By Antonia Dumas, Associate at XPAN Law Group LLC
A data breach makes a business a data security and privacy compliance target. The easiest way for a business to become a target for enforcement by regulators or authorities is a data breach (see our previous blog post about data breaches bringing you in front of the regulatory eye). A breach automatically highlights a business’ security vulnerabilities and potential non-compliance with security and privacy regulations. A business’ reaction to a breach and its transparency with consumers can also trigger potential violations of law, including data breach notification laws.
It is more important than ever to prepare for a potential breach now that some states have strengthened Attorney General data privacy enforcement authority and created data subject rights for consumers to file suits against businesses on their own. (See our recent blog post and video regarding Attorney General enforcement).
Most recently, AG enforcement in California as of July 1st has been a top concern for businesses (see XPAN’s step-by-step CCPA guide). But it is not just California that poses an increased risk of AG enforcement and/or consumer lawsuits: other states have passed data privacy laws and/or created task forces (e.g., Nevada, Maine, etc.) or have data privacy laws in review (e.g., Maryland, Hawaii, etc.). Note that many other states across the country have introduced data privacy laws as well.
Big Name Breaches in 2020
A side effect of Covid-19 has been the increased vulnerability of companies to data breaches. The higher risk of data breaches results from entire workforces transitioning to a remote work environment and from increased reliance on tools and applications for business operations and video communication (e.g., Zoom).
Here is a list of some breaches of big name companies and brands which have already occurred in 2020:
- Minted – May database breach of customer personal information of 5 million customers which has led to a CCPA class action lawsuit (see Minted breach update)
- Home Chef – May breach of personal information of 8 million customers (see Home Chef incident information)
- Carnival Cruise Lines (including Princess Cruises and Holland America) – breach between April and July (but detected in March) affecting an unknown number of employees and guests, with personal, financial and health-related information potentially breached
- Bank of America – April breach of business information affecting a “small number” of Paycheck Protection Program applicants
- Zoom – April breach resulting in sale of user account data of over 500k user accounts and Zoom “bombers”
- T-Mobile – March breach of employee email accounts including employee and some customer information (see T-Mobile’s notice)
- Marriott – breach occurring between January and February of personal information of potentially 5 million worldwide customers (see Marriott news update)
Other 2020 Breaches and Ransomware Attacks
In 2020 and the era of Covid-19 there has been an increased number of breaches as a result of viruses and phishing (including ransomware attacks).
Here is a list of some other breaches and ransomware attacks that have affected companies of all sizes:
- Maze ransomware attacks on LG, Xerox and MaxLiner
- Breaches affecting social media (e.g., Twitter), a social media marketing firm, and dating apps
- Breaches affecting cloud platforms (e.g., Oracle’s BlueKai) and online entertainment businesses
- Breaches affecting remote learning platforms (e.g., OneClass)
- Database breaches leading to sale on dark web forums
Data Security and Privacy Proactive Measures
In this modern day, it appears that a potential data breach or unauthorized disclosure of personal data is a question of when and not if. So, for all businesses it is important to take steps to prepare for a breach and any resulting enforcement measures or lawsuits.
In general, “cyber distancing” (i.e., keeping distance from potential vulnerabilities – suspicious requests, unknown contacts, unsolicited information, etc.) and proactive measures to prepare for a potential breach or unauthorized disclosure of data are key.
Key Steps To Prepare Yourself For When You Experience a Breach
Here are some key steps to prepare for a potential breach and enforcement:
- Take steps to be compliant with potentially applicable data security and data privacy regulations.
- Ensure your employees are trained and maintain security awareness to meet regulatory training requirements (e.g., CCPA training requirements).
- Take steps to protect your systems from a breach and prevent unauthorized disclosure of personal data.
- Be prepared to respond to and resolve a data breach (including data breach response and notification plans).
- Get ahead of an investigation from a regulatory authority or a consumer (i.e., data subject) action by taking steps to maintain compliance.
Our team at XPAN is prepared to help your business to prepare for potential breaches and address cyber and privacy liability. And, remember, luck favors the prepared!
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.