In re OPM Data Security Breach Litigation
Whether the government's failure to safeguard sensitive personal data from a breach, and the resulting disclosure of that personal data, violated individuals' constitutional right to informational privacy and caused a cognizable injury under Article III
- D.C. Circuit Greenlights OPM Data Breach Case: The D.C. Circuit Court of Appeals ruled today that the OPM Data Breach case can move forward, reversing an earlier dismissal by a lower court. The case concerns the data breach at the U.S. Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and their family members. The Court ruled that victims of the breach have the legal right, or "standing," to sue over the failure to protect their personal data. "It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft," the Court wrote. EPIC filed an amicus brief supporting the victims' standing and arguing that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." The Court ruled that OPM did not violate the constitution in this particular case but left the door open to future lawsuits to enforce the right to information privacy. (Jun. 21, 2019)
- EPIC to DC Circuit: Informational Privacy is a Constitutional Right: EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. (May. 18, 2018)
More top news »
- EPIC Applauds FTC SpyFone Ban, Urges Similar Remedies in Future Privacy Cases » (Oct. 8, 2021)
EPIC has filed
comments with the Federal Trade Commission asking the agency to finalize a
proposed Consent Order that would permanently ban SpyFone from the surveillance business and require the stalkerware company to delete the personal data that it stole. According to an FTC
complaint, SpyFone sold surveillance tools that would allow purchasers to install software on another person’s device and surveil their victim surreptitiously. SpyFone also lied about its data security practices and its response to a 2018 data breach. Under a settlement announced by the FTC, SpyFone would be required to notify all affected users, delete any illegally collected personal information, and permanently refrain from selling, licensing, or marketing monitoring products in the future. In its comments, EPIC urged the FTC to finalize the proposed order and to impose similar requirements and bans in the future to protect consumer privacy. EPIC has
frequently challenged the FTC over its failure to address consumer privacy harms and has
long advocated for the creation of a U.S. Data Protection Agency. EPIC also published a report on the FTC’s unused statutory authorities,
What the FTC Could Be Doing (But Isn't) to Protect Privacy, in June.
- Facebook Breach Exposes Personal Data of Over 500 Million Users » (Apr. 6, 2021)
A trove of sensitive personal data from more than 500 million Facebook users was posted online over the weekend, according to
press reports. The leaked data includes names, phone numbers, email addresses, birthdates, location information, and biographical details. The original breach of personal data
appears to have occurred in 2019. At least one privacy regulator, the Irish Data Protection Commissioner, has
launched an investigation into Facebook's handling of the breach. The Commissioner's office said today that it had "received no proactive communication from Facebook" following the disclosure of personal data. EPIC has fought for transparency and accountability for Facebook's privacy abuses for over a decade, from filing the original
FTC Complaint in 2009 that led to the FTC's 2012
Consent Order with the company, to
moving to intervene in and filing an
amicus brief challenging the FTC's 2019
settlement with Facebook.
- Federal Appeals Court Dismisses CareFirst Data Breach Appeal » (Aug. 11, 2020)
The D.C. Circuit has
ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in
Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an
amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an
amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit
held that the CareFirst consumers had standing to sue for the data breach.
- Small Business Administration Exposes Personal Data of 7,000 COVID-19 Relief Applicants » (Apr. 23, 2020)
The personal data of 7,000 small business owners applying for COVID-19 relief was recently
exposed in a Small Business Administration data breach. Names, social security numbers, and financial details were made accessible to other users of the SBA’s disaster loan website. Recent data
breaches have highlighted the need for stronger data protection laws. EPIC has urged Congress to
update federal privacy law and to
investigate whether systems adopted in response to the pandemic safeguard the privacy of Americans. In 2018, EPIC
argued in response to the
OPM data breach that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained."
- Chinese Military Charged with Equifax Breach » (Feb. 10, 2020)
The U.S. government has
indicted four members of China's military on charges of hacking
Equifax to exploit the personal data of 150 million Americans. They allegedly conspired to hack into Equifax's computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of nearly half of all American citizens. EPIC President Marc Rotenberg testified before the
House in 2018 and the
Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that the failure of the U.S. government to safeguard the personal data of Americans has placed American consumers at risk from foreign adversaries. And in the
Harvard Business Review, Rotenberg explained that "consumer privacy is not a goal achieved by markets. It must be mandated by Congress." EPIC has
called for passage of the
Online Privacy Act, H.R. 4978, and the creation of a
U.S. data protection agency.
- Congress Seeks Answers on Capital One Data Breach » (Aug. 5, 2019)
Top-ranking Republicans on the House Oversight and Reform Committee sent a
letter to Capital One and Amazon seeking briefings on the
data breach that compromised the personal information of 106 million people. Rep. Maxine Waters, Chair of the House Committee on Financial Services, released a
statement that said "I plan to work with my colleagues and take action in the Financial Services Committee on legislation to improve oversight of the cybersecurity of financial institutions." In testimony before the
Senate and the
House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. Following the Capitol One data breach, EPIC President Marc Rotenberg wrote for
CNN that "Congress needs to update federal privacy laws, establish meaningful oversight, and encourage business practices that are more resilient when breaches occur."
