Header graphic for print

Password Protected

Data Privacy & Security News and Trends

When Botnets Attack: How Hackers Shut Down the Internet

Posted in Cybersecurity, Data Security

Beginning early on October 21, 2016, Dyn, a New Hampshire based internet service company, was the victim of three distributed denial of service (DDoS) attacks.   The first attack began at 7am ET and was resolved within about two hours.  A second attack began just before noon and a third attack just after 4pm ET.  Described by Dyn as a “sophisticated attack across multiple attack vectors and internet locations” the attacks affected websites including Spotify, Twitter, Reddit, the New York Times, and SoundCloud.

Techs and Specs – What is DDoS?

Domain name system (DNS) servers, such as those operated by Dyn, help translate a URL into an IP address. In other words, when you enter a URL like www.passwordprotectedlaw.com into your internet browser, the DNS server works to translate and configure the URL you entered into an IP address that sends you to the website you asked to visit.

DNS servers can only manage a certain number of requests at one time. DDoS attacks are successful because they overwhelm DNS servers by flooding the server with fake requests.  Like getting a busy signal when too many people call one phone number, if the DNS server is inundated with requests to connect to an IP address, it can no longer process those requests and the system stops working – just like it did Friday.

These malicious requests are powered by malware known as botnets. Botnets infect and take control of unprotected devices (such as CCTVs, DVRs, and other “Internet of Things” (IoT devices) without the user’s knowledge.  Dyn confirmed that, at least in part, the DDoS attack on Friday was a result of botnet malware known as Mirai.  Mirai infected inadequately secured devices by searching for and infiltrating devices that used default passwords.  Once Mirai infected the devices, it used the devices to send an overwhelming number of fake requests to Dyn, which overloaded its system.  These fake requests, in turn, prevented legitimate requests from being processed and therefore stopped legitimate users from accessing various websites that used Dyn DNS servers.

Responsibility and Liability

Unfortunately, these attacks are likely to proliferate because there is a low barrier to entry and it can be difficult to determine attribution for attacks. For example, the Mirai botnet source code was made public in September 2016 thereby allowing any person or criminal enterprise to take and use the code for malicious purposes.

Cyberattacks, like the one on Friday, can cripple businesses by disrupting revenue. Moreover, to the extent that cyberattacks expose data security vulnerabilities, the attacks can potentially expose a company to liability.  For example, the Federal Trade Commission brought action against LabMD for having insufficient data security practices. As these attacks become increasingly common, federal and state agencies will continue to closely monitor business data security practices.

To help avoid liability and mitigate damage from a DDoS, or other cyberattacks, keep in mind the following:

  • Practice Information Governance: understand your network, know and safeguard your sensitive data, and train your users.
  • Educate employees about the threat of phishing – which is the most popular delivery method for malware, including botnets.
  • Understand what your DNS server provides and how it protects against and responds to service disruptions.
  • Ensure that all devices on your network – CCTVs, Wi-Fi routers, and webcams – are reasonably secure and updated, for example, by changing default passwords and regularly updating patches.
  • Implement intrusion detection/prevention and malware prevention systems to detect and alert on malicious traffic traversing your network.
  • If possible, isolate or limit IoT traffic on your network to only essential devices.

FFIEC Issues FAQs on the Cybersecurity Assessment Tool

Posted in Cybersecurity, Financial Services Information Management

On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFEIC’s Cybersecurity Assessment Tool (Assessment).  FFIEC released the Assessment in June 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework).  While FFIEC’s Assessment is a good tool for banks to evaluate their cybersecurity standards, some banks experienced challenges mapping processes to the NIST Framework and interpreting FFIEC’s IT Handbook.  FFIEC’s FAQs should resolve these common issues, but they also raise other questions. Continue Reading

Expected Soon: Modifications of the Standard Contractual Clauses

Posted in Data portability, Data retention, EU Data Protection, Legislation, Privacy

The European Commission very recently presented two draft implementing decisions amending the existing adequacy decision on standard contractual clauses.

