Skip to content

The Small Business Administration (SBA) is having some technical issues, to say the least. Small government agencies are notorious for suffering from technological inadequacy and poor information security measures, and the SBA appears to be no exception as it forms a bottleneck between small businesses and federal aid.

As part of its compliance with law, the SBA sent a “Data Breach” notification to as many as 8,000 Economic Injury Disaster Loan (EIDL) applicants. The SBA recently expanded the EIDL’s coverage to assist small businesses affected by the fallout of COVID-19. Though the loans were targeted at providing quick relief and funds were supposed to be delivered just a few days after application, many applicants waited weeks and continue to wait. The SBA seemingly did not have the technical processes in place to handle the deluge of applications it received. Unsurprisingly, delays, system crashes, and even a data breach occurred. Specifically, a flaw in the SBA’s loan application portal allowed applicants to see another user’s information if the back button was clicked. The SBA disabled that part of the site and fixed the bug, but not before inadvertent disclosures occurred.


Continue Reading Technical Woes at the SBA Cause Data Breach and Continue to Cause Delays

By Nicole Hyland and James Mariani

Every day, clients entrust their lawyers with confidential information.  Whether in a matrimonial dispute, high-stakes corporate acquisition, commercial litigation, criminal defense matter, or any other sensitive legal issue, clients rely on their lawyers to safeguard information that could be detrimental or embarrassing to the client if disclosed.  A lawyer’s ethical obligation to protect such confidential information is embodied in Rule 1.6 of the Rules of Professional Conduct (“RPCs”), which states in relevant part that “a lawyer shall not knowingly reveal confidential information.” The duty of confidentiality is not limited, however, to intentional disclosures.  Rule 1.6(c) also requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” confidential information.
Continue Reading Once More Unto the Breach: A Timely Lawsuit Raises Questions About the Duty to Notify Clients of a Data Breach

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.


Continue Reading Just Ahead of CCPA, Ad Agency Fails to Secure Leads Data

Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.

With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.


Continue Reading Your Vacuum Cleaner, Your Coffee Maker, and Your Baby Monitor May Be Watching You, So They Better Be Secure: California Passes New Connected Device Cybersecurity Law

On October 25, 2016, the Federal Trade Commission (FTC) issued a guide — Data Breach Response: A Guide for Business — on steps companies should take in responding to a data breach. This latest regulatory guidance at the federal level is only the most recent in a long list of resources with which companies that deal in data (yes, that means every company) are expected to acquaint themselves for purposes of their incident response preparedness efforts. Those resources include, but are not limited to, the 47 state breach notification laws (constantly subject to amendment) and related State Attorney General guidance, the Health Insurance Portability and Accountability Act (HIPAA), and FTC consent decrees entered into with organizations that have been the victims of a data security breach and with respect to which the FTC has brought an enforcement action under its Section 5 authority.

Continue Reading Latest on the FTC Data Security Front