Letter from Attorneys General to LivingSocial Can Serve as Guide for Companies Seeking to Protect Personal Information
Thursday, May 16, 2013
Print Mail Download i

On April 26, 2013, online daily deal company LivingSocial reported that personal information of as many as 50 million individuals may have been compromised as a result of a cyberattack. According to the company, "the information accessed includes names, e-mail addresses, date[s] of birth for some users, and encrypted passwords-technically 'hashed' and 'salted' passwords."

On May 1, 2013, Connecticut Attorney General George Jepsen and Maryland Attorney General Douglas Gansler sent a joint letter to LivingSocial's counsel that asked LivingSocial to provide additional information about the incident, as well as the company's data management policies and procedures. The letter is illuminating in that it can be read to suggest the types of data management policies and procedures the state enforcement agencies want organizations to have in place to help mitigate the likelihood or severity of a data breach.

The Attorneys General made the following requests, in pertinent part, about LivingSocial's policies and procedures:

  • Please describe how the various categories of user information LivingSocial collects is stored, including whether it is encrypted and whether it is separated from other data.

  • Please explain in detail the nature of the systems LivingSocial employs to store and protect user passwords.

  • How long is information provided by users stored by LivingSocial and is any of this information automatically deleted after a certain period of time? If so, when?

  • Please describe the means, if any, by which users can delete the information LivingSocial stores about them.

  • Please provide copies of LivingSocial's privacy policies at the time of the breach.

  • Please describe the internal security protections in place, before the intrusion occurred, to protect the information of LivingSocial customers from being accessed without authorization, particularly under circumstances reportedly involved in this incident.

  • Please provide an outline of any plan to prevent the recurrence of any such incident and a timeline for implementing that plan.

Letter from Att'y Gens. Gansler & Jepsen to LivingSocial (May 1, 2013), available here.

Businesses can expect to be asked similar questions by government enforcement agencies and plaintiffs' counsel in the event of a data breach and should therefore take the time to examine current policies and procedures and consider whether they feel comfortable with the way they would have to answer the types of questions posed to LivingSocial, or whether additional steps should be taken to protect personal information.

© 2024 Vedder Price

Current Legal Analysis

More from Vedder Price

New York Governor Vetoes Bill Banning Non-Compete Agreements
by: Jonathan A. Wexler
SEC’s Enforcement Director Comments on CCO Liability, Self-Reporting and Cooperation
by: Nathaniel Segal , Jacob C. Tiedt
SEC Staff Issues 2024 Examination Priorities
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Significant Amendments to Beneficial Ownership Reporting Requirements
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Securities Lending Disclosure Requirement
by: Nathaniel Segal , Jacob C. Tiedt
The Deal That Ended the SAG-AFTRA Strike
by: Labor and Employment Practice
Ringing in the New California Laws
by: Michael A. Wahlander
FTC and DOJ Publish 2023 Merger Guidelines
by: Brian K. McCalmon
The Corporate Transparency Act December 2023 Update
by: Joel R. Thielen
New York City Bans Employers from Creating Height and Weight Requirements
by: Jonathan A. Wexler

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins