2018 Best Legal Blog Contest - Click to Vote

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds.  In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.

Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures. Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement

2018 Best Legal Blog Contest - Click to Vote

Effective October 1, 2018, Connecticut has the most stringent requirement—24 months—for free mitigation services that must be provided to those affected by a data breach of personally identifiable information (in the case of Connecticut: (A) Social Security number; (B) driver’s license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account).

With a new high-water set, it is likely that other states will quickly follow suit.  In the meantime, for entities that are responding to a multi-state data breach that includes Connecticut, there will now be a business decision of whether or not to offer 24 months of services to all affected individuals regardless of state law requirements (some of which are silent and the rest of which require 12 months of services).

2018 Best Legal Blog Contest - Click to Vote

CA IoT Cybersecurity Bill Heads To Governor’s Desk
The bill (SB-327), if signed by Gov. Brown, will take effect on January 1, 2020. It is aimed at securing connected devices. The bill states that, “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.”

House Approves Financial Sector Data Breach Bill
On Sept. 13 the House Financial Services Committee approved bill (H.R. 6743) to create a national data breach notification standard for the financial sector. The bill would amend the GLBA and preempt state law for institutions covered under the financial services law.

Department of Commerce Launches Collaborative Privacy Framework Effort
NIST announced it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. NIST will hold a public workshop on Oct. 16, 2018, in Austin, Texas—in conjunction with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018.

Upcoming Events:

McGuireWoods HIPAA Webinar Series: September 24, 2018 
This webinar will examine the application of HIPAA to the ever-growing array of mobile health applications and devices, with an emphasis on the design and security implications of such devices.

NIST has published Special Publication (SP) 1800-5, “IT Asset Management” to help financial service companies monitor and manage IT assets.  According to the release:

“The example solution…gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.”

A copy of the SP can be found here.

The convergence of the General Data Protection Regulation and the investigation into Russian interference in the 2016 election has created a perfect privacy storm. Social media platforms’ complacency on this front, and the resulting public backlash, have further amplified the pressure on legislatures to react.  Although state legislatures have been quick to do so (most notably California, which passed a sweeping new privacy law in June), Congress has not.

Recently, Senator Mark Warner (D-VA) issued a draft white paper proposing 20 policy approaches to combat these issues.  The proposals seek to enhance user privacy, increase transparency, and dam the deluge of misinformation that, to date, has run through social media platforms largely unchecked.

Continue Reading Warner White Paper Floats Far-Ranging Privacy Proposals

CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.

CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.” Tom Sawanobori, SVP and Chief Technology Officer at CTIA states that, “[t]he IoT Cybersecurity Certification Program harnesses CTIA’s network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world.”

According to CTIA, the Cybersecurity Certification Program is built upon NTIA and NIST IoT security recommendations. The Program will begin accepting devices for certification testing in October 2018.

More information about the Cybersecurity Certification Program can be found here.

On August 14, 2018, President Trump signed into law S. 770, the “NIST Small Business Cybersecurity Act.”  This Act requires the National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks. The Act states that the resources should be:

  • “Generally applicable and usable by a wide range of small business concerns;
  • Vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
  • Include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
  • Include case studies of practical application;
  • Technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
  • Based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980.”

The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.

The U.S. Treasury recently released a report identifying improvements that would support nonbank financial institutions but also embrace innovation and technology.  Among other things, the report recommends the creation of a national data breach notification standard and the development of effective national and international Fintech policies, including Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) efforts.

In addition to the aforementioned, the report outlines roughly 80 suggestions meant to:

• “Embrace the efficient and responsible use of consumer financial data and competitive technologies;
• Streamline the regulatory environment to foster innovation and avoid fragmentation;
• Modernize regulations for an array of financial products and activities; and
• Facilitate ‘regulatory sandboxes’ to promote innovation.”

A copy of the report can be found here.

This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise