Hold Workshop on Connected Vehicles


The Federal Trade Commission and the National Highway Traffic Safety Administration are teaming up to hold a workshop on June 28, 2017 related to privacy and security issues posed by connected vehicles.  The FTC has requested that comments related to this issue be submitted online or by mail by May 1.

“Connected vehicles” include most modern vehicles that are equipped with some form of wireless technology.  In some cases, this wireless technology may enable a vehicle to communicate with another vehicle, known as vehicle-to-vehicle (“V2V”) communication, or with the roadway infrastructure.  As we reported in our annual edition of Data Privacy: The Current Legal Landscape, the NHTSA is currently considering mandating V2V communications for new light consumer vehicles.

“Autonomous vehicles” are a subset of connected vehicles and include those vehicles in which a critical safety control or function is performed without human intervention.  Automating these controls and functions can reduce or eliminate the traditional human-error component of driving a vehicle, but can also present other problems.  For example, the sheer amount of personal and sensitive data, like geographic location and driver communication data, could be targeted by hackers.  Therefore, securing this data from vulnerabilities will be a key component of emerging connected vehicle technology.  It is these issues and more that the FTC and NHTSA would like to explore more during their workshop.

Specifically, the FTC and NHTSA would like to address – and have requested information on – the following:

  • What data is collected, stored, transmitted and shared by connected vehicles;
  • How data collection can be a benefit;
  • What challenges may be encountered with the technology;
  • Self-regulatory standards that may be employed; and
  • How privacy and security will be addressed by various key sector participants, including vehicle manufacturers, technology companies, and government agencies.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders monitors developments related to connected devices and vehicles, and routinely advises clients on best practices, developing security standards, and addressing new and emerging threats.

April 24, 2017   No Comments

NY AG Announces Settlement with Health App Developers Over Marketing and Privacy Practices


On March 23, New York Attorney General Eric Schneiderman announced settlements with three health-related applications sold in Apple’s App Store and Google’s Play Store.  The settlements arose from allegations of misleading claims and irresponsible privacy practices.  Under the terms of the settlements, the developers agreed to provide additional information about how the apps were tested, to change their ads to eliminate allegedly misleading content, and to pay $30,000 in combined penalties to the Office of the Attorney General.

According to the A.G.’s press release, two of the app developers, Cardiio and Runtastic, claimed that their apps accurately measured heart rate after exercise using only a smartphone camera and sensors.  A third developer, Matis, claimed that its app transformed a smartphone into a fetal heart monitor that could be used to play an unborn baby’s heart rate, even though the app was not a fetal heart monitor approved by the Food and Drug Administration.  The A.G. alleged that the three developers marketed these apps without sufficient information to back up their marketing claims.

In addition to the settlement payment, the app developers must post clear and prominent disclaimers informing consumers that the apps are not medical devices and are not approved by the FDA.  The developers also were required to make changes to protect consumers’ privacy.  According to the A.G., the developers are  now required to obtain affirmative consent from consumers to the developers’ privacy policies, and the developers must disclose that they collect and share information that may be personally identifying.  This includes users’ GPS location, unique device identifier, and “de-identified” data that third parties may be able to use to re-identify specific users.

As we have discussed previously, Schneiderman’s office has been active in privacy enforcement matters in the past year.  For example, the New York A.G. recently reached a settlement with Acer for $115,000 over a data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents.  Last year, the A.G. settled a case against then-presidential nominee Donald Trump’s hotel chain arising from a series of malware-enabled breaches that occurred in 2014 and 2015, which the chain allegedly failed to report for several months.  The A.G. also settled a case against EZcontactsUSA, alleging that the online contact lens retailer misrepresented the security of its website, failed to secure customers’ payment information, and neglected to report a data breach once discovered.

Most recently, on February 9, the A.G. announced settlements with two mobile app developers for their failure to disclose their data collection practices in a privacy policy.  According to the A.G.’s Office, the two developers, AB Mobile Apps LLC and Bizness Apps LLC, lacked a privacy policy or any statement as to how AB Mobile collects, uses, or discloses a user’s personal information.  Interestingly, unlike in many cases that prompt regulatory action, the A.G. did not find that these developers had misused their customers’ personal information or disclosed it to third parties.  Instead, the A.G. indicated that the mere failure to disclose how a company collects, uses, and discloses customers’ personal information in a privacy policy is a deceptive trade practice under New York Executive Law § 63(12) and New York General Business Law § 349.

March 28, 2017   No Comments