It seems that most employees and plan participants “think” their retirement money and data are not at risk. This is due, in part, to the fact that:

  • there are few published incidents of breaches or potential hacks;
  • there has not been a single legal decision involving a cybersecurity breach and a retirement plan; and
  • there is no comprehensive federal regulation that protects qualified retirement plans and service providers.

This blog discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.

Continue Reading Cybersecurity & Retirement Plans

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD arose from a 2008 security incident in which a LabMD employee downloaded a program that exposed customer information over the internet. Although customer harm was never shown by the FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine whether the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

Continue Reading FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement

The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.

Continue Reading Don’t Neglect Physical Safeguards as Part of HIPAA Security Compliance

After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Continue Reading Retailers, Consent and the GDPR: Is Your Business in Breach?

A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.” White hat hackers usually present their skills as benefiting their clients and broader society. They may be reformed black hat hackers or may simply be knowledgeable of the techniques and methods used by hackers. However, white hats have been known to offer broader hacking services, such as information gathering about persons or entities at odds with those hiring the white hat. Ethical hackers have been compared to digital versions of private investigators or investigative reporters.

In considering whether to engage a white hat hacker, there are a number of precautions that a company should take to increase the likelihood that the white hat will be credible, professional and ethical and only engage in lawful activities during the course of the engagement.

Credibility. Consider existing relationships, references and certifications. For example, the EC-Council offers a Certified Ethical Hacker accreditation. Many large consulting firms provide ethical hacking services. References from trusted peers are also extremely important.

Background Check. Conduct a thorough background check. Although the white hat may be affiliated with a reputable consulting firm, verify his or her experience and credentials and investigate possible criminal history. Do not assume that what the hacker tells you is true.

Engagement Letter. Have the hacker sign an engagement letter or similar contract that clearly defines the engagement, prohibits any illegal or unethical conduct, and addresses liabilities, indemnification and remedies where appropriate. Specify the hacking methods that are and are not acceptable and which information systems, networks and data may be accessed. Require the hacker to provide proof of adequate professional liability insurance.

Confidentiality Agreement. Require the hacker to sign a confidentiality or non-disclosure agreement that strictly prohibits the use or sharing with others of any information gathered as part of the engagement and that specifies the penalties for violation or references penalties set forth in the primary agreement.

Oversight. Monitor the hacker’s activity and be on the lookout for any suspicious activity—both during and after the white hat’s work. Ensure that the hacker remains within the scope of work defined within the engagement letter. If the scope of work changes, revise the engagement letter accordingly. Keep in mind that access to information systems presents opportunities to set conditions for future remote access or other unauthorized, nefarious activities.

Work Product. Consider the desired work product that will be developed over the course of the white hat’s engagement and whether the white hat should report to the General Counsel or outside counsel to protect privilege. In order for the results to be admissible in evidence in civil litigation, the white hat must be willing to submit a signed affidavit that describes under oath the results of the investigation, and possibly to testify. Not every white hat makes a good witness.


As previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks last month. However, it is unclear what, if any, impact the new guidance will have on the rate of SEC enforcement actions in the coming months.

According to a recent study by the NYU Pollack Center for Law & Business and Cornerstone Research, SEC enforcement actions significantly declined last year when compared with 2016. In fiscal year 2016, the SEC brought 92 enforcement actions against public companies and their subsidiaries. In fiscal year 2017, SEC enforcement declined by thirty-three percent, with the SEC filing 62 enforcement actions against public companies and their subsidiaries. Of the 62 enforcement actions, the SEC filed only 17 in the second half of fiscal year 2017. This was the largest semiannual decrease for a fiscal year since the Securities Enforcement Empirical Database (SEED) began collecting data in 2010. Similarly, total monetary settlements declined from $1 billion over the first half of fiscal year 2017 to $196 million in the second half of the year.

The timing of the decline suggests that the Trump Administration may be reining in regulatory enforcement. However, despite the empirical slowdown, Stephanie Avakian and Steven Peikin, the co-directors of the SEC’s enforcement division, deny that there has been any directive from the Trump Administration to slow the enforcement arm of the SEC. In fact, during the annual American Bar Association white collar conference, the co-directors cautioned that more enforcement actions—especially related to cybersecurity—may be on the horizon. Indeed, the SEC’s new cybersecurity guidelines, coupled with the creation of the SEC Cyber Unit at the end of fiscal 2017, will give the SEC new tools to combat cyber-related misconduct in 2018.

The one-year transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expired on March 1, 2018. Financial services companies that are regulated by NYDFS now face additional requirements for assessing, monitoring, testing and reporting on the integrity and security of their information systems and the overall effectiveness of their cybersecurity programs.

