Why Data Security is the Biggest Concern in Healthcare

Your protected health information is among the most sensitive private data – and for criminals, it’s among the most valuable.

Electronic health records include identity information that is more comprehensive than almost any other type of record, which makes these records a hot commodity for hackers. Your health records include bank account numbers, credit card information, Social Security numbers, family members’ names and ages, residential history, and every medical visit and diagnosis. These records are so valuable that hackers have been known to sell an individual stolen medical record for up to $1,000. With this information, hackers or buyers of this information could be capable of fraud, identity theft, or extortion.

The FBI issued a warning in October that there was “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The joint cybersecurity advisory — coauthored by the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services — reports that malicious cybercriminals are targeting the Healthcare and Public Health Sector with malware that is often leading to ransomware attacks, data theft, and the disruption of healthcare services. These issues will be even more challenging for organizations within the COVID-19 pandemic, the advisory warned. 

According to research from the Ponemon Institute, criminal attacks have increased by 125% since 2010 and now represent the leading cause of healthcare data breaches

In recent years, these cyberattacks on the health industry have increased dramatically. In 2019, a staggering 41+ million patient records were leaked during data breaches, according to HIPAA Journal’s 2019 Healthcare Data Breach Report. The report, which looks at figures from the Department of Health and Human Services’ Office for Civil Rights breach portal, found that there was a major increase in healthcare data breaches in 2019. According to the report, there was a 196% increase from 2018 to 2019 in reported healthcare data breaches of 500 or more records.

HealthTech reports that healthcare facilities are facing an increased risk of cyberattacks amid the coronavirus pandemic. “Despite billions of dollars spent annually to guard entry points to clinical data, many healthcare providers still underestimate the strategic value of improving data protection,” writes Josh Gluck, HealthTech contributor and vice president of Global Healthcare Technology Strategy. “As this pandemic continues, it is more important than ever that these essential services are able to not only use their data but also store it securely.”

In April, Microsoft warned hospitals that its Threat Protection Intelligence Team identified as vulnerable to impending ransomware attacks. The American Medical Association and American Hospital Association also issued guidance to physicians on how to keep their telehealth and remote work environments safe from cyber threats.

The consequences of these attacks can be severe. Hackers will sometimes require payment to the attacker, decryption tools, or the gamble of recovering sensitive data from infrequently tested backups. And the individuals who have their information stolen are at risk of identity theft or fraud.

If you or a loved one have been the victim of a healthcare data breach, an experienced attorney may be able to help. The attorneys at Classaction.com are dedicated to helping consumers who have suffered financial or reputational harm from a data breach. We have the resources to hold the powerful accountable. Our attorneys file lawsuits against the companies that were subject to these destructive breaches.

If your credit card information, Social Security number, email address, password, or other private information was stolen as result of a data breach, contact us today for a free legal consultation. There are never any upfront costs or expensive hourly fees to hire us. 

Yahoo! Data Breach Case: $117.5 Million Proposed Settlement Claims Period Begins

Below is some important information about the historic Yahoo! data breach class action

$117.5 Million Yahoo! Data Breach Settlement Claims Information

The following statement is being issued by Morgan & Morgan, P.A., Robbins Geller Rudman & Dowd LLP, Tadler Law LLP, Casey Gerry Schenk Francavilla Blatt & Penfield LLP, and Lockridge Grindal Nauen LLP (“Settlement Class Counsel”) to inform people of their rights and the claims process:

A class action settlement has been granted preliminary approval in the multidistrict litigation (“MDL”) against Yahoo! Inc. (“Yahoo”) arising out of one of the largest known data security breaches in history. As a result, on September 3, 2019, the first Court-approved notice of the proposed Settlement was disseminated, commencing the beginning of the Claims Period. The Claims Period ends on July 20, 2020. Settlement Class Counsel encourages all Settlement Class Members to make a claim for the benefits available under the Settlement.

The class-action litigation concerns several announcements made by Yahoo starting in September 2016, admitting that there had been several data security breaches between 2013 and 2016. The company also announced that in early 2012, they experienced data security intrusions.

Yahoo customers worldwide have been significantly impacted, from alleged identity and credit theft to bank fraud. Plaintiffs in the MDL, represented by Settlement Class Counsel, claim that Yahoo failed to adequately protect their personal information and that they were injured as a result.

Who Is Included?

Residents of the United States and Israel who received a Notice from Yahoo about the Data Breaches, or who had a Yahoo email account at any time between January 1, 2012 and December 31, 2016, are Settlement Class Members.

What Does the Settlement Provide? 

Yahoo has agreed to make changes to improve the security of its customers’ Personal Information stored on its databases. Defendants will also pay for a Settlement Fund of $117,500,000. The Settlement Fund will provide: a minimum of two years of Credit Monitoring Services to protect Settlement Class Members from future harm, or Alternative Compensation instead of credit monitoring for Class Members who already have Credit Monitoring Services (subject to verification and documentation); Out-of-Pocket Costs for losses related to the Data Breaches; and reimbursement of some costs for those who paid for Yahoo premium or Small Business Services. The Settlement Fund will also be used to pay for attorneys’ fees, costs, and expenses, and Service Awards for the Settlement Class Representatives. These are only a summary of the benefits. For complete information, dates, and details on the settlement benefits, visit the Settlement Website at www.YahooDataBreachSettlement.com.

What Are Yahoo Account Holders’ Options? 

To receive any benefits under the Settlement, Yahoo account holders must file a claim online or by mail by July 20, 2020. Yahoo account holders who want to keep their right to sue the defendants themselves must exclude themselves from the Settlement Class by March 6, 2020. Once excluded, account holders will not receive any credit monitoring or monetary relief from the Settlement. If they stay in the Settlement Class, they may object to the Settlement, and/or the amount of attorneys’ fees, costs, and expenses, and/or the amount of Class Representative Service Awards by March 6, 2020.  Account-holders who do nothing, will not receive any credit monitoring or monetary benefits, but will still be bound by the Court’s decisions. Complete information and instructions on how account holders can file a Claim, exclude themselves from the Settlement, or Object to the settlement are available on the Settlement Website at www.YahooDataBreachSettlement.com. Only those who File a Claim and are deemed eligible will be permitted to participate in the Settlement and the relief provided.

The Court has scheduled a hearing in this case at 1:30 p.m. on April 2, 2020, in Courtroom 8 of the U.S. Courthouse, 280 South 1st Street, 4th Floor, San Jose, CA 95113, to consider: whether to approve the Settlement as fair, reasonable, and adequate; any objections; a request for Class Representative Service Awards; and attorneys’ fees, costs, and expenses for investigating the facts, litigating the case, and negotiating the settlement. The motion for attorneys’ fees, costs, and expenses will be posted on the website on the date it is filed or as quickly thereafter as practicable. Yahoo account holders may ask to appear at the hearing but are not required to do so.

For More Information

This is only a summary. For complete information and to file a claim for benefits, visit the Settlement Website, www.YahooDataBreachSettlement.com, email info@YahooDataBreachSettlement.com, or call 844-702-2788.

How Secure Is Your Medical Device Really?

Pacemakers that fail to send electrical pulses to a patient’s heart when they need it the most; vital signs that are altered, resulting in unnecessary treatment; or insulin pumps that fail to administer insulin. These are all scenarios that hackers say are possible, because they’ve tried it themselves and know it can be done.

We spoke with Christian Espinosa, a white hat hacker, sometimes referred to as an “ethical hacker,” who has decades of cybersecurity experience. He is currently the CEO and Founder of Alpine Security, and cyber security instructor at Maryville University. Along with his team at Alpine Security, Christian hacks into medical devices in order to help manufacturers identify security vulnerabilities before someone with malicious intent catches on.

In the interview below, Christian explains why the medical industry is so ripe for cybersecurity attacks, and just how serious—and complicated—the problem is.

Could you provide an overview of the cybersecurity threats the medical field faces? How big is this problem?  

Medical devices have largely been neglected from a cybersecurity perspective. Many of these devices run legacy operating systems, are full of vulnerabilities, and were

Christian Espinosa, CEO and Founder of Alpine Security

not intended to be connected to hospital networks. For ease of management, data access, updates, etc., many medical devices are now connected to hospital networks, which have connections to the Internet.

Hospital networks are inherently unsecure; any threats to a hospital network are transferred to connected medical devices. Threats to implantable devices are primarily due to unsecure wireless communications. Implantables were designed to be easy to monitor and update via wireless technology. It is too risky to perform heart surgery every time a pacemaker or implantable cardioverter defibrillator (ICD) needs to be updated, for example.

The threats to medical devices are a big problem with severe and potentially lethal consequences.

As a white hat hacker, what’s your process for identifying security vulnerabilities? Do you try to hack everything and anything, or do you gravitate towards particular types of devices or networks?

Our process depends on the scope of the engagement. If we are asked to assess a medical device, we typically have several main phases—1) we perform a discovery to learn more about the device; 2) we define a security boundary for the device; 3) we perform a risk assessment of the device; 4) we identify all possible entry points in the system/device; 5) we develop attack trees and assess all entry points into the system using penetration testing and other techniques; 6) based on the results of 1-5, we determine a mitigation strategy; 7) we generate the report.

As for hacking everything and anything, the process I just mentioned applies a risk-based approach to our assessment. We focus on the big-ticket items first with the highest risk to patient safety, emphasizing how the device could be misused and the effect of attacks on data confidentiality, integrity, and availability. We work with manufacturers and providers to fix the most critical items first, then work down a prioritized list, based on the risk. We also run validation tests to ensure remediation steps worked.

How receptive are companies when you do identify a vulnerability? Do they usually address the issue?

Some are more receptive than others. Sometimes we are met with resistance, such as “there’s no way someone would think of doing that.” Most often though, our findings are well-received.

Unfortunately, company bureaucracy, cost, timelines, and other factors present obstacles to fixing devices under development or devices deployed in the field. It is very costly for medical device manufacturers to fix devices that are deployed across the world, or ones that are in the middle of development.

What do you think makes medical devices and hospital networks so appealing to hackers?

“If you can hack into a medical device, you can directly affect a person’s physical state and well-being.”

A couple reasons. One is that PHI (protected health information) is more valuable than other types of information. Patient records sell for more than other types of stolen sensitive data on the black market.

Another reason is the physical effects that can be caused by hacking medical devices. Normally, if you steal credit card data from a web application, you may inconvenience someone—that’s an indirect effect to the person. If you can hack into a medical device though, you can directly affect a person’s physical state and well-being.

What is the one type of security vulnerability that keeps you up at night?

There’s not one that keeps me up at night. I’ve come to terms with the fact that it’s just a matter of time before something catastrophic happens. There’s already been many warning signs, yet there is a head-in-the-sand mindset still. Almost like “if we pretend it’s not there, the threat doesn’t exist.”  

“I’ve come to terms with the fact that it’s just a matter of time before something catastrophic happens.”

If I had to pick one threat that would keep me up at night though, it is the threat of weaponized medical nanotechnology, a form of biomedical hacking. 

Nanotechnology, or “nanotech,” are basically extremely small computers, smaller than a pinhead. Nanobots can be used in the human body for items such as targeting cancer cells to destroy them by delivering chemotherapy to only cancer cells. These nanobots can also be used to deliver lethal toxins or carry out specific missions in the human body, such as making your arms temporarily unmovable, or similar. The scary thing is they can be introduced to the human body very easily. You could breathe them in and not even know.

Do you think the FDA is doing enough to prevent and respond to cyberattacks?

I think the challenge is identifying who is ultimately responsible for medical device security—the device manufacturer, the user, the hospital, clinic, the Department of Homeland Security, the FDA, the doctor, patient, etc.?

The FDA has basically issued premarket and postmarket guidance for medical devices and passed the responsibility to healthcare delivery organizations (HDOs). According to the FDA, “HDOs are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks.  Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.” 

We recently spoke with a medical professional who told us that “doctors don’t become doctors to protect data.” What role does the average doctor play in maintaining secure medical devices and networks?

I agree with this statement. Doctors have enough to worry about. They should be given a list of “approved medical devices” that they can use and recommend. These devices should be thoroughly vetted for cybersecurity vulnerabilities. Penetration testing and other methods should be used.

