Header graphic for print

Password Protected

Data Privacy & Security News and Trends

Lessons Gleaned From Recent HIPAA Settlements: An Ounce of Prevention is Worth a Pound of Cure: How Recent OCR Enforcement Impacts Your Transaction Diligence

Posted in Health Information

HIPAA enforcement has been on the rise during the last several years, and the dollar impact of those settlements has continued to grow significantly. The Department of Health and Human Services, Office of Civil Rights (OCR) announced a record number of enforcement actions in 2016, including reaching its largest settlement to date in August 2016 of $5.5 million with an entity that incurred three separate breaches of electronic protected health information (ePHI) over the course of a year. OCR has already announced three (3) enforcement actions only two months into 2017, including its first settlement with an entity for failing to timely report a breach.

Recent statistics support that HIPAA compliance is a risk that should be taken seriously. According to a February 2017 report from Protenus, in 2016, on average there was at least one health data breach per day. More importantly, a Ponemon Institute report notes the average total organizational cost of a breach is about $7 million.  The adage that the lack of robust HIPAA policies and procedures or a failure to conduct the required Security Risk Assessment is “typical” could be a costly and time consuming mistake. Indeed, it’s not just the potential settlement costs that must be considered.  It’s also the going forward cost to implement the corrective action plan that may be required as part of the settlement, which can include the requirement to hire an independent third-party to investigate and assess compliance with the corrective action plan, in addition to requirements to provide annual compliance reports and officer attestations.

What OCR Enforcement Tells Us About HIPAA Diligence

Several recent OCR settlements highlight exactly the issues that frequently come up during the transaction diligence process. Part one of this blog examines a few of the key HIPAA diligence areas and related OCR enforcement action. In part two, we will address how to tackle HIPAA diligence by asking the right questions and consider strategies for risk mitigation.

  1. Business Associate Agreements (BAA) – Missing, Non-Existent or Unsigned BAAs Should Not be Overlooked. HIPAA diligence should include a thorough analysis of BAAs, particularly those for key vendors or vendors handling ePHI. OCR has entered into sizable settlements both with Covered Entities for failing to have BAAs in place and with Business Associates for failing to meet HIPAA requirements. For example, in March 2016, OCR entered into a $1.55 million settlement with a health system that failed to enter into a BAA with a vendor whose employee had an unencrypted laptop stolen from a locked vehicle. In June 2016, OCR entered into a $650,000 with a Business Associate that provided management and information technology services to nursing homes for failure to comply with the HIPAA Security Rule.
  2. Security Risk Assessments (SRA) – Failure to Conduct or Follow Recommendations Identified in a SRA Can be Costly. Don’t forget to inquire about Security Risk Assessments. Under the HIPAA Security Rule, Covered Entities and Business Associates must maintain appropriate technical, administrative and physical safeguards for e-PHI. Issues that frequently arise during the diligence process are (i) failure to conduct a SRA, or (ii) conducting an SRA, but failing to implement remedial action leaving documented vulnerabilities. Several settlements in 2016 and in early 2017 underscore the importance of not only conducting a Security Risk Assessment, but also taking affirmative action to address areas of weakness once an entity is made aware of security gaps. A perfect example is OCR’s January 2017 $3.2 million settlement with a Dallas medical center for failure to comply “over many years with multiple standards of the HIPAA Security Rule.” Significantly OCR noted there was a “failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all laptops, work stations, mobile devices and removable storage media . . .”
  3. Carefully Review Data on a Cloud Server. As technology offers increased convenience many providers have turned to cloud based solutions. In October 2016, OCR issued guidance for HIPAA-covered entities that use cloud computing services for ePHI. Among other things, the guidance requires the use of a BAA with cloud service providers. The guidance also notes that cloud providers are liable for failing to safeguard ePHI. This guidance comes on the heels of OCRs July 2016 $2.7 million settlement with a university that was storing data on a cloud-based server without a BAA in place. Specifically, a stolen laptop computer resulted in the breach ePHI which was being stored on an internet-based service provider without a BAA. In this regard, diligence should include inquiring about steps to ensure compliance with OCRs most recent guidance.
  4. Understand Processes, Don’t Just Check the Policy Box – Fines Can be Assessed for Lack of Timely Breach Notification. Most diligence inquiries ask the basic questions regarding HIPAA breaches; however it is also critical to review a company’s policies and procedures (both on paper and in practice) for reviewing and responding to HIPAA breaches. In January 2017, OCR entered a $475,000 settlement with a provider for failing to notify OCR within the required sixty (60) day timeframe upon discovering a breach affecting more than 500 individuals. While not a large settlement, this settlement is OCRs first enforcement action for failing to follow breach notification requirements. Accordingly, if a provider has experienced HIPAA breach activity, it is important to ask targeted follow up questions to ensure the provider is following all breach notification requirements. When underlying issues are discovered, consideration should be giving to future enforcement and potential penalties. Notably, the breach activity involved in this settlement occurred in October 2013, with notification to OCR occurring in early 2014 and OCRs enforcement action in January 2017. Our next blog post will address various ways to consider the time gap for enforcement activity.