These drafts were presented to the Article 31 Committee, which is composed of Members State representatives who assist the European Commission concerning the protection of individuals with regard to the processing of personal data.

This presentation is a consequence of the Schrems ruling and past declarations of the Article 29 Working Party that standard contractual clauses remain under scrutiny.

The summary by the Article 31 Committee speaks for itself: “In Schrems, the Court invalidated Article 3 of the Safe Harbour adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (DPAs) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.”

The Article 31 Committee will make a final decision concerning these draft amendments in the coming days or weeks after reviewing the opinions of the Article 29 Working Party. It is possible that the Article 29 Working Party will propose other amendments.

Continue Reading

State Legislatures Protect Student Data and Mandate Greater Transparency

Posted in Legislation, Privacy

Public schools have generated and maintained massive amounts of student information for decades. Standardized test scores, grades, conduct records, psychological and medical information, student assessments, child and parent personal information, and teacher evaluations of children’s performance are all essential to providing and improving educational services.  But with such massive amounts of data comes great risk that it will be misused.

Congress recognized the sensitivity of this information in the early 1970’s and passed the Family and Education Records Protection Act (FERPA) in 1974.  FERPA guarantees families access to their child’s educational records, and also protects against disclosure of student data for non-educational purposes.  However, the rapid technology advances of the past decade far outstripped the ability of FERPA to provide risk solutions, so individual states have begun to fill the regulatory gap with their own laws and requirements.  These state laws address both data privacy and data security and continue the emphasis on transparency and accountability begun by FERPA.

Technology has rapidly enhanced the ability of schools to assess a student’s strengths, isolate learning deficits, and deliver learning systems that are individualized to maximize educational gains and teaching efficiency.  The aggregate of individuals’ microdata creates vast amounts of macrodata that allow schools to determine which learning systems are most effective, which should be modified or discarded, and which provide value platforms that are consistent with school boards’ limited financial resources.  Data collection, sharing and analysis are powerful tools in the modern educational product market.  But all of that data is sensitive and private to individuals, and its use needs to be thoughtfully regulated and protected.

The Data Quality Campaign has released a Summary of 2016 State Legislation that analyzes the growth and content of state bills and laws governing school-based data.  The DQC Report states that 15 states passed 18 new data privacy laws in 2016, with particular emphasis on three concerns:

  1. regulating the data use and privacy activities of online service providers;
  2. enhancing transparency around how student data is managed and used; and
  3. mandating greater responsibility for safeguarding data both internally and from cyber-threats.

Schools and educational technology providers will be well-advised to work together collaboratively to maximize learning opportunities for students while minimizing the risks of data compromise or inappropriate use of personal data. Only where the integrity of technology systems is assured will parents and the general public trust schools and learning product vendors with the data of our children. And experience teaches that every time a breach or abuse occurs, the response will be greater and more onerous legislation.

Industry Insight: Information Governance – Leverage Your Business Intelligence and Reduce Risk

Posted in Cybersecurity, Data breach, Data Protection and Competition

The goal is to turn data into information, and information into insight.” – Carly Fiorina, former CEO, Hewlett-Packard Co.

The most valuable asset of every organization is information. Organizing, analyzing and optimizing this complex source of business intelligence can be daunting.  In addition, assuring the security of sensitive data for legal compliance and reputational purposes can at times seem an unattainable goal.  Increasingly companies look to comprehensive information governance (IG) programs to fulfill both competitive business strategies and legal obligations.

What is Information Governance?

Information governance is a framework that brings together all the requirements, standards and best practices that apply to data in order to understand and exploit diverse information resources. IG facilitates reliable and secure information delivery despite expanding global markets, on-demand user access and emerging technologies.  Consumers now expect information services anywhere and anytime.  Managing the challenges related to this demand, as well as the volume, variety and velocity of data, is the most complex issue facing companies today.

