
Password Protected

Data Privacy & Security News and Trends

Insurance Coverage for Lost Profits Arising from Cyber Attacks on the U.S. Power Grid

Posted in Cyber Insurance

The Washington Post reported last week that Russian hackers had penetrated the U.S. utility grid through Burlington Electric Department, a Vermont utility. Although the utility later clarified that the attacked computer was not connected to the grid and that the connection to Russia was not confirmed, hundreds of news sources picked up the story, demonstrating the widespread concern over cyber intrusions into our electric grid.

The United States electricity grid is critically important to our lives. The “grid” is vulnerable not only to weather-related power outages but also to cyberattacks. The most likely path for a hacker into a utility is through a utility’s control systems, which almost always are connected to the internet. The connection between the control systems in any piece of equipment or device and the internet is called the “Internet of Things.”

A shutdown of a utility’s service caused by a cyberattack could have dire economic consequences for both small and large businesses. It is therefore essential that businesses try to manage this business interruption risk, and because the risk is outside of a business’s control, insurance is the best (and possibly only) tool to use.

Cyber Attacks on Utilities – Frequency and Potential Impact

Electric utilities experienced a spike in cyberattacks in 2016, according to a survey by Tripwire, a cyber security firm. Seventy-five percent of the information technology workers surveyed reported that their companies in the oil, natural gas and electricity sectors had experienced at least one successful cyberattack in the past twelve months, meaning intruders were able to breach one or more firewalls or other protections.

Cyber hackers have successfully shut down electric utilities in the past. FireEye, another digital security firm, reported that in December 2015, Russian-nexus actors attacked several Ukrainian utilities, causing blackouts in several regions. The hackers used malware inserted through the connections between the utilities’ industrial control systems and the internet to gain access to their computer systems. The hackers then shut down circuit breakers at multiple substations, cutting off power to over 230,000 homes and businesses.

Impact of an Attack on the U.S. Electricity Grid

A cyberattack on the United States electricity grid could result in both property damage at the utility and a significant impact to customers. As they did in Ukraine, hackers could use malware inserted through the Internet of Things to gain access to computer systems at a utility. Then, hackers could cause electric generators to overload and burn out, resulting in fires and explosions. Alternatively, the perpetrators could simply shut down utility substations. Regardless of whether a cyberattack results in property damage at the utility, the resulting losses to utility customers could be in the billions. A 2014 Federal Energy Regulatory Commission analysis revealed that successful attacks on just nine of 55,000 U.S. power-grid substations could cause nationwide blackouts for weeks, if not months.

Insuring Against Cyber Attacks on Utilities

Coverage Available Under Traditional Property Policies

Business interruption (“BI”) coverage protects against lost profits resulting from property damage to the insured’s property. Standard property insurance policies include coverage for lost profits arising from a covered event at an upstream supplier. This is called “contingent” BI coverage. Many policies also include “service interruption” coverage, which is a type of contingent BI insurance insuring lost profits arising from damage to an electric utility’s property causing an interruption in the utility’s service.

Coverage under traditional property insurance policies for lost profits arising from a cyberattack on a utility may be limited. Standard property insurance policies require direct physical loss to property at the utility in order to trigger coverage for business interruption to a downstream power customer. Many courts have held that damage to data is not a “direct physical loss.” Moreover, property policies typically exclude coverage for losses arising from damage to or destruction of electronic data. Therefore, unless the cyberattack on the utility causes an explosion or a fire (physical loss to property), standard property insurance policies may not provide coverage for lost profits arising from a utility shutdown.

Coverage Available Under Cyber Policies

Because traditional property policies may not provide BI coverage for a cyberattack on an electric utility, policyholders should consider cyber insurance. Cyber insurance policies provide coverage for a variety of cyber risks, including the type of malware that a hacker might use to attack an electric utility. Recently, many carriers have broadened cyber insurance offerings to include contingent BI coverage that would protect against lost profits arising from a utility shutdown initiated by a hacker. Because breaches to the U.S. electrical grid pose such a widespread risk, however, insurers typically limit this coverage in a number of ways. These limitations include reducing the duration of the coverage, setting waiting periods of up to 60 days before the coverage applies, and adding exclusions.

One key exclusion that could apply to an attack on a utility is the terrorism exclusion. These exclusions bar coverage for losses arising from acts committed “for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.”

An attack on the U.S. electrical grid would generate intense focus on the source of the attack and whether it had a political, religious, or ideological purpose. Moreover, as the recent debate concerning the Russian attacks on the Democratic National Committee demonstrates, it is difficult to identify with certainty the source of a cyberattack. Therefore, disputes over the application of terrorism exclusions likely will arise following an attack on a utility.

Best Practices

Businesses should carefully evaluate their existing property insurance policy to determine whether it provides coverage for lost income from an interruption of electrical power caused by a cyberattack on a utility. Coverage under traditional property forms may be limited, however. Insureds also should review their cyber insurance policy to assess the scope of BI coverage offered there. Even if the policy provides such coverage, it is important to review the applicable sublimit, duration of coverage, waiting period, and exclusions to assess how broad the coverage truly is. If the coverage limitations are significant, keep in mind that in today’s cyber insurance market, many policy terms are negotiable. Furthermore, because the cyber insurance market is still rapidly developing, insureds should be sure to carefully compare their existing policy with other policies that may be available in the market at renewal time. Working with counsel and an insurance broker, businesses may be able to negotiate changes to the carrier’s proposed language to expand the coverage available for this very important and potentially catastrophic risk.

Data Privacy Class Actions Post-Spokeo

Posted in Data breach, Data Security, Litigation

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had an impact on class actions involving data privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III Following Spokeo

Given that many data privacy statutes provide for statutory damages and attorneys’ fees, they have become prime targets for class action attorneys. The class action claims, however, typically stem from technical or procedural violations of these statutes without any actual harm suffered by the plaintiffs, subjecting these lawsuits to fresh attacks following Spokeo. The various Courts of Appeals that have faced such challenges in data privacy actions in the wake of Spokeo have consistently found standing lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in the context of the Fair and Accurate Credit Transactions Act (FACTA) in Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses from printing more than the last five digits of a customer’s credit card number or the expiration date on a receipt, providing a private right of action with statutory damages up to $1,000 for any violation. In Meyers, the plaintiff alleged that a restaurant violated FACTA by printing the expiration date of his credit card on his sales receipt. In analyzing whether the plaintiff suffered a concrete harm in accordance with Spokeo, the Court noted that the plaintiff discovered the violation immediately, nobody else saw the non-compliant receipt, and thus it was “hard to imagine” how the expiration date could have increased the risk that the plaintiff’s identity would be compromised. Accordingly, the Court held that the plaintiff failed to establish any concrete harm, nor any appreciable risk of harm, to satisfy the injury-in-fact requirement for Article III standing under Spokeo.

The D.C. Circuit similarly held that a data privacy class action could not even “get out of the starting gate” with respect to standing following Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged violations of D.C.’s Use of Consumer Identification Information Act, which prohibits retailers from asking for a customer’s address in connection with a credit card transaction. The Court held that the plaintiffs failed to allege that they suffered any cognizable injury as a result of defendants requesting their zip codes, noting that the plaintiffs did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.  Instead, the claim rested upon a bare violation of the statute—the very theory of standing that the Supreme Court rejected in Spokeo.

These cases suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo.  Instead, plaintiffs will need to show that a violation caused harm, likely through the actual disclosure to a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class actions. This is because, as the Supreme Court in Spokeo acknowledged, an alleged violation of a procedural statutory right can establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient “risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual Insurance Company, some hackers allegedly broke into an insurance company’s computer network and stole personal identifying information of the customers. The plaintiffs brought a class action alleging violations of the Fair Credit Reporting Act for the company’s alleged failure to adopt procedures to protect against the wrongful dissemination of its customers’ data.  In evaluating standing, the Court found that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes—creating a “risk of real harm” to support standing. The plaintiffs also alleged that they had to expend time and money to monitor their credit, check their bank statements, and modify their financial accounts because of the data breach. Thus, in addition to the substantial risk of harm, the plaintiffs had reasonably incurred mitigation costs sufficient to establish standing under Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact from the Supreme Court’s ruling in Spokeo.  Although the line drawn between standing and the absence of standing seems clear at the moment, plaintiffs’ attorneys are sure to create new theories of harm to attempt to satisfy Article III’s standing requirement.

Obama’s National Cybersecurity Recommendations to Trump

Posted in Cybersecurity, Data Security, Legislation

On December 1, 2016, the Commission on Enhancing National Cybersecurity (Commission)—established ten months earlier by President Obama—released its Report on Securing and Growing the Digital Economy (Report).  The 50-page Report includes six major imperatives with 16 recommendations and 53 associated action items to improve national cybersecurity. The Commission is a non-partisan panel comprised of 12 members from various industries, including Uber, Microsoft and U.S. Cyber Command.

The Commission’s Recommendations

The six major imperatives, as they appear in the Report, are to:

  • Protect, defend, and secure today’s information infrastructure and digital networks;
  • Innovate and accelerate investment for the security and growth of digital networks and the digital economy;
  • Prepare consumers to thrive in a digital age;
  • Build cybersecurity workforce capabilities;
  • Better equip government to function effectively and securely in the digital age; and
  • Ensure an open, fair, competitive, and secure global digital economy.

These recommendations are directed to the next administration. The Report states, “[t]he Commission considers this report a direct memo to the next President” and suggests that most of the recommendations should begin within Trump’s first 100 days in office.

The Report calls for increased industry and government information sharing, more guidance on cybersecurity best practices and increased consumer education on the issues. To implement those principles, the Report details what agencies should be involved and provides a timeline for the President-elect. For example, the Report states that:

“[t]he Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT (Internet of Things) devices and provide recommendations within 180 days.”

Other recommendations include:

  • Initiating a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020;
  • Developing a standard template for documents to inform consumers of their cybersecurity roles plus creating a “Consumer’s Bill of Rights and Responsibilities for the Digital Age”;
  • Appointing an Ambassador for Cybersecurity within the first 180 days; and
  • Increasing funding for cybersecurity across the federal government.

Incorporating the Report into Trump’s Cybersecurity Plan

While the Report is directed to the Trump administration, it is unclear if the President-elect will incorporate the Commission’s recommendations. During the campaign Trump outlined a cybersecurity plan that focused on defensive and offensive strategies. Trump’s campaign outline, however, did not include the level of detail that the Report provides. Some of the Report’s recommendations are similar to items in Trump’s plan.  For example, the Report suggests appointing an Assistant to the President for Cybersecurity, while Trump’s campaign plan included a proposal to create a Cyber Review Team to evaluate vulnerabilities in critical infrastructure.

One major cybersecurity vulnerability is the ability of attackers to shut down internet service companies. In response to the October attack on Dyn, several legislators have called for safeguards to protect internet security. Senator Mark Warner, for example, released a letter from FCC Chairman Tom Wheeler in which Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. Wheeler, who will step down as chairman once President-elect Trump is inaugurated, said the FCC’s Advisory Committees should develop a “device cybersecurity certification process.” This certification process would attempt to prevent attacks like the one Dyn experienced.

But the President-elect, who said that for every new regulation, two old regulations must be eliminated, may not be quick to follow any recommendation left over from the Obama administration, especially if it requires new regulatory action. If Trump chooses not to follow the Report’s recommendations, he will undoubtedly be expected to release an exhaustive national cybersecurity plan shortly after taking office.

International Employers in Scope of the GDPR: Are You Ready?

Posted in Data portability, EU Data Protection, Legislation

The GDPR harmonizes data protection laws across the EU and updates the current 20-year-old regime to take account of globalization and the ever-changing technology landscape. It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to monitoring their behavior. Significant penalties can be imposed on employers that breach the GDPR, including fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. The level of fine will depend on the type of breach and any mitigating factors, but they are undoubtedly meant to penalize any employer’s disregard for the GDPR.

Employers should prepare for the following changes to avoid being subject to the new enforcement penalties.

More Detailed Privacy Notices

Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:

  • How long data will be stored;
  • If data will be transferred to other countries;
  • Information on the right to make a subject access request; and
  • Information on the right to have personal data deleted or rectified in certain instances.

Restrictions to Consent

Currently, many employers justify processing personal data on the basis of employee consent. This approach has been increasingly criticized because there is doubt as to whether or not consent is given freely in the subordinate employer-employee relationship.

There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Instead, employers will generally need to rely on one of the other legal grounds to process personal data.

New Breach Notification Requirement

The GDPR imposes a new mandatory breach reporting requirement. Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify and provide certain information to the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.

Data Protection Officers

All public authorities and those private companies involved in regular monitoring or large-scale processing of sensitive data will need to appoint a data protection officer to:

  • Advise on GDPR obligations;
  • Monitor compliance; and
  • Liaise with the data protection authority.

How to Prepare Now

Co-operation and understanding of the new GDPR obligations across the business are critical, and organizations will need HR, legal, IT and compliance teams to take a combined approach.

The most important steps for HR to take now include:

  • Carry out a data audit. Carefully assess current HR data and related processing activities and identify any gaps with the GDPR.
  • Review current privacy notices and update them to comply with the more detailed information requirements. All information provided must be easy for employees and job applicants to understand.
  • Assess the legal grounds for processing personal data. Where consent is currently relied on, check whether or not it meets GDPR requirements and remember that consent may be revoked at any time. Employers will generally need to rely on one of the other legal grounds to continue to process employee personal data.
  • Develop a data breach response program to ensure prompt notification. Allocate responsibility to certain people to investigate and contain a breach, and make a report. Train employees to recognize and address data breaches, and put appropriate policies and procedures in place.
  • Determine whether or not a data protection officer must be appointed and, if so, think about how best to recruit, train and resource one.

This article was originally published by Personnel Today and is reproduced here with permission.

Yahoo Déjà Vu – One Billion Yahoo Accounts Hacked

Posted in Consumer Privacy/FTC, Cybersecurity, Data breach, Data Security, Identity Theft, Other, Privacy

Yesterday afternoon Yahoo Inc. (Yahoo) announced that user information was stolen from more than one billion accounts in August 2013. Yahoo said that the stolen information includes, “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” but does not include bank account information.

Yahoo’s chief information security officer, Bob Lord, said in a statement yesterday that Yahoo believes the August 2013 incident is “likely distinct” from the incident that was disclosed in September 2016 that affected 500 million users (the September 2016 disclosure involved an attack from 2014). Yahoo also stated it has connected this newly announced August 2013 activity to the same state-sponsored actor responsible for the 2014 attack. Yahoo is currently notifying affected account holders and recommending users change their passwords and monitor accounts for suspicious activity.

This hack is particularly troubling because Yahoo believes a third party stole proprietary code from Yahoo that allows a hacker to access users’ accounts without a password. Specifically, the code forges authentication “cookies.” A cookie is data sent from a website and stored in the user’s web browser. Authentication cookies indicate that the user has previously authenticated to the website. A forged authentication cookie thus allows an unauthorized user to log on to an account without using a password, potentially repeatedly and indefinitely. Yahoo has since invalidated the forged authentication cookies so they cannot be used to access accounts.
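As an added example (not Yahoo’s code and not part of the original post), the following Python sketch shows how a signed authentication cookie is typically built and checked, and what “invalidating” forged cookies amounts to. The class name `CookieSigner`, its methods, the claim names and the key values are all constructed for this illustration. It demonstrates three points from the paragraph above: an edited cookie with a stale tag is rejected; whoever holds the signing key can mint a cookie that verifies without ever knowing a password; and rotating the key rejects every outstanding cookie at once, forged and legitimate alike, which is why such an invalidation forces all users to log in again.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed illustration of an HMAC-signed authentication cookie.
# CookieSigner, its methods and the key material are hypothetical names
# chosen for this example; they are not Yahoo's implementation.


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookies usually carry it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CookieSigner:
    """Mints and checks cookies of the form <base64 claims>.<base64 HMAC tag>."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.key_version = 1

    def rotate_key(self, new_key: bytes) -> None:
        # Rotating the key is the blunt instrument for invalidating every
        # outstanding cookie at once, forged or legitimate.
        self._key = new_key
        self.key_version += 1

    def _tag(self, payload: str) -> str:
        return _b64(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())

    def issue(self, user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = {"sub": user, "exp": int(now) + ttl_seconds, "kv": self.key_version}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{payload}.{self._tag(payload)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user named by a valid cookie, or None if it must be rejected."""
        now = time.time() if now is None else now
        payload, sep, tag = cookie.partition(".")
        if not sep:
            return None
        # Constant-time comparison so a forger learns nothing from response timing.
        if not hmac.compare_digest(self._tag(payload), tag):
            return None
        try:
            claims = json.loads(_unb64(payload))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("kv") != self.key_version or claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases the post describes, on a fixed clock."""
    t0 = 1_700_000_000
    server = CookieSigner(key=b"constructed-demo-key-1")
    legit = server.issue("alice", ttl_seconds=3600, now=t0)

    # Case 1: payload edited to name another user, tag left as-is -> HMAC fails.
    _, tag = legit.split(".")
    edited = _b64(json.dumps({"sub": "admin", "exp": t0 + 3600, "kv": 1}, sort_keys=True).encode())
    tampered = f"{edited}.{tag}"

    # Case 2: a holder of the leaked signing key needs no password; the cookie
    # minted with it is indistinguishable from a real one until the key changes.
    leaked = CookieSigner(key=b"constructed-demo-key-1")
    forged = leaked.issue("admin", ttl_seconds=10 * 365 * 24 * 3600, now=t0)

    results = {
        "legit_before_rotation": server.verify(legit, now=t0 + 60),
        "tampered_payload": server.verify(tampered, now=t0 + 60),
        "forged_with_leaked_key": server.verify(forged, now=t0 + 60),
    }

    # Case 3: invalidation. After rotation neither the forged cookie nor the
    # legitimate one verifies; every user must log in again.
    server.rotate_key(b"constructed-demo-key-2")
    results["forged_after_rotation"] = server.verify(forged, now=t0 + 60)
    results["legit_after_rotation"] = server.verify(legit, now=t0 + 60)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:24s} -> {user}")
```

The design point worth noticing is that the tag proves only that the cookie was produced by someone holding the key; it says nothing about whether that someone ever saw a password. That is why theft of the signing material (or of code that embeds it) is as severe as the post describes, and why the remedy is rotation or a server-side session record rather than simply asking users to change passwords.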

Passwords have recently come under scrutiny as an inadequate way to protect information. During a hearing held on November 16, 2016 by members of the House Energy and Commerce Committee, one expert, Dr. Kevin Fu, testified that “passwords are just intrinsically insecure” and “encourage unwise security behavior.” Dr. Fu continued, “the fact that we are relying on passwords at all is a big problem” and that “we need to retire passwords.” The disturbing reality of his testimony came to life with this most recent Yahoo attack, made possible by circumventing passwords to hack accounts. This unfortunate event may mark the beginning of a transition away from passwords as a security measure.

Yahoo is already battling several proposed class actions alleging violations of federal and state consumer protection and privacy laws from the September disclosure. The company will now face additional inquiries about the 2013 incident and the more than three-year delay in reporting the hack.

Don’t Forget the State Attorneys General

Posted in Consumer Privacy/FTC, Data breach, Identity Theft, Legislation, Notification

State attorneys general play an active role in data privacy and security matters. Their involvement is increasing as they grapple with changing technologies and threats, rapidly evolving state laws and their relatively broad consumer protection authority to engage private sector custodians of personal data such as retailers, financial institutions, technology companies, and health systems. In some states, attorneys general also have some level of law enforcement responsibility related to data breaches and privacy matters. The role of the attorneys general varies by state, further complicating compliance for those who may experience a data privacy or security event.

Attorneys general often work together leveraging their resources by initiating multistate litigation against companies resulting in larger settlements and by working closely with federal agencies such as the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), and the U.S. Department of Commerce (DOC). Attorneys general are also branching out from their typical enforcement roles to include policy and legislative initiatives.  Attorneys general associations such as the National Association of Attorneys General (NAAG), Republican Attorneys General Association (RAGA), and Democrat Attorneys General Association (DAGA) are making data privacy and security a top priority, frequently hosting panel discussions at their national meetings, and holding policy conferences specific to this topic.  The following are some examples of how attorneys general can impact your business regarding data breach and security matters.

State Reporting Requirements

A total of 47 states have legislation requiring entities to notify individuals of breaches involving personally identifiable information. Twenty-three of these states require entities to notify the attorney general of a breach. Some notification statutes are triggered by the number of persons affected by the breach (e.g., when 500 or 1,000 persons are affected). Others require disclosure no matter the size of the breach. As of this year, states requiring some form of attorney general notification are: California, Connecticut, Florida, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Vermont, Virginia and Washington.  Because state laws in this area are constantly changing, it is important to stay current on breach notification laws for your applicable states.

State Attorney General Litigation and Settlements

Attorneys general are actively involved in bringing litigation and seeking settlements against companies for various matters relating to data breaches. For example, Trump Hotel Collection settled with the New York attorney general to pay $50,000 in penalties when over 70,000 credit card numbers and other personal data were breached. Trump Hotel Collection also agreed to design and implement new data security practices to prevent future breaches.

Recently the Texas attorney general settled with PayPal regarding its Venmo mobile phone app for potential violations of Texas law by not disclosing how personal information was being used and that it might have publicly exposed private information. The settlement required PayPal to pay $175,000 to the state and improve disclosures regarding security and privacy.

Failure to timely notify patients of a breach and inadequate security measures resulted in a consent judgment against Beth Israel Deaconess Medical Center (BIDMC). The Massachusetts Attorney General sued BIDMC after a laptop containing health information of nearly 4,000 patients was stolen from a physician’s office. The lawsuit alleged BIDMC violated state and federal law when it did not notify patients that their information had been compromised until three months after the incident. BIDMC agreed to pay $100,000 and take steps to ensure compliance with data security laws.

A Vermont-based grocery store, Natural Provisions, settled with the Vermont Attorney General after a security breach involving credit card numbers. The settlement required Natural Provisions to upgrade its computer systems beyond the minimum required legal protections and pay a fine to the state. This settlement exemplifies the emerging trend requiring companies to not only pay a monetary penalty, but also make institutional improvements to prevent future breaches.

In November, Adobe settled a multistate action alleging the company did not employ reasonable security measures to protect customer information, in violation of consumer protection laws and personal information safeguard statutes. The Connecticut attorney general led the multistate investigation with fourteen other states that involved over 500,000 people. The settlement required Adobe to pay $1 million to the states and review internal security policies at least twice annually.

State Attorney General Policy Initiatives

Many attorneys general are going beyond enforcement and litigation. This year, the Massachusetts Attorney General’s Office hosted a forum on data privacy. Consumer advocates at this forum encouraged attorneys general to pursue enforcement of consumer protection laws. The Washington and California attorneys general release annual reports of every data breach incident in their state. Ohio’s Attorney General recently launched CyberOhio, a collection of cybersecurity initiatives to help Ohio businesses prevent data security threats and pursue legislative initiatives. The Maryland Internet Privacy Unit, created in 2013, monitors companies to ensure compliance with state and federal consumer protection laws. The increased policy attention on data breaches is sure to bring more enforcement and investigatory efforts by state attorneys general. Much of the policy development for attorneys general begins with their various national associations such as NAAG, RAGA and DAGA, providing companies with a good opportunity to help inform these state initiatives.

Summary

Despite federal regulations and enforcement, companies cannot forget that state attorneys general play a significant and expanding role with data privacy and security matters, including enforcement, prevention, and policy development. Understanding their role and a company’s responsibility in the event of a data breach is critical.  Engaging attorneys general before a crisis occurs, and helping shape their policy initiatives are also prudent strategies.

Do As We Say, Not As We Do: Audit Reveals Unencrypted IRS Emails Put Taxpayer Data at Risk

Posted in Data Protection and Competition, Data Security, Identity Theft

With tax season around the corner, the Internal Revenue Service (IRS) has begun its yearly campaign to educate taxpayers on the importance of protecting their personal information.  However, a recent audit of the agency’s email use reveals the awkward truth that even the IRS does not always follow best practices when it comes to protecting taxpayers’ sensitive information.

On November 17, 2016, the Treasury Inspector General for Tax Administration (TIGTA) released its October report on an audit of emails sent by 80 randomly selected IRS employees in the Small Business/Self Employed (SB/SE) division during a four-week period in the spring of 2015.  The audit revealed that 39 of the 80 employees sent a total of 326 unencrypted emails containing 8,031 different taxpayers’ personally identifiable information (PII).

The Office of Management and Budget defines PII as any information that can be “used to distinguish or trace an individual’s identity,” such as names, Social Security numbers, birth dates, or tax return information.  The TIGTA report observed that loss, theft, or unauthorized disclosure of PII places individuals at risk for invasion of privacy and identity theft.

Of the 326 unencrypted emails identified by TIGTA, IRS staff sent 275 within the agency and 51 to non-IRS email accounts, including some emails to agents’ personal email accounts, for reasons that are unclear. Most of the internal emails were sent using the IRS’ Enterprise e-Fax system, which allows employees to fax documents from their computers, but which does not have encryption capability.

In its report, TIGTA extrapolated the results of the 80-employee sample to the entire IRS staff and estimated that, over the same four-week period, 11,416 IRS employees sent 95,396 unencrypted emails with private information of 2.4 million taxpayers. If this rate is typical, TIGTA determined, it could mean that the IRS annually sends more than 1.1 million unencrypted emails with private information of 28.2 million taxpayers.  The IRS has established penalties for employees who send unencrypted emails with taxpayers’ personal information, ranging from warning to termination; however, neither the TIGTA nor the IRS has said whether anyone has been disciplined.

In its response, the IRS noted that TIGTA’s review did not identify any instances where unencrypted information was sent to an unintended recipient or fell into the wrong hands.  Karen Schiller, Commissioner of the SB/SE division, also observed that, because most of the emails were sent internally, they remained “within the extensive protections of the IRS firewall” and therefore posed “a minimal risk of disclosure or access.”  Nonetheless, Schiller and the agency recognized that the TIGTA audit reveals areas where the IRS can improve, including in its use of encryption, and emphasized that the IRS is committed to ensuring the privacy and security of taxpayer information against external threats.

The inspector general’s report made several recommendations, including technology upgrades (encrypting emails by default and updating the e-Fax system so that it can handle encrypted messages), improved training for employees and managers, and disciplinary action for violators.

A separate TIGTA report from October, also released November 17, further revealed that the IRS failed to protect taxpayer information when it transferred data externally to other agencies and contractors.  TIGTA found that the IRS did not always share sensitive data through secure file transfer and identified a number of vulnerable IRS servers: 61 servers with “high-risk vulnerabilities,” 32 servers missing important security patches—of which four were “deemed as critical,” and 10 servers with outdated operating systems.

As April approaches, we will continue to monitor threats facing the privacy and security of taxpayer information and efforts by the IRS to educate the public—and its staff—on ways to guard against these threats.

Retirement Plans Incur Data Breaches; ERISA Council Addresses Cyber Risks

Posted in Cybersecurity, Data Security

Until relatively recently, retirement plans have not made the news as targets of data breaches. This is somewhat surprising, given the wealth of participants’ personal data stored online by these plans. This past summer, however, two plans experienced cybersecurity incidents, one involving theft and one involving ransomware.

Although the ERISA Advisory Council (Council) earlier this month recommended that the Department of Labor (DOL) inform the employee benefits community about cybersecurity risks and potential approaches for managing them, there is a dearth of law on the subject of ERISA and cybersecurity. In fact, ERISA is silent on the subject, and no court has yet decided if and to what extent managing cybersecurity risk is a fiduciary function.

Fraudulent Loans Obtained From Chicago Deferred Compensation Plan

The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with some $3.6 billion in assets. In June, press reports indicated that $2.6 million was taken from the plan in the form of unapproved loans from 58 participant accounts. Within five days, the funds were restored, apparently by the company that administered the plan. Participants’ personal information was used to set up web profiles that allowed loans to be taken from their accounts. The matter remains under investigation.

Ransomware Demand Hits UFCW Local 655 Food Employers Joint Pension Plan

This past July, hackers made a ransomware demand on the United Food and Commercial Workers Union Local 655 Food Employers Joint Pension Plan. The plan is a multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015.

“Ransomware” is malicious software that infiltrates a device or, potentially, an entire information technology network. The software encrypts, or “locks,” the data on the device or network so that it cannot be read or used unless what is, in effect, a monetary ransom is paid to the attacker (typically in a cryptocurrency such as bitcoin, which is harder to trace than a conventional payment) in exchange for the “key” needed to decrypt the data. Paying does not guarantee that a working key will be delivered, which is why reliable, offline backups are the primary defense. Because the attacker has had control of the affected system, the data on it is generally treated as potentially exposed even when the apparent goal was extortion rather than theft.

The unidentified hacker who took control of one of the Local 655 plan’s servers demanded three bitcoins, worth about $2,000, in order for the server to work again. The ransom was not paid and the plan used a backup server to recreate the information that had been on the locked server.

Possible data that may have been accessed during the attack included participants’ names, dates of birth, Social Security numbers and bank account information. As a precaution, the union offered credit monitoring and identity protection services to its members for 12 months without cost.

ERISA Advisory Council Addresses Benefit Plan Cybersecurity

The Council was created under ERISA and is tasked with advising the Secretary of Labor (Secretary) and submitting recommendations regarding the Secretary’s functions under ERISA. The Council consists of 15 members appointed by the Secretary.

Benefit plan cybersecurity has been studied by the Council since 2011. In 2015 and earlier this year, hearings were held. The Council has made available its current issue statement on cybersecurity as well as the prepared statements of witnesses at this year’s hearings.

The Council’s final 2016 report is not expected to be released for several months. On November 10, it did release an executive summary provided to the Secretary, in which it made the following recommendations:

  • Make the Council’s report and its appendices available via the DOL’s website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with useful information on developing and maintaining a robust cyber risk management program for benefit plans.
  • Provide information to the employee benefit plan community of plan sponsors, fiduciaries and service providers to educate them on cybersecurity risks and potential approaches for managing these risks.

The summary notes that the Council has drafted a sample document titled Employee Benefit Plans: Considerations for Managing Cybersecurity Risks for the DOL as an illustration. When the Council’s final report is posted, we will report on it and the sample document in a WorkCite.

Observation

Apart from protecting online data, plan administrators are seriously concerned about the following:

  • Is cybersecurity a fiduciary responsibility under ERISA? If so, in some cases plan fiduciaries may have personal liability under ERISA for the consequences resulting from data breaches.
  • Are state cybersecurity laws and regulations pre-empted by ERISA? If not, in the event of a data breach, administrators of plans with participants residing in multiple states will have a daunting task in determining which laws and regulations apply.

Regrettably, the Council indicated in its issue statement that although it was aware of these matters, it did not intend to address them within the scope of its study. So far, no guidance has come from the DOL itself on either fiduciary responsibility or pre-emption.

Cybersecurity Threats May Impact Your Digital Health

Posted in Consumer Privacy/FTC, Cybersecurity, Data breach, Data Protection and Competition, Health Information

As the healthcare industry continues to embrace the Internet of Things, cybersecurity may present unprecedented health and privacy risks to patients. Wireless-enabled medical devices are increasingly common. For some patients, this means that their hearts are, quite literally, connected to the Internet of Things. For others, mobile medical apps and wearable products are collecting personal health data that may be inadequately protected.

The medical device industry came under fire this year when a Senator from California sent a letter to the top five U.S. medical device manufacturers expressing “serious concerns that the cybersecurity vulnerabilities in medical devices are putting the health and safety of patients in California and across the country at risk.” Senator Barbara Boxer (D-CA) wrote her letter in response to findings from an independent security researcher who discovered certain vulnerabilities in drug infusion pumps used in hospitals.  The researcher discovered that the device software was vulnerable to infiltration that had the potential to manipulate the pump’s drug dosage levels. Unfortunately, this is not the first time this risk has been demonstrated.  For instance, similar studies have revealed the vulnerabilities of wireless-enabled pacemakers and defibrillators, which in some cases have led to embarrassing public disclosures by companies seeking to profit from such vulnerabilities.

This month, two other lawmakers questioned the U.S. Food and Drug Administration (FDA) on its plans to address cybersecurity vulnerabilities in networked medical devices. Diana DeGette (D-CO) and Susan W. Brooks (R-IN) urged the agency to consider the vulnerability of the 10 to 15 million devices in circulation that are connected to the internet, hospital networks, and to other medical devices.

While there is no evidence that medical devices have been the targets of cyber-attacks in the wild, other IoT devices are increasingly becoming attractive targets, and the consequences of such an attack on a medical device could be dire. These threats are credible enough that, during his tenure as Vice President, Dick Cheney’s doctors disabled the wireless functionality of his implanted defibrillator out of concern that it might be hacked in an assassination attempt. As more medical device manufacturers create wireless-enabled products, data security for these devices is an increasing concern. Historically, device manufacturers have had to create products that perform under adverse conditions, such as power outages. Going forward, resistance to cyber-attacks is likely to be an additional hurdle that device manufacturers will need to clear before marketing their products.

This year FDA issued draft guidance addressing Postmarket Management of Cybersecurity in Medical Devices. FDA encourages manufacturers to use a proactive and risk-based approach in the post-market phase for medical devices, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. FDA has also identified cybersecurity enhancement in medical devices as a Science Priority for FY 2017. Medical device manufacturers are likely to face increasing scrutiny from FDA regarding the cybersecurity measures of connected devices.

“But what about my fitness tracker?” you may ask. The explosive growth of wearable wellness products and mobile medical apps has created another avenue for cyber-threats, and these products raise serious privacy and security concerns. Wearable products and medical apps collect a plethora of sensitive health information about their users, such as location, pregnancy, gender and ovulation information. Despite these issues, for the time being many of these products may fall into a regulatory no-man’s-land. Per its recent guidance, FDA does not intend to regulate low-risk general wellness products. Additionally, FDA’s current guidance suggests that many mobile medical apps will fall outside of FDA’s jurisdiction because they will not meet the definition of “medical device.” Other mobile medical apps may meet the definition of “medical device” but pose lower risk to the public, and FDA therefore does not intend to regulate them as “medical devices.” HIPAA is unlikely to apply to these products because they are not offered by “covered entities.” FDA’s stance may change, and these products remain subject to regulation by the Federal Trade Commission (FTC); for the time being, however, consumers will need to carefully consider the cybersecurity practices of the manufacturers from which they purchase these products.

Given the growth of the healthcare industry and the constantly evolving nature of cyber-threats, these issues are not likely to disappear any time soon.  Manufacturers will need to be vigilant to keep up with the constantly evolving cybersecurity threats and assess vulnerabilities when designing and developing products.

LabMD Successfully Delays FTC’s Data Security Enforcement During Appeal

Posted in Consumer Privacy/FTC, Data Protection and Competition, Data Security, FTC enforcement

In another twist in the LabMD case, LabMD has succeeded in obtaining a delay on the FTC’s enforcement action during its appeal.  Of course, the substantive issues remain to be determined.

In 2013, the Federal Trade Commission (FTC) issued an administrative complaint against LabMD for alleged “unfair” data security practices culminating in an Opinion and Final Order (Order) against the company for violating Section 5 of the Federal Trade Commission Act (Section 5). After exhausting administrative law procedures, LabMD filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit to prevent the FTC from enforcing the Order until the court reviewed several unresolved legal questions, including whether or not the FTC can enforce data security standards in the absence of identifiable harm.

The Court’s Analysis

In determining whether or not to grant the Stay, the court weighed the following four considerations:

  1. Did LabMD make a strong showing it would succeed on the merits;
  2. Would LabMD be irreparably injured without the stay;
  3. Does issuing the stay substantially injure a third party; and
  4. What is in the public’s best interest?

Success on the Merits

To succeed on the merits, LabMD must show that the FTC misinterpreted Section 5 as it was applied in the Order. Section 5 grants the FTC authority over “unfair or deceptive acts.” (15 U.S.C. § 45(a)). “Unfair” is defined as something that has caused “or is likely to cause substantial injury to consumers.” (15 U.S.C. § 45(n)). Federal agencies are charged with reasonably interpreting their own statutes. In its discussion, the court said that LabMD presented “a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” In other words, there is enough ambiguity in the FTC’s analysis that the Order should not be enforced, yet. The court says, “[i]t is not clear that the FTC reasonably interpreted ‘likely to cause’ …we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.” (emphasis added).

Irreparable Harm

The second point of analysis examines to what extent LabMD would be harmed if the Order is enforced. Here the court highlights the fact that LabMD (which was founded in 1996) is no longer in operation, with no employees, no revenue, and is relying on pro bono legal representation. Simply put, the court determined that LabMD is not well positioned to assume the costs required to comply with the Order.

Third Party Injury & Public’s Interest

The third and fourth points consider if third parties would be harmed by delaying the Order. Here the court notes that the “FTC’s ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm.” The court continues, “there is no evidence that any consumer ever suffered any tangible harm…we find it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates”. This analysis led the court to determine there is no risk of immediate harm to consumers or the public if the Order is delayed.

What’s Next for the FTC and LabMD?

This Stay comes after a handful of attempts to clarify the FTC’s policies and procedures in this case, including a letter from Sen. Jeff Flake and Sen. Mike Lee sent to Chairwoman Ramirez challenging the FTC’s analysis. In particular, the letter addresses whether the “FTC’s cybersecurity regime complies with the protections of due process under the constitution.”  The letter directly addresses the FTC’s analysis that LabMD’s vagueness challenge was inapplicable because there are no fundamental rights implicated in the case. The letter asks “[a]re laws unconstitutionally vague only if they implicate fundamental rights?”

This case then raises the question: has data security regulation hit the proverbial ‘tipping point’? Is momentum slowly moving away from broad agency regulation and toward streamlined industry standards? Maybe. The Stay is certainly a win for LabMD, but it is not a loss for the FTC. The case is far from over, and several substantive claims must still be addressed on appeal.