Password Protected

Data Privacy & Security News and Trends

21st Century Data Breaches: Not All Fun and Games

Posted in Data breach, Data Security, Privacy, Retail

Data breaches can occur in the most surprising places. When data breaches affect sensitive, private information—especially those of children—companies can face scrutiny from regulatory agencies and be exposed to civil (and perhaps even criminal) liability.  While hackers are still targeting retail corporations and financial institutions, some hackers have moved onto an unexpected new area: children’s toys.

Spiral Toys Inc. sells stuffed animals called “CloudPets.” These 21st century stuffed animals are connected to the internet, allowing parents, their children, and anyone with access to the stuffed animals to record and send voice messages to each other.  Users simply download the “CloudPets” phone app (the Android app has been downloaded over 100,000 times already), and create an account by registering their emails and other personal information with the CloudPets app.  Unfortunately, the combination of a vulnerable security network and the sensitive nature of the private information held on the CloudPets’ server made it an attractive target for hackers.

In February 2017, cybersecurity experts discovered that the account information of more than 800,000 CloudPets could be easily accessed by anyone browsing the internet, without the need for a password. Even more disturbing, as reported by cnet.com, nearly 2.2 million voice recordings were also stored online in an unsecured manner.  This includes potentially millions of voice recordings of children.  According to the cybersecurity experts, hackers appeared to have wiped the user database and demanded a ransom from the company for its contents.

Unfortunately, CloudPets’ security flaws do not appear to be an isolated event. While retailers and banks have beefed up their cybersecurity in recent years after a number of high-profile breaches, toy manufacturers appear to be lagging behind.  In prior years, cybersecurity experts raised similar concerns with an internet-connected Barbie doll.  Likewise, cybersecurity concerns have been raised with other connected devices that contain private information, such as the fitness tracking devices like Fitbit.

Data breaches result in serious legal and public relations consequences, including a duty to disclose breaches to the public, regulatory fines, and potential class action lawsuits. Civil actions premised on tort law, e.g., invasion of privacy, are also colorable causes of action for breaches involving sensitive private information.

Finally, data breaches can also result in severe financial consequences for the companies involved. For CloudPets, the security breach has directly or indirectly caused its stock price to drop to 1 cent.  Moving forward, manufacturers of “connected” 21st century toys and gadgets should study cybersecurity best practices and cyber-threat trends to stay ahead of the pack and reduce their likelihood of becoming targets for opportunistic hackers.

Court Confirms Right to Be Forgotten Is Not Absolute

Posted in EU Data Protection, Legislation, Privacy

It has been less than three years since the Court of Justice of the European Union (CJEU) decided that people have the right to have incorrect information about them removed from online search engine results. However, this so-called “right to be forgotten” is not absolute, as confirmed by the CJEU’s most recent ruling last week.

This case concerned an Italian director, Mr. Salvatore Manni, who sought to have his personal details removed from company records in an official public register. He believed that his properties had failed to sell because the companies register showed that he had been an administrator of another company that went bankrupt.

The CJEU held that Mr. Manni could not demand the deletion of his personal data from the official register because the public nature of company registers is intended to ensure legal certainty and to protect the interests of third parties. It was held that this interference with an individual’s fundamental rights to a private life and to the protection of personal data was not disproportionate in the circumstances. This was because company registers only disclose a limited amount of personal data and company executives should be required to disclose data relating to their identity and functions within a company. The CJEU concluded by saying that in specific and exceptional situations, overriding and legitimate reasons may justify limiting the rights of third parties to access such data, and left it up to national courts to determine whether “legitimate and overriding reasons” exist on a case-by-case basis.

This decision echoes the ruling in the 2014 Google Spain Case: the right to be forgotten must be balanced against other fundamental rights, such as the right of freedom of expression and the public’s right to know information about persons holding key positions within a company. The General Data Protection Regulation (GDPR), which codifies the right to be forgotten, also confirms this position. The right to be forgotten allows individuals to request the deletion of personal data in specific circumstances. However, the GDPR contains certain exemptions where companies can refuse to deal with a deletion request, such as where the processing is necessary to exercise the right of freedom of expression, and for archiving purposes in the public interest.

Companies who receive requests by individuals asking that their personal data be deleted will need to determine, on a case-by-case basis, whether or not such data should be erased. Organizations will be required to perform a balancing act against any competing rights when considering such erasure requests.

See also:

UK’s First Ever Right To Be Forgotten Enforcement: Google In the Firing Line Again

The French Data Protection Authority Puts Google On Notice To Delist Domain Names Beyond Site’s EU Extensions

The CJEU’s Google Spain Decision: A Right to be Forgotten Within the Limits of the Freedom of Expression

Costeja’s Revenge: Orders to Delete Accurate Data and the Right to be Forgotten in the EU

Court Gives Broad Reading to Illinois Biometric Privacy Act

Posted in Privacy, Profiling, Social Media

The Illinois Biometric Information Privacy Act (IBIPA) covers face geometry scans that are created from digital images, according to a preliminary ruling last month in a lawsuit against Google. Rivera v. Google Inc., No. 16 C 02714 (N.D. Ill. February 27, 2017). The suit seeks monetary compensation for individuals identified by face recognition technology in photos uploaded to the “Google Photo” service. The ruling rejected Google’s argument that the IBIPA should only cover facial scans that are made in person and potentially subjects Google and other providers of widely used facial recognition technology to significantly expanded privacy requirements in Illinois to protect biometric privacy of individuals whose faces are in the tech companies’ databases.

Two individuals sued Google, seeking class action status and claiming that Google violated the IBIPA when, without their consent, Google’s software obtained facial geometry for their faces from photos that were uploaded to Google Photo. Google Photo is a cloud-based offering of Google that, among other things, uses facial recognition technology to assist users in organizing and retrieving their photos.  The IBIPA requires anyone who collects and stores certain “biometric identifiers” such as “face geometry” to first obtain the person’s consent and also requires a written policy for retention and eventual destruction of those identifiers.  The statute provides for damages of $1,000 for each negligent violation and $5,000 for each intentional violation.

In seeking to have the suit dismissed before proceedings begin, Google argued that language in the statute excluding photographs from some parts of the IBIPA should be applied to interpret the statute’s definition of “biometric identifiers” that are covered by the statute to mean that only in-person scans are covered. The statute defines “biometric identifier” as, “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” The Court, in a detailed 30-page ruling carefully analyzing the text of the statute and the legislative history, concluded that despite “photograph” being expressly excluded from a different definition in the statute, the Illinois legislature did not intend to distinguish between in person and virtual scans in the definition of “biometric identifier.”  As a result, it interprets “biometric identifier” to include face geometry extracted from Google Photo images.

If this interpretation ultimately prevails, it would have a significant impact, at least in Illinois, on the privacy compliance requirements for a broad and growing category of technology products. In addition to Google, a great many photo sharing and social media product providers use similar facial recognition technology to identify people, to organize photos and to add features and images to photos.  The IBIPA would require all the entities providing these functions to specifically inform their users about the collection of face geometry and to publish a retention schedule, detailing how the data will be kept and when it will be deleted.

The impact of this Illinois statute on the rest of the country remains a contested issue. In its ruling, the court concluded that at this early stage of the lawsuit there was sufficient indication that the statute was violated in Illinois so that, unless contrary evidence was introduced, it would apply in this case.  That, however, was based on the assertion that the pictures were taken and uploaded in Illinois, and without an analysis of where the facial geometry was extracted or stored.  The court put aside to a later stage of the litigation the federal constitutional questions about whether this Illinois statute could govern Google’s (and other internet providers’) actions across the United States.

Three Major Security Issues to Consider with SaaS and Cloud Solutions

Posted in Cybersecurity, Data Security

Small and medium-sized businesses are turning to software as a service (SaaS) solutions for their IT needs more and more frequently. SaaS solutions can provide end-users with quicker, cheaper access to software that they might not otherwise have at their disposal. SaaS solutions can also be more scalable, which is important for early-stage companies.  However, SaaS and cloud data storage are still relatively nascent technologies and carry some risks.  When your business turns to SaaS and cloud solutions, consider the following three major issues:

  1. Data Security:  Data breaches happen all the time. News reports of hacking and industrial espionage hit the headlines daily and present a serious threat to small and medium-sized businesses. On-premises software still presents its own set of security concerns, but be wary of new technologies and vendors who do not have a robust security program in place.
  2. Ongoing Business Concerns:  Small and medium-sized businesses often have no option but to outsource certain tasks, such as IT. However, when you outsource IT, you lose visibility into how your service provider is doing as a business and can open yourself up to various risks if that provider fails or changes course.
  3. Availability:  Employees at small or medium-sized businesses work 24/7 and need access to company data 24/7. However, with SaaS and cloud computing, outside issues like internet and power outages are a common problem.

Keeping these three issues in mind, what should you do? First, perform due diligence on your vendors, and filter out mediocre SaaS providers and find the right solution for your business.  Ask vendors about their disaster plans and recovery methods, risk analyses and protocols.  Request information and recommendations from current customers.  Find out if there have been prior security breaches.  Read any terms and conditions, and don’t skip the fine print.  Make sure that any software or data that is critical for the continuation of your work is escrowed. A well-drafted software escrow agreement can go a long way in the event of an issue. If any customizations or updates to the software are done specifically for your business, make sure that those are covered as well, not just the original software version.

The bottom line: expect the unexpected and mitigate any future security issues that might arise.

The Validity of EU-U.S. Personal Data Export Tools: A Pending Issue

Posted in EU Data Protection, Legislation

Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced in our previous blog posts, the validity of the SCC and the Privacy Shield had to pass the EU legal test with regard to the fundamental right to data protection.

Indeed, while the Privacy Shield is facing an action for annulment brought by Digital Rights Ireland before the CJEU, it is now the turn of the SCC to be examined in the context of a complaint filed by Maximilian Schrems against Facebook Ireland Limited with the Irish data protection authority (DPA). This latter case has been submitted by the DPA to the Irish High Court, which is now considering whether to refer the question to the CJEU.

On May 24, 2016, the Irish DPA issued a draft decision summarizing its concerns about the validity of the SCC. It is worth noting that this was a turning point for the Irish DPA: the former Irish Commissioner, Billy Hawkes, defended the Safe Harbor against Maximilian Schrems and some other DPAs, whereas the new Irish Commissioner Helen Dixon basically defends the opposite, despite some improvements in U.S. laws and the SCC that occurred after the cancellation of the Safe Harbor. This might be the sign of an evolution due to the entry into force of the EU General Data Protection Regulation, the new strong and unified piece of data protection legislation that will apply from May 2018.

The main concern of the Irish DPA about the use of the SCC is the absence of an effective judicial remedy in U.S. legislation for EU citizens to enforce their right to data protection where there might be a risk that personal data is processed by U.S. State agencies for national security purposes. Indeed, even if an EU citizen meets the criteria for a remedy against surveillance under the U.S. Foreign Intelligence Security Act, it appears, on the basis of U.S. court decisions, that they cannot sue the U.S. government.

Concerning the Privacy Shield, it is too soon to know if it will survive the new U.S. political era. As was observed with the now-defunct Safe Harbor, strong voices are being raised, pitting industry and the EU and U.S. Privacy Shield negotiators (pro) against EU civil society, some members of the EU Parliament and some DPAs (contra).

The key issue ultimately lies in the ability of U.S. legislation to grant data subjects enforceable data protection rights that EU authorities and courts would find at least equivalent to those granted by the EU. The two above-mentioned legal cases, as well as the economic stakes of EU-U.S. data flows, should put strong pressure on the U.S. government to provide additional guarantees.

For more information on the future of the Privacy Shield and SCC, please refer to the following prior Password Protected blog posts:

Expected Soon: Modifications of the Standard Contractual Clauses

Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

WP 29 Expresses Concerns About EU-U.S. Privacy Shield

The Rising Importance of Data Privacy and Security Practices for Healthcare Entities Facing Intensified Challenges

Posted in Data Security, Health Information, Information Management

For those in the healthcare industry, the privacy and security of information is vital to operations, but the importance and value of health information also makes the industry a prime target for threats.  Studies suggest that the vast majority of healthcare organizations have experienced one sort of data breach or another.  In fact, a May 2016 report from the Ponemon Institute found almost 90% of healthcare organizations had experienced a breach in the preceding two years, and 45% had experienced more than five breaches in the last two years.  Healthcare providers are also increasingly under attack by “ransomware” or “denial of service” attacks which lock up systems and hold them hostage until a ransom is paid to unlock them.  And while various agencies, including the FBI, recommend that providers not pay the demands of cyber criminals who execute ransomware attacks, this may not be a feasible option for providers who have failed to maintain robust data back-up systems.  Furthermore, the Office for Civil Rights has issued guidance that indicates that ransomware attacks need to be treated as security incidents and analyzed under HIPAA’s breach notification rule, although it recognizes that it is a fact-specific matter as to whether the incident will require notification to patients (and the OCR).  Finally, healthcare organizations are also subject to universal scams, such as the W-2 scam, which was previously discussed in the Password Protected Blog.

Preparing for ransomware and other attacks is not the only challenge; healthcare entities should be mindful that failure to comply with HIPAA is becoming increasingly costly.  To be sure, the Office for Civil Rights (“OCR”) has substantially ramped up its enforcement efforts.  Specifically, in 2016, OCR fines totaled $23 million, which is not only a new record but also roughly three times the previous record of $7.4 million (2014).  Aside from nearly doubling the record of enforcement actions (from seven to 13), 2016 witnessed a new record settlement: $5.5 million, paid by Advocate Health Care System.  Notably, the Advocate settlement was part of an enforcement blitz involving a settlement a week for three weeks in a row, as was previously reported in this blog.  Furthermore, in August 2016, the OCR announced an initiative to target smaller breaches (those involving fewer than 500 individuals), which means that small providers should no longer think that they will be able to “fly under the radar” of HIPAA enforcement.

2017 is already off to a strong enforcement start.  The OCR kicked off the year with the announcement of a (relatively modest) settlement of $475,000 for failure to make timely notifications of a breach.  Then, on February 1, 2017, the OCR announced that Children’s Medical Center of Dallas (“Children’s”) had to pay a civil money penalty of $3.2 million for its failure to implement appropriate risk management plans despite external recommendations to do so.  Indeed, in 2010, Children’s experienced a loss of an unencrypted, non-password-protected Blackberry device that contained protected health information of approximately 3,800 people.  And, in 2013, Children’s notified the OCR of a separate breach involving the theft of an unencrypted laptop containing electronic protected health information of 2,462 individuals.

Finally, on February 16, 2017, the OCR announced a HIPAA settlement that matched the previous high-water mark for settlements: $5.5 million.  In this latest case, Memorial Healthcare System settled with the OCR following a situation in which the protected health information of 115,143 individuals was impermissibly accessed by its employees and impermissibly disclosed to an affiliated physician’s office staff.  According to the OCR’s announcement, the login credentials of a former employee of a physician’s office were used from April 2011 to April 2012, without detection, and resulted in the unauthorized disclosure of information regarding 80,000 individuals.  Although the hospital had audit control policies in place, it failed to implement procedures for reviewing, modifying, and terminating rights of access, and it failed to regularly review system activity.

Looking Ahead: Prioritize Robust Data Privacy and Security Practices

The lesson in all of this is that no healthcare organizations should be coasting when it comes to data privacy and security activities.  Not only are providers under nearly constant attack, they are also likely to be subject to more aggressive enforcement and higher penalties if the OCR discovers inadequate compliance initiatives.  See additional discussion here.  To be sure, with the new focus on smaller breaches and the requirement that all breaches be reported to the OCR, no healthcare organization should consider itself to be immune from an enforcement action.  The solution: constant vigilance, routine training, regular updates to security risk assessments, and implementation of policies as they are written.

Lessons Gleaned From Recent HIPAA Settlements: An Ounce of Prevention is Worth a Pound of Cure: How Recent OCR Enforcement Impacts Your Transaction Diligence

Posted in Health Information

HIPAA enforcement has been on the rise during the last several years, and the dollar impact of those settlements has continued to grow significantly. The Department of Health and Human Services, Office of Civil Rights (OCR) announced a record number of enforcement actions in 2016, including reaching its largest settlement to date in August 2016 of $5.5 million with an entity that incurred three separate breaches of electronic protected health information (ePHI) over the course of a year. OCR has already announced three (3) enforcement actions only two months into 2017, including its first settlement with an entity for failing to timely report a breach.

Recent statistics support that HIPAA compliance is a risk that should be taken seriously. According to a February 2017 report from Protenus, in 2016, on average there was at least one health data breach per day. More importantly, a Ponemon Institute report notes the average total organizational cost of a breach is about $7 million.  Assuming that a lack of robust HIPAA policies and procedures or a failure to conduct the required Security Risk Assessment is “typical” could be a costly and time-consuming mistake. Indeed, it’s not just the potential settlement costs that must be considered.  It’s also the going-forward cost to implement the corrective action plan that may be required as part of the settlement, which can include the requirement to hire an independent third party to investigate and assess compliance with the corrective action plan, in addition to requirements to provide annual compliance reports and officer attestations.

What OCR Enforcement Tells Us About HIPAA Diligence

Several recent OCR settlements highlight exactly the issues that frequently come up during the transaction diligence process. Part one of this blog examines a few of the key HIPAA diligence areas and related OCR enforcement action. In part two, we will address how to tackle HIPAA diligence by asking the right questions and consider strategies for risk mitigation.

  1. Business Associate Agreements (BAA) – Missing, Non-Existent or Unsigned BAAs Should Not be Overlooked. HIPAA diligence should include a thorough analysis of BAAs, particularly those for key vendors or vendors handling ePHI. OCR has entered into sizable settlements both with Covered Entities for failing to have BAAs in place and with Business Associates for failing to meet HIPAA requirements. For example, in March 2016, OCR entered into a $1.55 million settlement with a health system that failed to enter into a BAA with a vendor whose employee had an unencrypted laptop stolen from a locked vehicle. In June 2016, OCR entered into a $650,000 settlement with a Business Associate that provided management and information technology services to nursing homes for failure to comply with the HIPAA Security Rule.
  2. Security Risk Assessments (SRA) – Failure to Conduct or Follow Recommendations Identified in an SRA Can be Costly. Don’t forget to inquire about Security Risk Assessments. Under the HIPAA Security Rule, Covered Entities and Business Associates must maintain appropriate technical, administrative and physical safeguards for ePHI. Issues that frequently arise during the diligence process are (i) failure to conduct an SRA, or (ii) conducting an SRA, but failing to implement remedial action, leaving documented vulnerabilities unaddressed. Several settlements in 2016 and in early 2017 underscore the importance of not only conducting a Security Risk Assessment, but also taking affirmative action to address areas of weakness once an entity is made aware of security gaps. A perfect example is OCR’s January 2017 $3.2 million settlement with a Dallas medical center for failure to comply “over many years with multiple standards of the HIPAA Security Rule.” Significantly, OCR noted there was a “failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all laptops, work stations, mobile devices and removable storage media . . .”
  3. Carefully Review Data on a Cloud Server. As technology offers increased convenience, many providers have turned to cloud-based solutions. In October 2016, OCR issued guidance for HIPAA-covered entities that use cloud computing services for ePHI. Among other things, the guidance requires the use of a BAA with cloud service providers. The guidance also notes that cloud providers are liable for failing to safeguard ePHI. This guidance comes on the heels of OCR’s July 2016 $2.7 million settlement with a university that was storing data on a cloud-based server without a BAA in place. Specifically, a stolen laptop computer resulted in the breach of ePHI which was being stored with an internet-based service provider without a BAA. In this regard, diligence should include inquiring about steps taken to ensure compliance with OCR’s most recent guidance.
  4. Understand Processes, Don’t Just Check the Policy Box – Fines Can be Assessed for Lack of Timely Breach Notification. Most diligence inquiries ask the basic questions regarding HIPAA breaches; however, it is also critical to review a company’s policies and procedures (both on paper and in practice) for reviewing and responding to HIPAA breaches. In January 2017, OCR entered a $475,000 settlement with a provider for failing to notify OCR within the required sixty (60) day timeframe upon discovering a breach affecting more than 500 individuals. While not a large settlement, this settlement is OCR’s first enforcement action for failing to follow breach notification requirements. Accordingly, if a provider has experienced HIPAA breach activity, it is important to ask targeted follow-up questions to ensure the provider is following all breach notification requirements. When underlying issues are discovered, consideration should be given to future enforcement and potential penalties. Notably, the breach activity involved in this settlement occurred in October 2013, with notification to OCR occurring in early 2014 and OCR’s enforcement action in January 2017. Our next blog post will address various ways to consider the time gap for enforcement activity.

Key Takeaways.  When conducting transaction diligence, it is important to ask questions beyond a standard set of requests for policies and procedures to those that look around corners and assess areas that could result in future fines, not to mention significant headline risks.  In our next blog post, we will examine key diligence questions, data room considerations and potential mitigants to consider when HIPAA issues arise during the diligence process.

Eighth Circuit Undoes Target Data Breach Settlement Class

Posted in Data breach, Litigation

The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. Robins. The Eighth Circuit remanded the case to the district court, finding that the lower court did not conduct a rigorous analysis of the record under Rule 23 prior to certifying the settlement class.

The case stems from the 2013 data breach of consumers’ credit and debit card information, which affected approximately 110 million Target customers. Following the consolidation of the hundreds of consumer class action lawsuits that followed, the U.S. District Court for the District of Minnesota preliminarily certified a settlement class defined as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.”  Under the terms of the settlement, Target was to create a $10 million settlement fund, which would pay class members with documented losses first, with the remaining balance distributed to members with undocumented losses.  Class members who suffered no loss from the data breach would not receive any monetary compensation.  Target also agreed to permit an attorney fee award of up to $6.75 million in addition to the $10 million class fund and to take on certain improvements in its data security practices.

Prior to final approval, two class members, Leif Olson and Jim Sciaroni, objected to the settlement. Olson alleged that certification of the class was improper due to the intraclass conflict between the named representatives and class members who, like Olson, had not suffered any loss and therefore would not receive any compensation, but would release Target from any claims should the breach someday injure him in the future.  Olson contended that this “zero-recovery subclass” should be certified as a separate subclass with independent representation.

At the final approval stage, the district court did not analyze Olson’s objection. Indeed, the district court refused to reconsider whether certification was proper solely because it had already preliminarily certified the class, stating “[b]ut the Court certified a settlement class in the preliminary approval order, and will not revisit that determination here.”  This outright refusal to consider the propriety of class certification at the final approval stage was the death knell for the case before the Eighth Circuit.

The Eighth Circuit explained that not only do courts have the duty to conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met, but this duty continues throughout the litigation.  In reviewing the district court’s preliminary order, the Eighth Circuit found that it was lacking in legal analysis, concluding that the court’s remarks were “the product of summary conclusion rather than rigor.”  This lack of legal analysis constituted an abuse of discretion and prevented the appellate court from conducting a meaningful review.

The Eighth Circuit highlighted three issues for the district court to consider on remand. First, whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can. Second, if there is a conflict, whether it prevents the class representatives from fairly and adequately protecting the interests of all of the class members.  Third, if the class is conflicted, whether the conflict is fundamental and requires certification of one or more subclasses with independent representation.

Although these questions are important in any case involving intraclass conflicts, they underscore a problem arising frequently in data breach actions—how should the law treat the compromise of data without any evidence of misuse.  This issue is particularly at the forefront following the Supreme Court’s decision in Spokeo v. Robins. If class members that suffered no loss from the data breach lack standing under Spokeo, it is unclear whether such a subclass could exist since neither the representative nor its members suffered a concrete injury.  It also poses the question as to whether those members should be included in the class at all.  How the district court analyzes these issues on remand may set the stage for future data breach class actions.

ALERT: Beware of W-2 Scam!

Posted in Data breach, Data Security

Our Data Privacy and Security team is currently assisting multiple clients in responding to nearly identical fraudulent requests for IRS Form W-2 information. Significantly, these clients are in a number of industries and are located in a variety of states, which confirms that this scam is widespread.

IRS Issues Warning About W-2 Scam

Earlier this month, the Internal Revenue Service (IRS) issued a warning that the Form W-2 e-mail phishing scam is circulating again and has grown to include a wider variety of industries this year.

What Is the Scam?

The criminals behind the W-2 phishing scam disguise an e-mail so it appears to be from a CEO or other executive within the company. In fact, some of the request e-mails contain signature lines that are identical to those in legitimate e-mails.  The e-mail is sent to an employee, typically in payroll or human resources, and asks for copies of the Forms W-2 or other sensitive employee information, including social security numbers.

Criminals attempt to get the Forms W-2 before employees have a chance to file their returns. This allows the criminal to file the return first and obtain the refund that should have gone to the employee.

In some cases, the W-2 request is combined with or followed by a request for money to be electronically transferred to third party accounts.

“This is one of the most dangerous e-mail phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.  We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.  The IRS also warns that businesses that were victims last year are receiving scam e-mails again this year.


Never respond to an e-mail that demands the immediate release of sensitive personal information or money without first independently verifying the identity of the sender.  Also, do not call any number supplied in the request e-mail as the form of verification because the criminals have set up phone banks that enable them to continue the ruse.  Instead, be sure to verify the request in person or use an internal phone number to speak directly with the (alleged) requestor.
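The verification rule above can be backed by a simple triage filter on the payroll or HR mailbox. The following is an added example written for this post; it is not code from the IRS or from McGuireWoods. It assumes a corporate domain (`example.com`), a list of executive names whose display names a spoofed request would borrow, and a constructed sample message; a request for W-2s or similar data is always held for out-of-band verification, and the filter additionally records whether the sender's display name matches an executive while the address sits outside the corporate domain, and whether the message presses for an immediate response.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the company's own mail domain and the
# executives whose names a spoofed request is likely to borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Constructed phrase lists: requests for tax/payroll records, and pressure
# for an immediate reply (the alert warns of "immediate release" demands).
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|social security( number)?s?|ssn|payroll|wire transfer)\b",
    re.IGNORECASE,
)
URGENCY = re.compile(r"\b(immediately|urgent|asap|right away|today)\b", re.IGNORECASE)


def triage(raw_message: str) -> dict:
    """Classify one RFC 822 message.

    Returns {"hold": bool, "reasons": [...]}. "hold" is True whenever the
    message asks for sensitive payroll/tax data; the reasons list records the
    additional indicators a reviewer should see before anyone replies.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"

    reasons = []
    if SENSITIVE_REQUEST.search(text):
        reasons.append("sensitive_request")
    # Display name of a known executive, but the address is not on our domain:
    # the classic look-alike "CEO" request.
    if display_name.strip().lower() in EXECUTIVES and sender_domain != CORPORATE_DOMAIN:
        reasons.append("executive_name_external_address")
    if URGENCY.search(text):
        reasons.append("urgency")

    return {"hold": "sensitive_request" in reasons, "reasons": reasons}


# Constructed sample: a spoofed request in the shape the IRS alert describes.
SPOOFED_REQUEST = """From: "Jane Doe" <jane.doe@example-mail.net>
To: payroll@example.com
Subject: W-2s needed today

Please send me PDF copies of all employee W-2s immediately.
Thanks,
Jane Doe
CEO, Example Corp
"""

# Constructed sample: an ordinary internal message that should pass.
ROUTINE_MESSAGE = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Thursday meeting

Can we move the Thursday meeting to 2pm?
"""

if __name__ == "__main__":
    for sample in (SPOOFED_REQUEST, ROUTINE_MESSAGE):
        print(triage(sample))
```

A held message is routed to a reviewer who confirms the request in person or over an internal phone number, exactly as the alert recommends; the filter only decides what must not be answered directly from the inbox.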

If Your Company is a Target

If your company is targeted by a W-2 or wire transfer scam, you should report the attack to the IRS without responding to the scammer. Any W-2 scam e-mail can be forwarded to phishing@irs.gov with “W2 Scam” in the subject line. You should also file a complaint with the Internet Crime Complaint Center. For more information from the IRS visit www.irs.gov/identitytheft.

Further, if any inadvertent disclosure of sensitive personal information has been made in connection with this scam, report the incident to the IRS and law enforcement, such as the FBI, as soon as possible. You may also contact McGuireWoods for assistance.  We are currently working with clients to respond to these breaches and are very familiar with the response process, including any state notifications that may be required. We can also assist with reporting to law enforcement and the IRS.

ERISA Advisory Council Issues 2016 Report on Benefit Plan Cybersecurity

Posted in Cybersecurity, Data breach, Employee Benefit Plan Data

“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”

The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.

The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Report’s Objective and Recommendations

The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.

During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:

  • Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
  • Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.

In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.

Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:

  • Whether cybersecurity is a fiduciary responsibility; and
  • Whether state cyber laws are preempted by ERISA.

However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.


Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.

Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.

Existing Cybersecurity Frameworks

The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans.