Password Protected

Data Privacy & Security News and Trends

Allocation of Data Breach Risks and Costs in Vendor Contracts: Negotiate, Negotiate, Negotiate (And Negotiate Again!) Limitations on Liability and Indemnification

Posted in Data breach, Information Management, Notification

“A significant data breach is likely to cost the company materially, and costs could drag on for a number of years,” analyst Shlomo Rosenbaum, commenting on the Equifax breach.

Organizations increasingly rely on third-party service providers for data collection, processing, transfer and storage. As a result of this dependence on external data management sources, most companies are rethinking data breach risk and cost allocations in new and existing vendor agreements.

Limitation of liability and indemnification clauses form the framework for reducing unforeseeable, and potentially devastating, data breach costs. To defend against unpredictable damages, these clauses are fast becoming the most fiercely negotiated language in service provider agreements. Both liability and indemnity have taken on new importance as organizations become acutely aware that the customer, not the vendor, most likely has the ultimate responsibility for data breached while in the hands of a vendor. The harsh reality that a majority of state statutes allocate the risk and costs of unauthorized disclosure to the data owner, not the vendor, is a red flag in contract negotiations. Customers now realize that they are probably legally required to investigate a breach, provide required notifications and cover any and all costs related to a breach, despite the fact that the vendor is the sole culpable party. Under most state statutes, a service provider’s obligations, and its liability for costs, end with notification to the customer. Simply put, if the organization’s sensitive data is breached while under the control of a vendor, the vendor’s only obligation is to notify the organization. It is then the customer’s obligation to handle the fallout, unless the customer’s contract with the vendor provides otherwise.

Delaware Strengthens Cybersecurity Law

Posted in Data breach

On August 17, 2017, Delaware became the latest state to strengthen its cybersecurity laws. Under the newly enacted House Substitute 1 for House Bill 180, businesses that suffer cybersecurity breaches will face far more stringent notification requirements.

According to Representative Baumbach, D-Newark, who sponsored the bill, the legislation “is a meaningful step forward in addressing [cybersecurity] breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyber-attack.”

Under existing Delaware law, businesses that experience a cybersecurity breach are required only to notify the affected Delawareans “without unreasonable delay.” Effective April 14, 2018, companies will need to provide notice within 60 days, except in limited circumstances.  If the breach affects over 500 residents, the statute also requires the company to notify the Delaware Attorney General within the same time frame.

The law further expands the types of incidents that could give rise to consumer notification requirements by broadening the definition of “personal information.”

Kaspersky: Back in the News and What to Do About the Order to Stop Using Kaspersky Products and Services

Posted in Cybersecurity, Data Security

Kaspersky Lab is once again in the news as questions are being raised about the role of Kaspersky software in a reported hack of the National Security Agency. The story repeats the all-too-frequent scenario of an employee—in this case a government contractor—transferring files from work to his home computer and that action leading to the disclosure of sensitive information.  In this case the data is said to have included “highly classified U.S. cyber secrets” and Russian hackers are alleged to have accessed the employee’s home computer through Kaspersky software. Kaspersky software, including popular antivirus tools, is developed by a company with alleged ties to the Russian government.

Last month the U.S. Department of Homeland Security (DHS) announced plans for the federal government to terminate “the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.” The federal government’s decision on Kaspersky reflects long-standing concerns about the company’s ties to the Russian Government and, in particular, to the Russian intelligence and security agency known as the Federal Service Bureau. U.S. media reports have highlighted worries that Kaspersky software and tools might be able to collect or otherwise be utilized to create opportunities for Russian cyber operations. Last week’s report about the hacking of the National Security Agency adds fuel to that fire, and it builds on tensions that have been exacerbated by Kaspersky’s efforts to publicly attribute certain cyber activities to the U.S. Government (which, it should be pointed out, Kaspersky has done in relation to other States as well).

The U.S. Government’s decision to remove Kaspersky software from government systems occurs against the backdrop of a heightened focus on cybersecurity across the federal government, including an Executive Order, additional Defense Department information security standards, and other new compliance requirements to be included in most federal contracts.  DHS required a plan to be developed by all federal agencies to remove the software within 90 days. What might this decision mean for government contractors currently using the software and/or tasked with removing the software from government systems?

