Since my last post on the subject (“LinkedIn Grapples with the Ripples of a 2012 Data Breach”), there have been several developments related to LinkedIn’s 2012 data breach. First, in May, LinkedIn announced it has finished the process of invalidating passwords at risk, specifically LinkedIn accounts that had not reset their passwords since the 2012 breach:
Articles Posted in Cybersecurity
Are There Phishing Holes in Your Cybersecurity Insurance?
A robust cybersecurity strategy involves sophisticated, overlapping protections. Along with up-to-date technology, well-trained employees and vigilant IT professionals, comprehensive insurance coverage is an often necessary ingredient of any protective “moat” shielding a company from damaging cyberattacks. Yet does a company’s cyber insurance package actually protect it from one of the most common forms of cyberattack—when a hacker goes phishing? In her post “Phishing for Insurance Coverage” on Pillsbury’s Policyholder Plus insurance blog, our colleague Peri Mahaley examines a variety of surprising phishing-related exclusions one might discover in a company’s cyber coverage.
LinkedIn Grapples with the Ripples of a 2012 Data Breach
Last week on the official LinkedIn blog, the company’s chief information security officer, Cory Scott, reported the company had become aware of an additional set of data that has just been released consisting of e-mail and hashed password combinations of more than 100 million LinkedIn members. This recent release is related to a 2012 unauthorized access and disclosure of LinkedIn members’ passwords:
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. –LinkedIn Official Blog, May 18, 2016
Ashley Madison Update: Hacked Data Is Off-Limits
On April 29, 2016, Judge Ross issued his ruling on Ashley Madison’s motion for a protective order, prohibiting Plaintiffs from using the leaked documents, reports quoting the leaked documents, and information “stolen from Avid” in drafting their consolidated class action complaint. The result was largely policy driven, with Judge Ross stating broadly, “the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery. To do so would taint these proceedings and, if left unremedied, potentially undermine the integrity of the judicial process.” The Court also ruled that it had inherent authority to issue a protective order with respect to documents obtained outside the course of normal discovery, and distinguished cases cited by the Plaintiffs in opposition. Rejecting Plaintiffs’ First Amendment argument, Judge Ross notes, “[j]ournalists … are in a completely different position than parties involved in private litigation. No doubt exists that the news media enjoy the freedom of ‘the press;’ however, the conduct of attorneys is informed by their ethical responsibilities as officers of the Court.” The amici briefs submitted by other Ashley Madison users made an impact on the Court as the Court found that the leaked information could not truly be considered “readily available to the public” due to the efforts of the other users to protect their privacy following the leak, as asserted in their briefs. Ultimately, Judge Ross emphasized the need to “protect the integrity of the internet and make it a safer place for business, research and casual use.”
Earlier posts on the topic:
Ashley Madison and Coming to “Terms” with Data Protection
From Ashley Madison to the Panama Papers: Is Hacked Data Fair Game?
From Ashley Madison to the Panama Papers: Is Hacked Data Fair Game?
We’ve previously written about the distinctions between hacking credit and other financial data in comparison to hacking private information. (See Ashley Madison and Coming to “Terms” with Data Protection.) The issue of how much protection the latter receives when it relates to attorney-client communications is currently before the District Court of the Eastern District of Missouri in the multi-district litigation arising from the July 2015 Ashley Madison leaks. Plaintiffs—former users of the site who claim that Ashley Madison defrauded the public by creating fake female profiles to lure male users—hope to use leaked information in their consolidated complaint against the site, due to be filed June 3 of this year. The leaked information sought to be used includes references and citations to emails between Ashley Madison’s parent company, Avid Dating Life, and its outside counsel.
Cyber Loss May Yet Fall Under General Liability
Recently, the Fourth Circuit handed down one of the first appellate-level decisions involving insurance coverage for a cyber-related event. The ruling is likely to create ripples among both carriers and company insureds, as it establishes the possibility that, under a general liability policy, a carrier may still be on the hook to cover cyberattacks or data breaches that are the result of a company’s negligence (as opposed to those stemming from a criminal attack, in which the company is the victim). In their Client Alert on the Fourth Circuit’s ruling, colleagues James Bobotek, Peri Mahaley and Benjamin Tievsky break down the ruling and its takeaways.
The Case of the Hacked Hospital: When a Cyber Breach Becomes a Health Crisis
Recently, we noted vulnerability issues from use of the Internet of Things and how that has come to impact the health industry. Recent events continue to highlight this development. Since the start of the year, there have been cyber attacks targeting hospitals. Perhaps recognizing the extensive disruption and potential privacy concerns for patients, the hackers have targeted these institutions either to make a point or to seek large sums in exchange for returning access to the hospital data. In January, Hurley Medical Center, based in Flint, Mich., was attacked, although a spokesperson stated that policies and protocols were followed and patient care was not compromised. The hacktivist group Anonymous released a video with the hashtag #OpFlint prior to the cyber attack, suggesting responsibility for the breach to make a point regarding the city’s water crisis, although no confirmation has been made.
Managing the Cybersecurity Risks of the Medical Internet of Things
The cybersecurity ramifications of the Internet of Things (IoT) are perhaps nowhere more crucial—potentially a matter of life and death, in fact—than in the realm of medical devices. Until recent times, a potential hack of the data-sharing that is a hallmark of the IoT raised far more privacy concerns than actual health risks. However, as medical devices begin to evolve and make use of the connectivity of the IoT, this balance may change. For one example, think pacemakers, where a malicious glitch in a networked piece of equipment could have fatal consequences.
News of Note for the Internet-Minded – 12/17/15
Stories of interest this week include a developers showcase for the HoloLens, robots able to feel textures like humans, a cool billion invested in AI, and more.
Cybersecurity Information Sharing Gains Senate Approval
In their recent Alert on the Senate’s passage of the Cybersecurity Information Sharing bill, colleagues Brian E. Finch, Elizabeth Vella Moeller and Craig J. Saperstein explore and evaluate the U.S. Senate’s approval of legislation (long sought by industry) that would facilitate information sharing (including threat indicators) across government and industry lines in real time, and provide liability protection to companies that participate.