- New York Passes Data Breach Law » (Jul. 30, 2019)
New York state passed the
Stop Hacks and Improve Electronic Data Security, which imposes new obligations on businesses collecting personal data on New York residents. The SHIELD Act requires notification to affected consumers when there is a security breach, broadens the scope of covered information, expands the definition of data breach, and extends the notification requirement to any entity with private information of a New York resident. Governor Cuomo
said: "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data." Recent
breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a
data protection agency in the U.S. and also warned that federal preemption of state privacy laws will lead to an increase in data breaches and financial fraud.
- "Equifax Settlement: Exercise Your Rights!" » (Jul. 30, 2019)
After a
settlement with Equifax, consumers can now
file a claim for free credit monitoring or a cash payment of $125. If you spent time recovering from the breach or lost or spent money because of the breach, you can request payment of up to $20,000. Credit monitoring or the $125 cash payment is easy and requires no documentation, though the actual amount provided may be less depending on the total number of claims. Supporting documents are necessary if you seek payment for time lost or costs because of the breach. The settlement also requires Equifax to provide all U.S. consumers with 6 free credit reports per year. EPIC President Marc Rotenberg
testified before the Senate Banking Committee and recommended free credit freezes and other consumer
remedies following the
2017 data breach.
- Capital One Breach Sets Record » (Jul. 30, 2019)
Capital One bank
announced that a criminal hacker stole the personal information of 106 million people who had applied for credit, including credit scores, social security numbers, and bank account numbers. By some measures, it is the largest data breach of a US bank in history. The FBI
arrested the alleged hacker and filed a
complaint in federal court. Capital One joins a long
list of companies that have had data breaches in recent years. In testimony before the
Senate and the
House several years ago, EPIC warned Congress that US financial institutions were not doing to safeguard consumer data. EPIC has recently renewed
calls for the creation of a US Data Protection Agency.
- Equifax to Pay Up to 700 Million in 2017 Data Breach Case » (Jul. 22, 2019)
The CFPB, the FTC, and 48 State AGS today announced a
settlement with Equifax arising from the
2017 data breach that compromised personal data of 143 million Americans. The company, which offers authentication services, failed to safeguard the names, addresses, dates of birth and SSNs of 147 million Americans, and then failed to act once aware of the breach. EPIC President Marc Rotenberg testified before the
House in 2018 and the
Senate in 2017 about the Equifax breach. Rotenberg warned lawmakers and regulators that "the Equifax data breach is one of the most serious in the nation's history." EPIC urged lawmakers to update federal privacy laws and also
ensure that the CFPB pursues an effective investigation. In the
Harvard Business Review, Rotenberg explained the significance of the breach. "Reforms should not just fix these problems but also aim to transform the industry for the better," he wrote. Under the terms of the settlement, Equifax will pay up to 425 million to consumers impacted by the breach as well as a 100 million civil fine. EPIC has recently renewed
calls for the creation of a US Data Protection Agency.
- In Amicus, EPIC Proposes Duty to Protect Personal Data » (Jul. 3, 2019)
In an
amicus brief for the D.C. Circuit Court of Appeals, EPIC has recommended that courts recognize a common law obligation to protect the personal data that companies choose to collect. In
Attias v. CareFirst, Inc., inadequate security practices allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer. A lower court
dismissed many of the privacy claims in the case. But EPIC argued to the appellate court that data breaches underscore the need for companies to be held liable for faulty security. EPIC said that courts should impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data that they collect. EPIC previously filed an amicus brief in this case supporting data breach victims. EPIC regularly files briefs defending
consumer privacy.
- D.C. Circuit Greenlights OPM Data Breach Case » (Jun. 21, 2019)
The D.C. Circuit Court of Appeals
ruled today that the
OPM Data Breach case can move forward, reversing an earlier
dismissal by a lower court. The case concerns the data breach at the U.S. Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and their family members. The Court ruled that victims of the breach have the legal right, or "standing," to sue over the failure to protect their personal data. "It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft," the Court wrote. EPIC filed an
amicus brief supporting the victims' standing and arguing that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." The Court ruled that OPM did not violate the constitution in this particular case but left the door open to future lawsuits to enforce the
right to information privacy.
- Supreme Court Won’t Disturb Data Breach Decision » (Mar. 25, 2019)
The Supreme Court today
declined to review Zappos.com, v. Stevens, a
decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including
Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly
files amicus briefs defending consumer privacy and addressing emerging privacy challenges.
- Senate Report Finds Equifax failed to Address Known Cybersecurity Risks » (Mar. 7, 2019)
In a
report released this week, the Senate Homeland Security Investigations Subcommittee found that Equifax was aware of cybersecurity weaknesses for years before the massive
breach in 2017, which affected 148 million U.S. consumers. The Senate report found that Equifax chose "efficient business operations rather than security protocols" that allowed a foreign government to access the authenticating details, including dates of birth and SSNs, of American consumers. In December, the House Committee on Oversight released a
report which found that the Equifax breach was "entirely preventable." Following the Equifax data breach, EPIC President Marc Rotenberg
testified before the Senate Banking Committee and recommended free credit freezes and other consumer
safeguards to mitigate the risk of identity theft.
- D.C. Circuit to Hear Arguments in Case on Right to Informational Privacy » (Nov. 1, 2018)
The D.C. Circuit Court of Appeals will
hear arguments Friday in a
case about the 2015 data breach at the U.S. Office of Personnel and Management, which affected 22 million federal employees, their friends, and their family members. EPIC filed an
amicus brief in the case, joined by forty-four technical experts and legal scholars (members of the
EPIC Advisory Board). In the brief, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In the 2011 case
NASA v. Nelson, EPIC
urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. Arguments are scheduled to begin at 9:30 AM ET and will be
streamed live.
- EPIC v. FTC: EPIC Obtains Facebook-FTC Emails About 2011 Consent Order » (Oct. 19, 2018)
In response to EPIC's Freedom of Information Act
lawsuit, the FTC has released agency emails about the
2011 Facebook Consent Order. Following a detailed complaint by EPIC and other consumer privacy organizations, the FTC issued an order in 2011 that required biennial audits of Facebook's privacy practices. EPIC pursued public release of these reports and related emails to understand why the FTC failed to bring an enforcement action action against the company. Today the FTC released to EPIC 89 emails between the FTC and Facebook from the years
2011,
2012,
2013,
2014,
2015,
2016,
2017, and
2018. In March 2018, following the
Cambridge Analytica data breach, the FTC
announced it was reopening the Facebook investigation. To date, there is still no announcement, no report, and no fine.
- EPIC Urges Illinois Supreme Court to Uphold Strict Limits on Biometric Data Collection » (Jul. 5, 2018)
EPIC has filed an
amicus brief with the Illinois Supreme Court in
Rosenbach v. Six Flags Entertainment Corp, about the collection of a child's biometric data in violation of the Illinois Biometric Information Privacy Act. EPIC explained that the Illinois biometric law "imposes clear responsibilities on companies that collect biometric identifiers" and said the company had failed to comply with the state law. EPIC made clear that "collection is the threshold safeguard in privacy law" and if corresponding provisions are "not enforced, the statute’s subsequent provisions are of little consequence." EPIC first identified the risk of collecting biometric data from children entering amusement parks in a 2005 report
"Theme Parks and Your Privacy." The state of Illinois adopted the nation's first biometric privacy law in 2008. EPIC has long advocated for
strict limits on use of
biometric data. EPIC also routinely submits
amicus briefs, including in the recent
OPM data breach case that concerned the breach of 5.1 million fingerprints, precisely the same biometric data at issue in this case.
- EPIC to DC Circuit: Informational Privacy is a Constitutional Right » (May. 18, 2018)
EPIC has filed a
"friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the
EPIC Advisory Board), in the
OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case
NASA v. Nelson, EPIC
urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.
- FTC Strengthens Penalties Against Uber for Covering Up Data Breach » (Apr. 12, 2018)
The Federal Trade Commission has
strengthened its
2017 settlement with Uber because the company hid a
massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018,
EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's
2017 settlement with Uber was the result of EPIC's
2015 complaint to the Commission detailing Uber's numerous privacy abuses. In
public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public.
- DC Circuit Sets Briefing Schedule in Information Privacy Case » (Mar. 26, 2018)
The D.C. Circuit has set the
briefing schedule for the
OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently
informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long
warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case
NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC
urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.
- EPIC FOIA: CFPB Raise Further Questions About Equifax Investigation » (Mar. 26, 2018)
Through a Freedom of Information Act
request, EPIC obtained
records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that the CFPB was contacted by a Reuters reporter days before the
article alleging the CFPB halted the Equifax investigation was published to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement stating they will not comment to ongoing investigations but the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly
confirmed that the CFPB's Equifax investigation is still ongoing.
- EPIC to File Brief in D.C. Circuit on Right to Information Privacy » (Mar. 15, 2018)
EPIC has
informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the
OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long
warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case
NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC
urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.
- Appeals Court Revives Data Breach Suit Against Zappos » (Mar. 9, 2018)
A federal appeals court has
ruled that consumers affected by a
Zappos.com data breach have the right to sue the online retailer. The 2012
breach exposed the personal data of more than 24 million Zappos customers. A lower court previously
held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files
amicus briefs defending standing in consumer privacy cases, most recently in
Eichenberger v. ESPN (where the Ninth Circuit also held for consumers),
Gubala v. Time Warner Cable, and
In re SuperValu Customer Data Security Breach Litigation.
- SEC Issues Guidance on Cybersecurity Disclosures » (Mar. 5, 2018)
The Securities and Exchange Commission has released
guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax
waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they
sold Equifax stock prior to informing the public of the breach. EPIC has
long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the
House and
Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
- Rep. Lieu Introduces Two Consumer Data Protection Bills » (Mar. 1, 2018)
Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the
"Protecting Consumer Information Act of 2018" and the
"Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitrary clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a
press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax
disclosed an addition 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently
testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency.
- Supreme Court Leaves Data Breach Decision In Place » (Feb. 20, 2018)
The Supreme Court has
denied a petition for a writ of certiorari in
Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an
amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and
held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files
amicus briefs defending standing in consumer privacy cases, most recently in
Eichenberger v. ESPN, where the Ninth Circuit also
held for consumers, as well as
Gubala v. Time Warner Cable and
In re SuperValu Customer Data Security Breach Litigation.
- House Draft Data Security Bill Preempts Stronger State Safeguards » (Feb. 16, 2018)
Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a
draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often
failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg
testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC
testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history.
- In Congressional Testimony, EPIC to Call For Comprehensive Privacy Law, New Privacy Agency » (Feb. 12, 2018)
EPIC President Marc Rotenberg will
testify before the
House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to
drop the investigation into the Equifax data breach. EPIC has
repeatedly urged Congress to address the
data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC
testified before the Senate in the wake of the
Equifax breach, emphasizing the growing risks to American consumers.
- Following EPIC Letter, 31 Senators Demand Answers from CFPB on Equifax Investigation » (Feb. 8, 2018)
A group of 31 Senators
wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC
urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a
FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation.
- EPIC Files FOIA Request About Mulvaney's Decision to Halt CFPB Equifax Investigation » (Feb. 7, 2018)
EPIC has filed an urgent Freedom of Information Act
request for records about Acting Director Mulvaney's decision to shut down the
CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB
warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a
letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation.
- EPIC Urges Senate to Investigate Mulvaney’s Failure to Pursue Equifax Probe » (Feb. 6, 2018)
According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers.
- EPIC Advises Congress on Uber Data Breach, Bug Bounties » (Feb. 5, 2018)
EPIC submitted a
statement to the Senate in advance of a
hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber
admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal
questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015
complaint with the FTC regarding Uber's
abuse of personal data led to an
FTC settlement in August, 2017. EPIC has also
proposed a privacy law for Uber and other similar transportation companies.
- Data Breaches on the Rise » (Jan. 25, 2018)
2017 marked the "worst year ever" for data breaches, according to a pair of reports by
Thales and the
Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of
Equifax and
Uber. In
testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact
meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the
DataProtection2016 campaign to promote stronger privacy safeguards in the U.S.
- Senators Warren and Warner Introduce Bill To Hold Credit Reporting Agencies Accountable » (Jan. 10, 2018)
Senators
Elizabeth Warren (D-MA) and
Mark Warner (D-VA) have introduced
legislation to hold credit reporting agencies accountable for data breaches. The
Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the
Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC
testified before Congress last year following the Equifax breach, urging legislation to give consumers
more control over their credit reports. Senators Warren and
Brian Schatz (D-HI) also introduced a
bill last year that would allow consumers to freeze and unfreeze their credit reports for free.
- Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds » (Dec. 6, 2017)
The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an
audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect
student privacy including a
2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa county violated the
FTC Safeguards Rule by failing to protect students' financial information. EPIC also
urged Congress to strengthen student privacy protections following a
FAFSA data breach. In 2012 EPIC
sued the Department of Education for weakening student privacy protections. EPIC has proposed a
Student Privacy Bill of Rights.
- Senator Warner Questions Uber CEO On Why It Hid Data Breach » (Nov. 28, 2017)
Senator Mark Warner sent a
letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently
admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan
legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015
complaint with the FTC regarding Uber's
abuse of personal data led to an
FTC settlement in August, 2017. EPIC has also
proposed a privacy law for Uber and other ride-sharing companies.
- EPIC Provides U.S. Report for Privacy Experts Meeting » (Nov. 27, 2017)
EPIC has provided a comprehensive
report explaining the latest developments in U.S. privacy law and policy to the
International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes
Data Protection Authorities and experts, from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of
automated vehicles, pending Supreme Court case concerning cell phone location tracking
Carpenter v. United States, U.S. investigation of the
Russian interference in the 2016 election, the
Equifax data breach, and more. The 62nd meeting to the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- Uber Hid Massive Data Breach For Over A Year And Paid Hackers » (Nov. 21, 2017)
Uber just
admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a
well-documented history of
abusing consumer privacy. EPIC recently
testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a
complaint with the FTC in 2015 regarding Uber's
egregious misuse of personal data. That complaint led to an FTC
settlement with Uber in August, 2017. In 2015, EPIC also
proposed a privacy law for Uber and other ride-sharing companies.
- Senator Leahy Introduces Legislation To Protect Consumer Privacy » (Nov. 15, 2017)
Senator Patrick Leahy (D-VT), joined by six other Senators, introduced
comprehensive legislation to protect consumers from data breach and identity theft. The
Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into
individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently
testified before the Senate Banking Committee in the wake of
Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the
Harvard Business Review.
- Equifax, Yahoo Testify Before Senate on Data Breaches » (Nov. 9, 2017)
The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a
hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems
recommended an "identity framework," with fingerprints and facial recognition to replace the
Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in
testimony before the Senate Banking Committee. Rotenberg has
detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the
Senate Judiciary Committee,
the House Financial Services Committee, and the
House Energy Committee to establish new safeguards for consumers following the Equifax data breach.
- Senate Restores Forced Arbitration, Undermines Data Protection » (Oct. 26, 2017)
The Senate
voted 51-50 (with Vice President Pence breaking the tie) to repeal the
CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of
Supreme Court rulings held that courts must enforce these clauses. Equifax generated
public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB
found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced
legislation that would prohibit companies from denying individuals their right to go to court. EPIC President recently
testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said, the "company tried to trick consumer into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach."
- In Senate Testimony, EPIC Calls for Reform of Credit Reporting Industry » (Oct. 16, 2017)
EPIC's President Marc Rotenberg will
testify this week before the
Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The
hearing, "Consumer Data Security and the Credit Bureaus,"
follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the
Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the
Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the
House and
Senate on the need for Congress to address data breach and identity theft.
- EPIC Urges Congress To Hold Equifax Accountable, Update Data Protection Law » (Oct. 3, 2017)
EPIC has sent
statements to Congress ahead of
hearings in the
House and
Senate on the Equifax data breach. EPIC underscored the risk to American consumers of
data breaches which are
increasingly severe. EPIC urged Congress to require prompt data breach notification, data minimization, and privacy enhancing techniques. In 2011 EPIC testified in the
House and
Senate on data breaches in the financial services sector. EPIC President Marc Rotenberg
recently outlined in the Harvard Business Review steps Congress should now take to protect American consumers.
- Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million » (Sep. 20, 2017)
A federal court in Washington, DC has
dismissed two lawsuits against the Office of Personnel Management over the
data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC
has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed
comments last year with OPM recommending limits on data collection, has recommended
updates to the federal
Privacy Act, and has
urged the Supreme Court to recognize a right to "informational privacy" and to ensure
Privacy Act damages for non-economic harm.
- Senators Introduce Data Breach Legislation In The Wake Of Equifax Breach » (Sep. 15, 2017)
Senator Markey (D-MA) and several other Senators have introduced
legislation that would provide consumers with more control over their personal data. The
Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has
supported stronger data breach notification laws, and EPIC has testified before the
Senate and
House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure the consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created
http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S.
- 143 Million US Consumers Suffer Massive Data Breach, Equifax at Fault » (Sep. 8, 2017)
In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, drivers license infomation, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach, “represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. But last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.
- EPIC Backs Privacy Act Protections for "Insider Threat" Database » (Jul. 5, 2017)
EPIC has sent
comments to the Department of Justice criticizing a proposed
"insider threat" database. This database replaces a
similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with
recent government
data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against
inaccurate,
insecure, and
overbroad government databases.
- EPIC to Congress: Protect Student Privacy » (May. 2, 2017)
EPIC has sent a
statement to the House Committee on Oversight for the upcoming
hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which
compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect
student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged
Congress, the
Education Department, and the
Federal Trade Commission to strengthen student privacy.
- D.C. Circuit Hears Arguments in Data Breach Case » (Mar. 31, 2017)
A federal appeals court in Washington, D.C. heard arguments today in a major data breach
suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court
dismissed the case because the judge believed that consumers must suffer actual identity theft before before filing a lawsuit. EPIC's amicus
brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly
files briefs defending the privacy rights of consumers.
- Yahoo Responds to Senators About Data Breach » (Feb. 24, 2017)
Yahoo has
responded to a
letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in
2013 and
2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in
2009 and
2011, launched
"Data Protection 2016" to make privacy a campaign issue and recently filed an
amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information.
- Trump Order Threatens Consumer Protection, Public Safety » (Jan. 31, 2017)
The President has issued an
executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against
data breach,
financial fraud, and
identity theft. EPIC has also recommended new public safety regulations concerning
aerial drones,
connected vehicles, and the
Internet of Things. In
EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office » (Jan. 19, 2017)
As one of the final acts of the outgoing President, the White House has
released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and
said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the county urged the President to strengthen privacy in America. In 2012, Obama
proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the
Freedom Act and Obama
reformed intelligence practices, but the US failed to limit data collection outside the US. The
"Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs
urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of
data breach,
identity theft, and financial fraud in the United States skyrocketed, even as Americans
called for stronger protections. The 2016 Presidential election was marked by
data breaches,
email disclosures and
cyber attack The U.S. is still one of the few democratic nations in the world without a
data protection agency.
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jan. 18, 2017)
EPIC has filed a "friend-of-the-court"
brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers
sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly
dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly
files briefs defending consumer privacy.
- EPIC Urges TSA to Drop REAL ID Data Collection Plan » (Jan. 10, 2017)
In
comments to the TSA, EPIC urged the agency to abandon a
proposed information collection plan under the REAL ID Act. REAL ID is a federal to turn the state driver's license into a national identity statement. Many states have opposed REAL ID. The TSA now plans to subject Americans, without a TSA "compliant" ID, to broad information collection requirements. EPIC,
supported by a broad coalition, opposed REAL ID because it compromised privacy and enabled government surveillance. EPIC provided
detailed comments to DHS later issued a
report. Since adoption of REAL ID, many states have suffered
data breaches of DMVs because of criminals seeking REAL ID mandated documents.