FTC Monitors Claims of Privacy Shield Compliance

Posted in Consumer Privacy/FTC, EU Data Protection

On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”

The first alliance of its kind, the E.U.-U.S. Privacy Shield provides a framework for the exchange of consumer personal data between the United States and countries in the European Union. Established in 2016, it was intended in part to enable U.S. companies to receive data from countries in the EU more efficiently while staying compliant with privacy laws that protect EU citizens. The agreement also allows companies to store EU citizens’ personal data on U.S. servers.

The “upcoming review” referenced in the White House Press Release is the first annual review of the Privacy Shield since its adoption; both EU and U.S. officials stated their support for the alliance in a joint statement released September 21, 2017. According to this statement, over 2,400 organizations have joined the Privacy Shield since the program’s inception a year ago. The U.S. and EU both declared a “share[d] . . . interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

But what good is an agreement without any bite for potential violators? The Federal Trade Commission (FTC) recently signaled that it fully intended to keep companies accountable for potential violations of the EU-U.S. Privacy Shield.

According to an FTC Press Release dated September 8, 2017, three U.S. Companies agreed to settle FTC charges that they “misled consumers about their participation” in the EU-U.S. Privacy Shield. The FTC alleged that these companies violated the FTC Act by “falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield” when they had all “failed to complete the certification process for the Privacy Shield.” Acting FTC Chairman Maureen K. Ohlhausen warned companies that these “actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce.” Notably, these enforcement actions are the first cases the FTC has brought to enforce the Privacy Shield.

Moving forward, companies should carefully assess whether they have completed the steps and certification necessary to make certain representations about participation in the EU-U.S. Privacy Shield—as both the FTC and the current White House administration fully intend on continuing to “demonstrate the strength of the American promise” to pull their weight in the alliance.

Cyberattacks—Are You Ready?

Posted in Cybersecurity, Information Management

Cyber-attacks hurt individuals and investors on a regular basis, and recent attacks have cost hundreds of millions of dollars. Firms that have dismissed the dangers are increasingly at risk of regulatory action. New European laws will likely increase fines for non-compliance with cyber-security standards, and New York’s financial regulator enacted new cyber-security rules in August.

The types of threats are ever evolving. Increasingly sophisticated technology and the internet of things are catnip for hackers. For example, hackers recently broke into an internet-connected fish tank and used the tank as a launching pad to more sensitive parts of the company’s network. Hackers’ business models are also evolving: for better or worse, ransom payments are now more common than sales of stolen data on the black market.

All of which is to say that the plans companies have laid out must evolve as well. The first principle is that companies must take a layered approach to defense. Prevention is really only half the battle when a breach, large or small, is a near inevitability for most companies. This move beyond prevention is new in the cyber-security world. As many companies have seen, mitigation and disaster recovery are as important as prevention. Segregating sensitive data within a company can reduce the impact of any hack that does breach the company’s outer barrier. Planning in advance how to respond to a hack reduces the risk of a botched response, which often causes an instant stock market plunge.

The second principle is to get smarter about your data: know how much is stored, where, and for how long. Information is an asset that makes companies vulnerable to hackers. The rise of artificial intelligence, data mining, the internet of things and other cutting-edge technologies can catalyze companies to stockpile information. Regulators’ wrath and the costs of maintaining a rock-solid digital infrastructure make data a source of business and legal risk. Companies should make sure they are ready.

The Equifax Breach: How to Protect Your Company and Your Customers

Posted in Data breach

On September 7, Equifax, one of the three major credit reporting firms in the U.S., disclosed a data breach that potentially affects 143 million consumers. Equifax’s disclosure indicated that the breach, which Equifax claims to have discovered in July, resulted from a vulnerability (CVE-2017-5638) in Apache Struts, an open-source software (OSS) framework that supports the Equifax online dispute portal web application. The Apache Struts vulnerability was identified and disclosed by the United States Computer Emergency Readiness Team in March 2017. Although Equifax made some effort to identify and secure vulnerable systems, it is unclear what steps Equifax took to patch the system or whether it otherwise engaged in remediation measures, including any update to its Web applications.

Managing Regulator Inquiry

If your company has utilized Equifax services, then your customers may have been exposed to an increased risk of identity theft. This risk may leave your business vulnerable to regulator inquiry.  Companies can expect regulators to ask questions such as: (1) what is the nature of the relationship between the company and Equifax, including contractual obligations; (2) what types of information have been exchanged between the company and Equifax, and is the company still reporting information to Equifax; and (3) in light of the breach, what will the company do to protect its customers and ensure their information is safeguarded going forward?

