<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; legislation</title>
	<atom:link href="https://privacyriskreport.com/tag/legislation/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Tick Tock: A GDPR Primer To Meet The Deadline Next Week</title>
		<link>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week</link>
		<comments>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/#comments</comments>
		<pubDate>Fri, 18 May 2018 17:32:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1509</guid>
		<description><![CDATA[
<p>Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018.  As we have been discussing for a while, there is... <a class="more-link" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/">Tick Tock: A GDPR Primer To Meet The Deadline Next Week</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Discussions on privacy laws have taken center stage in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018.  <a href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/" target="_blank">As we have been discussing for a while</a>, there is confusion as data collectors try to figure out the impact of this legislation.  There is no question that large, multi-national corporations will have to comply and many of these corporations are already in compliance.  However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.</p>
<p>Until all these laws are harmonized, the safest route for smaller companies may be to comply with GDPR, state, federal, local and industry regulations as much as possible. While the GDPR deadline is looming, it is worthwhile for smaller data collectors to consider the following:</p>
<p><strong>GDPR Overview</strong></p>
<p>The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  (A guide to the EU GDPR can be found <a href="https://www.eugdpr.org/" target="_blank">here</a>.)</p>
<p>Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of the location of the data collector.  The definition of personal data is broadened to include any information “that can be used to directly or indirectly identify the person.”  Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how the data is to be handled and stored.  For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed.  GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. The penalties for non-compliance may total up to 4% of the annual global turnover of the breaching data collector or €20 million (whichever is greater).</p>
<p><strong>Should We be Concerned About GDPR Regulations?</strong></p>
<p>We have been getting questions from our clients about how GDPR may impact them.  The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents.  Admittedly, there are many questions concerning how GDPR regulations can be enforced on data collectors outside of the European Union. Of course, betting on the fact that the EU will not be able to broadly enforce these regulations is not the best strategy.</p>
<p>The consensus is that general marketing to customers that may include EU residents will not trigger an obligation under the GDPR.  Rather, it appears at this time that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the United States.  <a href="https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/2/#297abf1849a9" target="_blank">Commentators have provided the following analysis</a> on this issue:</p>
<p><em>For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.</em></p>
<p><em>Accepting currency of that country and having a domain suffix &#8212; say a U.S. website that can be reached with a .nl  from the Netherlands &#8212; would certainly seal the case.</em></p>
<p>Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:</p>
<p><em>&#8211; GDPR compliance is not costly</em>. At this point, compliance may amount to adding a few new disclosures to a website.</p>
<p><em>&#8211; GDPR compliance has a positive impact for customers that trust you with their data</em>. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer.  Keeping data safe may result in more business and fewer losses related to a cyber incident.</p>
<p><em>&#8211; GDPR compliance puts you ahead of the pack</em>. There is no doubt that the GDPR regulations are the strictest and most punitive we have seen to date.  However, GDPR compliance is only going to help data collectors comply with state, federal and industry standards that they may already be required to follow.  Further, if the GDPR is successful, data collectors can be certain the U.S. will adopt similar standards.</p>
<p><strong>The Initial, Practical Approach To GDPR Compliance</strong></p>
<p>Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:</p>
<ol>
<li><strong>Data Inventory. </strong>Data collectors need to first inventory the information and data that is being collected. A website that collects names and emails of visitors may gather EU residents&#8217; data occasionally, but may not target the European Union for business.  A data collector cannot thoroughly assess liability without taking stock of the origin of the collected data.</li>
<li><strong>Consent? </strong>While it is still early in the process of GDPR compliance, it is assumed that most data collectors will find there is a peripheral chance that data belonging to an EU resident will be collected.  This is the proper time to determine whether consent should be obtained from all individuals providing any data or information.  Consent does not have to be an elaborate policy that no one would want to read (we are looking at you, Apple).  Rather, consent can be obtained through clear language without legalese.  From a practical standpoint, data collectors may want to use a website such as <a href="https://secureprivacy.ai/" target="_blank">SecurePrivacy.AI,</a> which has recently begun offering a free tool that scans websites for GDPR compliance.</li>