The challenge becomes where does this “approved list of medical devices” come from? Who has the approval authority? This is not a simple problem to solve, because medical devices are complex systems with many vulnerabilities, both known and unknown. What is approved today, could be recalled tomorrow. This should not be the responsibility of the doctor.

Chili’s Grill & Bar Owner Sued Over Data Breach

Yesterday, Morgan & Morgan attorneys John Yanchunis and Patrick Barthle filed a proposed class action lawsuit against Brinker International, the owner of Chili’s Grill & Bar, after Brinker acknowledged a data breach compromised the payment card information of Chili’s customers.

The lawsuit was filed in the U.S. District Court for the Middle District of Florida on behalf of three plaintiffs—Marlene Green-Cooper, Shenika Thomas, and Fred Sanders—and all other customers who made a credit or debit card purchase at an affected Chili’s location during the data breach.

Read the Complaint

“It is surprising that payment card breaches continue to be a problem at retailers,” said Yanchunis. “Consumers need to be cautious when using a debit or credit card and ask how the retailer is protecting their payment card information. They need to be vigilant and closely monitor the transactions being made with their cards to ensure that each transaction is what they authorized.”

“Consumers need to be vigilant and closely monitor the transactions being made with their cards to ensure that each transaction is what they authorized.”

In March 2018, hackers gained access to Brinker’s network and installed malware on Chili’s point-of-sale (POS) systems. The malware allowed the hackers to steal the payment information of Chili’s customers.

Approximately two months after the breach, Brinker acknowledged that customers who used payment cards for transactions at certain corporate-owned Chili’s restaurants from March through April 2018 had their customer data stolen, including credit or debit card numbers and cardholder names.

As a result of the data breach, the plaintiffs were the victims of fraudulent credit card charges, the lawsuit alleges. Unfortunately, these may not be the only repercussions from their payment information being compromised. Data breach victims are also at an increased risk of becoming victims of identity theft and fraud months or even years after their information was stolen.

Brinker, Chili’s Ignored Industry Data Breach Warning Signs

“Their approach to maintaining the privacy and security of Customer Data was lackadaisical, cavalier, reckless, or at the very least, negligent.”

POS systems are on-site devices, much like an electronic cash register, which manage consumer transactions. After a payment card is swiped, very briefly the card’s data is stored within the system’s memory. Hackers often install malware to capture this information.

P.F. Chang’s, Arby’s, Chipotle, and Wendy’s have all suffered from data breaches involving their POS systems. Despite industry warnings that arose from these highly publicized data breaches, the lawsuit alleges that Brinker failed to act in order to prevent a similar incident from affecting their customers.

The complaint states, “Brinker’s approach to maintaining the privacy and security of the Customer Data of Plaintiffs and Class members was lackadaisical, cavalier, reckless, or at the very least, negligent.”

The lawsuit claims multiple damages, including the theft of plaintiffs’ personal and financial information, future injury as a result of identity theft and potential fraud, and untimely and inadequate notification of the data breach.

Brinker Will Face Nation’s Top Data Breach Attorneys

Data breaches are an all too common occurrence, but that doesn’t mean corporations should get away with their negligence and failure to protect consumer data. Our attorneys fight on behalf of consumers to ensure that they don’t.

Just last week, attorneys John Yanchunis and Ryan McGee filed a lawsuit against SunTrust Bank over the potential data theft that compromised the private information of 1.5 million SunTrust customers. And in March, Yanchunis filed the first civil lawsuit in response to the unlawful mining of 87 million Facebook users’ private data by Cambridge Analytica. Yanchunis also currently holds leadership positions on the Equifax and Yahoo data breach cases.

If you suspect your personal data has been compromised, learn more about data breach lawsuits and how to join them.

Morgan & Morgan Files Lawsuit Over SunTrust Bank Data Breach

Morgan & Morgan has filed a proposed class action lawsuit against SunTrust Bank over a possible data breach that exposed the information of an estimated 1.5 million customers. Class action attorneys John Yanchunis—a veteran of several data breach lawsuits, including the largest ever—and Ryan McGee filed the lawsuit.

The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of three plaintiffs—Angelica LeRoy, Curtis Smith, and Loretta Smith—and anyone else who may have been a victim of the data breach.

Read the Complaint

“The lawsuit, which we filed on behalf of our clients and the 1.5 million consumers affected by the data breach, seeks to hold SunTrust accountable from its acknowledged failure to keep safe the information entrusted to it,” said Mr. Yanchunis. “In effect, SunTrust acted as the trustee for its customers, and it was the responsibility of SunTrust to ensure the security of customers’ information.”

SunTrust Bank announced the breach in a statement released on April 20, 2018, even though the breach was allegedly discovered more than a month prior in February. It is still unknown when the breach actually occurred and for how long customer information has been compromised.

Not Your Average Data Breach

Unlike many recent data breaches, there was no external hack to break into SunTrust’s computer network. Instead, an employee allegedly accessed the bank’s network and simply printed out lists with names, addresses, phone numbers, account balances, and other personally identifiable information (PII) and sold them to criminals, according to the allegations outlined in the complaint.

SunTrust then neglected to inform affected customers for several weeks, preventing them from taking the necessary steps to properly protect themselves. One and a half  million SunTrust customers are now at an increased risk of becoming the victims of fraud and identity theft but did not know about the risks for at least several weeks.

They must now take time—potentially hours—to implement the necessary precautions recommended to the victims of a data breach.

Complaint Alleges SunTrust Knew About Potential for a Breach

Attorneys Yanchunis and McGee filed the complaint on behalf of every SunTrust customer who may suffer damages as a result of the alleged breach. The complaint states, “SunTrust knew, or should have known, that their data systems and networks did not adequately safeguard Plaintiffs’ and the Class members’ PII.”

Specifically, the complaint seeks damages for several acts of negligence on the part of SunTrust Bank, including:

  • Theft of the plaintiffs’ personal and financial information
  • Imminent and impending injury as a result of identity theft and potential fraud
  • Untimely and inadequate notification of the data breach
  • Improper disclosure of personally identifiable information
  • Loss of privacy

The lawsuit also seeks to force SunTrust to improve its security measures to prevent another breach of its customers private and confidential information in the future.

If you were the victim of a data breach, learn more about the necessary precautions you should take and how to join a data breach lawsuit.

Facebook Sued Over Cambridge Analytica Data Mine

***NOTE: The case we filed will seek the certification of a class to include all 87 million users whose information was taken. As such, at this time there is no need to join the lawsuit, as we intend for all impacted users to be automatically enrolled.***

Morgan & Morgan attorney John Yanchunis has filed the first civil lawsuit in response to the unlawful mining of 87 million Facebook users’ private data by Cambridge Analytica. Mr. Yanchunis filed the complaint in the Northern District of California on behalf of Facebook user Lauren Price and all others similarly situated.

“The recent disclosure of the violation of the privacy rights of 87 million consumers who use and trusted Facebook represents yet another troubling example of a company’s failure to maintain the security of information consumers provided,” Mr. Yanchunis said.

Read the Complaint

“Even more alarming is the fact that Facebook executives knew several years ago that these violations occurred and chose to keep silent about it.”

In an online statement last Friday, Facebook announced that it had suspended Cambridge Analytica, a data-centric political consulting firm, after learning that it had failed to delete massive amounts of user data the company had obtained in violation of the social network’s privacy policies.

Among other clients, Cambridge Analytica worked with Donald Trump’s 2016 presidential campaign and allegedly used this unlawfully gained data to target Facebook users with campaign ads.

Mr. Yanchunis told Reuters, “Our client [Ms. Price] saw a tremendous uptick in political messaging during the campaign on her Facebook page, which she had never seen. She had a glimmer of understanding at the time, but now sees there was an attempt to influence her vote.”

On March 27, 2018, he filed a second lawsuit against Facebook for its allegedly improper collection of call and text histories from Android cell phone users who installed Facebook’s mobile application.

Facebook Disputes That Data Breach Occurred

While many have dubbed this violation one of the largest data breaches in history, Facebook is adamant that there was no security breach or hack and therefore the term does not apply. Regardless, 87 million users’ data wound up in the wrong hands, and Cambridge Analytica seemingly reaped enormous profits from this harvest.

The complaint filed today alleges that Facebook either knew about the data aggregation or “actively avoided discovering such knowledge in order to profess supposed ignorance.”

The complaint reads, “Plaintiff brings this suit to protect her privacy interests and those of the class,” which will likely consist of all 87 million impacted users (except for those who opt out). It seeks to prevent further “negligent, deceptive, unfair and unlawful business practices” from the defendants, Facebook and Cambridge Analytica.

Mr. Yanchunis said, “The filing of this lawsuit is a necessary step to secure and protect consumers’ private information, and to seek compensation for the companies’ bad acts.”

Yanchunis Is America’s Top Data Breach Attorney

Unfortunately for the defendants, this is not John Yanchunis’ first major data breach lawsuit. He is Lead Plaintiffs’ Counsel on the largest class action lawsuit in history—regarding the Yahoo data breach that allegedly compromised the data of three billion people around the world.

Moreover, last month U.S. District Judge Thomas W. Thrash named Mr. Yanchunis to the Plaintiffs’ Steering Committee in the Equifax data breach case. Mr. Yanchunis filed that lawsuit (now part of a multidistrict litigation) after unauthorized users accessed the private data of 145 million Americans, whose credit Equifax monitors.

Mr. Yanchunis has also represented consumers in the Home Depot and Target data breach lawsuits, which settled for $13 million and $10 million, respectively.

In short, he is perhaps the most accomplished—and feared—data breach attorney in America. And he sounds confident, telling Reuters that Facebook “leaves a footprint of what was taken that cannot be erased.”

Optically, at least, it doesn’t help matters that Facebook CEO Mark Zuckerberg sold 5.4 million shares in the company in the two and a half months leading up to the Cambridge Analytica announcement. By doing so, Mr. Zuckerberg allegedly saved around $70 million, as Facebook’s shares tanked after the Cambridge revelation.

This calls to mind the Equifax breach. Equifax’s former Chief Information Officer, Jun Ying, allegedly sold nearly 7,000 shares in the company after learning of its data breach (but before Equifax announced it). As a result, the Securities and Exchange Commission has charged him with insider trading.

Received an Email from the “IRS”? It’s a Scam

If you haven’t filed your taxes yet, you should do them as soon as possible—before someone else does.

The Internal Revenue Service (IRS) warns that tax refund fraud schemes have grown increasingly common in recent years. Criminals gain access to consumers’ private data, then use that information to file false tax returns and try to acquire the resulting refunds.

Tax refund fraud has grown increasingly common in recent years.

When the victim of this identity theft receives his or her (fraudulent) refund, the criminal contacts them, impersonates the IRS, says the refund is a mistake, and demands that they transfer the money to a different account.

Russell Schrader, head of the National Cyber Security Alliance, tells The New York Times, “It signifies the ingenuity of the fraudsters out there.”

In 2016, tax refund fraud accounted for an estimated $21 billion in false refunds—more than three times as much as in 2013.

The uptick in this type of fraud creates serious problems for businesses as well as individuals.

Businesses Suffer Phishing Scams, Data Breaches

To carry out tax refund fraud, criminals need a person’s name, birthdate, and Social Security Number. How do they acquire this information? Through phishing scams. The FBI states:

The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.

It’s obvious why this would be the most popular method: instead of having to acquire individuals’ data one by one, emailing an employee of a company’s human resource department allows criminals (if successful) to scoop up dozens or even hundreds of consumers’ data all at once.

To protect employees’ information, the FBI recommends that companies limit the number of people who can handle W-2 requests, require dual approval for wire transfer requests, and verbally confirm requests via phone calls to known contacts.

For individuals whose data was accessed—leading to identity theft and/or tax refund fraud—the best course of action may be a lawsuit.

Cyber criminals also obtain social security numbers in high volume by infiltrating companies that store personal identification information (PII) such as social security information. This form of theft and exposure of PII has become known as a data breach. It typically occurs due to lax cyber security measures on the part of the company that has sustained a breach.

For individual employees whose data was accessed in this manner—leading to identity theft and/or tax refund fraud—the best course of action may be to file a data breach lawsuit.

If you have fallen victim to identity thieves, contact us for a free consultation. You could be owed money for damages.