Overview of New York Cybersecurity Regulations

The NYDFS cybersecurity regulations became effective on March 1, 2017, and the initial 180-day transitional period expired on August 28, 2017. The regulations that took effect last year require all covered entities to implement a cybersecurity program that identifies and protects against cybersecurity risks and adopt comprehensive policies and procedures for the protection of the company’s information systems and nonpublic information. The cybersecurity regulations apply to any organization operating under or required to operate under a NYDFS license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Click here for more information about the requirements of the regulations that took effect last year.

Additional Actions Required to Achieve Compliance

On March 1, 2018, additional requirements under the cybersecurity regulations took effect. In addition to the requirements that took effect last year, covered entities that are subject to the cybersecurity regulations must implement the following additional cybersecurity measures: Continue Reading New York Cybersecurity Regulations: Additional Testing and Reporting Requirements Take Effect

Last week, as previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks. The release of this guidance underscores the SEC’s intent to prioritize cybersecurity compliance in 2018. The SEC may bring action against boilerplate cybersecurity disclosures that are not specifically tailored to address unique industry challenges. Companies should review and amend current policies and procedures to ensure legal compliance with the updated guidance and mitigate the risk of regulatory enforcement action. This includes companies that are subject to material cybersecurity risks but have not yet suffered a cyber-attack.

Prior SEC Cybersecurity Initiatives

Historically, the SEC has focused its cybersecurity efforts on protecting consumer information by conducting thorough risk assessments and evaluating vulnerabilities. For example, since 2014, the Office of Compliance Inspections and Examinations (OCIE) has made cybersecurity a top priority by reviewing the effectiveness of various cybersecurity programs. In 2015, the SEC announced enforcement actions against companies for lax cybersecurity policies that failed to safeguard consumer information. And in 2017, during the WannaCry ransomware attack, the SEC issued an alert to broker-dealers, investment advisers, and investment companies reminding them to address cybersecurity risks. Similarly, the Financial Industry Regulatory Authority (FINRA) continues to treat cybersecurity as a top priority and recently, through its exam findings report, detailed effective cybersecurity program practices.

Cybersecurity Policies and Procedures

The release of updated guidance makes it clear that going forward the SEC will more closely examine cybersecurity risk disclosure policies and procedures and bring action against those companies that fail to comply with the guidance. In addition to expanding upon topics from the 2011 guidance, such as associated costs and the likelihood of litigation, the 2018 guidance addresses two new areas: (1) cybersecurity policies and procedures and (2) cybersecurity insider trading prohibitions. The guidance emphasizes the importance of establishing policies and procedures that manage the disclosure of “material cybersecurity risks and incidents in a timely fashion.”

The guidance states that when determining disclosure obligations, companies should avoid “generic cybersecurity-related disclosures” and consider:

  1. the potential materiality of any identified risk;
  2. the importance of any compromised information; and
  3. the impact of the incident on the company’s operations.

In order to determine the “materiality” of a cybersecurity risk, companies should analyze:

  1. the nature, extent, and potential magnitude of the risk; and
  2. the potential harm that could occur including reputational harm, financial challenges, customer and vendor relationships, as well as possible litigation or regulatory actions.

Insider Trading

Although the SEC did not mention any specific data incidents, recent breaches likely played a part in the issuance of the new guidance. The SEC used the new guidance as a reminder to adopt policies and procedures that prevent corporate insiders from trading on material nonpublic information regarding a cyber incident before public disclosure of the incident. This is not the first time the SEC has scrutinized insider trading. In 2015 the SEC announced a $30 million settlement with Ukrainian-based Jaspen Capital Partners Limited and CEO Andriy Supranonok over allegations that they made financial gains by trading on non-public corporate news releases that were hacked from newswire services. The SEC continues its focus on insider trading in the 2018 guidance, stating that when there is “selective disclosure of material nonpublic information related to cybersecurity,” companies must ensure the material information is disclosed to all investors at the same time and is therefore compliant with Regulation FD. The guidance goes on to state that companies should also avoid the mere appearance of improper trading that may occur “during the period following an incident and prior to the dissemination of disclosure.”

SEC Cybersecurity Certification

In addition to insider trading, the 2018 guidance states that disclosure controls and procedures should ensure that relevant cybersecurity risk and incident information is reported to management so that they may make required certifications and disclosure decisions. The inclusion of this concept is unsurprising given the 2014 speech by SEC Commissioner Luis A. Aguilar, in which he said that “ . . . ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The 2018 guidance expands on that point and specifically references different disclosure certifications that executive management should consider when assessing the adequacy of procedures for identifying cybersecurity risks. For example, certifications made pursuant to Exchange Act Rules 13a-14 and 15d-14, as well as Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F, are made on a quarterly and annual basis by upper management and require certification regarding the design and effectiveness of disclosure controls and procedures. When certifying cybersecurity effectiveness pursuant to the aforementioned rules, the guidance states that certifications and disclosures should consider:

  1. if there are sufficient controls and procedures for identifying cybersecurity risks and incidents;
  2. if there are sufficient controls and procedures for assessing and analyzing the impact of the incidents; and
  3. if cybersecurity risks or incidents threaten “a company’s ability to record, process, summarize, and report” required information, then management should determine if “there are deficiencies in disclosure controls and procedures that would render them ineffective.”