Good IG practices, based on legal compliance and business objectives, provide efficient and safe data flows both within and outside an organization. Understanding the types and location of sensitive data is the first step to an effective IG program.  Fundamental IG tools, including data maps and retention schedules, ensure appropriate technical safeguards and defensible information lifecycles.  Training and communication are essential to engaging employees, consumers, and third parties in all aspects of IG.

IG In Practice

Evolving privacy and security regulations, as well as the proliferation of outsourced data, mandate that companies apply internal IG standards to cloud providers and third parties suppliers. Corporations are now responsible for policing the information management practices of business partners and third parties or face the risk of litigation and substantial fines.  Take for example, United States v. InMobi Pte Ltd., where a mobile advertising company, InMobi, was fined by the Federal Trade Commission for tracking the locations of consumers. InMobi is a business-to-business provider and therefore never deals with mobile device users. Nevertheless, InMobi is subject to a $4 million civil penalty, which the FTC  suspended to $950,000 based on the company’s financial condition. The company is also required to delete all information it collected without consent and institute a privacy program that will be audited every two years until 2036. Organizations must seek assurances of third party accountability through strong contract language that addresses privacy, security and data standards or they remain vulnerable to additional risks.

The role of IG in privacy and security has never been more important due to the risk exposure related to data breaches. An increasingly important aspect of IG is the documentation and disclosure of how personal information is collected, processed, shared, tracked and stored.  Every breach involving personal data has the potential to fuel spectacular headlines and class action lawsuits. The devastating business consequences of a breach are verified by the fact that 51% of customers will take their business elsewhere once their information has been compromised.*

Despite the potential for lost revenue, litigation and loss of reputation, 61% of CEOs report they are not well prepared to deal with results of a breach.* This is due in part to the constantly evolving and progressively sophisticated threats to businesses. For instance, a new form of ransomware called Mamba was recently identified.  Instead of just encrypting data, this malware scrambles the entire the operating system including apps, shared files and personal data, essentially leaving your computer, and potentially your whole network, entirely useless. As consumers grow less tolerant of their personal data being exposed, senior executives must make data security a priority by implementing and constantly updating comprehensive IG programs to incorporate defensible breach response and prevention procedures.

IG At Every Level

IG ultimately requires the commitment of C-level stakeholders. All C-level executives should be prepared to handle a potential security crisis with the help of IT, legal, and PR teams. This preparation should be documented in an immediately executable data breach response plan.   The ability to take rapid countermeasures and openly and effectively communicate during a breach is key to effectively managing expectations of shareholders and customers. The probability of breach related litigation is reduced with effective response and crisis management procedures as part of an overall IG program. **

In summary, good IG can provide invaluable business intelligence and opportunities based good information insight, security and accessibility. In addition, defensible privacy and security practices are the best protection against reputation damaging data breaches and costly litigation.

*Identillect Technologies, CEO Responsibilities for Data Breach, Retrieved from https://identillect.com/file/downloadpublication?fileUrl=%2FContent%2FDocuments%2FPublications%2FCEO%20Responsibilities%20for%20Data%20Breach.pdf (October 10, 2016).

**Romanosky, S., Hoffman, D., Aquisti, A., Empirical Analysis of Data Breach Litigation, iConference (2013).

The Cloud Grounded: Cloud Hosts Are Business Associates Under HIPAA Security Rule

Posted in Data Security, Health Information, Other

The Department of Health and Human Services Office for Civil Rights (OCR) issued long-anticipated guidance to help covered entities and their business associates — including cloud service providers (CSPs) — comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Generally, OCR clarifies that a CSP is considered a business associate and therefore regulated under HIPAA when a covered entity or its business associate engages that CSP to create, receive, maintain or transmit electronic protected health information (ePHI) on its behalf, even if the CSP does not have an encryption key and cannot actually view the ePHI.

For these “no-view services,” OCR has determined that encryption and inability to access are insufficient measures to address all of the security concerns under the HIPAA Security Rule. Indeed, the other key considerations — integrity and availability — are directly relevant to CSPs, regardless of their ability to access the ePHI they maintain. Squarely addressing the justification that many CSPs used to assert that they should not be considered business associates, OCR expressly states that the “conduit” exception does not apply to CSPs, as it is available only for PHI that is “transient” in nature. Thus, for these key reasons, CSPs are considered business associates and are subject to direct liability under HIPAA.