IRS Doesn’t Email People or Threaten Police Action

If you receive an email or phone call from someone claiming to be from the IRS, they are almost definitely lying. As a general rule, the IRS does not email or call people. The vast majority of the time, the IRS sends letters via the U.S. Postal Service.

The IRS also emphasizes the following:

  • They will not demand “immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer.”
  • They will always give you the opportunity to question or appeal how much you owe.
  • They will not threaten to “bring in local police, immigration officers or other law-enforcement to have you arrested for not paying.”
  • The IRS does not have the authority to take away your immigration status or driver’s license.
  • In the rare event of a home visit, IRS agents will always show two forms of official credentials.

In short, if someone is trying to bully or coerce you into swift payment with a specific kind of card, he or she most likely is a scammer.

Report phishing scams to phishing@irs.gov, file an identity theft complaint at the Federal Trade Commission site identitytheft.gov, and contact an attorney if you experienced financial or reputational damage because of a data breach.

How to Tell If a Company Is Taking Your Private Data Seriously

By following these protective measures, you can reduce the risk that you’ll end up victimized by a company with sloppy security—and the criminals that prey upon them.

Data breaches and malicious hacks unfortunately are a common occurrence. Every year, more companies admit that they’ve fallen victim to a hack or security breach. Their customers end up dealing with the fallout, including identity theft and long-term financial consequences.

The average U.S. internet user had over 150 different online accounts in 2017; each of those accounts required a password and other login details.

The problem is that no one can remember 150 different passwords—and most people reuse their passwords or forget them, which leads to the consumer having to request login details sent to their email. Over the last few years, email providers like Yahoo have been breached as well, leaving login details for many different accounts wide open for exploiting.

With such a dismal outlook, how can you know that a company is going to protect your information? Thankfully there are several actions you can take to help protect yourself.

Operate on a Need-to-Know Basis

Companies use your data as currency.

We’ve all done it—filled out an online form without really thinking about what we’re giving away or why the form is requesting it. But each time you hand over your email address, date of birth, or any other detail about yourself, you’re giving the company on the other end information they may not even need—and may not manage appropriately.

In many cases, companies use your data as currency. They’ll offer something for “free,” such as a guide to something, premium access, or some tangible object you might be interested in. All you need to do is enter your email, or name, or address, or other personal information. You get what you signed up for, but now that the company has that information, they’re free to do as they wish with it—and chances are you didn’t read their privacy policy to see what that includes.

The single easiest thing you can do to ensure that a company protects your information is not to give it to them unless they actually, absolutely need it. Next time you put your personal details into a web form, or sign up for a new account online, think about each piece of information. Is it something they need? If you know that they don’t need it, consider leaving it out. If it’s mandatory, you may want to reconsider whether you really need what the company is offering.

Check for Past Data Breaches and Security Problems

Another way you can check up on companies is by putting your email address into the search bar at http://haveibeenpwned.com. This will tell you if your information has already been compromised, and by whom.

The site, run by web security expert Troy Hunt, also maintains a list of companies whose data breaches have been added to their list. This gives readers an idea of which companies have already been caught failing to protect their users’ accounts.

If you see a company on this list, you may want to think twice before opening an account with them.

Read and Ask Questions About the Privacy Policy

The privacy policy outlines how companies will use your data—and whether they will sell it to a third party for marketing purposes.

This can end up being more difficult than it sounds. The average privacy policy, according to researchers at Carnegie Mellon, is 2500 words—a ten-minute read. What’s more, they’re written entirely in legalese, so they’re not the easiest to understand.

While many people think that the existence of a privacy policy means that a company protects your private information, that’s not the case. It actually means that the company has outlined how it will use your data—and that could even include selling it to a third party for marketing purposes.

When you are looking at signing up for an account or purchasing something, take the time to go through the privacy policy. Ask questions if you need to, including whether the company will be building a profile and what that profile will be used for.

Rather than wade through the legal language, you can use the search tool in your browser to find words like “marketing,” “waive,” or “opt-out.” Those terms can point to the parts that could have the biggest effect on your decision to buy from or deal with that company.

You Can’t Put a Price on Peace of Mind

Taking these extra steps can add a bit of time to your online dealings; you might wind up having to postpone a purchase. But the potential risks of identity theft, spam, telemarketers, and more are well worth the extra effort.

Not every company goes the extra mile to protect its customers’ information. Sadly, some companies don’t even do the bare minimum. But with the protective measures outlined above, you can reduce the risk that you’ll end up victimized by a company with sloppy security—and the criminals that prey upon them.

Bill Hess founded PixelPrivacy.com, a blog that wants to make the world of online security accessible to everyone. Visit the site if you’re interested in keeping your private information private.

John Yanchunis Named to Equifax Steering Committee

U.S. District Judge Thomas W. Thrash has named Morgan & Morgan attorney John Yanchunis to the Plaintiffs’ Steering Committee in the Equifax data breach lawsuit. Yanchunis filed the lawsuit—now part of a multidistrict litigation (MDL)—after unauthorized users accessed the private data of 145 million Americans.

Read the Order

Last fall, Equifax announced that a breach had compromised the personal information of tens of millions of consumers from mid-May through July 2017. The company knew about the breach for more than a month before coming clean to the public.

The Equifax breach impacted 145 million consumers.

As of this writing, the Equifax breach is the fourth largest data breach of all time. The largest ever—the Yahoo breach of 2013-2014—impacted roughly three billion users.

John Yanchunis is Lead Counsel on that case, which is the biggest class action lawsuit in history. He has also represented consumers in the Home Depot and Target data breach lawsuits, which settled for $13 million and $10 million, respectively.

What Does a Plaintiffs’ Steering Committee Do?

Though the term Lead Counsel seems self-explanatory, a layperson may be less familiar with the role of a steering committee. According to Judge Thrash’s order,

The Steering Committees shall meet and confer as needed regarding the completion of the Plaintiffs’ pretrial and trial activities. The Steering Committees may establish subcommittees to aid in the effective and efficient conduct of this litigation. The Steering Committees shall participate in the determination of any significant matters that arise in the litigation.

In short, the steering committee will help direct this complex litigation by making important decisions and delegating work amongst themselves and the other attorneys. Their job is to ensure that the plaintiffs are well represented and that the case moves forward in a timely and efficient manner.

Though one might expect that the Plaintiffs’ Steering Committee for a lawsuit filed on behalf of 145 million people might include dozens of attorneys, there are just seven on the Equifax committee. That makes the honor—and the scope of responsibilities—that much greater.

Equifax Breach Even Worse Than Initially Thought

Last September, Equifax announced that a breach had compromised the names, Social Security numbers, birthdates, addresses, and driver’s license numbers of consumers from mid-May through July 2017. Equifax also admitted that credit card numbers for approximately 209,000 U.S. consumers were accessed.

But just last Friday, the Wall Street Journal reported that the breach was even more impactful than it initially appeared to be. In addition to the data above, hackers allegedly gained access to tax ID numbers, email addresses, and “driver’s license information beyond the license numbers.”

The number of affected consumers (145 million) seems to remain unchanged. But the breadth of the breach has grown, meaning those affected are more vulnerable than they even realized.

In the wake of the Equifax breach, many experts suggested that consumers freeze their credit to protect against identity theft. In a recent post for ClassAction.com, attorney Marisa Glassman also advocated monitoring credit reports and filing one’s taxes as soon as possible in order to prevent fraudulent returns.

Equifax learned of the breach in late July 2017 and sat on the news for about five weeks before informing consumers that their data were at risk.

In the meantime, many shareholders sold their stock in the company.

How to Join a Data Breach Class Action Lawsuit

Marisa Glassman is an attorney in Morgan & Morgan’s Complex Litigation Group. Her practice focuses on complex litigation, class actions, and consumer protection—including data breach lawsuits. Ms. Glassman is currently co-liaison counsel for consumer plaintiffs in the Arby’s Restaurant Group, Inc. Data Security Litigation.

Below, she answers questions consumers often have about data breach lawsuits.

How do I join a data breach class action lawsuit?

If your information was compromised in a data breach and a class action lawsuit has already been filed for that breach, typically you don’t need to do anything to join the lawsuit.

You don’t need to do anything to join the lawsuit.

The named plaintiffs who filed the complaint are suing on behalf of themselves and others whose information was also compromised as a result of the data breach. As a class member, you should be automatically included in the lawsuit and do not need to do anything to participate in the case.

What types of damages can I recover in a data breach lawsuit?

Previous data breach class action lawsuit settlements have included relief such as credit monitoring, fraud resolution services, and reimbursement for out-of-pocket losses resulting from the data breach. Typically monetary damages are limited to reimbursing class members for their out-of-pocket losses resulting from the data breach, for example reimbursement for time spent having to resolve the fraudulent use of your identity. But each case is different and damages may vary.

Another component of data breach settlements has been the defendant agreeing to create data security policies to protect your information from future data breaches.

How will I know if there is a data breach lawsuit settlement?

When a data breach class action case resolves, a settlement notice will be used to inform class members of the settlement. The settlement notice will describe the terms of the settlement and the rights of the class members under that settlement. Notices may be mailed, e-mailed, or published in a magazine, newspaper, or online.

In the event of a settlement, how do I recover for my claims?

You must submit your claim to receive your portion of the settlement.

If a class action data breach case has settled, you will need to claim your portion of the settlement. A claim form is a court-required document that all class members must file to participate in a court-approved settlement. Instructions should be included with the notice and claim form on how to complete your claim.

You must submit your claim to receive your portion of the settlement.

What if there are several complaints filed over the same breach?

After a large data breach that affects hundreds of thousands or millions of individuals, such as the Equifax data breach, it is typical that many law firms will file similar complaints. This is because different individuals contact and retain different law firms to pursue the same matter.

Generally, the cases will be consolidated and heard by the court as one lawsuit. The court will determine which law firms will lead the litigation.

Are there different types of data breach lawsuits?

Each data breach case is different. Data breaches may contain different types of compromised information and different circumstances for how the information was compromised.

For example, some data breach cases involve only payment cards data, while other breaches include social security numbers or healthcare related information. Some breaches occur over many months or years, while some last shorter amounts of time. Payment card or computer systems may be breached by cybercriminals, or employers may fall for email phishing scams and send employees’ W-2 information to cybercriminals.

Our attorneys have experience with a wide variety of data breach litigations. If you believe your information was compromised in a data breach, we can investigate your facts to determine whether a class action lawsuit may be appropriate.

How long does a data breach class action take?

Each case is different, but a data breach class action case will typically take 1-3 years.

How can I protect my information after a data breach?

There are several steps you can take to protect your identity from being misused following a data breach:

  • Check and monitor your credit reports. Accounts or activity that you don’t recognize could indicate identity theft.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • You may consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • Also, file your taxes as soon as you have the tax information you need, before a scammer can fraudulently file a return in your name. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond immediately to letters from the IRS.
  • You may want to set up a freeze on the websites of all three credit bureaus: Transunion, Equifax, and Experian. But there may be fees associated with doing so. (If you’re married, both you and your spouse should freeze your files, since the companies maintain separate files for every adult that they track.)

Fraudulent misuse of your identity may not happen immediately after a data breach. Criminals may wait months or years to misuse your data, so it’s important to continue to monitor and review your information to identify any potential fraud.

Medical Providers Sue Allscripts for Ransomware Attack

“The failure to have an adequate cyber security system allowed a malicious actor to lock Allscripts’ system.”

A ransomware attack affecting Allscripts’ healthcare cloud-based software disrupted patient care for days throughout the country.

Early morning on January 18, Allscripts Healthcare Solutions, an electronic health records (EHR) vendor, was infected with the SamSam ransomware. Allscripts immediately encrypted the affected files to protect patient data, but this blocked client access to key software features for days.

Health care providers were unable to access medical records, billing, and online prescription services, causing some to send employees home and turn away patients.

Our firm filed a class action lawsuit on January 26 on behalf of lead plaintiff Surfside Non-Surgical Orthopedics and similarly affected health care providers who suffered financial losses as a result of Allscripts’ negligence.

Read the Complaint

What Caused Allscripts’ System to Go Down?

The lawsuit alleges that Allscripts did not properly secure its servers, which allowed a strain of the SamSam ransomware to compromise Allscripts’ data centers.

The ransomware that affected Allscripts was a variant of the SamSam malware. This malware is somewhat unique in that it doesn’t rely on email attachments to infect a system, but instead is distributed through unpatched servers. Attackers use the remote desktop function on Windows to change network privileges and distribute the malware.  

