Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements. Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds. In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.
Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures. Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement
In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.
The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.
This post originally appeared in our sister publication, Subject To Inquiry.
On May 21, the North American Securities Administrators Association (NASAA) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.
As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (ICO) to raise capital. ICOs, however, are ripe for potential fraud. As the Washington Post has explained, “consumers face higher risks of being misled at a time when the intense demand for bitcoin has prompted many retail investors to take extreme steps to gain exposure to the currency…”
On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.
This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their public filings. In conducting this analysis, companies face a difficult choice: disclose and face public and investor backlash, or decline to disclose and potentially face later regulatory scrutiny and/or class action stockholders’ litigation.
To read McGuireWoods’ analysis of what the Yahoo settlement can teach about proper disclosure analysis and the factors that a company must consider when conducting this critical task, download a copy of our white paper, titled “Between a Rock and A Hard Place: SEC Disclosure Analysis in Light of the Yahoo Settlement.”
The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.
Tax Return Data
As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).
This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:
“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283
Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer. It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.
Other Privacy-Related Legislation
Additional bills related to privacy include (partial listing):
- PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
- PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. 1027 SB16
- DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
- DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a users’ ability to access broadband internet access. The bill also would have limited a broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. SB948
- DEFEATED: Limiting state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law-enforcement activities. SB949
- DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588
- DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted, of any crime (a.k.a. “ban-the-box”). SB252; HB1357
- DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
- DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
- DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
- DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39
Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response in response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was in response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would be identity thieves to file false state income tax returns.
U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses. However, there are a plethora of reasons it may not make much progress through Congress this year. The current 49-state, soon to be 50-state, patchwork of breach notification laws that are all different in various meaningful ways makes compliance with a nationwide breach (which is what typically occurs in companies) quite tedious. This proposed federal legislation would set a national standard for securing customer data and reporting data breaches.
Similar legislation has stalled in Congress for nearly a decade, but recent events, including numerous high profile data breaches and other events where data was misused, the EU Parliament’s approval of the General Data Protection Regulation (GDPR) with an enforcement date of May 25, 2018, and California’s proposed ballot initiative on privacy (improving consumers’ rights regarding collection and usage of their data), have catalyzed Congress once more. Last week, senators introduced legislation called Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act). The bill requires explicit opt-in consent from users to share, use, or sell any personal information, notification any time data is collected, shared, or used, and new security and breach reporting requirements. The CONSENT Act relies on the Federal Trade Commission to enforce any violations of those new rules.
There are many obstacles to enacting federal data privacy and security legislation, including disputes over preemption of state law, reasonable security standards, penalties, and exemptions. After Republicans took control of the White House and both chambers of Congress last year, federal regulatory activity diminished, and cities and states have stepped in to fill the void. The attorneys general of 31 states are pressing lawmakers to scrap the Data Acquisition and Technology Accountability and Security Act, arguing that it waters down more stringent state laws requiring prompt notification of breaches to consumers. Since South Dakota passed a new law in March, every state but Alabama has data breach laws in effect which require companies to notify consumers when their personal information hacked. And last week Alabama’s governor signed the final state data breach law which goes into effect on May 1, 2018. The attorneys general argue that these state laws have catalyzed greater transparency about data breaches and improved steps companies can take to prevent breaches from occurring again.
In addition to state laws, some cities have taken affirmative steps regarding data security. NYC Mayor de Blasio announced the launch of a cybersecurity initiative, NYC Secure, which is supposed to defend New Yorkers from malicious cyber activity on mobile devices, public Wi-Fi networks, and beyond. The first program is a smartphone protection app which issues warnings to users when suspicious activity is detected on their mobile devices.
Stay tuned to see who wins the state versus federal power struggle over data privacy and security—exciting times are ahead!
A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.” White hat hackers usually present their skills as benefiting their clients and broader society. They may be reformed black hat hackers or may simply be knowledgeable of the techniques and methods used by hackers. However, white hats have been known to offer broader hacking services, such as information gathering about persons or entities at odds with those hiring the white hat. Ethical hackers have been compared to digital versions of private investigators or investigative reporters.
In considering whether to engage a white hat hacker, there are a number of precautions that a company should take to increase the likelihood that the white hat will be credible, professional and ethical and only engage in lawful activities during the course of the engagement.