Key Takeaways.  When conducting transaction diligence, it is important to ask questions beyond a standard set of requests for policies and procedures to those that look around corners and assess areas that could result in future fines, not to mention significant headline risks.  In our next blog post, we will examine key diligence questions, data room considerations and potential mitigants to consider when HIPAA issues arise during the diligence process.

Eighth Circuit Undoes Target Data Breach Settlement Class

Posted in Data breach, Litigation

The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in Spokeo v. RobinsThe Eighth Circuit remanded the case to the district court, finding that the lower court did not conduct a rigorous analysis of the record under Rule 23 prior to certifying the settlement class.

The case stems from the 2013 data breach of consumers’ credit and debit card information, which consisted of approximately 110 million Target customers. Following the consolidation of the hundreds of consumer class action lawsuits that followed, the U.S. District Court for the District of Minnesota preliminarily certified a settlement class defined as “[a]ll persons in the United States whose credit or debit card information and/or whose personal information was compromised as a result of the [Target] data breach.”  Under the terms of the settlement, Target was to create a $10 million settlement fund, which would pay class members with documented losses first with the remaining balance distributed to members with undocumented losses.  Class members who suffered no loss from the data breach would not receive any monetary compensation.  Target also agreed to permit an attorney fee award of up to $6.75 million in addition to the $10 million class fund and take on certain improvements in its data security practices.

Prior to final approval, two class members, Leif Olson and Jim Sciaroni, objected to the settlement. Olson alleged that certification of the class was improper due to the intraclass conflict between the named representatives and class members who, like Olson, had not suffered any loss and therefore would not receive any compensation, but would release Target from any claims should the breach someday injure him in the future.  Olson contended that this “zero-recovery subclass” should be certified as a separate subclass with independent representation.

At the final approval stage, the district court did not analyze Olson’s objection. Indeed, the district court refused to reconsider whether certification was proper solely because it had already preliminarily certified the class, stating “[b]ut the Court certified a settlement class in the preliminary approval order, and will not revisit that determination here.”  This outright refusal to consider the propriety of class certification at the final approval stage was the death knell for the case before the Eighth Circuit.

The Eighth Circuit explained that not only do courts have the duty to conduct a rigorous analysis to ensure that Rule 23’s prerequisites are met, but this duty continues throughout the litigation.  In reviewing the district court’s preliminary order, the Eighth Circuit found that it was lacking in legal analysis, concluding that the court’s remarks were “the product of summary conclusion rather than rigor.”  This lack of legal analysis constituted an abuse of discretion and prevented the appellate court from conducting a meaningful review.

The Eighth Circuit highlighted three issues for the district court to consider on remand. First, whether an intraclass conflict exists when class members who cannot claim money from a settlement fund are represented by class members who can. Second, if there is a conflict, whether it prevents the class representatives from fairly and adequately protecting the interests of all of the class members.  Third, if the class is conflicted, whether the conflict is fundamental and requires certification of one or more subclasses with independent representation.

Although these questions are important in any case involving intraclass conflicts, they underscore a problem arising frequently in data breach actions—how should the law treat the compromise of data without any evidence of misuse.  This issue is particularly at the forefront following the Supreme Court’s decision in Spokeo v. RobinsIf class members that suffered no loss from the data breach lack standing under Spokeo, it is unclear whether such a subclass could exist since neither the representative nor its members suffered a concrete injury.  It also poses the question as to whether those members should be included in the class at all.  How the district court analyzes these issues on remand may set the stage for future data breach class actions.

ALERT: Beware of W-2 Scam!

Posted in Data breach, Data Security

Our Data Privacy and Security team is currently assisting multiple clients in responding to nearly identical fraudulent requests for IRS Form W-2 information. Significantly, these clients are in a number of industries and are located in a variety of states, which confirms that this scam is widespread.

IRS Issues Warning About W-2 Scam

Earlier this month, the Internal Revenue Service (IRS) issued a warning that the Form W-2 e-mail phishing scam is circulating again and has grown to include a wider variety of industries this year.

What Is the Scam?

The criminals behind the W-2 phishing scam disguise an e-mail so it appears to be from a CEO or other executive within the company. In fact, some of the request e-mails contain signature lines that are identical to those in legitimate e-mails.  The e-mail is sent to an employee, typically in payroll or human resources, and asks for copies of the Forms W-2 or other sensitive employee information, including social security numbers.

Criminals attempt to get the Forms W-2 before employees have a chance to file their returns. This allows the criminal to file the return first and obtain the refund that should have gone to the employee.

In some cases, the W-2 request is combined with or followed by a request for money to be electronically transferred to third party accounts.

“This is one of the most dangerous e-mail phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.  We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.  The IRS also warns that businesses that were victims last year are receiving scam e-mails again this year.


Never respond to an e-mail that demands the immediate release of sensitive personal information or money without first independently verifying the identity of the sender.  Also, do not call any number supplied in the request e-mail as the form of verification because the criminals have set up phone banks that enable them to continue the ruse.  Instead, be sure to verify the request in person or use an internal phone number to speak directly with the (alleged) requestor.

If Your Company is a Target

If your company is targeted by a W-2 or wire transfer scam, you should report the attack to the IRS without responding to the scammer. Any W-2 scam e-mail can be forwarded to phishing@irs.gov with “W2 Scam” in the subject line. You should also file a complaint with the Internet Crime Complaint Center. For more information from the IRS visit www.irs.gov/identitytheft.

Further, if any inadvertent disclosure of sensitive personal information has been made in connection with this scam, report the incident to the IRS and law enforcement, such as the FBI, as soon as possible. You may also contact McGuireWoods for assistance.  We are currently working with clients to respond to these breaches and are very familiar with the response process, including any state notifications that may be required. We can also assist with reporting to law enforcement and the IRS.

ERISA Advisory Council Issues 2016 Report on Benefit Plan Cybersecurity

Posted in Cybersecurity, Data breach, Employee Benefit Plan Data

Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”

The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.

The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Report’s Objective and Recommendations

The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.

During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:

  • Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
  • Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.

In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.

Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:

  • Whether cybersecurity is a fiduciary responsibility; and
  • Whether state cyber laws are preempted by ERISA.

However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.


Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.

Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.

Existing Cybersecurity Frameworks

The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans. Continue Reading

FTC Cautions Companies on Cross-Device Tracking Disclosures

Posted in Consumer Privacy/FTC

On January 23, 2017, the FTC released a new report outlining its recommendations for companies using cross-device tracking. The report focused on the FTC’s continued commitment to consumer choice, transparency, and security.

What is cross-device tracking?

Cross-device tracking occurs when companies attempt to connect a consumer’s activities across multiple devices. For example, a consumer begins streaming a television show on her computer and then pauses the program. Later when she continues to watch the same program on a different device, the show resumes exactly where she left off.

Generally, cross-device tracking can be categorized into two groups: deterministic or probabilistic. Deterministic cross-device tracking is the most familiar to consumers and requires the consumer to make an affirmative decision to identify themselves on a device. For example, when a consumer logs into a social media account on her smart phone and her laptop. By signing-in, the website identifies the devices as the users. The social media site then uses its functionalities to track the user. Because of this, a search for cooking recipes on a smart phone may led to advertisements on the consumer’s laptop for related cookware and products.

However, companies that use cross-device tracking do not always need consumers to affirmatively identify themselves. Companies that use probabilistic cross-tracking focus on matching IP addresses to determine whether devices are used by the same consumer or household. For example, if multiple devices like a work laptop and a smart phone share the same IP addresses during business hours and non-business hours, the companies infer that the devices belong to the same person and target the person’s advertisement and content accordingly.

What is the FTC’s guidance?

Although companies that advocate for cross-device tracking argue that such programs enhance the consumer experience, in its new report, the FTC stresses that companies must be sensitive to possible consequences for consumers and tailor their practices accordingly.

Specifically, in the report, the FTC noted its concern that companies “do not appear to be explicitly discussing cross-device tracking practices in their privacy policy.” The FTC reminded companies that, under FTC principles, companies must be truthful with consumers. Because of this, the FTC recommended that companies that engage in cross-device tracking disclose the practice and the type of information they are collecting. Failure to provide adequate disclosures, the FTC warned, may violate the FTC Act.

The FTC also stressed the importance of allowing and respecting consumers’ choices regarding what and how their information is being tracked. The FTC reminded companies to be clear on how any opt-out they offer affects cross-tracking. The report also suggested that companies avoid engaging in cross-device tracking on sensitive information such as finances and health data because such information may trigger heightened protections.

Finally, the FTC reminded companies that the FTC Act mandates that companies “maintain reasonable security, in order to avoid future unexpected and unauthorized use of data.” This includes information that may have been gleaned through cross-device tracking. In fact, according to the FTC, companies should be aware that hackers are increasingly targeting this type of data.