As the number of cyber-attacks has increased, so has the SEC’s interest in comprehensively regulating cyber risks. If your company has suffered a small attack that does not meet the criteria for materiality, the incident still may need to be reported to the SEC because the company may be a target for high-profile hackers or state agents. Further, if your company suffers a cyber-attack of any size, the guidance states that you may need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events. It goes on to provide that “past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure.” But even if your company has not suffered a cyber-attack, the SEC expects that your company has adopted and implemented written cybersecurity policies and procedures that protect consumer information, limit insider trading and properly manage cybersecurity risk disclosure.

As noted in our previous post, in contrast to the Democratic commissioners, Chairman Jay Clayton stated that he believes the guidance will “promote clearer and more robust disclosure” and that he “urge[s] public companies to examine their controls and procedures.” For example, when disclosing significant risk factors pursuant to Regulation S-K and Form 20-F, the guidance suggests that companies should consider the following:

  1. the occurrence of prior cybersecurity incidents, including severity and frequency;
  2. the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  3. the costs associated with maintaining cybersecurity protections; and
  4. existing or pending laws and regulations that may affect the requirements.

While the guidance does not specifically propose new cybersecurity regulations, it does provide a new focus for the agency as well as additional detail regarding previously articulated issues. Company counsel and executive management should closely examine their disclosures, as well as their overall cybersecurity risk disclosure policies and procedures, to determine if they are compliant with this new SEC guidance.

The increasingly popular use of biometric authentication technology by employers as a means of tracking employee data, including for timekeeping purposes, can create liability. Biometric data generally consists of an individual’s physical characteristics and the associated technology used to aggregate this data. Biometric data can include fingerprints, DNA, voiceprints or facial recognition technology. This futuristic means of tracking individuals has its benefits in terms of employee time management (e.g., in lieu of traditional punch cards), providing access to a secure facility, or other authentication purposes. But it also has its pitfalls.

Several states have proposed or enacted legislation protecting individuals’ privacy rights in the collection of their biometric data. Illinois led the pack by enacting the Illinois Biometric Privacy Act (“BIPA”) in 2008, which requires businesses that collect biometric data to: (1) provide written notice to the individual of the collection; (2) inform the individual of the length of time for which the biometric identifiers are being collected, stored, and used; and (3) obtain express, written consent from the individual prior to collection. Employers and other private entities must also exercise a reasonable standard of care in handling biometric data.

BIPA creates a private right of action for individuals aggrieved by a statutory violation, and violations can create substantial exposure to an employer, including liquidated damages, attorneys’ fees, costs, and/or injunctive relief.  Since enactment of BIPA, similar legislation has been either enacted or proposed in other states including Texas, Alaska, Connecticut, Montana, New Hampshire, and Washington.

The privacy litigation landscape – particularly in the employment context – has already seen an evolution as a result of these laws designed to protect biometric information, with an uptick in litigation between 2015 and 2017. In one example, in October 2017, a rehabilitation center in Illinois called Paramount of Oak Park Rehabilitation & Nursing Center LLC was slapped with a BIPA-violation lawsuit for requiring employees to scan fingerprints twice daily as a means of clocking in and clocking out. The complaint filed in Cook County, IL calls this practice “invasive” and states:

Unlike a Social Security number, which can be changed, no amount of time or money can compensate [workers] if their fingerprints are compromised by the lax procedures through which defendants capture, collect, store and use their workers’ biometrics.

Notably, this and other lawsuits addressing this issue do not necessarily reach the point of challenging use of the data. Instead, employers are facing liability at the outset for the mere collection of this data when not in compliance with statutory requirements. Over 30 similar class action lawsuits have been filed in federal and state jurisdictions.

Case law under BIPA and other similar statutes is still developing, and employers should keep a watchful eye on trends in courts’ treatment of biometric data protections, restrictions, and requirements in order to ensure compliance. In the interim, and because the cost of non-compliance is substantial, employers should be cautious in their approach to collecting, using and storing their employees’ biometric data. Specifically, employers should:

  • Draft a written policy regarding the collection and use of biometric data, including the company’s process for safeguarding the information and for destroying the data, consistent with state law. Employers should consider including a discrimination disclaimer in the policy, which should be disseminated widely, and its review should be made an onboarding and training requirement.
  • Obtain express written consent and a release from each employee before collecting or using their biometric data.
  • Implement a data breach response protocol that includes biometric data and provide notice to employees that a protocol exists.