The company reported that between 2 a.m. and 6 a.m. on January 18, a ransomware attack affected their Raleigh, North Carolina and Charlotte, South Carolina data centers. 

Allscripts encrypted files to protect client data, but this blocked client access to electronic health records and prescription services. On January 22, Allscripts reported that the electronic prescription system was restored, but users still couldn’t access medical records.

The class action lawsuit alleges that Allscripts did not properly secure its servers, which allowed a strain of the SamSam ransomware to compromise and incapacitate Allscripts’ data centers.

Allscripts isn’t the first healthcare IT system to be hit with SamSam. Hancock Health, a hospital in Indiana, was infected with the malware on January 11. Hackers encrypted and renamed all of the hospital’s files to “I’m sorry.” The hospital paid a $55,000 ransom to recover the data.

Lawsuit Seeks Greater Cyber Security, Damages for Medical Providers

“Our suit will not only require cyber security measures to prevent this from occurring again, it also seeks damages for the loss of revenue.”

Allscripts estimates that 1,500 clients were affected by the ransomware attack. For many of these clients, the downed software wasn’t a mere inconvenience—it meant an unexpected financial loss.

On Twitter, healthcare providers complained that they were unable to perform basic activities, like access patients’ medical records and process billing. Complained one user, “Cloud is still down? We’ve had zero patient info available all day. Completely unacceptable.”

ClassAction.com filed a lawsuit against Allscripts on behalf of medical providers who suffered economic losses because of the attack, including those like Florida-based Surfside Non-Surgical Orthopedics who treat patients because they did not have access to the EHR system.

John Yanchunis, one of the nation’s leading data breach attorneys who has led litigation against corporations like Yahoo, Home Depot, and Target for failing to protect consumer data from the nation’s worst data breaches on record, is representing the class against Allscripts.

“The failure to have an adequate cyber security system allowed a malicious actor to lock Allscripts’ system, thereby jeopardizing the delivery of healthcare to consumers, impacting the many medical healthcare providers who were unable to practice medicine, and losing revenue,” Attorney Yanchunis said. “Our suit will not only require cyber security measures to prevent this from occurring again, it also seeks damages for the loss of revenue.”

Were You Affected by the Allscripts Ransomware Attack?

If you are a healthcare provider whose practice was interrupted by the Allscripts ransomware, you may be eligible for a lawsuit against the company. A lawsuit can help recover financial losses incurred while the EHR system was unavailable. Contact us today for a free, no-obligation legal review.

Uber Paid Hackers to Cover Up Data Breach

Uber’s very bad year got even worse with the revelation that the ride-hailing company failed to disclose a data breach for over a year and paid cyber attackers $100,000 to delete the stolen info and keep quiet.

A post on Uber’s blog written by CEO Dara Khosrowshahi and dated November 21 says that, “in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”

Hackers stole the license numbers of 600,000 U.S. drivers and the names, email addresses, and phone number of 57 million Uber riders.

According to Bloomberg, hackers obtained security credentials uploaded to a GitHub repository and used them to steal the data of 57,000,000 Uber drivers and riders. The stolen data included the names and license numbers of around 600,000 U.S. drivers and the names, email addresses, and phone numbers of 57 million Uber users worldwide. Uber paid a $100,000 ransom to the hackers for their cooperation in keeping the incident under wraps.

Uber has reportedly “obtained assurances that the downloaded data had been destroyed” and seen “no evidence of fraud or misuse tied to the incident.” The company will provide drivers whose license numbers were compromised with free credit and identity theft protection.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote on Uber’s blog. “We are changing the way we do business.”

Fallout and Legal Repercussions

State and federal laws require that companies inform the government and affected persons about breaches of sensitive data—such as driver’s licenses.

Chris Hoofnagle of the Berkeley Center for Law and Technology told The Guardian that, “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”

Uber has fired Joseph Sullivan, its chief security officer, and one of Sullivan’s deputies. New York Attorney General Eric Schneiderman announced an investigation into the hack in response to Uber’s disclosure.

The federal government may also get involved. Earlier this year, Uber settled Federal Trade Commission (FTC) allegations that it failed to reasonably secure sensitive consumer data.

If, despite Uber’s assurances to the contrary, riders and drivers are the victims of identity theft or other fraud stemming from the stolen data, they may have limited legal options due to Uber’s arbitration agreement. The agreement states that Uber is not liable for damages, including lost data, resulting from any use of their services. Anyone who uses Uber’s services are bound by the agreement.

Arbitration agreements disallow individual and class action lawsuits and force legal disputes to be handled by a private arbitrator. Arbitration tends to be less generous to plaintiffs than jury trials.

Uber’s Tough Times Continue

While Uber (valued at $68 billion) is the most valuable U.S. startup company, the company has recently endured a string of scandals and is said to be losing money.

Khosrowshahi replaced co-founder Travis Kalanick as CEO after an investor mutiny earlier this year. Kalanick built an aggressive “tech bro” culture that turned Uber into a unicorn, but investors, led by Fidelity Investments, felt his brash leadership put the company at legal risk. They asked for his resignation in a letter titled “Moving Uber Forward.”

The data breach is a setback for Uber, which is trying to repair its reputation as one of America’s most-hated companies.

Uber pledged $5 million to sexual assault and domestic violence prevention following a scandal that involved hundreds of sexual harassment allegations. The company stands accused in a lawsuit of stealing intellectual property from Waymo, Google’s self-driving car division. In March, the New York Times revealed that Uber used software to avoid authorities in cities where it was illegally operating. Drivers have repeatedly sued Uber, claiming they are wrongly classified as independent contractors.

These incidents are just the tip of a scandal iceberg that has made Uber one of America’s most-hated companies. As Uber tries to repair its image under new leadership, the hacking scandal is a significant setback.

ClassAction.com is following the Uber data breach carefully, and we encourage anyone who may have been affected to contact us for a free legal consultation.

Self-Driving Car Companies Lobby Congress, Win Big

A gridlocked Congress that can agree on almost nothing has found common cause on the issue of self-driving cars.

On October 4 the U.S. Senate Commerce Committee approved a bill that would get self-driving cars to market faster by loosening regulatory controls. The bill is similar to one the House of Representatives passed in September, allowing hundreds of thousands of autonomous vehicles per year on public roads. Both bills give the National Highway Traffic Safety Administration (NHTSA) sole authority to regulate autonomous vehicle design and performance.

Safety groups and the driving public remain skeptical about whether driverless vehicles are ready for wide deployment.

Proponents say the sweeping legislation is needed to address a patchwork of state and federal laws. They hail driverless technology as a transportation panacea that will save lives, create jobs, cut down on gridlock and pollution, and reshape communities.

But safety groups and the public remain skeptical about whether driverless vehicles are ready for wide deployment. And lurking in the background are powerful corporate interests with a huge stake in rapid adoption of the technology—regardless of the risks.

House and Senate Bills Agree on Major Points

While the legislation is a work in progress—the Senate bill still requires a full vote, and then the House and Senate versions would have to be reconciled before being sent to President Trump—both bills aim to put self-driving cars on the road faster through several major changes to existing laws.

NHTSA at the Wheel

The House and Senate bills grant the NHTSA authority on autonomous vehicle design and performance standards. States retain authority over licensing, insurance, and public safety laws. States can allow or prohibit self-driving cars on their roads, but they must defer to the NHTSA on vehicle regulations.

This arrangement is similar to how state and federal governments regulate traditional cars. Local officials, however, have expressed concerns over their ability to protect residents from the largely unproven technology. They claim their authority is meaningless if no one is technically driving a car.

Reduced Barriers to Deployment

Under the new legislation, automakers could obtain more exemptions from federal motor safety standards that apply to all new vehicles.

Current standards reflect human drivers and require features like steering wheels and brake pedals, which aren’t relevant for driverless cars. As of now the NHTSA permits an annual exemption to cover 2,500 vehicles per manufacturer. That number would increase under the House bill, allowing up to 25,000 autonomous vehicles per manufacturer in year one; 50,000 in year two; and 100,000 in years three and four. The Senate bill tops out at 80,000 exemptions after three years and lifts the cap completely after four.

Exempted vehicles must be shown to be at least as safe as human-driven cars. A manufacturer granted an exemption is required to provide information about all crashes involving exempted vehicles. The House bill gives the NHTSA two years to issue a final rule regarding how safety is being addressed by each manufacturer.

Cybersecurity and Privacy

Automated driving systems present serious cybersecurity risks, including the disclosure of passenger data and the ability of hackers to remotely control a vehicle. Thankfully the House and Senate bills recognize these risks and call for manufacturers to develop cybersecurity and privacy plans.

Manufacturers are required to develop and execute a comprehensive plan for identifying and reducing vulnerabilities and responding to unauthorized intrusions. Likewise, manufacturers must have a privacy plan in place describing how they’ll collect, use, share, and store passenger data. They must also describe how customers are notified about the privacy policy and what choices they have regarding their data.

Commercial Vehicles Exempted, but Roll On

Vehicles over 10,000 pounds were not included in either bill, reflecting labor union concerns about commercial driver job losses.

Many in the industry, however, see a silver lining. Chris Spear, president of the American Trucking Associations, likened truck drivers to pilots last year in a statement to Congress, noting that drivers will still be needed to do the pickups and deliveries in cities, much the way that pilots control taxiing, takeoff, and landing, but revert to autopilot at cruising altitudes.

Autonomous heavy trucks carrying human back-up drivers could be making regular deliveries in five or ten years.

Autonomous trucking could cut down on the primary contributors to truck accidents, factors such as fatigue, boredom, and distractions. There are also significant economic incentives for trucking companies. Unlike human drivers, self-driving trucks can be on the move all day long, helping to complete routes sooner. And tech-optimized speeds and acceleration could improve fuel efficiency.

Daimler, Otto (Uber), and other companies are developing and testing autonomous trucking technology. Autonomous heavy trucks carrying human back-up drivers in the cab could be making regular deliveries in five or ten years.

An Otto-made autonomous truck last year completed a 132-mile beer run in Colorado.

Some Remain Leery of Autonomous Vehicles, New Regulations

Those pushing autonomous vehicles assure the public that a transportation revolution is right around the corner, and that delaying legislation to free up the technology is akin to a utopia roadblock.

The most common argument in favor of self-driving cars is their ability to dramatically reduce traffic fatalities. U.S. road deaths surpassed 40,000 in 2016, the highest level in nearly a decade. The previous two years marked the sharpest two-year increase in traffic deaths in 53 years. According to the NHTSA, human error is to blame for 94 percent of crashes.

“More than 90 percent of these tragedies are linked to human error, driver choices, intoxication, and distraction,” said John Thune (R-SD) at a March 2016 public hearing on self-driving cars before the Senate Committee on Commerce, Science, and Transportation. “Automated vehicles have the potential to reduce that number dramatically. Unlike human drivers, automated vehicles don’t get tired, drunk, or distracted.”

Mr. Thune and fellow senator Gary Peters (D-MI) formed the Senate Smart Transportation Caucus, which focuses on transportation technology solutions aimed at improving safety and efficiency. They introduced the Senate version of the autonomous vehicle legislation.

In a statement announcing the bill, Mr. Peters said, “Self-driving vehicles will completely revolutionize the way we get around in the future. Our government can help save lives, improve mobility for all Americans… and create new jobs by making us leaders in this important technology.”

The senators’ talking points are nearly identical to those advanced by self-driving car makers.

He and Mr. Thune have also touted the ability of self-driving cars to reduce traffic congestion, fuel use and emissions, and to meet future infrastructure, environmental, and economic challenges.

The senators’ talking points are nearly identical to those advanced by autonomous vehicle manufacturers like Ford, Lyft, Uber, Volvo, and Waymo (Google). This is not a coincidence.

(Click below for page 2.)

10 Ways to Protect Your Child from Identity Theft

With each new data breach to hit the headlines, Americans become more concerned about protecting their personally identifiable information (PII) against potential thieves.

But there is an important set of data they may be overlooking: their children’s information.

While children don’t have bank accounts or credit card numbers that thieves can exploit, they do offer blank records that are appealing to anyone looking to assume a new identity. Plus, since credit reports are rarely run for children until they reach 18, identity theft can go undetected for years.