What Privacy Counsel Can Learn from the Unclassified Intelligence Report on Russian Activities and Intentions

Posted in Cybersecurity, Data Security

Civilian privacy officers and counsel have a rare opportunity following the publication of the January 6, 2017 report from the Office of the Director of National Intelligence, commissioned by Former President Obama, regarding Russian hacking and influence efforts in “recent US elections”. Insight from the U.S. intelligence community regarding foreign state-actor targets, hacking, and foreign state-actors’ means and methods is typically unavailable to persons responsible for maintaining the privacy of sensitive data in corporate America.  Accordingly, a comprehensive report on a recent hacking using state of the art means, would seem to be a must-read.  Unfortunately, readers of the unclassified version of the report will be disappointed with the absence of detail, and in the end, the report is more useful as a kind of “travel advisory”—a reminder that “there be monsters here,” and that foreign state-actors have and will target not only high profile national group targets, but personal emails and county-level public officials and systems, and the means used will include not only apparent exploitation of network vulnerability, but more plebeian spear-fishing efforts to compromise the unwary.

The report reads much like an expert opinion report familiar to civil litigators, except without the footnotes citing the record. Persons unaccustomed to receiving opinions from the U.S. intelligence community will find explanations of what terms such as “likely” and “high confidence” mean on a numerical and textual scale.  For those definitions alone, the report is worth reading, as it may be a useful dictionary to keep handy for future intelligence community announcements and findings.

Leaving aside the serious political implications inherent in the report, the conclusions that should be of most interest to privacy officers and counsel are that:

  1. Individuals’ private emails as well as the proprietary DNC network were hacked (by means not described) and content was transmitted to DCLeaks.com and Wikipedia by agents of Russian military intelligence;
  2. Not only primary campaigns and campaign individuals were targeted, but U.S. think tanks and lobbying groups were targeted and compromised, and information was only selectively released to serve the hackers’ non-economic purposes;
  3. Guccifer 2.0 is not a single individual, but is instead a fictitious persona that is a front for Russian military intelligence;
  4. Prior to Election Day, when it appeared that Hillary Clinton would prevail, Russian agents were prepared to launch a Twitter hashtag (#DemocracyRIP), ostensibly to foment popular suspicion regarding the election results;
  5. Russian agents obtained access to elements of multiple state and local electoral boards (though not systems involved in vote tallying); and
  6. Immediately following the election, Russian agents began cyber operations such as narrow-target spearfishing campaigns against US government employees and individuals associated with US think tanks, as well as non-governmental organizations involved in national security, defense, and foreign policy, with the goal of using any material obtained for future influence efforts.

There is no description in the unclassified report of the nature of the spearfishing schemes, nor any description of the means by which the DNC proprietary network or state or local electoral boards were compromised. The bulk of the report recounts public statements and actions taken by various Russian state actors and individuals which, in the collective judgment of the CIA, FBI, and NSA, establish that the hacking and influence efforts were motivated by, originated in and directed by Russia specifically to influence the election in favor of one candidate over the other.Privacy officers and counsel seeking guidance about what systems to secure, or seeking to determine where specifically to shore up their systems and protocols to fend off a future foreign state-actor cyberattack, will not find it here. As a result, officers and counsel can treat this report as a “travel advisory,” reminding them that employees using personal emails remain at great risk, that spearfishing schemes are alive and well and continue to be a prime source of intelligence for sophisticated hackers, and that anyone who has intelligence that could be of use to the government in the future is a potential (and perhaps even current) target.

Cybersecurity and Privacy Trends That May Impact Your Company in 2017

Posted in Data Security, Other, Privacy

Throughout the past several years, data privacy and security practices have evolved into more than just defending against identity theft and protecting sensitive data. In fact, since 2014, to help raise awareness for data protection issues, the United States designated January 28th as Data Privacy Day.  In recognition of this internationally observed day, over the next eight weeks, our Data Privacy and Security team will examine eight of the most significant data privacy and security trends and how they may impact your company.

Week 1: The Relentless Progression of Malware

The internet has been plagued by malware since inception. But in 2016 several new forms of malware emerged.  Spear phishing is one common form that involves targeting a specific victim. Another is angler phishing, which involves a fake customer-support account that purports to “help” customers, but actually steals their information.  Perhaps the most malicious technique, certainly the fastest growing, is ransomware. Ransomware holds victims’ data hostage until the hacker is paid money.  Despite the growing awareness of ransomware, it remains a highly effective revenue generating tool for hackers. In fact, it is evolving into new strains, including a form in which the victims are offered the decryption key in exchange for forwarding the virus to new potential victims.  “To pay or not to pay” is indeed the question, and the answer often raises as many concerns as it does solutions.