<li><strong>Data/Privacy Officer. </strong>Reviewing GDPR compliance also provides an opportunity to consider whether a data/privacy officer should be appointed. This person will be responsible for handling data and information retention issues and would be a point of contact for anyone worried about how their data was gathered, used or retained.</li>
</ol>
<p>The issues concerning GDPR are not new.  Data collectors have been struggling with compliance with federal, state, local and industry data collection requirements for years.  For example, an employer in Chicago, Illinois may hold information for its employees that are residents of Illinois, Wisconsin or Indiana.  This employer may have been trying to harmonize privacy regulations for years at this point.  Consequently, data collectors should use GDPR as another opportunity to assess the safeguards they have in place to protect data.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Let’s Get Ready to Rumble: Gloves Come Off in Data Breach Standing Case</title>
		<link>https://privacyriskreport.com/lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case</link>
		<comments>https://privacyriskreport.com/lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case/#comments</comments>
		<pubDate>Tue, 10 Nov 2015 19:28:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[medical information]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=453</guid>
		<description><![CDATA[
<p>While we have seen defendants in data breach cases argue that plaintiffs were not injured and therefore lack standing to bring suit, litigants in a recent data breach case have directly addressed issues some litigants have previously danced around. On August... <a class="more-link" href="https://privacyriskreport.com/lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case/">Let’s Get Ready to Rumble: Gloves Come Off in Data Breach Standing Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While we have seen defendants in data breach cases argue that plaintiffs were not injured and therefore lack standing to bring suit, litigants in a recent data breach case have directly addressed issues some litigants have previously danced around.</p>
<p>On August 6, 2015, Pamela Chambliss and Scott Adamson (Plaintiffs) filed a <a href="https://privacyriskreport.com/wp-content/uploads/2015/11/Chambliss-Complaint.pdf" target="_blank">class action complaint</a> in a Maryland District Court against Carefirst, Inc. (which operates under the tradename Carefirst Blue Cross Blue Shield) related to a data breach at Carefirst in 2014. The Plaintiffs claim they have health insurance through Carefirst and, therefore, were required to furnish private information to Carefirst. The class action complaint seeks damages based on allegations that Carefirst failed to adequately secure its computer hardware that stored the Plaintiffs’ personal information. Carefirst discovered this breach on May 20, 2015. The breach released the names, birthdates, email addresses and “subscriber information” of 1.1 million individuals. The class action complaint indicates Carefirst did not encrypt the stored data and was viewed as a “soft target” by hackers.</p>
<p>The first cause of action was based on allegations that Carefirst was negligent by failing to safely store personal information and “potentially confidential health information” of its members. The class action Plaintiffs further claimed this breach “proximately caused an unauthorized disclosure” of Plaintiffs’ information. The second cause of action was based on allegations that Plaintiffs relied on Carefirst’s representations concerning its privacy and security before they purchased health insurance. The third cause of action alleged Carefirst was unjustly enriched when it did not pay for the security and protection promised to the Plaintiffs. Finally, the Plaintiffs alleged Carefirst’s conduct constitutes a violation of the Maryland Personal Information Protection Act.</p>
<p>On September 24, 2015, Carefirst filed its motion to dismiss the class action complaint, asserting Plaintiffs&#8217; action is defective because “Plaintiffs have not alleged that they suffered an injury cognizable under Article III of the Constitution.” That is, Carefirst claims the Plaintiffs lacked standing to bring the action because the Plaintiffs’ data was not alleged to be misused in any manner.  In <a href="https://privacyriskreport.com/wp-content/uploads/2015/11/Chambliss-Memorandum.pdf" target="_blank">its supporting brief</a>, Carefirst points out the difficulty class action plaintiffs are having surviving motions to dismiss:</p>
<blockquote>
<p style="text-align: justify;"><em>Data theft is an unfortunate and increasingly common occurrence in contemporary life, victimizing literally millions of Americans. Fortunately, data loss does not always produce actual harm. Just as companies are learning how to harden their defenses against cyber theft, our Nation’s courts are learning to sort out the claims of truly injured victims from those who launch class actions without having suffered any real harm. This action falls into the latter category. </em></p>
</blockquote>
<p>On November 5, 2015, the Plaintiffs filed their <a href="https://privacyriskreport.com/wp-content/uploads/2015/11/Chambliss-Response.pdf" target="_blank">opposition to Carefirst’s motion to dismiss</a>. The Plaintiffs wasted no time addressing what appeared to be the current trend of plaintiffs having difficulties showing damage from a data breach. The opening paragraphs take aim at Carefirst’s argument as follows:</p>
<blockquote>
<p style="text-align: justify;"><em>Defendants, in their Motion, assert that data theft is a “common occurrence” as if that somehow excuses them from culpability for failing to take the reasonable, necessary steps to protect the plethora of sensitive, highly confidential personal and medical information in their possession and the harms that their insureds suffer as a result of that failure. Brief at 1.1 Defendants cannot get off so easily. In fact, the commonness of such breaches actually makes each subsequent breach all the more egregious. Just as the landlord in a high-crime area can be held liable when he fails to install a secure lock on a tenant’s door and a criminal breaks into a tenant’s apartment and harms her as a result, see e.g. <span style="text-decoration: underline;">Lay v. Dworman</span>, 732 P.2d 455 (Okla. 1987), so, too, can a health insurer, who knows of the risk of cyberattack, be liable when it fails to secure its insureds’ confidential personal information.</em></p>