- White House Issues Data Breach Guidance for Federal Agencies » (Jan. 4, 2017)
The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The
Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee
report criticized the Office of Personnel Management about the 2015
data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in
2009 and
2011 in support of strong data breach notification laws, filed
comments with the Office of Personal Management recommending limits on data collection, and has
urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
- Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach » (Dec. 15, 2016)
Yahoo
announced this week that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are
among the victims. Yahoo's
earlier breach drew wide-ranging concern from
U.S. Senators to
European privacy officials. EPIC testified in support of strong data breach notification laws in
2009 and
2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the
Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an
amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information.
- EPIC Scrutinizes FBI "Insider Threat" Database » (Oct. 20, 2016)
In
comments to the FBI, EPIC criticized a
proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal
Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop
proposed Privacy Act exemptions. Citing the
recent surge in government data breaches, including the
breach of 21.5 m records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently
warned against
inaccurate,
insecure, and
overbroad government databases. Earlier this year, EPIC filed comments with
DOD and
DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards.
- Senators Seek Answers About Yahoo's Massive Data Breach » (Sep. 27, 2016)
Led by Senator Patrick Leahy, several senators sent a
letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in
2009 and
2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “
Data Protection 2016” to make privacy a campaign issue and recently filed an
amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information.
- Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach » (Sep. 22, 2016)
Yahoo has
announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has
urged the Administration and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “
Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
- House Report Criticizes OPM Handling of Massive Data Breach Last Year » (Sep. 7, 2016)
In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- Data Protection 2016: Nationwide Hotel Data Breach » (Aug. 15, 2016)
Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have
announced that
hotel payment records were breached beginning as early as March 2015. Malware discovered in at least
20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels
said that they will not notify individual customers of the breach. Almost
every state in the country has a mandatory breach notification law. Hyatt announced
another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “
Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jul. 20, 2016)
EPIC has filed an
amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers
sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly
files briefs defending consumer privacy.
- NY Attorney General Reports 40% Increase in Data Breaches » (May. 5, 2016)
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable » (Feb. 18, 2016)
A new
report from California Attorney General
Kamala Harris examines
data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris
stated. The Attorney General received a
2015 EPIC Champion of Freedom Award. EPIC recently launched
"Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
- Hackers Breach US Government Database, No Recourse for Non-Americans » (Feb. 9, 2016)
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers
breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under
current law, non-US persons have
no legal rights when federal agencies fail to safeguard their personal data. EPIC is
seeking release of the so-called "Privacy Shield" and has launched a
new campaign to promote Data Protection in the United States.
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
In a landmark opinion, the Seventh Circuit Court of Appeals has
ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a
breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A
lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission,
identity theft remains the top concern of American consumers.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
A Congressional
hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially
reported that the personal information of 4 million government employees was obtained, but
news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has
urged the White House and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in
Congress and the
Senate in support of stronger security measures to protect personal data.
- California AG Urges Congress to Reform Data Breach Notification Bill » (May. 21, 2015)
California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed
Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's
Constitution guarantees the right to privacy, and California passed the first ever
state data breach notification law. EPIC has also
warned that the House bill would preempt stronger state laws and strip the FCC of its
authority to defend consumer privacy.
- EPIC Launches State Policy Project » (May. 5, 2015)
EPIC has launched the
EPIC State Policy Project to track legislation across the county concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on
student privacy,
drones,
consumer data security,
data breach notification,
location privacy,
genetic privacy,
the right to be forgotten, and
auto black boxes.
- House Reconsiders Data Breach Bill » (Apr. 15, 2015)
Members of the
Energy and Commerce Committee have convened to rework the
Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its
authority to protect consumer privacy.
Rep. Frank Pallone and others have raised concerns. EPIC
previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks.
- Data Breach Bill Would Preempt State Law, Weaken FCC Authority » (Mar. 13, 2015)
Representatives Burgess, Blackburn, and Welch have proposed a
bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its
authority to protect consumers privacy. In 2005, EPIC
testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that
Choicepoint sold personal information to identity thieves. In
2009 and again in
2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
- Anthem breach Shows Risks of "Big Data" » (Feb. 5, 2015)
One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the
Presidents Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the
FTC to establish data minimization procedures for companies limit the risks of data breaches.
- EPIC Urges House to Safeguard Consumer Privacy » (Jan. 26, 2015)
EPIC has sent a
statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had
testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the
Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "
algorithmic transparency." EPIC
has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft,security breaches, and financial fraud.”
- Data Breach Legislation Moves Forward in the Senate » (Sep. 26, 2011)
Three data breach bills are headed to the Senate floor after a favorable vote in the
Senate Judiciary Committee. The bills [
S. 1151,
S. 1535,
S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the
Senate and the
House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
- California Passes Updated Data Breach Legislation » (Sep. 1, 2011)
California has enacted
Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002,
California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC
testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see
EPIC: ID Theft.
- House Subcommittee Approves Weak Data Breach Bill » (Jul. 21, 2011)
A House Commerce Subcommittee voted in favor of the
SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg
testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see
EPIC: Identity Theft.
Webcast.
- In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act » (Jun. 21, 2011)
EPIC Executive Director Marc Rotenberg
testified before the
Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing,
"Cybersecurity and Data Protection in the Financial Sector" follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously
testified before the House concerning data breach legislation. For more, see
EPIC: Identity Theft and
EPIC Testifies in Congress on Data Breach Legislation.
