FTC ends probe of data breach at Morgan Stanley, offers guidance to businesses

If they haven’t already, companies that handle customers’ personal information should read a letter released recently by the Federal Trade Commission that concludes an investigation by the agency into data security practices at Morgan Stanley.

The probe by the FTC followed Morgan Stanley’s firing in January of a financial adviser who downloaded and took home with him details for the accounts of 350,000 of the firm’s roughly 3.5 million wealth-management clients. Morgan Stanley later discovered some of the information on Pastebin, a file-sharing site.

Though the information reportedly included account names and numbers, account values and states of residence, the bank said that no clients incurred financial harm as a result of the breach. Law-enforcement officials later investigated whether hackers obtained the information from the adviser’s computer and posted the details online.

Two factors influenced the FTC’s decision to end its investigation without charging Morgan Stanley with failing to secure the information in violation of federal law, which prohibits unfair or deceptive acts or practices by businesses.

First, the FTC found that Morgan Stanley maintained “comprehensive policies designed to protect against insider theft of personal information.” According to the agency, the firm limits employees’ access to data for which they have a business need, monitors data transfers by employees, prohibits the use of USB flash drives and other devices that can be used to remove data, and blocks employees’ access to websites the firm regards as high-risk.

Second, although the adviser was able to obtain a “narrow set of reports” for which Morgan Stanley had configured controls improperly, the company fixed the problem quickly after the breach came to its attention.

“We continue to emphasize that data security is an ongoing process,” the FTC wrote. “As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. As employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risks of broad access to such resources on work devices.”

EU readies rules to bolster cybersecurity, require notice of data breaches

The European Union is readying an approach to cybersecurity that may subject services such as Google and Facebook to breach notification requirements that mirror those for banks and health-care providers.

The Network and Information Security Directive, a proposal under consideration by the European Commission, would require companies in industries deemed critical to strengthen digital safeguards and report breaches to national authorities.

The directive represents one of the first attempts to legislate a rule for security breaches that crosses borders. That stands in contrast to the U.S., which has yet to adopt a national notification law and leaves companies to comply with a series of notification requirements set by states.

Members of the European Parliament who have been negotiating the rules have agreed to extend the reach of the directive to social networks, cloud computing platforms, commerce sites and other digital platforms, according to a report Friday by Reuters.

Under the terms of the directive, which was proposed in 2013, companies that operate so-called critical infrastructure in any of the 28 countries that constitute the EU will be required to report “significant security incidents” as well as adopt measures to lessen the risk of cyber threats.

In addition to Internet companies, the directive would require companies in the financial, energy, health and transportation industries to report incidents “having a significant impact on the security of core services.” The EU currently requires telecommunications companies to report such incidents.

Members of the commission are expected to start work this September on a final version of the rule.

Ninety percent of large corporations and 74% of small businesses in the U.K. experienced a security breach in the past year, according to a survey published recently by PwC.

Neiman Marcus customers can sue over data breach

The hassle of straightening out unauthorized charges and the cost of protecting oneself against identity theft give consumers whose personal information is swiped in a data breach standing to sue a company that controlled the information, a federal appeals court in Chicago ruled Monday.

Customers who shopped at Neiman Marcus over roughly three months in 2013 during which hackers used malware to steal payment card information from the retailer’s terminals suffered injuries concrete enough to support their claims, according to the U.S. Court of Appeals for the 7th Circuit.

The customers, who include people who discovered fraudulent charges on their credit or debit cards after using the cards at Neiman Marcus stores in New York and California two years ago, filed a class-action lawsuit in March 2014 charging the luxury chain with failing to maintain security sufficient to protect their personal information and waiting six months from the start of the breach to notify customers their information had been compromised.

The plaintiffs alleged that the breach exposed 350,000 cards, of which 9,200 were known to have been used fraudulently. In all, the breach may have exposed as many as 1.1 million payment cards.

The trial court tossed the lawsuit, finding the plaintiffs’ claims of financial harm they might experience insufficient to support standing. Judge Diane Wood, writing for a three-judge panel of the appeals court, disagreed:

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal customers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

The court distinguished the data breach case before it from a 2013 ruling by the Supreme Court, which found that human rights organizations lacked standing to challenge the Foreign Intelligence Surveillance Act because they could not show that the government had actually intercepted their communications with suspected terrorists.

“This is a really consequential decision,” notes Alison Frankel of Reuters. “It’s the first time a federal appeals court has looked at a data breach class action that was dismissed because the trial judge said it fell short of [the Supreme Court’s] standing requirements.”

The customers of Neiman Marcus “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” wrote Wood, citing the Court’s ruling from two years ago.

According to Wood, an offer by Neiman Marcus to pay the cost of a credit-monitoring service that costs $4.95 for the first month and $19.95 a month thereafter reflects the type of injury the plaintiffs suffered. She added:

“It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”

That some lenders will not hold customers responsible for unauthorized charges neither eliminates injury to the cardholders nor shows that their injury cannot be redressed by a decision in their favor, the court found.

According to the court, the fact that the plaintiffs’ injuries might be traced to a data breach at Target or another of the retailers whose systems hackers infiltrated around the same time also does not rule out a lawsuit against Neiman Marcus.

If it happens that more than one company may be responsible for exposing the plaintiffs’ personal information to hackers, the companies themselves will have an opportunity to prove that they were not the cause of the injury, the court said.