</blockquote>
<p>Of course, the current dispute in the <em>Carefirst</em> case is based on what is becoming a substantial body of law concerning standing for data breach cases. In just the last year, we have seen the following developments on the standing issue:</p>
<ul>
<li><strong>7th U.S. Circuit Court of Appeals</strong>: On July 20, 2015, the 7th Circuit issued its decision in <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank"><em>Remijas v. Neiman Marcus Group</em>, <em>LLC</em></a>, directly addressing standing under Article III of the U.S. Constitution for data breach plaintiffs. In reversing the District Court, the 7th Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the 7th Circuit found the plaintiffs met the requirement under <em>Clapper </em>“that injury either already [has] occurred or [was] ‘certainly impending.’”</li>
<li><strong>District Court for Southern District of Texas</strong>: In <a href="https://privacyriskreport.com/another-court-dismisses-data-breach-class-action-on-12b1-standing-grounds/" target="_blank"><em>Peters v. St. Joseph Serv., Corp</em></a>., the District Court dismissed plaintiff’s claims on a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.</li>
<li><strong>District Court for Northern District of Georgia</strong>: Home Depot filed a <a href="https://privacyriskreport.com/home-depot-breach-litigation-goes-down-well-worn-path/" target="_blank">motion to dismiss</a> asserting the Class Action Plaintiffs lacked standing to bring suit for its data breach.</li>
<li><strong>District Court for Minnesota</strong>: In the <em>Target</em> litigation, the District Court <a href="http://www.cyberrisknetwork.com/2014/12/04/banks-breach-suit-target-will-proceed/" target="_blank">held the Financial Institutions’ action survived</a> Target’s Motion to Dismiss.</li>
</ul>
<p>All of these cases trace their origins back to the Supreme Court’s 2013 opinion in <a href="http://www.privacyriskreport.com/wp-content/uploads/2015/02/11-1025.pdf" target="_blank"><em>Clapper v. Amnesty Int’l</em></a> finding that the mere increased risk of future harm does not confer Article III standing.</p>
<p>The briefs in the <em>Carefirst</em> case demonstrate that litigants are starting to directly address the difficult questions related to data breach cases as courts gain a better understanding of these cases. While plaintiffs have hit a number of hurdles in establishing damages, defendants’ argument that everyone is suffering a data breach may lose credibility with courts.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/lets-get-ready-to-rumble-gloves-come-off-in-data-breach-standing-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Study and Recent Criminal Conviction Sheds Light on the &#8220;Malicious Insiders&#8221; Threat</title>
		<link>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat</link>
		<comments>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/#comments</comments>
		<pubDate>Wed, 14 Oct 2015 20:18:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[computer abuse and fraud act]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[malicious insider]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=406</guid>
		<description><![CDATA[
<p>While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a Los Angeles Times reporter that disclosed corporate passwords on a hacker website serve... <a class="more-link" href="https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/">New Study and Recent Criminal Conviction Sheds Light on the &#8220;Malicious Insiders&#8221; Threat</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a <em>Los Angeles Times</em> reporter who disclosed corporate passwords on a hacker website serve as <a href="https://privacyriskreport.com/insureds-employees-are-often-overlooked-when-insurers-assess-cyber-coverage/" target="_blank">additional reminders</a> that “malicious insiders” still pose the largest security threat to an organization.</p>
<p><strong>Ponemon Institute/Hewlett-Packard Study: Malicious Insiders Can Cause the Most Serious Cyber Incidents</strong></p>
<p>The Ponemon Institute and Hewlett-Packard (HP) published the study, &#8220;<a href="http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/" target="_blank">2015 Cost of Cyber Crime Study: Global</a>,&#8221; which provides insight into the increasing frequency and costs of cyber attacks against governments and businesses around the world. Specifically, the study examines the “economic impact of cyber attacks and observes cost trends over time” and relies on data taken from 252 organizations in seven countries. Most importantly, the study finds that the most costly cyber crimes are caused by &#8220;malicious insiders,&#8221; people from within an organization.</p>
<p>For example, the study found cyber attacks committed by malicious insiders cost the responding organizations, on average, $144,542 to resolve. The costs related to malicious insiders exceeded costs related to denial of service attacks, phishing scams and stolen devices. Further, the study found the time required to resolve issues created by malicious insiders greatly exceeded the time to resolve issues related to other attacks. Specifically, time to resolve issues related to malicious insiders (54 days) exceeded web-based attacks (28 days) and denial of service attacks (19 days). While the threat created by malicious insiders has been understood for some time, this study puts these threats into context when measured against other cybersecurity threats.</p>
