<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; cyberliability</title>
	<atom:link href="https://privacyriskreport.com/tag/cyberliability/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</title>
		<link>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law</link>
		<comments>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/#comments</comments>
		<pubDate>Thu, 11 Apr 2019 16:17:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1810</guid>
		<description><![CDATA[
<p>While the United States may not have data protections in place that are as extensive as those seen in the European Union&#8217;s adoption of GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal... <a class="more-link" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While the United States may not have data protections in place that are as extensive as those seen in the <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">European Union&#8217;s adoption of GDPR</a>, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security.</p>
<ul>
<li><strong>The Insurance Industry’s Data Protection Standards </strong></li>
</ul>
<p>The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of state insurance regulators, provides one of the best examples of an industry taking steps on its own to regulate cyber security for the insurance industry. Early NAIC cyber security initiatives included creating <em><a href="https://privacyriskreport.com/insurance-commissioners-consider-cybersecurity-regulatory-principles-for-cyber-insurers/" target="_blank">Principles for Effective Cybersecurity Insurance Regulatory Guidance</a></em> to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” The NAIC’s initiatives are based on the realization that the insurance industry faces its own unique issues in protecting sensitive data. In short, the NAIC’s initiatives provide one of the best examples of an industry taking steps to regulate itself rather than waiting for state or federal regulations to plug the gaps.</p>
<ul>
<li><strong>The Data Protections Found In The NAIC’s “Model Law.” </strong></li>
</ul>
<p>The NAIC furthered its track record on cyber security measures when it adopted the Insurance Data Security Model Law (“Model Law”) in October 2017 to encourage members of the insurance industry to adopt cyber security programs that would protect consumers’ personal information, create standards that would limit the damage caused by a breach, and create protocols to investigate incidents and notify the state insurance commissioner. Specifically, the Model Law is intended “to establish standards for data security and standards for the investigation of and notification to the Commission of a Cybersecurity Event” that involves an entity regulated under the insurance laws of a given state. (A copy of the <a href="https://www.naic.org/store/free/MDL-668.pdf" target="_blank">Model Law can be found here</a>.)</p>
<p>Insurance entities that operate in a state that has adopted a version of the Model Law may be subject to new regulations that span the period before a cyber incident through the response after one. First, under the Model Law, an insurance entity may be required to create an “Information Security Program” and an “Incident Response Plan” before an incident occurs. The Model Law would also govern an insurance entity’s response to a cyber incident by creating guidelines for investigation and notification after the incident. The Model Law is currently being considered in a number of states (Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire) and has been adopted in some form in Michigan and South Carolina.</p>
<ul>
<li><strong>Ohio’s Adoption Of The “Model Law” </strong></li>
</ul>
<p>Ohio is one of the first states to adopt a version of the NAIC’s Model Law, through Senate Bill 273. On December 19, 2018, John Kasich, Ohio’s governor, signed Senate Bill 273 into law; it requires entities subject to Ohio’s insurance laws to take certain steps to protect private information. While the Ohio legislature adopted a large portion of the Model Law, Senate Bill 273 made some notable changes, which include:</p>
<ul>
<li><em>Affirmative Defense</em>: Senate Bill 273 provides insurance entities that are in compliance with the statute with an affirmative defense to liability if they are sued for a cyber security incident;</li>
<li><em>Other Considerations:</em> The Ohio Department of Insurance can consider other factors related to a breach, including the type of business and the size of the insurance entity; and</li>
<li><em>Easy Compliance:</em> A streamlined process allows the insurance entity to file the documents required to comply with this law together with other corporate documents filed with the State of Ohio.</li>
</ul>
<p>Ohio’s law is more than an abstract cyber security guideline. Rather, it sets deadlines: all insurance entities must conduct a risk assessment that addresses the nature and likelihood of any internal threat to private information, and must implement a security program based on that risk assessment, by March 19, 2020. Therefore, Ohio’s insurance entities have work to do over the next year.</p>
<ul>
<li><strong>Industry Standards Provide Guidance</strong></li>
</ul>
<p>While many data collectors struggle to comply with various state and federal privacy laws, industry standards provide a uniform set of regulations. Further, industry standards that are crafted by members of the industry provide guidance on the issues facing that particular industry. And, while there is an argument that more regulations may become burdensome, regulations such as Ohio’s Bill 273 are helpful to the extent they protect sensitive data, provide guidance to data collectors and may limit liability when there is a cyber security incident.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion 483 (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.” As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion 483 (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.” As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach:</em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns that the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
<li><em>Stopping the Breach and Restoring the System:</em> F.O. 483 also requires that a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs. Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
<li><em>Determining What Occurred</em>: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.” As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers on giving notice to current and former clients. Overall, a lawyer has a duty to notify clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.” As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.” The lawyer should also inform the client of the plan to respond to the incident and of the efforts to protect the client’s data. F.O. 483 also directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization. While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers, because a cyber security issue may result in an ethical issue.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</title>
		<link>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach</link>
		<comments>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/#comments</comments>
		<pubDate>Thu, 04 Oct 2018 19:08:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1673</guid>
		<description><![CDATA[
<p>While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.... <a class="more-link" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/" target="_blank">While some courts have found coverage for data breach claims under CGL policies</a>, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.</p>
<p>The decision in <em>St. Paul Fire &amp; Marine Ins. Co. v. Rosen Millennium, Inc.</em>, case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability insurance policy (“CGL”). In <em>Rosen Millennium</em>, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to the defendant, Rosen Millennium (“Rosen”).</p>
<p>Rosen was providing data security services to Rosen Hotels &amp; Resorts (“RHR”) when they discovered a potential breach of credit cards at a hotel in February of 2016.  The forensic investigator determined information related to the credit cards provided by hotel patrons was breached and RHR took steps to notify the patrons in March of 2016.</p>
<p>Rosen submitted a notice of claim to its insurer, St. Paul Fire &amp; Marine (“Travelers”), in December of 2016, which stated that RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting that Rosen provide any information it believed might impact St. Paul’s coverage determination. Shortly thereafter, Travelers filed this declaratory judgment action seeking a determination of its duty to defend Millennium against RHR’s negligence claims. Even though RHR had not filed suit, the demand letter from RHR and Millennium’s Notice of Claim were said to create a controversy as to Travelers’ duty to defend Millennium under the CGL policies.</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies</strong></li>
</ul>
<p>In granting Travelers’ motion for summary judgment, the District Court first opined that the Notice of Claim (which contained only the relevant dates of the breach) and the demand letter (which provided only that Rosen exposed private information to third parties) did not trigger Travelers’ defense obligation under the policy. In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.” Consequently, the District Court found Rosen’s claims for coverage not ripe and held Travelers had no “duty to defend a hypothetical claim.”</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies</strong></li>
</ul>
<p>The District Court also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined under the CGL Policies. In particular, the CGL Policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.” And, the CGL policies defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis is whether the material, or personal information, was “made known” by Rosen and, therefore, constitutes a personal injury offense. Both parties agreed “making known” “is synonymous with ‘publication.’”</p>
<p>In addressing this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.”  In other words, there is no coverage for these claims because, if there was a publication, the publication was not done by the insured, Rosen.</p>
<p>This decision serves as another reminder that only a sliver of the data breach cases even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has solved the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to provide cyber coverage.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> (trowe@tresslerllp.com) for additional questions or for a copy of this decision.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for the District of Nevada alleging that one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s systems and transferred its confidential and trade secret information to third parties. Tesla did not waste any time filing suit, as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferred several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts that Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of his hiring, Tesla had identified Tripp as having problems with job performance and as being at times disruptive and combative with his colleagues. Tripp was angry when he received word that he was being transferred to a new role.</p>
<p>By mid-June 2018, Tripp was confronted with evidence that he was the source of the hack at Tesla and admitted to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as still being in its early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of the fiduciary duty of loyalty. In this claim, Tesla asserts that Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example of how cyber security and privacy violations can have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; against Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a> And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and <em>motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting any unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business; the risk of a hack increases with the amount of data stored. Here, a balance was needed, since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that, while there may be an opportunity to access data, the employer is entrusting the employee with sensitive data and expects that trust to be honored.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have a <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags. Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for the safeguards that are in place to protect data. This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
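<p>The Complaint alleges code that periodically exported data off the network, and the post recommends limiting an insider&#8217;s opportunity to do so. Limiting access is only half of that control; the other half is noticing a scheduled export when it starts. The following Python script is an added example, not Tesla&#8217;s code or anything from the Complaint: it reads constructed egress-proxy log lines (timestamp, user, destination IP, bytes sent), keeps only large transfers to destinations outside assumed internal ranges, and flags any account whose large external transfers recur at a near-constant interval, which is what a cron-style exfiltration job looks like and what an employee doing interactive work does not. The log format, the 10.0.0.0/8 and 192.168.0.0/16 internal ranges, the 100 MB threshold and the two-minute jitter tolerance are all assumptions for the illustration.</p>

```python
"""Flag accounts whose outbound transfers look like a scheduled bulk export
to destinations outside the corporate network.

Added example, not Tesla's code or evidence: the log format, network ranges,
thresholds and every log line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed: address ranges treated as inside the corporate network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed egress-proxy log, one transfer per line:
# "<UTC timestamp> <user> <destination IP> <bytes sent>"
SAMPLE_LOG = """\
2018-06-01T02:00:03Z jdoe  10.1.4.20    1200
2018-06-01T02:00:05Z tripp 203.0.113.7  900000000
2018-06-01T09:14:11Z tripp 10.1.4.20    3400
2018-06-02T02:00:04Z tripp 203.0.113.7  850000000
2018-06-02T10:02:51Z jdoe  203.0.113.50 20000
2018-06-03T02:00:02Z tripp 203.0.113.7  910000000
2018-06-03T11:45:00Z jdoe  10.1.4.20    2200
2018-06-04T02:00:06Z tripp 203.0.113.7  870000000
"""


def parse_line(line):
    """Split one log line into (timestamp, user, destination, bytes)."""
    ts, user, dest, nbytes = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user, ip_address(dest), int(nbytes))


def is_external(addr):
    """True when the destination is not inside any internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_periodic_bulk_exports(log_text, min_bytes=100_000_000,
                               min_events=3, jitter_s=120):
    """Return {user: [timestamps]} for users with at least min_events
    external transfers of min_bytes or more whose inter-arrival times are
    all within jitter_s of their median: the signature of a scheduled job
    rather than of a person working interactively."""
    big_external = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = parse_line(line)
        if is_external(dest) and nbytes >= min_bytes:
            big_external[user].append(ts)

    hits = {}
    for user, stamps in big_external.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= jitter_s for g in gaps):
            hits[user] = stamps
    return hits


if __name__ == "__main__":
    for user, stamps in find_periodic_bulk_exports(SAMPLE_LOG).items():
        print(f"{user}: {len(stamps)} large external transfers, "
              f"first {stamps[0].isoformat()}, last {stamps[-1].isoformat()}")
```

<p>On the constructed log, only the account with four roughly 900 MB transfers to the same outside address at about 02:00 every night is reported; the other account&#8217;s single small external transfer is ignored. In practice the thresholds should be set per role from a baseline of that role&#8217;s normal transfers, and a hit is a reason for HR and security to look together, which is the pairing the post argues for, not proof of wrongdoing by itself.</p>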
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</title>
		<link>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury</link>
		<comments>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/#comments</comments>
		<pubDate>Tue, 05 Jun 2018 16:39:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1530</guid>
		<description><![CDATA[
<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have... <a class="more-link" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">plaintiffs struggle with surviving motions to dismiss</a> because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">including biometric information</a>.</p>
<p>On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, we are seeing <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">another step in the trend where no breach is necessary to impose liability</a>.</p>
<p>In <em>Dixon v. The Washington and Jane Smith Community,</em> 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:</p>
<ul>
<li>“Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”</li>
<li>“Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”</li>
<li>“Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”</li>
<li>“Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”</li>
</ul>
<p><strong>Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation</strong></p>
<p>The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”</p>
<p>As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show they “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” <em>Spokeo, Inc. v. Robins</em>, 136 S. Ct. 1540, 1547 (2016).</p>
<p>After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)</p>
<p>Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.</p>
<p><strong>Motion To Dismiss Denied: Dixon Has A Viable Claim</strong></p>
<p>Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:</p>
<p><em>“BIPA provides that ‘[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.’  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition to obtaining other relief such as an injunction.”</em></p>
<p>Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:</p>
<p><em>“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”  </em></p>
<p>This case signals a willingness by a number of courts to acknowledge the significant risk with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach in the classical sense of Dixon’s fingerprint information.  In <em>Dixon</em>, the data collector merely provided biometric data to its vendor and yet the District Court found Dixon’s allegations were sufficient because, “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”</p>
<p>Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had mistakenly sent its employees’ W-2 forms to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking damages as a result of this incident, Schletter moved to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy, and violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question. The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization was sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim by finding Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer was insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss because they alleged that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts toward holding data collectors responsible for cyber incidents even where the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years ago, before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to mean that all data collectors are liable whenever they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
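<p>The training the District Court listed as missing comes down to one rule: a request to transfer W-2 or other protected employee data is verified out of band before anything is sent, and the verification is not a reply to the message that asked. The Python script below is an added example, not the Hopper decision&#8217;s text or Schletter&#8217;s procedure, of the header checks that decide whether a request even reaches a human for that call. It parses a constructed spoofed W-2 request and a constructed routine message with the standard library, and reports why the first must be verified: the sender&#8217;s domain is outside the company, it is a one-character lookalike of the company domain, the display name is an executive&#8217;s but the address is not that executive&#8217;s, Reply-To steers answers to a third domain, and the wording presses for urgency. The company domain <code>example.com</code>, the executive roster, the flag names and both messages are assumptions made for the illustration.</p>

```python
"""Triage an inbound e-mail that asks for employee W-2 or payroll data,
before anyone replies or attaches a file.

Added example, not from the Hopper decision or Schletter's systems: the
company domain, executive roster, header checks and both sample messages
are constructed for illustration.
"""
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {"jane doe": "ceo@example.com",         # constructed roster:
              "sam roe": "cfo@example.com"}          # display name -> address

SENSITIVE = re.compile(r"\bW-?2s?\b|\bsocial security\b|\bSSN\b|\bpayroll\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)

# Constructed: a spoofed request of the kind the W-2 scam warnings describe.
SPOOFED_REQUEST = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Please send the 2015 W-2 forms for all staff as one PDF. I am in a meeting,
so just reply to this e-mail.
"""

# Constructed: a routine internal message that asks for nothing protected.
ROUTINE_REQUEST = """\
From: "Jane Doe" <ceo@example.com>
To: payroll@example.com
Subject: Q1 headcount

Can you send me the headcount summary for the board deck?
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Plain-text body of a parsed message (joins text/plain parts)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                     for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def triage_request(raw_message):
    """Return the red flags found in a request for protected employee data.
    Any flag means: verify by phone with the person the message claims to be
    from, using a directory number, never one from the e-mail. An empty list
    only means no header-level flag fired; it is not approval to send."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + _body_text(msg)

    if not SENSITIVE.search(text):
        return []                      # not a request for protected data

    flags = []
    sender_domain = _domain(from_addr)
    if sender_domain != COMPANY_DOMAIN:
        flags.append("external-sender-domain")
        # Lookalike check, e.g. examp1e.com standing in for example.com.
        if SequenceMatcher(None, sender_domain, COMPANY_DOMAIN).ratio() > 0.8:
            flags.append("lookalike-domain")
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("executive-impersonation")
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")
    if URGENCY.search(text):
        flags.append("urgency-pressure")
    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_REQUEST), ("routine", ROUTINE_REQUEST)):
        print(label, triage_request(raw) or "no flags")
```

<p>The checks are deliberately cheap and header-based so that payroll staff, not only the security team, can run them on every request; the point of the list in <em>Hopper</em> is that the organization had a documented way to verify and a secure channel for the transfer, and a triage step like this is where that procedure starts. A message that raises no flag still goes through the same out-of-band confirmation before any file leaves.</p>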
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions about whether the term “cyber” is adequate in light of the exponential growth of privacy law. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a></p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions about whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage. Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence. Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while deciding the litigants’ cross-motions for summary judgment. The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account. Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather, Plaintiff claims it was damaged because the emails contained confidential and proprietary information, and that forwarding them violated state and federal law. Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident. Both parties moved for summary judgment, prompting the District Court to decide whether Plaintiff had a viable cause of action under federal or state law.</p>
<p>In the section of the District Court’s opinion entitled <em>“The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as falling into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category”:</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And the District Court provided the following concerning the “second category”:</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found that the conduct Plaintiff alleged, Defendant’s illegal misappropriation of confidential information, fell within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action). Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”) Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, it did not have to analyze the state claims once the federal claims were dismissed. Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed. Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer. Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct. That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information in hard copy rather than transferring it to his personal account through his computer. Further, the District Court may have arrived at a different decision if the Defendant had actually destroyed the information stored on the Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may see the term “cyber” evolve to cover only incidents where “a computer is the target of the malicious activity.” These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.” If the District Court’s analysis gains traction, we may see legislation that directly addresses this new breed of malicious activity rather than various privacy claims being crammed into traditional laws. Further, we may also see cyber policies evolve to provide coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s analysis of the term “cyber.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</title>
		<link>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data</link>
		<comments>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/#comments</comments>
		<pubDate>Thu, 30 Nov 2017 19:27:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1385</guid>
		<description><![CDATA[
<p>Uber&#8217;s technology and business plan have consistently presented a number of interesting privacy issues. Another interesting privacy issue involving Uber came to light on November 28, 2017 when the City of Chicago and Illinois (&#8220;plaintiffs&#8221;) filed their Complaint in a... <a class="more-link" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Continue Reading &#8594;</a></p>
]]></description>
				<content:encoded><![CDATA[<p>Uber&#8217;s technology and business plan have consistently presented a number of <a href="https://privacyriskreport.com/uber-and-lyft-demonstrate-how-cybersecurity-changes-the-way-businesses-deal-with-each-other-and-customers/" target="_blank">interesting privacy issues</a>. Another interesting privacy issue involving Uber came to light on November 28, 2017, when the City of Chicago and Illinois (&#8220;plaintiffs&#8221;) filed <a href="https://assets.documentcloud.org/documents/4311145/365676414-Chicago-CCSAO-Uber-11-27-17-Complaint.pdf" target="_blank">their Complaint</a> in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc.</em>, Case No. 2017CH15594 (Nov. 28, 2017). The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.” More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity. This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.</p>
<p><strong>The First Breach</strong></p>
<p>The plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public.  By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization.  After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.</p>
<p><strong>The Second Breach </strong></p>
<p>Despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleges this Second Breach was similar to the First Breach in that customer data was exposed when hackers found exposed passwords.  While Uber put out a statement, the plaintiffs claim Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.</p>
<p><strong>The Alleged Cover-Up</strong></p>
<p>The Complaint further asserts that after the second breach, “Uber opted to cover up the breach, both inside and outside the company.” The plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.&#8221; The plaintiffs claim the alleged cover-up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…” Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment. The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover-up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>The Plaintiffs’ Causes Of Action And Violations Of Illinois’ Personal Information Protection Act (“PIPA”)</strong></p>
<p>The plaintiffs first seek a recovery under Chicago Municipal Code Section 2-25-090, which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”). In this regard, the plaintiffs claim “Uber intended that the public, including Chicago residents, rely on its deceptive representations and communications regarding the security of their personal information.” The plaintiffs also claim Uber violated the Illinois <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Personal Information Protection Act</a> (&#8220;PIPA&#8221;) when it failed to notify Chicago residents of the breaches. Based on ten causes of action, the plaintiffs request that the court fine Uber $10,000 for each day the Chicago Municipal Code was violated, $50,000 for violating the ICFA and $10,000 for each violation “involving an Illinois resident 65 years of age or older for each day such violation has existed and continues to exist.”</p>
<p><strong>“Data Collectors” Must Put Thought Into Response If It Is Unclear If Formal Notification Is Necessary</strong></p>
<p>This case, while only in the pleading stages, signals a shift in considerations for “data collectors” when responding to an incident. First, if the allegations are true, they make clear that paying off hackers and disguising the payment as a legitimate expense must be avoided. Beyond this alleged payment, the allegations demonstrate the difficult balance between providing information to the public and not unnecessarily causing negative publicity. For example, it is alleged that Uber put out a blog post in response to the 2016 incident that failed to address all the information that may have been compromised in the breaches. The Complaint refers to this blog post as being “notably vague.” Therefore, even if it is shown that Uber did not intentionally cover up these incidents, the allegations against Uber provide a reminder that a “data collector&#8217;s” response can create additional liability beyond the incident itself.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a></p>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public. However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data. It is not difficult to see how these various requirements may become competing interests that cause confusion. Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing that information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), in which the New Hampshire Supreme Court found that providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.” While in the nonpublic session, the School District voted to seal the minutes. The following month, the plaintiff, David Taylor, requested that the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed. In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure, which allowed records to be provided only to a member of the public who brings a sealed thumb drive (or purchases a thumb drive directly from the School District) onto which the records are downloaded.</p>
<p>By August of 2016,  Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email. Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.” Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information. The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns. While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</title>
		<link>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors</link>
		<comments>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/#comments</comments>
		<pubDate>Thu, 14 Sep 2017 14:58:04 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1313</guid>
		<description><![CDATA[
<p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right and wrong in response to a cyber incident. After reviewing a number of responses to large-scale data breaches, it... <a class="more-link" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right <em>and</em> wrong in response to a cyber incident. After reviewing a number of responses to large-scale data breaches, it has become clear that some responses are better than others. It is also clear that all large-scale breaches and the responses to them have a number of moving parts. Therefore, in order to analyze all these moving parts to prepare for an incident, the best method for data collectors may be to break their strategy into the following three phases:</p>
<ul>
<li><em>Pre-Breach Preparations</em> should include discussing breach scenarios in the abstract. This timeframe should be dedicated to identifying an internal and external response team and creating a general roadmap for a response.</li>
<li><em>Post-Discovery Preparations</em> should include refining the roadmap to address the specific breach facing an entity. By this point, a data collector will have more information on the incident and should be able to prepare for the announcement of the incident.</li>
<li><em>Post-Announcement Response</em> should include re-working any portion of the response plan that is not going as intended and responding according to the roadmap created in the earlier phases.</li>
</ul>
<p>While it is still early in Equifax Inc.&#8217;s response, Equifax&#8217;s recent breach provides the perfect backdrop to take a closer look at these three phases for preparing for and engaging in a successful breach response.  Admittedly, we are just learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017. While different numbers have been discussed, it appears about 143 million people may be impacted.  Suffice it to say, this was a huge data breach.  <a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do" target="_blank">The FTC’s website provides the following facts</a>:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>The analysis of this <a href="https://privacyriskreport.com/home-depot-breach-litigation-goes-down-well-worn-path/" target="_blank">latest breach can be expected to go down the well-worn path of other large-scale breaches</a> seen at Target, Home Depot or Yahoo. And, over the coming months, we can expect to see more information concerning Equifax&#8217;s breach. For example, <a href="https://www.usatoday.com/story/money/2017/09/11/equifax-hit-least-23-class-action-lawsuits-over-massive-cyberbreach/653909001/" target="_blank">Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon</a>, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach seeking “a detailed timeline of the breach, information about the company&#8217;s efforts to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.” This information, and being able to analyze this information, will be key for any data collector reviewing its own breach response plan.</p>
<p><strong><em>Pre-Breach Preparations Allow A Stress-Free Review Of Safeguards And The Response Game Plan</em></strong></p>
<p>During the <em>Pre-Breach Preparations</em>, a data collector will have the opportunity to confirm that it has taken all steps necessary to safeguard information and has a roadmap in place <em>if</em> there is an incident. Once an incident occurs, it may be too late to thoroughly review the roadmap; the general structure must already be in place so that the details can be filled in as the breach unfolds.</p>
<p>First, Equifax&#8217;s breach, involving a credit reporting agency, is different from prior breaches which took place at retailers, financial institutions or medical care providers. That is, Equifax is often called on to provide credit monitoring to individuals that may be caught up in a cyber incident at a retailer, financial institution or medical care provider. For example, the Illinois Personal Information Protection Act states that any breach notification shall include “the toll-free numbers and addresses for consumer reporting agencies.” <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank"><em>See</em>, 815 ILCS 530/10</a>. Therefore, notification letters prepared in accordance with Illinois law would most likely direct Illinois residents to Equifax. Equifax and the other credit reporting agencies build their entire business on keeping information safe. At present, there is no information concerning what Pre-Breach Preparations Equifax had in place, but there will undoubtedly be a substantial amount of information disclosed over the coming months.</p>
<p><strong><em>Post-Discovery Preparations Allow A Response To Address The Specific Facts Of The Incident</em></strong></p>
<p><em>Post-Discovery Preparations</em> allow a data collector to incorporate the specific information it has learned from its initial investigation into its response roadmap. That is, the roadmap can now be revised and supplemented because the investigation will show whether this is a case of ransomware, a data breach or some other cyber attack. The data collector can also determine whether it will notify any individuals and, if so, what law governs that notification. The decision to contact law enforcement should be made during this phase as well. This phase may be the last time the data collector has full control over the incident.</p>
<p><a href="https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html" target="_blank">News reports indicate Equifax discovered the breach on July 29, 2017</a>.  Therefore, Equifax had more than a month, post breach, to formulate a response to this particular breach before it was announced to the public.  However, there is still little information concerning Equifax&#8217;s Post-Discovery Preparations at this time.</p>
<p><strong><em>Post-Announcement Response Allows An Entity To Address Issues That May Have Been Missed In The Other Breach Response Phases</em></strong></p>
<p>Hopefully, the response plan will only need to be slightly tweaked by the time a data collector reaches the Post-Announcement Response.</p>
<p>Equifax’s breach response at this point includes offering one free year of its credit monitoring service and providing information via <a href="http://www.equifaxsecurity2017.com" target="_blank">its website created just for this breach</a>.  However, over the last week, Equifax has faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/" target="_blank">Equifax had to issue a statement claiming to have fixed problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. This has led some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”</em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits have been filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more than 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares in the company days after the cyberattack was discovered. Equifax had to issue another statement after its announcement indicating that while the three executives sold a &#8220;small percentage&#8221; of their shares on August 1 and August 2, 2017, they &#8220;had no knowledge that an intrusion had occurred at the time they sold their shares.&#8221;</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement have placed Equifax’s response under further scrutiny. Equifax is now being called on to respond to a variety of issues since its announcement of this breach.  The Equifax breach makes it clear that the Post-Announcement Response phase can be the most stressful phase and will require a solid roadmap formulated in the earlier breach response phases.</p>
<p>As we learn about the Equifax breach (or any other data breach), it will be key for data collectors to look at all the information related to the breach response to determine if their own breach response roadmap is sufficient. Analyzing the various phases of a response, and how those phases are connected, will be necessary to continuously improve their own response plans.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