Some steps that you can immediately take to help position your company to properly respond to regulator inquiry include:

  • Establishing a point of contact and mobilizing your breach response team across departments to specifically manage the Equifax breach.
  • Conducting a thorough review of the information policies and procedures that are currently in place. This will allow you to effectively convey a factual report to the regulator regarding your data management practices.
  • Working with in-house and outside counsel to initiate an internal investigation to determine how sensitive consumer data is being managed, and what data may be at risk as a result of the breach.

Managing Your Relationship with Equifax

To mitigate any potential liability, you should immediately review your company’s contracts with Equifax. Once this analysis is complete, you can decide how best to manage your relationship with Equifax by determining what action, if any, you should take regarding any costs you may have related to the breach.  Some of the questions you should consider while evaluating your contractual relationship with Equifax include:

  • What Equifax products or services does your company use and what customer information is and has been exchanged between the company and Equifax?
  • Are there any existing contractual provisions that require the company to send data to Equifax?
    • If the company is required to use an Equifax service, are there transmission requirements to send the data? Who has access to the data? What is the data retention policy?
  • What pathways exist to modify the contract to address Equifax’s data security issues?
  • Is it reasonable to stop using the Equifax service?
    • Will there be a business disruption and cost to find another vendor? Keep in mind that there is no guarantee that existing alternatives are better equipped to safeguard against a breach.
  • What questions, demands and inquiries can your company make of Equifax to determine what steps Equifax has taken since the breach to secure its system and customer information?
    • What costs should Equifax cover relating to your management of the breach? What improvements should Equifax make to enhance data security practices going forward?

NYDFS Guidance to Regulated Institutions

Following the Equifax breach, the New York Department of Financial Services (“NYDFS”) promptly issued guidance to all financial institutions and insurers that are regulated by NYDFS and its Cybersecurity Requirements for Financial Services Companies.  NYDFS strongly urged regulated institutions “to ensure that this incident receives the highest level of attention and vigilance.”   This guidance is instructive not only for regulated companies, but also for entities outside the purview of NYDFS, as it highlights the expectations that all companies will face in managing the threat to their customers posed by the Equifax breach.

The NYDFS guidance encourages institutions that provide consumer- or commercial-related account and debt information to Equifax to carefully review the terms of any credit-reporting arrangement with Equifax to determine any potential risk associated with the continued provision of data in light of this cyberattack. In this regard, institutions are specifically cautioned to take into consideration the NYDFS Cybersecurity Regulation with respect to third party service providers.  Similarly, institutions that receive credit reports from Equifax are advised to confirm the validity of information contained in Equifax credit reports, as they may have been compromised in the cyberattack.

The guidance also urges regulated institutions to consider the following best practices for information security:

  • Install all available security patches;
  • Implement appropriate ID theft and fraud prevention programs for both new and existing customers;
  • Use an identity verification/fraud service for identity verification;
  • Provide a call center for customers to report if their information has been hacked and code these customer accounts with a “red flag”; and
  • Use Multi-Factor Authentication and Risk-Based Authentication techniques instead of relying solely on personally identifiable information (PII) as a means of verifying identity.

“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo, warning that NYDFS would take all action that is necessary “to protect New York’s markets, consumers and sensitive information from criminals.” In light of the recent expiration of the deadline for achieving compliance with the NYDFS Cybersecurity Regulations and the increased risk created by the Equifax breach, it is crucial that all companies regulated by NYDFS take immediate and proactive measures to mitigate potential harm to their customers and ensure compliance with the NYDFS Cybersecurity Regulations.

This breach has highlighted the often overlooked importance of proper IT infrastructure and data management. Accordingly, your company must be prepared to examine and defend its policies and practices to ensure your customers and IT network are protected.  Areas of focus should include vendor management practices, proactive system monitoring procedures, and data encryption protocols.

Update: Another Court Gives Broad Reading to Illinois Biometric Privacy Act

Posted in Privacy, Social Media

Another court ruling this week concludes that the Illinois Biometric Information Privacy Act (IBIPA) covers face geometry scans that are created from digital images, again rejecting the argument that the statute should apply only to facial scans made in person. The case, Monroy v. Shutterfly, Inc., No. 16 C 10984 (N.D. Ill. September 15, 2017) was brought by an individual whose face geometry was scanned by the photo website Shutterfly from a photo uploaded by a different user.