- EPIC Testifies in Congress on Data Breach Legislation » (Jun. 15, 2011)
EPIC Executive Director Marc Rotenberg
testified today before the
House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono-Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasised the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge.
Webcast
- Epsilon Data Breach Threatens E-mail Privacy of Millions » (Apr. 7, 2011)
Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capitol One, Tivo, and other large companies. The firm announced
the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided
comments to the Federal Trade Commission and
testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see
EPIC: Identity Theft.
- Senate Holds Hearing on Data Security and Breach Notification Bill » (Sep. 24, 2010)
The Senate Commerce Committee held a
hearing on
S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg
testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see
EPIC: Identity Theft.
- California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy » (Oct. 16, 2009)
Governor Schwarzenegger has terminated
S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed
A.B. 524, an amendment to California's current
anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the
California Office of Information Security and Privacy Protection.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
Senator Patrick Leahy (D-Vt)
introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and
establishes an Office of Federal Identity Protection within the
FTC. However, the bill preemepts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see
EPIC Identity Theft,
EPIC Personal Data and Privacy Protection, and
EPIC Preemption Page.
- EPIC Submits Comments on Health Breach Notification to the FTC » (Jun. 1, 2009)
The
Federal Trade Commission proposed a
rule requiring notification when the security of medical information is compromised. EPIC
recommends that all entities handling health records be subject to standard security; tightening exemptions for de-identified data, enhancing media notification of health data breaches, ensuring additional breach notification through means such as text messages and social networking sites, and verification of receipt of notifications. See also EPIC's Page on
Medical Privacy.
“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has ‘by the affirmative exercise of its power’ taken the data and ‘so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s ‘affirmative duty to protect’ the data ‘arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”
A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009),
as quoted in In re OPM Data Security Breach Litigation, 266 F.Supp.3d 1 (D.D.C. 2017).
Summary
In Re: U.S. Office of Personnel Management Data Security Breach Litigation, Nos. 17-5217, 17-5232, concerns constitutional and statutory claims based on data breaches that affected 22 million federal employees and family members in 2015. The Office of Personnel Management (“OPM”) disclosed that hackers had stolen troves of data on federal employees in two separate breaches. The stolen information included names, birthdates, current and former addresses, and Social Security numbers. In 2015, the American Federation of Government Employees ("AFGE") and individual government workers filed a class action lawsuit against OPM, alleging that the breach stemmed from gross negligence by federal officers and violated both federal and state laws. A separate suit was brought by the National Treasury Employees Union ("NTEU") alleging a violation of federal employees' constitutional right to informational privacy. On September 19, 2017, the U.S. District Court for the District of Columbia granted OPM’s motion to dismiss both suits. The court concluded that the NTEU plaintiffs failed to "allege a legally cognizable constitutional claim" and that only the two named plaintiffs who suffered out-of-pocket identity theft expenses could establish standing to sue under Article III. On appeal, the D.C. Circuit is evaluating the grounds for dismissal and determining both the scope of the constitutional right to informational privacy and the application of Article III standing doctrine to data breach victims.
Background
Factual Background
Defendant OPM is a federal agency that handles portions of the federal employee recruitment process. Defendant KeyPoint Government Solutions (“KeyPoint”) is a private contractor that conducts background investigations and security clearance checks for OPM. Plaintiffs are victims of alleged OPM data breaches that occurred in 2013 and 2014. Several times, hackers infiltrated OPM’s systems and stole sensitive information, including security system documents and electronic manuals about the agency’s systems and the user log-in credentials of a KeyPoint employee. The login information was subsequently used to access OPM’s network and install malware, creating “a conduit through which data could be ex-filtrated.” This breach affected nearly 22 million federal employees and family members. Hackers had stolen information including federal employees’ names, birthdates, current and former addresses, and Social Security numbers.
On April 27, 2015, OPM notified approximately 48,000 federal employees that their personal information might have been exposed in a data breach that compromised about 4.2 million federal employees and contractors. On June 12, 2015, OPM announced that the scope of the breach was broader and likely affected 14 million. On July 9, 2015, this number again increased to almost 22 million, majority of which was information included in background checks. The agency notified each individual whose private information had been compromised and offered free identity theft protection services for up to three years, depending on the sensitivity of the information.
Procedural Background
A number of lawsuits were filed around the country after the data breaches had been announced. The United States Judicial Panel on Multidistrict Litigation consolidated the cases before the District Court of the District of Columbia. In the consolidated complaint, the AFGE plaintiffs alleged that OPM violated the Privacy Act, the Little Tucker Act, and the Administrative Procedure Act, and that KeyPoint is liable for “negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and various state statutes governing unfair and deceptive trade practices and data security.” Plaintiffs seek declaratory and injunctive relief against both OPM and KeyPoint. The NTEU plaintiffs alleged that the disclosure of their personal information by the federal government violated their constitutional right to informational privacy.
OPM and KeyPoint each filed motions to dismiss the complaint, arguing that the court lacked subject matter jurisdiction and that plaintiffs do not have standing. Furthermore, defendants argued that they are protected by sovereign immunity and plaintiffs failed to state a claim upon which relief could be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure.