A CSP must meet applicable HIPAA requirements, such as proper internal controls and breach response procedures. This also means that there must be a HIPAA-compliant business associate agreement (BAA) in place covering the arrangement. Consistent with this, OCR previously entered into a settlement agreement with a covered entity for $2.7 million and a corrective action plan because the covered entity stored ePHI on a cloud-based server without entering into an appropriate BAA.

OCR issued other specific points of guidance with respect to cloud computing, including the following: Continue Reading

FFIEC to Host Webinars on Mobile Financial Services and the FS-ISAC to Promote Bank Cybersecurity Preparedness

Posted in Cybersecurity, Financial Services Information Management

On October 6, 2013, the Federal Financial Institutions Examination Council (FFIEC) announced that it will host two webinars with the goal of increasing cybersecurity preparedness by its member financial institutions.  FFIEC’s webinars are in recognition and observance of National Cybersecurity Awareness Month.

FFIEC’s first webinar will cover Mobile Financial Services – Appendix E of the FFIEC’s Retail Payment System Booklet (the Mobil Device Webinar).  In April 2016, FFIEC updated Appendix E of its Retail Payment Systems booklet to address the proliferation and technological advancements in mobile banking. FFIEC’s Mobil Device Webinar will provide an overview of the contents of Appendix E of its Retail Payments Systems booklet and include a question and answer session on mobile financial services. The Mobil Device Webinar will be held on Thursday, October 13 at 3:00pm New York time.  Banks and other financial institutions can register for FFEIC’s Mobil Device Webinar by clicking here.

FFIEC’s second webinar will highlight the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and discuss how banks can benefit from FS-ISAC membership (the FS-ISAC Webinar). In November 2014, FFIEC issued statements on FFIEC’s observations from its cybersecurity assessment and recommended that financial institutions participate in the FS-ISAC. FFIEC’s FS-ISAC Webinar will feature a guest speaker from the FS-ISAC and will provide tips on how to manage the information flow and filter information through the FS-ISAC membership portal.  The FS-ISAC Webinar will be held on Thursday, November 3 at 1:00pm New York time.  Banks and other financial institutions can register for FFEIC’s FS-ISAC Webinar by clicking here.

FFIEC last celebrated National Cybersecurity Awareness Month in October 2013 before FFIEC launched its cybersecurity webpage and began its cybersecurity preparedness campaign for community financial institutions.  FFIEC’s Mobil Device Webinar and FS-ISAC are a good ways to observe National Cybersecurity Awareness Month, but FFIEC could better improve cybersecurity preparedness by requiring that all financial institutions adopt cybersecurity programs consistent with the first-in-the-nation cybersecurity standards recently proposed (the Proposed Regulations) by the New York Department of Financial Services (the NY DFS).  The NY DFS’s Proposed Regulations are in step in the right direction because they require a number of cybersecurity controls not included in FFIEC’s IT Examination Handbook.  Hopefully, banks and other financial institutions will have consistent standards for better cybersecurity before the next National Cybersecurity Awareness Month in 2017.

FFIEC IT Security Booklet Revised

Posted in Data Security, Financial Services Information Management, Information Management

On September 9, 2016 the Federal Financial Institution Examination Council (FFIEC) updated its Information Security Booklet (available here).  In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information security program, security operations, and assurance processes.  Affected institutions include those regulated by prudential regulators in addition to those regulated by the Consumer Financial Protection Bureau (CFPB), which is a member of FFIEC and has been increasing its scrutiny of consumer-facing “financial technology” or “fintech” firms (on September 27, the CFPB also noted that is consumer complaint database had hit the 1 million-complaint-mark).

Compliance, internal auditors and cybersecurity professionals in affected institutions should in particular take note of updated Appendix A to the booklet, which lays out the following 11 objectives for examiners.