<p><strong>Matthew Keys’ Conviction Demonstrates Real World Dangers Associated with Malicious Insiders</strong></p>
<p>The findings in the Ponemon/HP Study related to the malicious insiders threat were further supported when earlier this month a former <em>Los Angeles Times</em> reporter <a href="http://motherboard.vice.com/read/former-reuters-journalist-matthew-keys-found-guilty-of-hacking-faces-25-years" target="_blank">was convicted</a> under the <a href="https://www.fas.org/sgp/crs/misc/97-1025.pdf" target="_blank">Computer Fraud and Abuse Act</a> (CFAA). Matthew Keys was convicted of posting confidential server passwords on a hacker website and urging hackers to “go [expletive] some [expletive] up” on websites maintained by his employer, the Tribune Company. Keys had access to the passwords during his employment. After Keys posted the passwords, a hacker gained access to the <em>Los Angeles Times</em> website and created a fake headline for a story.</p>
<p>While there may be <a href="http://fortune.com/2015/10/12/matthew-keys-hacking/" target="_blank">questions as to whether Keys was properly charged and convicted</a> under the CFAA, another important consideration is the fact that he does not fit the mold of a &#8220;traditional&#8221; hacker. During the criminal trial it became clear that Keys had nothing more than a basic working knowledge of computers and no experience as a “hacktivist.” Costs related to the investigation of the hacks, related vandalism, repairs of security issues and lost employee productivity were estimated to be nearly $1 million.</p>
<p><strong>The Greatest Threat Comes from Inside an Organization</strong></p>
<p>The Ponemon/HP Study and Keys’ conviction demonstrate that while large-scale hacks from foreign countries make news, employees continually prove to be the greatest threat to cybersecurity. Monitoring the conduct of employees and former employees continues to be just as important as maintaining cutting-edge technology in order to safeguard data or other valuable information. Further, the difficult question related to the amount of damages Keys actually caused leads into an interesting issue related to cyber insurance.</p>
<p>For example, while Keys’ employer claimed it suffered $1 million in damages, this amount was called into question by Keys because many of the hours logged to fix the damage caused by the leaked passwords were attributed to journalists and executives rather than technical staff. This dispute over which costs were justified and attributable to Keys’ conduct illustrates how important it is that insurers and insureds have a complete understanding, prior to a cyber incident, of the costs and damages covered under cyber policies.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/">New Study and Recent Criminal Conviction Sheds Light on the &#8220;Malicious Insiders&#8221; Threat</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>President Obama Signs Executive Order Addressing Data Security</title>
		<link>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=president-obama-signs-executive-order-addressing-data-security</link>
		<comments>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/#comments</comments>
		<pubDate>Mon, 27 Oct 2014 18:42:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[legislation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=157</guid>
		<description><![CDATA[
<p>On October 17, President Barack Obama signed an Executive Order addressing the growing concerns over data security in the United States. One of the most notable aspects of the Order is its requirement that all federally-issued credit and debit cards include... <a class="more-link" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">President Obama Signs Executive Order Addressing Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, President Barack Obama signed an <a href="http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions" target="_blank">Executive Order</a> addressing the growing concerns over data security in the United States. One of the most notable aspects of the Order is its requirement that all federally-issued credit and debit cards include chip-and-PIN technology. The chip-and-PIN technology enhances the security of the more traditional magnetic strip cards by replacing the magnetic strip with a computer chip that uses cryptography to protect data contained within the card. While the Order only applies to those cards issued by the federal government, several private sector companies, including Target, Wal-Mart, and Home Depot, have agreed to implement chip-and-PIN technology starting in 2015.</p>
<p>The Order also addresses the need for improved resources for identity theft victims following a data breach. It orders federal agencies with publicly available resources for victims of identity theft to share such information with the FTC, so that the FTC can continue to develop and streamline these resources at its website for identity theft victims, <a href="http://www.identitytheft.gov/" target="_blank">IdentityTheft.gov</a>.</p>
<p>In conjunction with signing the Order, Obama called on Congress to pass data breach legislation, writing in a statement that “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.” While members of the Senate have proposed several cybersecurity and data breach bills, Congress has yet to enact any of these bills into law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/">President Obama Signs Executive Order Addressing Data Security</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mark Your Calendars: California’s Amended Data Breach Law Will Take Effect in 2015</title>
		<link>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015</link>
		<comments>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/#comments</comments>
		<pubDate>Tue, 14 Oct 2014 16:04:45 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=189</guid>