Ten percent of minors were victims of identity theft before they reached adulthood.

Identity thieves have unfortunately caught on to this unassuming trove of data. In a 2011 study conducted by the Carnegie Mellon CyLab, 10 percent of minors were victims of identity theft before they reached adulthood.

It isn’t just the number of victims that is alarming, but also the severity of these crimes.

If a child is a victim of identity theft, they can inherit years of fraudulent charges and a decimated credit score by the time they reach adulthood. When Dr. Axton Betz-Hamilton, a child identity theft researcher, discovered in college that her identity was stolen at the age of 11, she had ten pages worth of fraudulent charges to resolve. Her credit was so damaged that she was forced to claw her way up from an abysmal 380 credit score.

Unlike an adult who may be able to rest on their previously healthy credit to dispute fraudulent charges, a minor doesn’t have any credit to fall back on. For someone like Dr. Betz-Hamilton, it can take years to resolve a stolen identity.

The best way to fight childhood identity theft is to ensure it doesn’t happen in the first place. Here are ten ways that parents can secure their children’s identities.

1. Check to see if your child has a credit report. 

If they don’t have a report, that’s a good thing—it means there aren’t any lines of credit attached to their name. If they do have a report, you’ll have a detailed account of the fraudulent activity with which to work.

Experts recommend checking for a credit report on a yearly basis, but especially around your child’s 16th birthday. If their identity has been compromised, you will have enough time to resolve it before they apply for student loans or jobs.

2. Don’t overshare on social media.

Yes, it’s thrilling when your family welcomes the arrival of a new baby or your teenager receives their driver’s license, but not every one of your 500-plus Facebook “friends” need to know every detail. Never share your child’s full name or birthdate, and don’t post images that may contain personal information (like your child holding their license or a college acceptance letter).

It should go without saying that if you are sharing any information about your family, your accounts should be private.

3. Ask questions.

Who has access to your children’s personal identifiable information? Why do they need it? How do they store it? How do they dispose of it?

You should especially familiarize yourself with the data privacy policies of your child’s school, pediatrician, child care facility, and extracurricular programs. In addition to checking that your child’s Social Security number isn’t exposed, keep an eye out for the more innocent (and common) ways that your child’s PII may be shared, like birthday calendars or classroom contact lists.

4. Limit who has your child’s Social Security number.

You should never share your child’s SSN unless the other party has a legitimate reason for needing it. In some cases, you may be able to provide the last four digits of their social instead.

If you have a new baby, family members may ask for their SSN in order to purchase a savings bond in their name. While this is necessary to purchase a savings bond online, it isn’t necessary to obtain a paper version through a financial institution. Your friend or family member can provide their SSN instead.

5. Properly store your child’s personally identifiable information.

If you have physical documents with your child’s Social Security number, lock them up in a file cabinet or safe. If you ever need to dispose of documents with your child’s PII (even if it’s junk mail with their name and address), make sure you shred it.

Any sensitive documents on your computer should be encrypted. You can even encrypt the file they are stored in and hide it within a larger file so it is difficult for a thief to find.

6. Freeze your child’s credit.

This is helpful if your child’s information was exposed in a data breach. A freeze will prevent someone from opening new lines of credit or accounts under your child’s name.

You must contact each credit reporting agency and pay your state’s fee, which is typically no more than $10. You can lift the freeze when your child turns 18, or temporarily for a specific length of time or party.

7. Request an initial fraud alert.

With a fraud alert, companies must verify your identity before issuing new credit. An initial fraud alert is intended as a precautionary measure, like after a data breach that compromises your child’s information. It can stop fraudulent credit before it happens.

Unlike the extended seven-year fraud alert, you do not need an identity theft report to obtain the initial alert. You can get this free alert by contacting one of the three major credit reporting agencies (each is required to alert the other two). The alert lasts for 90 days but can be extended if necessary.

8. Enroll in an identity theft alert system.

Services like LifeLock can help you detect when your PII has been compromised before it results in a stolen identity.

LifeLock has a service specifically for minors called LifeLock Jr. For $5.99 a month, it will alert you if your child’s PII is listed on the black market, credit is opened in their name, or if their identity has been compromised.

9. Be careful with smart toys.

In July, the F.B.I. issued a warning for smart toys. These interactive toys gradually tailor the play experience to each child using data from previous interactions. In some cases, they store conversations with children or require personal information like a child’s birthdate or name to create their user profile.

When these toys are connected to the Internet, they may be vulnerable to getting hacked. Make sure your child only plays with these toys on secure and trusted Wi-Fi providers.

10. Talk to your children.

Long before your child joins social media they will use apps, online games, and other digital toys. Just like you would warn them about trusting strangers, you should teach them to be cautious when sharing any personal information online.

Were You Hacked?

If your identity was stolen after a data breach, you may be eligible for compensation. Our attorneys have filed lawsuits in response to some of the largest data breaches in history, including Yahoo and Equifax. Contact us today for a free, no-obligation legal consultation.

This Is Why Cyber Criminals Want Your Medical Records

2017 toppled 2016’s record-breaking 1,093 data breaches. As of December 27, 2017, there were 1,339 reported data breaches, according to a report from the Identity Theft Resource Center and CyberScout. This is a 23% increase from the year before. 

By hacking an insurance company or hospital, criminals can access all of your sensitive information in one fell swoop.

Data breaches have become so common that credit card numbers are virtually worthless on the black market because there’s so many available. That’s disturbing in itself, but what’s even more scary is that this oversupply has caused cyber criminals to set their sights higher by targeting the health care industry. More than a quarter of records breached in 2017 were medical records.

The Anthem data breach is just one example of how severe these breaches can be. In 2015, the insurance provider announced that 80 million patient records were compromised, which included sensitive data like Social Security numbers and health care ID numbers. In June of this year, they offered to pay a $115 million settlement, which if approved by the judge, would make it the largest data breach settlement to date.

Health Care Records Offer One-Stop Shop for Criminals

Health care records are essentially microcosms of your life, containing everything from your medical history and contact information, to your financial information and Social Security number.

By hacking the private records of an insurance company or hospital, a criminal can gain access to all of your sensitive information in one fell swoop. And, with often little invested in cyber security, the health care industry may make it easy for criminals to do so.

“Doctors don’t become doctors so they can protect data.”

“As other sectors, such as financial services, put measures in place to protect their electronic data, it is typical for fraudsters to move to what they consider the next low-hanging fruit. With the amount of personal health information now available in electronic format, it is a natural progression for cyber criminals to migrate to health care,” Ann Patterson, Senior Vice President of the Medical Identity Fraud Alliance, explained to us.

“Doctors don’t become doctors so they can protect data. In fact, by law, insurers are required to not exceed certain amounts of ‘administrative’ spending (including anti-fraud measures) to ensure that the majority of money is applied toward paying claims for actual health care.”

Four out of every five doctors said they experienced a cyber attack.

While they may not have the resources to prevent cyber attacks, the majority of U.S. doctors have been affected by one. In a study conducted by Accenture and the American Medical Association, four out of every five doctors said they have experienced a cyber attack. The most common form of attack cited was phishing: emails sent by a scammer posing to be an authority within an organization in order to obtain sensitive data.

As health care data breaches climb, so do medical identity thefts. Consumer Reports estimates that in 2014, there were 2.3 million cases of medical identity fraud. Health care providers may not be in the business of cyber security, but it’s time they make it a priority. 

Victims Spend Thousands to Resolve Medical Fraud

On average, companies pay $380 for every health care record breached. That’s more than the $225 average for breached records in other industries. These estimates cover direct expenses (like legal costs and identity protection services) and loss of business.

Consumers pay an even higher price for data breaches though if their identities are compromised. In 2015, the average medical identity theft victim spent $13,500 to resolve fraudulent activity, while other victims of identity fraud only spent $55 on average.

What makes medical identity theft even more problematic is that victims cannot simply shut down their medical records and open new ones like they can with credit cards. Their information could theoretically be used for life to open bank accounts, obtain medical care, reroute prescriptions, and more.

And, medical fraud is often harder to detect than stolen credit card information.

“Unlike financial identity fraud, medical ID fraud is hard to quickly identify and remediate,” explained Ann Patterson. “There is no mechanism for a hospital to alert you when someone with your identity has obtained services at their facility. There is no central repository of health care accounts in your name where you can obtain a report to review.”

Medical Identity Theft Can Create Medical Inaccuracies

A doctor may base treatment on a medical condition the victim doesn’t have, a surgery they never received, or a prescription they don’t take.

Undetected medical fraud can be far more serious than a damaged credit score. If a criminal assumes someone else’s identity to obtain medical care, it can negatively affect the health of the victim.

Victims can receive the wrong form of medical treatment or diagnosis if their medical information is mixed up with a criminal’s. A doctor may base treatment on a medical condition the victim doesn’t have, a surgery they never received, or a prescription they don’t take. And, even if incorrect data is detected, it can be nearly impossible to remove from health records.

“Your health history is what it is; if you’re sick or have been sick, that is a historical fact that doesn’t change,” said Patterson.

In other cases, patients may not receive their prescribed treatment at all. Criminals can change the mailing address for prescription drugs, leaving victims without their medication.

This is particularly a problem for opioids—prescription pain medication like oxycodone, hydrocodone, and methadone which are responsible for one of the worst drug epidemics in history. Some criminals may use someone’s medical identity to obtain new opioid prescriptions or reroute existing ones for their own benefit.

Opioid prescriptions are closely monitored because patients can easily develop a dependency on the medication. If a thief visits multiple health care providers to fraudulently obtain opioid prescriptions under a victim’s name, it could even lead to a warrant for their arrest.

This is what happened to Deborah Ford. Her medical identity was stolen after a thief stole her wallet which held her health insurance identification cards. The criminal used her identity to obtain multiple opioid prescriptions until it was flagged by law enforcement. Ms. Ford had to fight an arrest warrant and multiple charges on her previously clean record.

Were You Hacked?

If you suspect that you are a victim of medical identity theft, the Medical Identity Fraud Alliance provides multiple resources on what you should do next. To find out if your information was compromised in a data breach (regardless of industry), you can look up your email address on Have I Been Pwned.

ClassAction.com attorneys have fought on behalf of consumers in some of the largest data breach lawsuits to date, including lawsuits filed against Home Depot, Target, and Yahoo. If your information was stolen in a data breach, you may be eligible for a lawsuit. Contact us for a free, no-obligation legal review.

Self-Driving Cars Are Almost Here, but Questions Remain

Ready or not, the driverless car era is upon us. And depending on whom you ask, some are more prepared than others to embrace automated vehicles.

Manufacturers—eager to establish themselves as top players in the emerging market—are investing billions of dollars in research and development and spending millions on government lobbying.

States, meanwhile, are rolling out competing autonomous vehicle regulations as they court technology companies and the cash cow potential driverless cars represent.

Disruptions from self-driving and flying cars will be widespread.

But while patchwork state regulations may be useful for finding out the best path forward in the driverless era, comprehensive federal regulations will likely be needed sooner rather than later to avoid state-to-state rule conflicts. At the same time, over-regulating the industry early on could dampen innovation right at the time growth is exploding.

Then there is the public, who, despite assurances that self-driving cars will vastly reduce accidents and lead to a brave new world of on-the-go leisure, expresses reservations about autonomous technology.

Public fear of the driverless car is not unfounded. Many have asked how automated vehicles should respond to the moral dilemma of whether it’s preferable to, say, run down pedestrians in a crosswalk or crash into a tree.

Whichever choice the car makes, it raises another question being hotly contested by lawyers and insurance brokers: who is responsible for the damages?

These are just a few of the issues that self-driving cars pose. As we move into the driverless era, numerous industries will be disrupted in a society that currently revolves around the personal, self-driven vehicle.

Self-driving cars are just the beginning, too. Companies are working on flying cars, which will open up a brand new Pandora’s box of regulatory, infrastructure, and legal questions.

The New Arms Race

Traditional auto manufacturers, newer electric car makers, auto suppliers, and tech companies are battling for supremacy in the emerging self-driving car market.

Navigant Research ranked 18 companies on the cutting-edge of self-driving technology based on criteria that includes vision, go-to market strategy, technology, and product quality.

The companies most likely to get their autonomous cars to market first, according to Navigant, are Ford, General Motors, Renault-Nissan, Daimler, and Volkswagen.

It’s no coincidence that each of the companies in the top-five are auto manufacturers. In fact, only two non-automakers crack Navigant’s top ten.

Navigant explains that car companies, unlike tech companies, have the manufacturing capabilities to mass produce self-driving cars. Navigant expects tech companies to eventually provide auto makers with autonomous technology.

This scenario is already playing out through strategic partnerships between Volvo and Uber, Waymo (Google) and Fiat Chrysler, BMW and Intel, and General Motors and Lyft. Since suppliers already provide auto makers with most of their vehicle parts, these types of partnerships are nothing new. The key difference is that self-driving cars will rely more on technology such as computer processors, cameras, radar, and software.

States Vie for Footholds in Self-Driving Industry

Autonomous vehicles represent a major new market opportunity not only for manufacturers, but for states that want to attract jobs and revenue from the emerging market.

California has long been seen as the most tech-forward state, but the Golden State’s penchant for strong regulations is creating an opening for others to take leadership roles in self-driving cars.

Different states have different claims to the self-driving throne. California’s Silicon Valley is where major tech players are headquartered. Michigan has its auto industry roots. Pennsylvania and Massachusetts are home to Carnegie Mellon University and MIT, respectively, two front-running institutions in driverless car research.

For now, states are serving as laboratories in the self-driving car experiment.

Other states, like Virginia, that have no natural industry connections, are seeing the opportunity that autonomous vehicles represent and attracting companies with friendly legislation and rulemaking.

Driverless cars, after all, can only stay on the test track for so long. They must be tested on roads, in real-life traffic, before they can be deemed ready for commercialization.

Virginia makes no bones about its aggressive sales pitch.

“We have no rules that prohibit autonomous vehicles, no law. A lot of states do. That’s intentional that we’re doing that,” said Virginia Transportation Secretary Aubrey Layne.

California, which is taking a more cautious approach, is working on the country’s most comprehensive self-driving car regulations. The state presumably wants a functioning regulatory system in place before self-driving cars go mainstream, but a potential downside of their strategy is stifling innovation.

California’s approach has “made it more difficult for the industry,” said Stan Caldwell of Carnegie Mellon. “They’re trying to keep it safe. But they can’t keep up with the technology curve.”

For now, a patchwork of state regulations may benefit growth as states compete and the most safe, effective regulatory solutions take shape in jurisdictional laboratories.

Florida, for example, passed legislation making it the first state to allow autonomous vehicles on roadways without a human backup driver, while it is now legal in Michigan to purchase autonomous cars.

Autonomous Vehicles Need Federal Regulations

At some point, the federal government will almost certainly have to impose nationwide self-driving car regulations that set basic performance and safety standards. Otherwise, manufacturers would have to produce vehicles with different standards in accordance with different state laws.

Joseph Okpaku, Lyft’s Vice President of Government Relations, told a congressional committee that “inconsistent and conflicting” state laws create “the worst possible scenario for the growth of autonomous vehicles.”

Federal law preempts state law wherever there is legal overlap. The National Highway Traffic Safety Administration (NHTSA) is the federal agency traditionally in charge of regulating vehicle performance.

Last September the NHTSA issued guidance that lays out automated vehicle performance guidelines and a 15-point model state policy. But the recommendations are strictly voluntary. They also leave many questions unanswered, such as the open-ended definition of an “operational design domain,” a safety assessment that proposes not allowing autonomous vehicles on public roads until the manufacturer tests under controlled conditions the different traffic and environmental variables the vehicle is likely to encounter.

Ford, GM, Uber, and Tesla poured millions into lobbying the federal government in the first quarter of 2017.

Weather is one operational design domain, although the NHTSA does not mention, for example, if a car intended for use in the South should be equipped to handle the ice and snow of New England. Vehicles also may or may not encounters variables like rock slides, busy pedestrian centers, and wildlife in the road. Should all vehicles be tested and prepared for all conceivable domains? If so, what testing criteria must manufacturers meet to prepare vehicles for these different scenarios?

Such discrepancies could likely be addressed via engineering tweaks for vehicles marketed in different regions. A simple software upgrade might be enough to make a vehicles sold in Arizona ready for a road trip to Alaska. But the broader point is that there are many gray areas to consider when crafting self-driving vehicle regulations.

Making matters even murkier, Elaine Chao, new head of the Transportation Department under President Trump, suggested early in her tenure that the Obama-era guidelines were too restrictive and would be revisited.

But if you follow the money, automakers and tech companies appear confident that federal regulations in some form are on their way. Ford, General Motors, Uber, Tesla, and others poured millions into lobbying the federal government on self-driving car policies in the first quarter of 2017 alone. Lobbying is taking place on the state level as well.

(Click below for page 2.)

Uber Uses Scare Tactics to Turn Drivers from Unions

Without the rights or voice that come with an employee classification, some Uber drivers are seeking union representation.

Uber loves to have their cake and eat it too. Especially when it comes to classifying their drivers.

Are Uber drivers employees? According to Uber, no, which is great, they argue, because it allows drivers to work on their own schedules. And, it happens to save Uber a ton of money by not having to pay minimum wage, sick days, and benefits like unemployment or health insurance.

But, unlike contractors, Uber drivers can’t set their own fares, and they are constantly at risk of being deactivated from the app.

Without the rights that come with an employee classification, nor the ownership and independence that freelancers enjoy, Uber drivers are stuck in a no man’s land without a voice, leading some drivers to seek representation from unions or drivers guilds. 

Judge Temporarily Blocks Seattle’s Collective Bargaining Law

Seattle is currently the battleground for Uber’s union fight. The city passed the For-Hire Driver Collective Bargaining Law at the end of 2015, the first of its kind that allows Uber and Lyft drivers to unionize.

Though limited to Seattle, the law could lead to changes throughout the country in how Uber and Lyft drivers are represented and which rights they are entitled to.

The U.S. Chamber of Commerce (which represents Uber) retaliated by suing the city, claiming that since drivers are contractors, they cannot organize. It would be an issue of price-fixing, they argued, if they had representation to advocate for minimum pay or higher fares.

Last week, a judge ruled in their favor, temporarily blocking the law from going into effect.

“A drivers guild may be a good start, but it’s unlikely that older union models would apply in the face of federal laws regarding independent contractors.”

Interestingly though, a separate federal lawsuit in New York argues that Uber is already guilty of price-fixing since they set the fares for their drivers, all of whom are contractors. 

We asked Ehsan Zaffar, a law professor at American University Washington College of Law, what his thoughts are on the matter. He believes that an entirely new regulatory structure needs to be created which would allow “drivers to pool resources and bargain collectively, while still allowing Uber and its drivers to partake in and fairly benefit from independent contractor provisions.”

“A drivers guild may be a good start, but it’s unlikely that older union models would apply in the face of federal laws regarding independent contractors,” said Zaffar.

Uber Launches Anti-Union Ad Campaign

Uber warns that a union could “essentially stalk drivers” to get them to join and pay dues, referring to them at one point as being “super scary.”

Recognizing the implications of Seattle’s law, Uber deployed a major PR campaign to influence drivers’ opinions on collective organizing.

The company aired TV commercials and made phone calls to drivers to convince them that a union would hurt drivers. Uber’s Seattle podcast even features entire anti-union episodes.

In one podcast episode, Brooke Steger, the General Manager of Uber in Seattle, passionately says that Teamsters, the union that is trying to represent drivers, is trying to “silence drivers.” In another episode, Steger warns that the union could “essentially stalk drivers” to get them to join and pay dues. She refers to them at one point as being “super scary.”

The podcast features comments from Uber drivers that echo the company’s message. Eric, an Uber driver, declares in one episode that “it’s so great that Uber is standing up for its drivers.”

However, it’s unclear how authentic Eric the Uber driver’s testimony is. He mentions in one episode that he is a member of the nonprofit Drive Forward that is fighting for the flexible rights of Uber drivers. If you read the fine print on their website though, you’ll see that the nonprofit was founded by Uber.

Uber’s primary argument that union representation could restrict drivers’ flexibility has been struck down by the Teamsters Union. The union claims that drivers would vote on proposed contracts and any changes in terms. 

Uber Drivers Don’t Have a Voice

If any group of workers needs the right to work together to improve their conditions, and to demand accountability from their employer, it’s Uber drivers.”

Whether or not union representation is the best course of action for Uber drivers remains to be seen, but it’s clear that something has to change to ensure drivers are treated fairly. 

Uber has used drivers’ contractor status to ensure they remain voiceless. 

“Uber drivers are managed by inscrutable and unfair algorithms, and have no way to raise any concerns with the company,” Tom Slee, author of What’s Yours is Mine: Against the Sharing Economy, told us. “If any group of workers needs the right to work together to improve their conditions, and to demand accountability from their employer, it’s Uber drivers.”

“Sharing Economy” is One-Sided for Uber Drivers

“The company is seeking a unique combination of control without responsibility.”

Right now, many Uber drivers are barely getting by, frequently making less than minimum wage, without a safety net for periods of low ridership.  

When Uber decides to offer discounted rides, drivers are forced to comply, even though it often means a cut in their earnings. Uber argues that promotions result in more passengers for drivers, but it also means longer hours. 

There have even been accounts of drivers seeing lower fares on their apps than the fares charged to passengers, causing some to believe that Uber is pocketing the difference.

Drivers are even subject to psychological “gaming” techniques to incentivize them to work longer hours, as a recent New York Times piece detailed. The app used to present drivers with a new passenger before they dropped off the one that was already in their car. Failing to accept at least 90% of rides, or receiving poor ratings—even if a driver doesn’t deserve them— are common grounds for sudden deactivation.

“Uber micro-manages its drivers through software, from tracking driving habits to firing drivers for low ratings. The company is seeking a unique combination of control without responsibility,” said Slee.

As contractors, drivers shoulder a huge amount of Uber’s business risk by not having a steady income or schedule, but they lack the true benefits of “flexibility” that the company likes to promote.

With the pending price-fixing lawsuits in Seattle and New York, and the ongoing employee misclassification class action lawsuits in California and Massachusetts, it’s now up to the courts to decide what exactly Uber is, and how their drivers should be rightfully defined under federal labor law.


GameStop Looks to Level Up Its Site’s Cybersecurity

It could be game over for GameStop shoppers.

The video game store GameStop has confirmed that it is investigating a potential data breach that may have occurred on its website between September 2016 and February 2017. The compromised data may include credit card numbers, verification codes, and expiration dates, as well as names and addresses.

In an email to Fortune, a GameStop spokesperson issued the following statement: “GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims.”

GameStop also expressed regret for any concern the incident may have spurred, and reminded customers to monitor their credit cards for suspicious charges.

This alleged incident is just the latest attack to take place in the increasingly rocky cybersecurity landscape. If you or a loved one suffered financial losses that you believe were caused by a data breach, please contact us today for a free, no-obligation legal consultation.

1.4 Billion Records Breached in 2016

The potential GameStop breach is one of many high-profile incidents involving companies like Arby’s, Saks Fifth Avenue, Neiman Marcus, and of course Yahoo. These breaches finally prompted the state of New Mexico to enact cybersecurity legislation, leaving just two states—Alabama and South Dakota—without these types of laws on the books.

Even two states holding out is surprising given the ever-growing prevalence and threat of data breaches. Cybersecurity company Gemalto recently found that worldwide there were 1,792 breaches in 2016—an 86% increase from 2015. Roughly sixty percent of those breaches (1,100) occurred in the U.S.

The 1,792 global breaches compromised 1.4 billion records. Here are a few of Geralto’s other disturbing findings:

  • Identity theft was the most common type of breach, comprising nearly 60% of incidents.
  • Malicious outsiders—which only accounted for 13% of breaches in 2015—accounted for 68% of breaches in 2016.
  • Fewer than half (48%) of breached organizations reported the full extent of the breaches when they first announced them.

These figures paint a frightening picture: more and more, data breaches are carried out by someone with malicious intent, i.e., identity theft. And all too often, companies not only fail to protect their customers, but they don’t even disclose all (or any) of the details upon learning of the breach.

Gemalto Regional Director Graeme Pyper said, “Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high-value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organizations to infiltrating large databases such as entertainment and social media sites.” 