Week 2: Data Privacy Litigation: Changes in the Liability Standard

There were several significant developments in data litigation in 2016.  Chief among them was the U.S. Supreme Court ruling in Spokeo, Inc. v. Robbins.  Spokeo held that a procedural violation of a statutory requirement, absent concrete harm, does not establish injury-in-fact.  Since then, courts have struggled to consistently interpret and apply this standard in class action data privacy cases.  In 2017, we expect courts around the country will continue to grapple with this standard, particularly as theories of harm continue to evolve. In addition, changes at the Supreme Court and new input into plaintiffs’ attempts at “no-injury” classes could further impact the landscape of data privacy class action litigation.

Week 3: Financial Services Sector

Beginning in January 2016, the Securities and Exchange Commission announced that the Office of Compliance Inspections and Examinations (OCIE) would focus on security protocols implemented by financial firms to protect against cyberattack. That began a long year of financial industry focus on data privacy and security issues.  More recently the New York Department of Financial Services (DFS) proposed the first cybersecurity regulations that would require financial institutions to adopt minimum cybersecurity standards. Shortly thereafter G-7 financial leaders agreed to a set of best practices in the financial industry. Other developments in the industry include:

And all of this is in addition to existing standards and laws, such as the Gramm-Leach-Bliley Act. As the financial industry navigates through these various guidelines and requirements in 2017, it will be interesting to see how these standards will be interpreted, whether a uniform standard evolves, and what impact these standards may have on data protection efforts in other industries.

Week 4: Big Data

The amount of consumer data that is being collected and used is greater than ever. As companies adjust privacy policies and respond to increased consumer and regulatory scrutiny, they are constantly working to protect information and respect consumer choices while still monetizing consumer data. Information governance has quickly become the best way for a business to safeguard data and limit liability. With the development of new mobile applications, artificial intelligence platforms, and cloud data processing systems, Big Data analytics will continue to provide valuable information that must be appropriately harnessed and protected.

Week 5: Mergers and Acquisitions

By the end of 2016, the seemingly endless stream of data breaches made security incidents appear normal, almost predictable. But when Yahoo released statements concerning two separate data breach incidents, affecting more than one billion users, the potential consequences for the company extended far past the norm. Yahoo’s announcement came in the midst of negotiations of a multi-billion dollar sale.  In light of Yahoo’s previously unknown data privacy and security issues, the transacting parties must now determine the impact these incidents will have on the deal.  The lesson here is this: before any terms are finalized, both seller and buyer should engage in thorough data privacy due diligence in order to fully understand the target’s privacy and security risk profile.  This includes an analysis of the target’s information security and governance programs, as well as information relating to known security incidents and vulnerabilities, disputes and enforcement actions.  Engaging in appropriate due diligence from the outset could dramatically change the structure of the deal, as well as the value of the transaction.  Security and privacy issues must also be considered during the negotiation of the transaction documents themselves, particularly with respect to representations and warranties, limitations of liability, indemnification obligations and closing conditions.

Week 6: Critical Infrastructure

The systems that support telecommunications, transportation, water, electricity and other critical networks are at substantial risk of being compromised by a far-reaching cyberattack. For example, since 2015, Ukraine’s power grid has been shut down twice by hackers, leaving thousands without heat during the snowy winter.  Cognizant of this impending threat, both President Obama and President Trump have examined national cybersecurity and how it impacts critical infrastructure. Likewise, roughly one week into the new year, the National Institute of Standards and Technology (NIST) released draft revisions to the “Framework for Improving Critical Infrastructure Cybersecurity” to help clarify and enhance the 2014 version. Going forward, securing critical infrastructure will depend largely on safeguarding the devices that manage those systems.  These devices and the interconnected manner by which they utilize and drive digital communication are known as the internet of things (IoT).  Attacks on the IoT, including medical devices, the healthcare industry, and the internet itself were front and center in 2016. The government and private sector alike must come together in 2017 to combat these imminent and pervasive threats.  For example, to help incentive companies to secure devices and avoid attacks, the Federal Trade Commission recently announced a competition to award up to $25,000 to anyone who creates a solution for securing outdated IoT devices.

Week 7: Safe Harbor Out, Privacy Shield In

In the midst of the summer heat, the European Commission officially adopted the U.S. Privacy Shield as an adequate framework for data transfers between the EU and those U.S. companies who self-certify their compliance with the Privacy Shield. The Privacy Shield replaces and updates the previous Safe Harbor framework which was invalidated by the European Court in 2016. While President Trump’s recent Executive Order, Enhancing Public Safety in the Interior of the United States, may call into question the effectiveness of the Privacy Shield, the US and the EU must continue to collaborate in order to determine the best way to permit and facilitate data transfers. There are also outstanding data implications resulting from BREXIT that will likely affect the UK-EU-US data privacy relationship. While we do not yet know what the post-BREXIT UK-EU relationship will resemble, if the UK also decides to leave the European Economic Area it would no longer be an automatically “safe” destination for EU personal data and so may need to adopt its own UK Privacy Shield in order to receive personal data from the EU. Additionally, the EU’s General Data Protection Regulation (GDPR) will continue to impact business decisions in 2017.  In fact, one study found that 28,000 data protection officers will be needed in order to comply with GDPR. The GDPR will not only impact EU companies, but any non-EU company processing the personal data of individuals in the EU to offer goods or services, or to monitor their behavior. In light of the significant new fines imposed on organizations who breach the GDPR, businesses are well advised to be undertaking their compliance efforts now to be ready for the May 2018 deadline.