The IBIPA requires anyone who collects and stores certain “biometric identifiers” such as “face geometry” to first obtain the person’s consent and also requires a written policy for retention and eventual destruction of those identifiers.  Like the earlier Rivera v. Google ruling, this is a preliminary ruling in the case and one that still leaves open a thicket of issues related to how Illinois’s statute may apply to activities occurring in other states.  As further discussed in a prior post, if this interpretation ultimately prevails, it would have a significant impact, at least in Illinois, on the privacy compliance requirements for a broad and growing category of technology products.

A Little Help From HIPAA

Posted in Data Security, Health Information

HIPAA’s Security Rule requires that Covered Entities perform “periodic” Security Risk Assessments. All too often, however, this regulatory obligation is ignored altogether, performed extremely sporadically, or treated as a regulatory hoop-jumping exercise to be completed as quickly as possible. Aside from increasing the risk of HIPAA liability, treating the Security Rule Risk Assessment in these ways means missing out on an opportunity to explore and shore up the entity’s data security systems.

Despite what criticisms may exist for other parts of the HIPAA regulations, the Security Rule can be a remarkably helpful tool.  It was rolled out in 2013, and it has survived the test of time despite astonishing changes in technology.  Indeed, one of the reasons for this is that the Security Rule expressly incorporates a “flexibility of approach,” making it applicable to Covered Entities of all sizes and configurations.

At its core, the Security Rule aims to ensure the confidentiality, integrity, and availability of electronic PHI, and the elements of the rule are pretty much the very same things that would be expected of any responsible organization operating in the digital age anyway.

When done properly, the Security Rule Risk Assessment helps entities to examine their operations to identify where and how their data is stored; reasonably anticipate and address the risks that may exist to their data; and identify the various ways in which the entity manages its operations with respect to a fairly logical set of required and addressable criteria.  This exercise can be critically important in helping in-house counsel and the compliance team to understand where the organization’s information “lives,” who is in charge of securing the data, and what areas of potential vulnerability require attention.

Lawyers do not often applaud regulations, but in the case of data security practices, the HIPAA Security Rule can be tremendously helpful, and all entities should take it very seriously.

FTC Provides Guidance on Data Security in Its “Stick With Security” Blog

Posted in Data Security, FTC enforcement

Building on the FTC’s “Start with Security” guide for businesses, the agency launched the “Stick with Security” blog on July 21, 2017. The blog provides additional guidance on each of the 10 fundamental principles of data security through hypotheticals based on FTC decisions, questions submitted, and FTC enforcement actions. Each week, the FTC publishes a post dedicated to one of the 10 data security principles.

The 10 fundamental “Start with Security” principles include:

  1. Start with security. The first principle urges companies to factor data security into all aspects of the business and to make conscious decisions about how, when, and whether to collect, retain and use personally identifiable information.
  2. Control access to data sensibly. The second principle recommends restricting access to personal data to employees who have a legitimate need to access the data. This recommendation includes restricting administrative access to the company’s systems to employees tasked with making system changes.
  3. Require secure passwords and authentication. According to the third principle, companies should require “complex and unique” passwords, store passwords securely, and test for common vulnerabilities to protect against unauthorized access to data.
  4. Store sensitive personal information securely and protect it during transmission. The fourth principle advises companies to encrypt data while in transit and when at rest throughout the data’s entire lifecycle. Companies should use industry-tested methods of securing data and ensure that the measures are implemented and configured appropriately.
  5. Segment your network and monitor who’s trying to get in and out. The fifth principle speaks to the design of a company’s network; it should be segmented and include intrusion detection and prevention tools.
  6. Secure remote access to your network. The sixth principle considers a company to be responsible not only for the security of its internal network, but also for examining the security of employees’ computers and systems of others to whom the company grants remote access to its systems. In addition, companies should limit remote access to only the areas that are necessary to achieve the purpose.
  7. Apply sound security practices when developing new products. The seventh principle urges companies to use engineers trained in secure coding practices and to follow explicit platform guidelines designed to make new products more secure. This principle also indicates that companies are expected to ensure that their privacy and security features function properly and meet advertising claims.
  8. Make sure your service providers implement reasonable security measures. The eighth principle advises companies to choose providers with appropriate security measures and standards and to require providers to meet expectations by expressly including those obligations in provider contracts. Also companies should preserve contractually the right to verify that the provider is meeting expectations on data security matters.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise. The ninth principle instructs companies to implement and maintain up-to-date security patches, heed warnings regarding known vulnerabilities, and establish a process for receiving and responding to security alerts.
  10. Secure paper, physical media, and devices. The tenth principle applies similar security lessons to non-electronic data, such as data on paper and other physical media. This principle recommends storing paper containing sensitive data in a secure area, using PINs and encryption to secure data housed on other physical media, establishing security policies for employees when traveling with media that contains sensitive data, and disposing of sensitive data on paper and other physical media securely.