  1. Determine the appropriate scope and objectives for the examination.
  2. Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
  3. Determine whether management of the information security program is appropriate and supports the institution’s IT risk management process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
  4. As part of the information security program, determine whether management has established risk identification processes.
  5. Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  6. Determine whether management effectively implements controls to mitigate identified risk.
  7. Determine whether management has effective risk monitoring and reporting processes.
  8. Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
  9. Determine whether management has an effective information security program.
  10. Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  11. Discuss corrective action and communicate findings.

Incorporating these objectives into information security programs will assist affected firms in structuring, monitoring and evaluating IT security risks in accordance with FFIEC standards.

Your Credit Card Number’s Been Stolen. Have You Been Injured? Courts’ Answers Continue to Vary

Posted in Data breach, Litigation, Retail

Seemingly not a day goes by without news of another major data breach. In the past few weeks, Yahoo! announced that at least 500 million of its user accounts were stolen in 2014, hot on the heels of Dropbox’s announcement that more than 68 million of its accounts were compromised.  Data breach announcements by major companies are inevitably swiftly followed by class action complaints alleging a bevy of state and common-law claims.  Yet despite the ubiquity of this litigation, courts’ jurisprudence regarding what plaintiffs must plead to have standing and to state a claim arising from an alleged data breach continues to be unpredictable.  The source of this difficulty is a thorny question: what injury must plaintiffs allege to have standing and to adequately plead their claims in the wake of an announcement that their personal information has been stolen?

As the Supreme Court held in Clapper v. Amnesty Int’l, USA, for a plaintiff to establish an injury in fact sufficient to demonstrate standing, she must plead an injury that is “sufficiently impending.”  While plaintiffs need not “demonstrate that it is literally certain that the harms they identify will come about,” “allegations of possible future injury are not sufficient” and the plaintiff must demonstrate a “substantial risk” of harm that caused her to “reasonably incur costs to mitigate or avoid that harm.”   In the context of data breach litigation, courts have varied in how they apply this test in cases where plaintiffs allege that the theft of their personal information put them at “substantial risk” of identity theft.  Most courts have held that the mere allegation that stolen information may be misused is insufficient to establish an injury-in-fact necessary for Article III standing.  For example, in In re Science App. Int’l Corp. Backup Data Theft Litig., Judge Boasberg of the District of Columbia (citing a string of similarly-decided cases) held that the mere increased risk of identity theft, and plaintiffs’ expenditures in purchasing identity theft protection, were insufficient to confer standing.  But other courts have not followed suit, reasoning that sophisticated hacks are made for only one purpose: to obtain and then misuse personal information, which naturally injures innocent individuals.  As Judge Koh of the Northern District of California put it in finding standing for injuries arising from a hack of Adobe’s servers, “after all, why would hackers target and steal personal customer data if not to misuse it?”

Injury-in-fact jurisprudence seemed to grow only more convoluted when the Court of Appeals for the Seventh Circuit decided Remijas v. Neiman Marcus Group, LLC in 2015.  In Neiman Marcus, the Seventh Circuit held that plaintiffs’ allegations that hackers deliberately targeted Neiman Marcus to obtain their credit card information were sufficient to establish an injury-in-fact.  Cautioning that it was “important not to overread Clapper,” the Seventh Circuit echoed Judge Koh’s rhetorical question (albeit without attribution), asking, “Why else would hackers break into a store’s database and steal consumers’ private information?”  The Seventh Circuit also noted that Neiman Marcus offered credit and identity theft protection services to customers, reasoning that the retailer’s actions demonstrated the substantial risk of harm because “it is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”  In holding that plaintiffs established injury-in-fact sufficient to confer standing, the Seventh Circuit seemingly created a circuit split with the Third Circuit, which considered nearly identical claims and rejected them in Reilly v. Ceridian Corp.

