After MyFitnessPal Breach, In-House Counsel Should Consider Segregating Sensitive Data
This week's hack holds a simple but important lesson for legal departments about how to handle data storage.
March 30, 2018 at 04:07 PM
3 minute read
Photo credit: umarazak/Shutterstock.com
This week, sportswear apparel retailer Under Armour became the latest U.S. company to make an announcement that no company wants to have to make—its systems had suffered a massive data breach.
The Baltimore-based company revealed Thursday that approximately 150 million users of its MyFitnessPal app, which allows users to track their diet and exercise, had been infiltrated in a February hack that was uncovered by parent company Under Armour on March 25.
In a statement from MyFitnessPal, the subsidiary said that the majority of information stolen “included usernames, email addresses, and hashed passwords,” but not payment card data, because that was “collected and processed separately.”
Lawyers and cybersecurity specialists say that such a separation of private payment data, whether done on purpose or not, is helpful to minimize damage in a data breach.
“It is a good practice to separate payment systems into a different server, and to segregate sensitive data,” said Brenda Sharton, litigation partner and chair of privacy and cybersecurity at Goodwin Procter.
Robert Cattanach, a partner at Dorsey & Whitney, says that hackers often seek the “weakest link” in a company's data security. While that may initially lead to data that's not extremely sensitive, if information isn't segregated hackers can move horizontally and access private, personal data.
“There are lots of different ways to thwart the intruders, so to speak,” Cattanach said. “Compartmentalizing, siloing information is a very good idea, but you're never going to be perfectly keeping them out, no one can. The most important thing is a good detection system so that once they're in, before they can do anything, you shut them down. The third line [of defense] is don't give them much data.”
It's unclear whether Under Armour segregated MyFitnessPal's payment card information internally for security purposes, or whether the company was simply using a third-party payment processor for other reasons. Under Armour declined to comment on the breach beyond the initial announcement.
Larry Ponemon, chairman and founder of privacy and data protection think tank the Ponemon Institute, says its not uncommon for companies to use third-party payment processors. He said these companies should make sure their outside providers have high data privacy and security standards.
“You want the company that is going to process your payment information to be very legitimate and to have good controls in place,” Ponemon said.
Regardless of whether companies are segregating sensitive data via third-party processors or internally, Ponemon says it's a smart move to keep important, personal data separate and harder for hackers to locate en masse.
“Then, if you hack into one system you can't get it all because you have to go to all the places [data is housed],” he said. “Network segmentation is a very good idea, especially for networks in e-commerce where you have super amounts of data.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHow Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
Aggressive FTC May Force Merging Companies to Bolster Legal Defenses
4 minute readBest Legal Departments: How Blackstone's Legal and Compliance Team Got the All-Clear to Grow Business
CEOs Want Data-Based Risk Management; GCs Lack the Tech to Do So.
Trending Stories
- 1Decision of the Day: Judge Reduces $287M Jury Verdict Against Harley-Davidson in Wrongful Death Suit
- 2Kirkland to Covington: 2024's International Chart Toppers and Award Winners
- 3Decision of the Day: Judge Denies Summary Judgment Motions in Suit by Runner Injured in Brooklyn Bridge Park
- 4KISS, Profit Motive and Foreign Currency Contracts
- 512 Days of … Web Analytics
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250