Week 8: National Cybersecurity Concerns

This list would not be complete without a mention of the cybersecurity challenges President Trump will face during his administration. Recently, Trump announced that Rudy Giuliani will serve as a cybersecurity advisor helping to bridge the gap between the government and private sector. Tom Bossert will also serve as an adviser on national security, terrorism and cybersecurity and will be equal in status to incoming national security adviser and former Army Lt. Gen. Michael Flynn. Bossert currently works as a private consultant on homeland security matters and formally worked in the Bush administration as a deputy homeland security adviser.  Bossert, who previously held a position with the Small Business Administration, said this about his new position:

We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.

Bossert’s mention of the private sector comes as no surprise. The Trump administration will likely seek to ensure that any protection the government offers citizens in the form of new regulations will be balanced by strong support of technological innovation, free market enterprise and national security.

Insurance Coverage for Lost Profits Arising from Cyber Attacks on the U.S. Power Grid

Posted in Cyber Insurance

The Washington Post reported last week that Russian hackers had penetrated the U.S. utility grid through Burlington Electric Department, a Vermont utility. Although the utility later clarified that the attacked computer was not connected to the grid and that the connection to Russia was not confirmed, hundreds of news sources picked up the story, demonstrating the widespread concern over cyber intrusions into our electric grid.

The United States electricity grid is critically important to our lives. The “grid” is vulnerable to not only weather-related power outages but also to cyberattacks.  The most likely path for a hacker into a utility is through a utility’s control systems, which almost always are connected to the internet.  The connection between the control systems in any piece of equipment or device and the internet is called the “Internet of Things.”

A shutdown in service by a utility by a cyberattack could produce dire economic consequences to both small and large businesses. It is therefore essential that businesses try to manage this business interruption risk, and because the risk is outside of a business’s control, insurance is the best (and possibly only) tool to use.

Cyber Attacks on Utilities – Frequency and Potential Impact

Electric utilities experienced a spike in cyberattacks in 2016, according to a survey by Tripwire, a cyber security firm. Seventy-five percent of the information technology workers surveyed reported that their companies in the oil, natural gas and electricity sectors had experienced at least one successful cyberattack in the past twelve months, meaning intruders were able to breach one or more firewalls or other protections.

Cyber hackers have successfully shut down electric utilities in the past. FireEye, another digital security firm, reported that in December 2015, Russian-nexus actors attacked several Ukrainian utilities causing blackouts in several regions.  The hackers used malware inserted through the connections between the utilities’ industrial control systems and the internet to gain access to their computer systems.  The hackers then shut down circuit breakers at multiple substations, cutting off power to over 230,000 homes and businesses.

Impact of an Attack on the U.S. Electricity Grid

A cyberattack on the United States electricity grid could result in both property damage at the utility and a significant impact to customers. As they did in the Ukraine, hackers could use malware inserted through the Internet of Things to gain access to computer systems at a utility.  Then, hackers could cause electric generators to overload and burn out, resulting in fires and explosions.  Alternatively, the perpetrators could simply shut down utility substations.    Regardless whether a cyberattack results in property damage at the utility, the resulting losses to utility customers could be in the billions.  A 2014 Federal Energy Regulatory Commission analysis revealed that successful attacks on just nine of 55,000 U.S. power-grid substations could cause nationwide blackouts for weeks, if not months.

Insuring Against Cyber Attacks on Utilities

     Coverage Available Under Traditional Property Policies

Business interruption (“BI”) coverage protects against lost profits resulting from property damage to the insured’s property. Standard property insurance policies include coverage for lost profits arising from a covered event at an up-stream supplier.  This is called “contingent” BI coverage.  Many policies also include “service interruption” coverage, which is a type of contingent BI insurance insuring lost profits arising from damage to an electric utility’s property causing an interruption in the utility’s service.

Coverage under traditional property insurance policies for lost profits arising from a cyberattack on a utility may be limited. Standard property insurance policies require direct physical loss to property at the utility in order to trigger coverage for business interruption to a downstream power customer.  Many courts have held that damage to data is not a “direct physical loss.”  Moreover, property policies typically exclude coverage for losses arising from damage to or destruction of electronic data.  Therefore, unless the cyberattack on the utility causes an explosion or a fire – physical loss to property – standard property insurance policies may not provide coverage for lost profits arising from a utility shut down.