Since July 21st, the FTC has published seven helpful posts. Up next, the FTC will discuss the eighth principle: Make sure your service providers implement reasonable security measures.

Government Response to Increasing Cyber Threats

Posted in Cybersecurity, Legislation

Government agencies collect and hold massive amounts of personally identifiable information (PII), creating valuable targets for cybercrime. Recently proposed legislation would impose baseline standards for cyber hygiene on federal agencies. State and local governments, as well as private industry, should measure themselves against the same federal standards to protect against catastrophic loss of PII.

Security experts estimate that approximately 90% of successful cyberattacks are due to poor cyber hygiene and security management at the targets. The Promoting Good Cyber Hygiene Act of 2017 (the “Act”), introduced in the Senate, as well as comparable legislation introduced in the House, is designed to address potential shortcomings in federal agencies’ cyber hygiene practices. The Act would require the National Institute of Standards and Technology (NIST) to establish a list of best practices for effective and usable cyber hygiene for use by the Federal Government. The list also would be published as a standard for state and local government agencies, as well as the private sector.

Specifically, NIST must provide a list (1) of simple, basic controls that have the most impact in defending against common cyber security threats, (2) that utilizes commercial off-the-shelf technologies, based on international standards, and (3) that, if practicable, is based on and consistent with the Cybersecurity Framework contained in Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”). The Act also requires DHS, in coordination with the FTC and NIST, to conduct a study on cybersecurity threats relating to the Internet of Things (“IoT”); separately, in August 2017, the Senate introduced the IoT Cybersecurity Improvement Act of 2017, which includes minimum security standards for IoT devices connecting to federal government systems.

The Act requires NIST to consider the benefits of emerging technologies and processes such as multi-factor authentication, data loss prevention, micro-segmentation, data encryption, cloud services, anonymization, software patching and maintenance, phishing education and other standard cybersecurity measures. NIST, as well as federal and state governments, should also consider implementing the following security best practices:

  • Compartmentalize and segment data, and limit access to segmented data on a need-to-know basis. Only collect data that is necessary to provide the agency’s services.
  • Train all users (everyone with access to its systems, including contractors and subcontractors) on identifying and avoiding security threats.
  • Create comprehensive forensic evidence logs for data breaches to help identify and plug deficiencies in its systems.
  • Keep up to date on all operating systems versions and patches, and ensure its vendors are also up to date on its systems.
  • Monitor user activities and look for anomalies and discrepancies in access or usage patterns; track potentially suspicious activities.
  • Automate workflows and courses of action to reduce incident response times, and minimize the impact of a security breach.
  • Create, implement, and improve upon incident response and disaster recovery plans and risk mitigation strategies and best practices, both internally, as well as externally by requiring third party contractors to implement comparable practices.
  • Back up critical data on a continual basis to avoid susceptibility to ransomware demands.

In addition to new standards contemplated by the Act, NIST standards currently are being implemented into federal procurements. Federal Acquisition Regulation (“FAR”) and Department of Defense FAR Supplement (DFARS) provisions incorporated into government contracts require contractors to safeguard systems and information in accordance with all or part of NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These new mandatory contract clauses underscore the vulnerability of information that may not remain in a single system. True risk mitigation includes requiring strategic partners to comply with proper cybersecurity measures.

In addition to storing PII, government agencies also own and operate critical systems, networks and infrastructure. In light of the increasingly high-profile, more sophisticated, and numerous ransomware and other malware attacks, such as “WannaCry” and “NotPetya” infecting networks worldwide in the first half of 2017, it is more critical than ever for government agencies to identify, contain, remediate, and prevent cyberattacks. State and local government, as well as industry, should take advantage of the lessons learned and best practices incorporated in current and pending federal cybersecurity standards.

Federal standards such as those incorporated into government contracts and contemplated under the Act serve as a baseline starting point, and should continually be re-examined and updated once such best practices are implemented. Cyberattacks are not static and will evolve into more sophisticated, higher-volume attacks. Cyber-countermeasures and best practices must follow suit, evolving and improving with each lesson learned from every attack.