Credibility. Consider existing relationships, references and certifications. For example, the EC-Council offers a Certified Ethical Hacker accreditation. Many large consulting firms provide ethical hacking services. References from trusted peers are also extremely important.
Background Check. Conduct a thorough background check. Although the white hat may be affiliated with a reputable consulting firm, verify his or her experience and credentials and investigate possible criminal history. Do not assume that what the hacker tells you is true.
Engagement Letter. Have the hacker sign an engagement letter or similar contract that clearly defines the engagement, prohibits any illegal or unethical conduct, and addresses liabilities, indemnification and remedies where appropriate. Specify the hacking methods that are and are not acceptable and which information systems, networks and data may be accessed. Require the hacker to provide proof of adequate professional liability insurance.
Confidentiality Agreement. Require the hacker to sign a confidentiality or non-disclosure agreement that strictly prohibits the use or sharing with others of any information gathered as part of the engagement and that specifies the penalties for violation or references penalties set forth in the primary agreement.
Oversight. Monitor the hacker’s activity and be on the lookout for any suspicious activity—both during and after the white hat’s work. Ensure that the hacker remains within the scope of work defined within the engagement letter. If the scope of work changes, revise the engagement letter accordingly. Keep in mind that access to information systems presents opportunities to set conditions for future remote access or other unauthorized, nefarious activities.
Work Product. Consider the desired work product that will be developed over the course of the white hat’s engagement and whether the white hat should report to the General Counsel or outside counsel to protect privilege. In order to be admissible in evidence in civil litigation, the white hat must be willing to submit a signed affidavit, which describes under oath the results of the investigation, and to possibly testify. Not every white hat makes a good witness.
On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?
Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.
If you collect personal data or behavioral information from someone in the EU (also referred to as a “data subject” in the GDPR), your company will be subject to the requirements of GDPR. The extended scope of GDPR will apply to your company even if:
- the processing of personal data takes place outside of the EU;
- no financial transaction takes place; or
- your company has no physical operations or employees in the EU.
The definition of “personal data” is broader than the definition of “personally identifiable information”, commonly used in U.S. information security and privacy laws.
Why should you care?
Failing to comply with GDPR may result in a maximum fine of €20,000,000 euros or 4% of global turnover, whichever is higher.
There are questions over how EU regulators will enforce these fines on companies outside of the EU. However, it would be ill-advised to underestimate the EU’s desire to create uniform data privacy laws for its market and the lengths to which regulators may go to accomplish this goal. GDPR extraterritorial enforcement mechanisms with authorities in non-EU countries is very possible.
The potential reputational damage that may result from noncompliance is also something organizations should consider. Non-EU companies, especially those with a strong online presence, should think whether action is required now to avoid the possibility of unfavorable headlines down the line.
How to mitigate risk?
- Conduct a Data Privacy Audit (DPA). A DPA should show you the location of data in your company and map the flows of this data. A DPA should also map your current data processing activities against the rights of data subjects which are mandated by GDPR. Examples being, the rights of data subjects to access their personal data and the right to be forgotten. The UK information commissioner’s office has provided helpful guidance on DPAs which can be accessed here.
- Put in place processes for deleting data. One of the 7 principles of GDPR is data minimization. Organizations must not keep data for longer than necessary and data subjects have the right to request the deletion of the personal data that you hold about them (known as the “right to be forgotten”). If not already in place, you should establish processes for deleting personal data: (i) on request; and (ii) if its retention is no longer necessary.
- Re-examine consent mechanisms. Consent of the relevant data subject is the basis upon which many organizations comply with the requirements of existing EU data protection laws relating to the processing and storing of such data subject’s personal data. If this is true of your organization you should note that the requirements under GDPR for obtaining consent are more stringent. For example, if you use pre-checked opt-in boxes to gain consent, GDPR clarifies that this is not an indication of valid consent. If your current mechanisms for obtaining consent or the consents that you already have do not meet the standards set by GDPR, you should consider updating such mechanisms and seeking new consents which satisfy the requirements of GDPR.
- Appoint a data processing officer (DPO). If your core activities call for either: (i) regular and systematic monitoring of data subjects on a large scale, or (ii) processing on a large scale of certain categories of data you may be required to appoint a DPO.
If you have any questions or concerns regarding GDPR compliance please email EUDataProtection@mcguirewoods.com.