Anthem Scares Off Data Breach Plaintiffs

Anthem, Inc. suffered a 2015 data breach that impacted as many as 78.8 million people. The compromised data allegedly included social security numbers, addresses, birthdates, income data, and medical IDs. Experts presume that the data has been sold or will be sold on the black market (which is common after a massive breach).

Anthem’s strategy in battling these lawsuits has been coldly effective.

Naturally, this breach resulted in several class action lawsuits filed by affected consumers. Anthem’s two-pronged strategy in battling these lawsuits has been brilliant and coldly effective.

First, Anthem has released as few details about the breach as possible, which could help the company preserve its innocence in court. Unlike Yahoo, for example, which acknowledged that it took more than a year for the company to announce its massive breaches—a blatant violation of California state law (among others).

Second, Anthem has demanded that plaintiffs turn over their personal computers, ostensibly to prove that any alleged breach did not occur prior to the Anthem incident. As a result of this request, many plaintiffs have dropped their lawsuits. (Many people feel squeamish about turning over their browser histories and other computer habits to a stranger, let alone an attorney.) So even if Anthem loses or settles these cases, the payout will be smaller than it would have been prior to this request.

Until these cases go to trial, we won’t know how many plaintiffs (if any) actually suffered breaches that were unrelated to the Anthem incident—or if Anthem can effectively make the case that these breaches were consumers’ faults, not the company’s.

But if this continues to be an effective strategy, one can expect more and more companies—including, potentially, GameStop—to adopt it in the future.

Saks, Arby’s Data Breaches Spur State Legislation

Data breaches aren’t going away anytime soon, and the latest rash of privacy violations has spurred not just consumer concern but state legislation.

This year has already featured major breaches at Saks Fifth Avenue, Arby’s, and JobLink.

U.S. data breaches hit an all-time high in 2016, with nearly 1,100 breaches—a 40 percent increase compared to 2015. They may peak again in 2017, with several high-profile breaches already endangering Americans’ private information.

This year has already featured major breaches at Saks Fifth Avenue, Arby’s, and JobLink. Those breaches may have compromised hundreds of thousands of consumers’ data.

These attacks also prompted the state of New Mexico—previously one of the few states with no data breach notification laws on the books—to finally enact a Data Breach Notification Act.

Free Case Review

Saks Breach Allegedly Threatens Tens of Thousands

As first reported by BuzzFeed News last week, Saks Fifth Avenue allegedly posted customers’ email addresses, phone numbers, IP addresses, and product codes (of the times they were interested in purchasing) on unencrypted pages on their website. If true, this vulnerability would have endangered the data of tens of thousands of customers.

“This is as bad as security gets. Everyone is vulnerable.”

A spokesperson for Canada-based Hudson’s Bay Company—which owns and runs the Saks website—told BuzzFeed News, “The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses.”

The spokesperson added, “We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

But cybersecurity expert Robert Graham told the site, “This is as bad as security gets. Everyone is vulnerable.”

As a result, many consumers are exploring data breach lawsuits against Hudson’s Bay Company. If you or a loved one have suffered financial or reputational damage as a result of this alleged breach, please contact us today to find out if you might qualify for compensation.

Neiman Marcus Settles Data Breach Lawsuit for $1.6M

Coincidentally, Saks owner Hudson’s Bay Company is reportedly in talks to merge with Neiman Marcus—which recently settled a data breach lawsuit filed by ClassAction.com attorney John Yanchunis for $1.6 million. (If the rumored merger occurs, it may be hard for customers to feel safe using their credit cards at Hudson’s Bay stores.)

The Neiman Marcus breach in December 2013 allegedly exposed the credit card information of 350,000 shoppers. Neiman Marcus claimed the number was much lower, just 9,200 accounts.

Under the terms of the settlement, each member of the class can receive up to $100, while class representatives may receive up to $2,500 for their service.

Mr. Yanchunis has established himself as perhaps the foremost data breach attorney in the country. Recently he was named lead plaintiffs’ counsel in the Yahoo data breach case—the largest class action lawsuit in history, one that includes more than a billion plaintiffs.

New Mexico Finally Passes Data Breach Law

In the wake of these large-scale breaches—along with those of Arby’s and JobLink, among others—the state legislature of New Mexico has finally enacted a piece of cybersecurity legislation: the Data Breach Notification Act, or H.B. 15. That act will now go to Governor Susana Martinez’s desk for her signature.

H.B. 15 states the following:

  • Companies and entities must dispose of personal identifying information once those records are “no longer reasonably needed for business purposes.”
  • Companies and entities must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
  • Companies and entities must notify affected parties of a data breach within 45 days of learning of it. That said, no notice is required if the breach does not create “a significant risk of identity theft or fraud.” (“A significant risk” is something attorneys will presumably hash out in the courts.)
  • If a breach impacts more than 1,000 New Mexico residents, the attorney general and credit bureaus must also be notified.

If the above measures seem fairly common-sense, they are. All but three states—New Mexico, Alabama, and South Dakota—have similar data breach laws on the books. With New Mexico joining the rest of the country in the 21st century, that leaves just Alabama and South Dakota’s consumers relatively unprotected.

If you or a loved one fell victim to fraudulent credit card charges and/or identity theft as result of a data breach, contact an attorney today for a free, no-obligation legal consultation.

FCC Blocks Privacy Laws While Americans Ask For More

New FCC Chair Ajit Pai blocked the first of the internet privacy rules from going into effect, which required internet providers to protect consumers’ information and disclose data breaches.

Yahoo isn’t the only company that is too cavalier when it comes to your online privacy. In addition to companies left and right leaving your private information vulnerable to hackers, there are those that intentionally hand your personal details to third parties without your consent.

Last year, the Federal Communications Commission (FCC) passed legislation regulating how Internet Service Providers (ISPs) collect, share, and protect your online data. The rules require that companies like AT&T and Comcast ask you to “opt-in” before selling your personal details (like browsing history, location, and more) to advertisers. 

New FCC Chair Ajit Pai, a former Verizon attorney, blocked the first of the internet privacy rules from going into effect last week. The rules required ISPs to protect consumers’ information and disclose data breaches. Critics of the privacy rules, including Pai, argued that they were confusing and unfair because they would have resulted in websites like Google and Facebook being treated differently than internet providers.

“All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another,” one of Pai’s representatives said last week.

Putting “Corporate Interest Before Consumers”

It’s not about favoring one business over another. In response to Pai’s actions, Senator Edward Markey (D-Mass.) said that we cannot let the FCC “put corporate interest before consumers.”

Supporters of the rules point out that Google and Facebook are free services—as creepy as they sometimes are, it isn’t surprising that users are “paying” in some way. If Americans are uncomfortable with how these websites use their information, they have the ability to cancel their accounts. Internet providers are the “gatekeepers” though; it’s much more difficult for consumers to opt out of these services.  

These arguments aside, any regulation is better than none. While the FCC can hold companies accountable for violating online privacy agreements and using deceptive practices, they can only step in once harm has been done—often, it’s too little too late.

Verizon Fined $1.35 Million for Supercookies

When it comes to deceptive tracking, Verizon may be one of the worst offenders.

In 2015, it was discovered that Verizon installed supercookies on users’ devices which not only tracked phone activity (like websites visited, links clicked, etc.), but were also impossible to remove. The company installed the supercookies without consumer consent to collect information for advertisers.

Verizon “rectified” the situation by directing users to MyVerizon.com to delete the supercookie but this installed yet another cookie. Last year, the company paid a $1.35 million fine to the FCC for deceiving users.

Verizon’s actions are especially discomforting since Pai has a former history with the company.

Majority of Americans Want More Control Over Their Privacy

In a time that is characterized by partisan feuding, one thing that Americans can all agree on is that protecting their online privacy is important, and that the federal government needs stronger laws to protect consumers.

According to a PEW study published in September 2016:

  • 68% of Americans believe current laws are not strong enough to protect online privacy.
  • 74% say it is very important that they are in control of who can get information about them. 
  • 91% agree or strongly agree that consumers have lost control over how their information is collected and used by companies.

Tips for Maintaining Online Privacy

Unfortunately, without strict regulations consumers can only do so much to protect their information from advertisers and potential data breaches. However, you can enhance your privacy by following these steps wherever possible:

  • Change your passwords regularly (make sure they aren’t predictable) and use an app like LastPass to store them.
  • Check your browser’s privacy settings and disable location tracking, cookies, etc. as much as possible. (These are often hard to find. In Chrome, go to: Preferences→Settings→Advanced Settings→Content Settings.)
  • Regularly delete your web history and cookies. Note that this may remove your privacy settings on some platforms.
  • Browse privately using your browser’s incognito mode and use a search engine like DuckDuckGo that doesn’t track your searches.
  • Avoid linking sites, apps, and other accounts to Facebook or Google profiles—which track your activity across platforms—and log out of these accounts when you aren’t using them.
  • Check your app settings to monitor what types information they are collecting. For example, does your favorite game really need to access your contacts?
  • Assume you don’t have privacy and be mindful of what information you share online.

Our lives are so intertwined with the devices we use that this is just the tip of the iceberg for maintaining privacy. Check out The Guardian’s 21 tips for more.

If you were harmed by a data breach, you may be eligible for compensation. Contact ClassAction.com for a free, no-obligation legal review.

John Yanchunis Is Lead Counsel in Yahoo Data Breach Case

ClassAction.com attorney John A. Yanchunis will serve as Lead Counsel on the largest class action lawsuit in history—the Yahoo data breach that allegedly compromised the private data of hundreds of millions of people around the world.

In an order filed Thursday, February 9, 2017 in the Northern District of California, U.S. District Judge Lucy H. Koh appointed John A. Yanchunis of Morgan & Morgan and ClassAction.com to serve as Lead Plaintiffs’ Counsel and Chair of the Plaintiffs’ Executive Committee.

Read the Order

Four firms filed motions to serve as lead counsel: Morgan & Morgan, Kaplan Fox & Kilsheimer LLP, Kessler Topaz Meltzer & Check LLP, and Susman Godfrey LLP. At a hearing in San Jose before Judge Koh made her decision, Mr. Yanchunis argued that a large firm of Morgan & Morgan’s stature—with more than 300 attorneys at its disposal—would be the best choice to take on a case of such magnitude.

At a press conference Saturday, Mr. Yanchunis said, “Morgan & Morgan is the biggest law firm of its type in the country. We have the legal talent and financial strength to take on anyone in this country.”

Mr. Yanchunis also noted that Morgan & Morgan (motto: “For the People”) only represents consumers, and never large companies.

Yahoo’s 2013 data breach (announced last year) compromised the data of roughly one billion users. A separate breach in 2014 compromised the data of 500 million users.

Mr. Yanchunis said Saturday that the lawsuit will represent everyone in the world whose data was breached.

Yanchunis Heads Five-Person Executive Committee

The other firms that filed motions to serve as lead counsel argued that the case was not as complex as it appeared, despite its mammoth size. They also claimed that a single firm should work the case, instead of the committee of firms helmed by Mr. Yanchunis.

Judge Koh thought they made “excellent points,” but ultimately disagreed.

Joining Mr. Yanchunis on the Executive Committee are Gayle Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP, Stuart Davidson of Robbins Geller Rudman & Dowd LLP, Karen Riebel of Lockridge Grindal Nauen PLLP, and Ariana Tadler of Milberg LLP.

As Lead Counsel and the Plaintiffs’ Executive Committee, Mr. Yanchunis and the abovementioned attorneys must review and record all billing records and “impose and enforce limits on the number of lawyers assigned to each task,” among other key duties.

Lawsuit Seeks Tighter Security, Hundreds of Millions in Damages

At the press conference, Mr. Yanchunis cited the long gap between the breaches and their announcement as one of the most concerning aspects of Yahoo’s actions.

“Those breaches either remained undetected or Yahoo failed to inform the public [for years].”

“What’s alarming about this is that the first breach occurred in 2014, but Yahoo did not announce it until September of 2016,” Mr. Yanchunis said. “The breach announced in December occurred in 2013. And yet, those breaches either remained undetected, or Yahoo failed to inform the public about the breaches.”

He also noted that most states have laws on the books requiring companies to inform consumers of data breaches within 30 days of discovering them.

Mr. Yanchunis said the lawsuit will seek stronger cybersecurity measures from Yahoo “to make sure that this never happens again.” Moreover, for those who suffered financial losses as a result of the breach, the lawsuit will seek damages.

Asked how much those damages might total, Mr. Yanchunis said it’s too early to say, but likely in the hundreds of millions of dollars.

“It will be extensive,” he said.

Experience with High-Profile Breaches Proved Crucial

In determining whom to name Lead Counsel for the largest class action ever, Judge Koh weighed the following chief criteria:

  • “Knowledge and experience in prosecuting complex litigation, including class actions, data breach, and/or privacy cases”
  • “Willingness and ability to commit to a time-consuming process”
  • “Ability to work cooperatively and efficiently with others”
  • “Access to sufficient resources to prosecute the litigation in a timely manner”
  • “Commitment to prioritizing the interests of the putative class”

The first criterion, experience, may have clinched the win for Mr. Yanchunis. He and Morgan & Morgan previously litigated two massive data breach cases—the Home Depot Inc. and Target Corp. cases. Those lawsuits were settled for $19 million (Home Depot) and $10 million (Target), respectively.

Now Mr. Yanchunis and his team will take on the biggest breach of all, and aim to hold Yahoo accountable for allegedly endangering the privacies and identities of hundreds of millions of people.

The Regulatory Battles Uber Faces in 2017

In 2016, Uber unleashed a host of innovations: self-driving cars, UberFreight, and more. But with innovation comes new regulations—something Uber consistently demonstrates it doesn’t have the patience for.

Some cities and states believe that by siding with Uber, they are standing for innovation, while others are taking a more cautious approach and are trying to rein in the company. It has created a complicated legal landscape that is still trying to catch up with the new technology.

Here are some of the major legal issues we think Uber will wrestle with in 2017.

State Battles Over Self-Driving Legislation

In November 2016, the Department of Transportation created the first Federal Automated Vehicles Policy, leaving the manufacturing of self-driving cars to companies, and the development of laws and regulations to the states.

Though the document warns against states creating inconsistent legislation, it also says that “states may wish to experiment with different policies and approaches.”

These “experiments” have already been tested during Uber’s self-driving car pilots. In Pittsburgh, the pilot has been relatively uneventful, compared to San Francisco, where the company received a cease-and-desist letter from the Attorney General within two days of the pilot’s launch.

Uber refused to obtain an autonomous vehicle testing permit from the state—which only costs $150.

Uber refused to obtain an autonomous vehicle testing permit from the state—which only costs $150—arguing that their vehicles still required human drivers and therefore did not fit within California’s definition of self-driving. Making matters worse, cameras captured their autonomous cars running red lights and making unsafe turns in bike lanes.

Though Uber dismissed traffic violations as human error from their operators, in the end they shipped their cars to Arizona.

Arizona Governor Doug Ducey welcomed the company, saying, “While California puts the brakes on innovation and change with more bureaucracy and more regulation, Arizona is paving the way for new technology and new businesses.”

In addition to Arizona, Uber may also test their autonomous vehicle technology in Michigan this year. Though there haven’t been any announcements, the state just legalized self-driving cars without licensed drivers, steering wheels or brakes.

Without clear, consistent oversight, though, the legal skirmishes and unsafe driving that we saw in California will likely continue. Increased federal regulation is likely to come, but it may favor Uber and other autonomous vehicle manufacturers: Uber CEO Travis Kalanick and Elon Musk are both on the President-elect’s Strategic and Policy Forum.

Transit Partnerships Demand Greater Transparency

In 2016, some city officials cut back on public transit spending and began offering residents vouchers for Uber rides instead. These programs are often referred to as “First Mile Last Mile” since they replace the first and last few stops of a route where there are the fewest passengers.

Is it wise to give Uber even more power?

For a city’s budget, it often makes financial sense to replace low-traffic bus routes with subsidized Uber rides. Florida cities like Pinellas Park and Altamonte Springs (which pays 20% for all Uber rides within city limits) have done this and claim it’s a success.

It’s a worrisome trend, though, and may negatively affect citizens who rely on public transportation the most. Citizens who don’t own smartphones or credit cards can’t order a ride. And the disabled would likely have a harder time getting around, as it’s still difficult for passengers to find Uber drivers who can accommodate wheelchairs and guide dogs.

Swapping out bus routes for Uber rides also shifts the power away from local authorities to a private company. In addition to replacing public sector jobs with poor contract jobs (see below), it also limits government access to ridership data, which Uber considers confidential information.

New York City is currently battling this issue. The city requires drivers to report pick-up locations and times, but they want to extend this to include drop-off locations and times. Officials argue the data would be used to identify incidents of driver fatigue, but Uber thinks it’s an invasion of privacy.

At the moment Uber and Lyft are subsidizing U.S. ridership, and one day they’re going to start profiting from it.”

While New York City’s argument certainly has some holes, Uber hasn’t proven to be the best privacy protector: Former employees revealed last year that workers tracked the locations of ex-partners and celebrities.

More importantly, is it wise to give Uber even more power? What happens if Uber decides to end these partnerships and local cities are left without efficient bus or train routes?

And, as Slate author Henry Grabar points out, “At the moment Uber and Lyft are subsidizing U.S. ridership, and one day they’re going to start profiting from it.”

Drivers Push to Be Employees, Not Contractors

Will 2017 finally settle Uber’s longest fight, over whether drivers are employees or contractors?

The company has maintained that by classifying drivers as contractors they are providing them with the flexibility drivers desire. “Flexibility” is a common term the company uses to defend why they deny drivers basic employee rights, like informing them when fares are reduced or ensuring that drivers are paid at least the minimum wage.

Two pending class action lawsuits representing drivers in California and Massachusetts will lend weight to the classification debate.

U.S. District Judge Edward Chen rejected the $100 million settlement, saying that it was unfair to drivers.

In April 2016, Uber proposed a $100 million settlement that, if accepted, would have maintained drivers’ contractor status. But U.S. District Judge Edward Chen rejected the settlement, saying that it was unfair to drivers. (The two parties have since resumed negotiations.)

A new thorn for drivers is the Ninth Circuit Court of Appeal’s decision to uphold Uber’s arbitration agreements—an agreement that Judge Chen declared was “unconscionable.” The September 2016 decision ruled that drivers who joined Uber in 2013 and 2014 must settle their disputes in private arbitration, rather than class action lawsuits. This decision will likely disqualify thousands of drivers who were originally in Massachusetts and California’s employee misclassification suit.

ClassAction.com will continue to follow this debate to provide Uber drivers with the latest information on their worker classification and legal rights. If you are an Uber driver, contact us today with your legal questions.

VW Enters New Mobility Market With Moia Brand

Hoping to put the Dieselgate scandal in its rearview mirror, Volkswagen is focusing less on individual vehicle ownership and investing more in ride-hailing, autonomous driving, and electric cars.

MOIA’s focus is changing urban mobility.

These efforts will take place under Moia, a new standalone mobility services company.

Moia signals VW’s intent to compete with tech companies such as Google, Apple, and Uber as a provider of innovative transport solutions.

Volkswagen officially launched Moia at the Tech Crunch Disrupt technology event in London on December 5.

Moia (a Sanskrit word meaning “magic”) will operate as an independent brand under the VW umbrella, which also includes the brands Audi and Porsche.

Global Aspirations

The Moia brand is VW’s second step away from its traditional vehicle manufacturing business. In May, VW invested $300 million in Gett Inc., a ride-hailing company that operates in more than 100 cities.

Moia’s initial focus is on ride-hailing and on-demand pooling services. It also plans to introduce an electric car as soon as 2021. European pilot projects start in 2017, but Moia eyes an international market.

“Even though not everyone will still own a car in future, Moia can help make everyone a customer of our company in some way or another,” said Volkswagen CEO Matthias Mueller in a statement.

“We’re a startup with VW group’s resources and we have a global aspiration,” said Moia CEO Ole Harms. “Our sights are set on becoming one of the global top players for mobility services in the medium term.”

Automakers Facing Seismic Industry Changes

An industry that since its inception has focused on selling internal combustion vehicles to individual drivers is under technological assault.

Dieselgate may have been a blessing in disguise for Volkswagen.

Not only is the industry moving towards electric cars with automated features, it’s also facing a future in which drivers themselves are obsolete.

Companies like Uber and Lyft that provide on-demand ride hailing are obviating the need for personal vehicles. Under legal pressure to classify drivers as employees, Uber and Lyft may scrap drivers altogether and introduce driverless taxis. If they do, they’ll have competition from Google and Apple, which are investing heavily in driverless cars. Vehicles from Tesla, Volvo, Ford and other automakers already feature sophisticated automation systems and may be fully automated within a decade.

Volkswagen is a latecomer in this competitive, rapidly-changing, tech-driven environment. Daimler AG, for example, already has a car-sharing service as well as public-transit and cab hailing apps. General Motors is investing $500 million in Lyft and planning an on-demand network of self-driving cars.

While VW brand Audi offers car sharing in San Francisco and Hong Kong and plans to offer self-driving and fully electric cars in 2017 and 2018, overall VW lags behind the competition from an innovation standpoint.

Ironically, Dieselgate may have been a blessing in disguise for the world’s second-largest automaker. The scandal delivered a near-fatal blow to its “Clean Diesel” passenger car campaign, and VW now seeks a strategic revamp as a leaner, more efficient, and future-looking automotive company.

VW recently announced it would lay off 30,000 workers—5 percent of its global workforce—while adding 9,000 new technology positions.

Berlin-based Moia currently employs 50 workers and will have about 200 employees by the end of 2017. Volkswagen intends to generate a substantial share of its revenue from the startup by 2025.

John Yanchunis Files Data Breach Lawsuit Against Yahoo

Less than a week after Yahoo announced that a 2014 data breach had compromised the private information of 500 million users—and two months before Yahoo said that a separate 2013 breach had endangered the data of 1 billion usersour attorneys filed a negligence lawsuit against the tech giant for failing to protect and inform consumers.

Lead plaintiff Edward McMahon filed the lawsuit in the Northern District of California on behalf of himself and all others similarly situated, leaving the door open for a class action.

The complaint argues that Yahoo failed to safeguard its users’ personal information: names, email addresses, passwords, phone numbers, security questions and answers, etc.

Read the Complaint

It also says that Yahoo did not provide timely, accurate, or adequate notice of the data breach, and alleges breach of implied contract and violation of the California Unfair Competition Law, Business & Professions Code.

“It’s inconceivable that Yahoo either failed to detect the breach for two years,” said attorney John Yanchunis, “or it knew of the breach in 2014 and intentionally disregarded the privacy interests of consumers and breach notification laws by failing to inform consumers of the breach for two years.”

Yahoo Breach Could Have Major Aftershocks

Cyber-security experts say the Yahoo breach could trigger a chain reaction in which tens or even hundreds of thousands more accounts are hacked.

Matt Blaze, a security researcher at the University of Pennsylvania, tweeted that “data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

These types of mega-breaches don’t just stop at the site that was breached, because the hackers now have vital information that can grant them access to other sites as well.

Hackers may use the passwords obtained in the Yahoo breach on other sites, gaining access to some of these accounts, too. Even if just 0.1% of the 500 million passwords work elsewhere, that would equal another 500,000 breaches.

And, as Mr. Yanchunis notes, while many Yahoo users may not actively use their breached Yahoo accounts, that does not mean they closed those accounts prior to 2014—which means their information was still there for the taking.

“The ramifications of this breach may be extremely devastating,” Mr. Yanchunis said.

How to Protect Yourself from Data Breaches

The complaint alleges that the lead plaintiff in the case, Edward McMahon, has noted suspicious activity on his Yahoo accounts, including not being able to access his accounts. He believes the hackers changed his passwords.

Mr. McMahon “has very important sensitive information in his emails that he… believes have been accessed,” according to the complaint.

If your personal information was compromised in the Yahoo data breach, the first thing you should do is change your passwords (Yahoo and others). Make sure they are all strong and unique. Other tips for protecting your data:

  • Enable multi-step verification whenever possible
  • Don’t recycle passwords across sites
  • Use apps like LastPass to store complex, hard-to-crack passwords
  • Check Have I Been Pwned? to determine if/when you’ve been hacked

If you have suffered financial or reputational harm as a result of a data breach, contact us immediately to explore your legal options. You may qualify for a data breach lawsuit.