     Coverage Available Under Cyber Policies

Because traditional property policies may not provide BI coverage for a cyberattack on an electric utility, policyholders should consider cyber insurance. Cyber insurance policies provide coverage for a variety of cyber risks, including the type of malware that a hacker might use to attack an electric utility.  Recently, many carriers have broadened cyber insurance offerings to include contingent BI coverage that would protect against lost profits arising from a utility shutdown initiated by a hacker.  Because breaches to the U.S. electrical grid pose such a widespread risk, however, insurers typically limit this coverage in a number of ways.  These limitations include reducing the duration of the coverage, setting waiting periods of up to 60 days before the coverage applies, and adding exclusions.

One key exclusion that could apply to an attack on a utility is the terrorism exclusion. These exclusions bar coverage for losses arising from acts committed “for political, religious, ideological or similar purposes including the intention to influence any government and/or to put the public, or any section of the public, in fear.”

An attack on the U.S. electrical grid would generate intense focus on the source of the attack and whether it had a political, religious, or ideological purpose. Moreover, as the recent debate concerning the Russian attacks on the Democratic National Committee demonstrates, it is difficult to identify with certainty the source of a cyberattack.  Therefore, disputes over the application of terrorism exclusions likely will arise following an attack on a utility.

Best Practices

Businesses should carefully evaluate their existing property insurance policy to determine whether it provides coverage for lost income arising from the interruption of electrical power arising from a cyberattack on a utility. Coverage under traditional property forms may be limited, however.  Insureds also should review their cyber insurance policy to assess the scope of BI coverage offered there.  Even if the policy provides such coverage, it is important to review the applicable sublimit, duration of coverage, waiting period, and exclusions to assess how broad the coverage truly is.  If the coverage limitations are significant, keep in mind that in today’s cyber insurance market, many policy terms are negotiable.  Furthermore, because the cyber insurance market is still rapidly developing, insureds should be sure to carefully compare their existing policy with other policies that may be available in the market at renewal time.  Working with counsel and an insurance broker, businesses may be able to negotiate changes to the carrier’s proposed language to expand the coverage available for this very important and potentially catastrophic risk.

Data Privacy Class Actions Post-Spokeo

Posted in Data breach, Data Security, Litigation

Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. As the year comes to an end, it is clear that Spokeo has undoubtedly had an impact on class actions involving data privacy.

Procedural Violations of Data Privacy Statutes Do Not Satisfy Article III Following Spokeo

Given that many data privacy statutes provide for statutory damages and attorneys’ fees, they have become prime targets for class action attorneys. The class action claims, however, typically stem from technical or procedural violations of these statutes without any actual harm suffered by the plaintiffs, subjecting these lawsuits to fresh attacks following Spokeo. The various Courts of Appeals that have faced such challenges in data privacy actions in the wake of Spokeo have consistently found standing lacking under Article III.

Most recently, on December 13, 2016, the Seventh Circuit examined Spokeo in the context of the Fair and Accurate Credit Transactions Act (FACTA) in Meyers v. Nicolet Restaurant of de Pere, LLC.  FACTA prohibits businesses from printing more than the last five digits of a customer’s credit card number or the expiration date on a receipt, providing a private right of action with statutory damages up to $1,000 for any violation. In Meyers, the plaintiff alleged that a restaurant violated FACTA by printing the expiration date of his credit card on his sales receipt. In analyzing whether the plaintiff suffered a concrete harm in accordance with Spokeo, the Court noted that the plaintiff discovered the violation immediately, nobody else saw the non-compliant receipt, and thus it was “hard to imagine” how the expiration date could have increased the risk that the plaintiff’s identity would be compromised. Accordingly, the Court held that the plaintiff failed to establish any concrete harm, nor any appreciable risk of harm, to satisfy the injury-in-fact requirement for Article III standing under Spokeo.

The D.C. Circuit similarly held that a data privacy class action could not even “get out of the starting gate” with respect to standing following Spokeo. The plaintiffs in Hancock v. Urban Outfitters, Inc. alleged violations of D.C.’s Use of Consumer Identification Information Act, which prohibits retailers from asking for a customer’s address in connection with a credit card transaction. The Court held that the plaintiffs failed to allege that they suffered any cognizable injury as a result of defendants requesting their zip codes, noting that the plaintiffs did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury.  Instead, the claim rested upon a bare violation of the statute—the very theory of standing that the Supreme Court rejected in Spokeo.

These cases suggest that purely technical violations of data privacy statutes will not satisfy the injury-in-fact requirement under Article III’s standing analysis after Spokeo.  Instead, plaintiffs will need to show that a violation caused harm, likely through the actual disclosure to a third party or some evidence of emotional injury.

Data Breaches Likely Satisfy Article III Standing

Spokeo, however, has had less of an impact on standing in data breach class actions. This is because, as the Supreme Court in Spokeo acknowledged, an alleged violation of a procedural statutory right can establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Sixth Circuit recently held that a data breach creates a sufficient “risk of real harm” to satisfy Article III. In Galaria v. Nationwide Mutual Insurance Company, some hackers allegedly broke into an insurance company’s computer network and stole personal identifying information of the customers. The plaintiffs brought a class action alleging violations of the Fair Credit Reporting Act for the company’s alleged failure to adopt procedures to protect against the wrongful dissemination of its customers’ data.  In evaluating standing, the Court found that where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes—creating a “risk of real harm” to support standing. The plaintiffs also alleged that they had to expend time and money to monitor their credit, check their bank statements, and modify their financial accounts because of the data breach. Thus, in addition to the substantial risk of harm, the plaintiffs had reasonably incurred mitigation costs sufficient to establish standing under Article III.

Looking Ahead to Future Standing Challenges

Cases involving data privacy claims arguably have seen the greatest impact from the Supreme Court’s ruling in Spokeo.  Although the line drawn between standing and the absence of standing seems clear at the moment, plaintiffs’ attorneys are sure to create new theories of harm to attempt to satisfy Article III’s standing requirement.

Obama’s National Cybersecurity Recommendations to Trump

Posted in Cybersecurity, Data Security, Legislation

On December 1, 2016, the Commission on Enhancing National Cybersecurity (Commission)—established ten months earlier by President Obama—released its Report on Securing and Growing the Digital Economy (Report).  The 50-page Report includes six major imperatives with 16 recommendations and 53 associated action items to improve national cybersecurity. The Commission is a non-partisan panel comprised of 12 members from various industries, including Uber, Microsoft and U.S. Cyber Command.

The Commission’s Recommendations

The six major imperatives, as they appear in the Report, are to:

  • Protect, defend, and secure today’s information infrastructure and digital networks;
  • Innovate and accelerate investment for the security and growth of digital networks and the digital economy;
  • Prepare consumers to thrive in a digital age;
  • Build cybersecurity workforce capabilities;
  • Better equip government to function effectively and securely in the digital age; and
  • Ensure an open, fair, competitive, and secure global digital economy.

These recommendations are directed to the next administration. The Report states, “[t]he Commission considers this report a direct memo to the next President” and suggests that most of the recommendations should begin within the Trump’s first 100 days in office.

The Report calls for increased industry and government information sharing, more guidance on cybersecurity best practices and increased consumer education on the issues. To implement those principles, the Report details what agencies should be involved and provides a timeline for the President-elect. For example, the Report states that:

“[t]he Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT (Internet of Things) devices and provide recommendations within 180 days.”

Other recommendations include:

  • Initiating a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020;
  • Developing a standard template for documents to inform consumers of their cybersecurity roles plus creating a “Consumer’s Bill of Rights and Responsibilities for the Digital Age”;
  • Appointing an Ambassador for Cybersecurity within the first 180 days; and
  • Increasing funding for cybersecurity across the federal government.

Incorporating the Report into Trump’s Cybersecurity Plan

While the Report is directed to the Trump administration, it is unclear if the President-elect will incorporate the Commission’s recommendations. During the campaign Trump outlined a cybersecurity plan that focused on defensive and offensive strategies. Trump’s campaign outline, however, did not include the level of detail that the Report provides. Some of the Report’s recommendations are similar to items in Trump’s plan.  For example, the Report suggests appointing an Assistant to the President for Cybersecurity, while Trump’s campaign plan included a proposal to create a Cyber Review Team to evaluate vulnerabilities in critical infrastructure.

One major vulnerability in cybersecurity infrastructure is the capability to shut down internet service companies. In response to the October attack on Dyn, several legislators have called for safeguards to protect internet security.  Senator Mark Warner, for example, released a letter from FCC Chairman Tom Wheeler in which Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. Wheeler, who will step down as chairman once President-elect Trump is inaugurated, said the FCC’s Advisory Committees should develop a “device cybersecurity certification process.” This certification process would attempt to prevent attacks like the one Dyn experienced.

But the President-elect, who said that for every new regulation, two old regulations must be eliminated, may not be quick to follow any recommendation leftover from the Obama administration, especially if it requires new regulatory action. If Trump chooses not to follow the Report’s recommendations, he will undoubtedly be expected to release an exhaustive national cybersecurity plan shortly after taking office.