		<description><![CDATA[
<p>On September 30, 2014, California passed Assembly Bill 1710 which will create two major changes related to breaches involving the private data of California residents when it comes into effect on January 1, 2015. First, the amended data breach law will expand... <a class="more-link" href="https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/">Mark Your Calendars: California’s Amended Data Breach Law Will Take Effect in 2015</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On September 30, 2014, California passed <a href="http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB1710" target="_blank">Assembly Bill 1710</a> which will create two major changes related to breaches involving the private data of California residents when it comes into effect on January 1, 2015.</p>
<p>First, the amended data breach law will expand the scope of the entities subject to the law. California’s existing data breach law requires entities that <em>own</em> or <em>license</em> personal information to implement and maintain security procedures to protect that information. Assembly Bill 1710 expands this requirement to include any entity that <em>maintains</em> personal information concerning a California resident. The amendment of the current law may include entities that store information on cloud servers. While the current version of the bill imposes notification requirements on entities that own or license personal information, the amended bill will not require an entity that maintains personal information to notify those individuals involved in a breach.</p>
<p>Second, the amended bill changes the obligations related to notification of a breach. Previously, an entity that owns or licenses private information was required to issue a notification of the breach. Under the amended bill, an entity that owns or licenses private information must “provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.”</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/">Mark Your Calendars: California’s Amended Data Breach Law Will Take Effect in 2015</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/mark-your-calendars-californias-amended-data-breach-law-will-take-effect-in-2015/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Takes a Stand in Support of Comprehensive Federal Privacy Legislation</title>
		<link>https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation</link>
		<comments>https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/#comments</comments>
		<pubDate>Tue, 26 Aug 2014 17:06:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=211</guid>
		<description><![CDATA[
<p>In a letter to the National Telecommunications and Information Administration, Microsoft vocalized its support for swift action on comprehensive privacy legislation in the United States. Microsoft argues that such legislation is necessary to gain the trust of consumers, as well as the... <a class="more-link" href="https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/">Microsoft Takes a Stand in Support of Comprehensive Federal Privacy Legislation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In a <a href="http://www.ntia.doc.gov/files/ntia/microsoft.pdf" target="_blank">letter</a> to the National Telecommunications and Information Administration, Microsoft vocalized its support for swift action on comprehensive privacy legislation in the United States. Microsoft argues that such legislation is necessary to gain the trust of consumers, as well as the trust of other countries that have already adopted comprehensive privacy laws. Microsoft stands apart from the majority of other big-name tech companies like Amazon, Google and Twitter, all of which have voiced concern over any privacy legislation at this time.</p>
<p>As discussed in a previous post, the U.S. Senate is close to debate on at least one cybersecurity bill.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/">Microsoft Takes a Stand in Support of Comprehensive Federal Privacy Legislation</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/microsoft-takes-a-stand-in-support-of-comprehensive-federal-privacy-legislation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Cybersecurity Bill Moves Closer to Becoming Law</title>
		<link>https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=federal-cybersecurity-bill-moves-closer-to-becoming-law</link>
		<comments>https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/#comments</comments>
		<pubDate>Wed, 09 Jul 2014 18:03:26 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[legislation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=227</guid>
		<description><![CDATA[
<p>The U.S. Senate is getting closer to debating a cybersecurity bill, the Cyber Information Sharing Act, which will create a voluntary process aimed at protecting private information. A “discussion draft” of the proposed bill includes provisions that would send threatening data to the Department of... <a class="more-link" href="https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/">Federal Cybersecurity Bill Moves Closer to Becoming Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The U.S. Senate is getting closer to debating a cybersecurity bill, the <a href="http://m.washingtonpost.com/blogs/the-switch/wp/2014/07/08/senate-intelligence-panel-advances-cybersecurity-bill/" target="_blank">Cyber Information Sharing Act</a>, which will create a voluntary process aimed at protecting private information. A “discussion draft” of the proposed bill includes provisions that would send threatening data to the Department of Homeland Security which would then share it with other federal agencies.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/">Federal Cybersecurity Bill Moves Closer to Becoming Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/federal-cybersecurity-bill-moves-closer-to-becoming-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