The lower court focused on the question of whether the NTEU plaintiffs could assert a violation of their constitutional right to informational privacy and whether the AFGE plaintiffs had standing under Article III. As to the right to informational privacy, the lower court provided a detailed overview of the cases that have gone before the Supreme Court and the D.C. Circuit addressing the right to informational privacy. The court discussed the three Supreme Court cases that addressed the constitutional right to privacy - NASA v. Nelson, Nixon v. Adm'r of Gen. Servs., and Whalen v. Roe. In these cases, while the holding did not ultimately hinge on finding a violation of the constitutional right to informational privacy, the Court did assume the existence of such a right. For instance, in discussing Whalen, the court re-emphasized that "the government's right to collect and use private data for public purposes is 'typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures,' and 'that in some circumstances, that duty arguably has its roots in the Constitution." Also, the court cited Nixon in establishing that "when Government intervention is at stake, public officials, including the President, are not wholly without constitutionally protected privacy rights in matters of personal life unrelated to any acts done by them in their public capacity."
The lower court opinion also cited Professor Michael Froomkin's article on Government Data Breaches, stating:
"when the State takes a person's data and holds it in a fashion outside the person's control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has 'by the affirmative exercise of its power' taken the data and 'so restrain[ed]' it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government's 'affirmative duty to protect' the data 'arises … from the limitation which it has imposed on his freedom to act on his own behalf' to keep the data secure."
Nonetheless, the court found that, similar to other cases acknowledging the constitutional right to privacy, it would "avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so."
As to standing, the court found a distinction between a data breach caused by a cyberattack against the United States from other cases (including Carefirst) involving breaches of retail establishments and financial entities. The court posited that a data breach occurring as a result of a cyberattack on the United States might not be done for the purpose of facilitating identity theft.
Ultimately, the lower court granted defendants’ motion to dismiss on failure of the NTEU plaintiffs to state a claim under the constitution and failure of the AFGE plaintiffs to meet the Article III standing requirements and the Privacy Act damages requirements.
Both sets of plaintiffs filed appeals in the D.C. Circuit. The NTEU plaintiffs appeal was docketed on September 27, 2017, No. 17-5217. The AFGE plaintiffs appeal was docketed on October 12, 2017, No. 17-5232.
EPIC's Interest
EPIC has a strong interest in ensuring privacy lawsuits proceed to redress the harms of privacy violations and ensure greater privacy protections thereafter. EPIC has long argued that data breach victims should not have to wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC filed comments last year with OPM recommending limits on data collection; has recommended updates to the federal Privacy Act; and has urged the Supreme Court to recognize a right to “informational privacy” and to ensure Privacy Act damages for non-economic harm.
In NASA v. Nelson, 562 U.S. 134 (2011), EPIC filed an amicus brief arguing that the right to informational privacy is well recognized and that NASA violated that right when it required contractors to submit sensitive personal data without adequate protections. The Supreme Court found that the government's invasive background checks for government contractors implicated "a privacy interest of Constitutional significance." The Court had earlier recognized in Whalen v. Roe, 429 U.S. 589 (1977), that the constitutional right to informational privacy protects "the individual interest in avoiding disclosure of personal matters." And also considered the right in Nixon v. Administrator of General Services, 433 U.S. 425 (1977). The Court in NASA confirmed that both of these seminal cases recognized a constitutional right to informational privacy. EPIC subsequently filed amicus briefs in IMS Health, Inc. v. Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011), arguing that data-mining of prescriber information Implicates the constitutional right to informational privacy, and in Doe v. Luzerne County, 660 F.3d 169 (3d Cir. 2011), arguing that the constitution protects public employees from surreptitious video surveillance while undressed as they shower at their workplace.
EPIC has also filed several briefs in cases concerning the right of individuals to seek redress for data breach. In 2017, EPIC filed a brief in the D.C. Circuit in Attias v. CareFirst, Inc., . In 2016, EPIC filed a brief in the Eighth Circuit in In re Supervalu Consumer Data Security Breach Litigation, which involved a very similar question as Carefirst. EPIC also filed a brief on this issue in the Third Circuit in Storm v. Paytime, Inc.. EPIC argued that consumers are facing unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
Legal Documents
United States Court of Appeals for the D.C. Circuit, No. 17-5232
United States District Court for the District of Columbia, No. 15-1394
News
- Chris Strohm, Hacked OPM data hasn’t been shared or sold, top spy-catcher says, Bloomberg (Sept. 28, 2017)
- Amul Kalia and Cindy Cohn, Will the Equifax data breach finally spur the courts (and lawmakers) to recognize data harms?, Electronic Frontier Foundation (Sept. 26, 2017)
- Alex Swoyer, Government workers plan to appeal after judge tosses OPM data breach lawsuit, The Washington Times (Sept. 21, 2017)
- Eric Yoder, Federal court denies cash awards to 22 million OPM data theft victims, The Washington Post (Sept. 20, 2017)
- Allison Grande, Data theft not enough to keep OPM breach suit, Judge says, Law360 (Sept. 20, 2017)
- Morgan Chalfant, Court dismisses lawsuits over OPM data breach, The Hill (Sept., 19, 2017)