Yet even within the Seventh Circuit, courts continue to grapple with what plaintiffs must plead regarding their alleged injury. In an October 3, 2016 decision in In re Barnes & Noble Pin Pad Litig., Judge Wood of the Northern District of Illinois held that plaintiffs’ claimed injuries resulting from hackers’ theft of their personal information through Barnes & Noble’s PIN pads sufficed to establish standing following Remijas. However, the court nevertheless dismissed plaintiff’s claims for failure to state a claim.  The court reasoned that several of plaintiffs’ claims required that they plead economic damages and noted that plaintiffs did not plead any actual monetary loss as a result of the data breach.  The court also dismissed plaintiffs’ common-law claim for invasion of privacy for failure to plead that the accessed personal information had been widely disseminated or that its disclosure was embarrassing to the plaintiffs.

The question arises whether the court’s decision in Barnes & Noble was simply a pleading failure that will be rectified by the plaintiffs’ bar – in future cases, plaintiffs might plausibly plead economic injuries resulting from identity theft or fraudulent charges.  Additionally, plaintiffs frequently pursue negligence claims on the theory that the breached company failed to employ reasonable information security measures, a claim that was absent in Barnes & Noble but might have survived under Judge Wood’s analysis.  The state of data breach litigation is further complicated by the FTC’s stance that unreasonable information security measures may violate the FTC Act even absent identifiable harm to consumers.  In sum, the state of data breach litigation, and courts’ approach to plaintiffs’ alleged injuries, remains in flux.  McGuireWoods LLP data privacy and class action attorneys will continue to monitor and report trends in data breach litigation.

Trick or Treat: The FCC Releases Privacy Regulations for Internet Service Providers

Posted in Consumer Privacy/FTC, Data breach, Notification, Privacy

Yesterday the Federal Communications Commission (FCC) revealed its revamped broadband privacy regulations. In March, the FCC initially proposed privacy rules which were highly criticized by everyone from the Federal Trade Commission (FTC) to small business owners. The new rules contain less regulation and they more closely resemble the FTC approach to privacy. In fact FTC Chairwoman Edith Ramirez already issued a statement regarding the FCC privacy proposal in which she applauds the FCC for listening to the FTC’s input and reiterates that the FTC has “decades” of experience in regulating privacy.

What’s Required

The rules would require internet service providers (ISPs) to explain the following to a customer when the customer signs up for service:

  • what information is collected;
  • how and for what purpose the ISP uses and/or shares the information; and
  • who the ISP shares the information with.

Compliance Guidelines

The FTC’s influence is most evident in the guidelines for protecting customer information. The regulations, which are meant to be flexible and allow for changes in technology, require the ISP to engage in “appropriately calibrated” and “reasonable” practices to protect consumer data.

Examples of appropriately calibrated practices include:

  • up-to-date and relevant industry best practices;
  • appropriate accountability and oversight of its security practices;
  • implementation of robust customer authentication tools; and
  • proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights


Under the rules, ISPs would be required to obtain “opt-in” consent to use sensitive customer information including:

  • geo-location
  • children’s information
  • health information
  • financial information
  • Social Security numbers
  • web browsing history
  • app usage history
  • the content of communications

Data Breach Requirements

The FCC regulations also seek to protect consumers during a data breach by requiring ISPs to engage in “common-sense” breach practices. This breach requirement would be “triggered by the ISP’s determination that an unauthorized disclosure of a customer’s personal information has occurred, unless the ISP establishes that no harm is reasonably likely to occur.”  While there is little explanation of how the ISP should make the breach determination, or what “harm” means, the FCC does provide a breach timeline for the ISP to follow.

Specifically, the FCC says that if the ISP determines there has been a breach, a provider is required to notify:

  • customers no later than 30 days after discovery;
  • the FCC no later than 7 business days after discovery; and
  • the FBI and the U.S. Secret Service no later than 7 business days after discovery of the breach if the breach affects more than 5,000 customers.

The proposed regulations make a point of noting they do not regulate the privacy practices of websites or apps (where the FTC is currently regulating) and they do not address government surveillance or encryption.

The FCC is scheduled to vote on the proposed regulations on October 27th.