This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise

Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action.  Not surprisingly, now every state has enacted data breach notification laws, which are triggered when personal information is breached.  Read below for a summary of relevant state legislation recently adopted or laws recently amended that pertaining to data breach notification.

Arizona

Arizona amended its data breach notification law, effective July 21, 2018. This amendment requires companies to notify affected consumers within a 45-day window upon discovery of a data breach. If the data breach impacts more than 1,000 consumers, companies must also notify the state attorney general as well as the three largest consumer credit reporting agencies. The state attorney general can also impose up to $500,000 in penalties for a company’s non-compliance.

Continue Reading Updates to State Data Breach Laws

On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date.  These publications will not be revised.  According to NIST the following publications will be withdrawn:

  • SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
  • SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
  • SP 800-19 (October 1999), Mobile Agent Security
  • SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
  • SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
  • SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
  • SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
  • SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
  • SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

More information about these publications and the reason for withdrawal can be found here.

As previously discussed, the General Data Protection Regulation (GDPR) created heightened consent standards for companies processing and sharing personal data of EU data subjects.  When processing personal data under the GDPR, consent must be freely given, specific, informed, and unambiguous.  Further, the GDPR requires affirmative action by the user, forcing them to manually “check/click” opt-in boxes.  This removes the potential for “implied consent” under past acceptable practice, where the consent box was already “checked/clicked” for users; under that practice the user gave “implied consent” unless the box was manually “unchecked”  (withdrawing their consent).

While the GDPR governs the processing and sharing of personal data, a second set of regulations has already been regulating electronic direct marketing (EDM).  The Privacy and Electronic Communications Regulations (PECR) sets rules that organizations must follow when sending EDM.  As a result, when organizations process personal data for use in EDM campaigns, there must be compliance with both the GDPR and PECR.

Continue Reading How Direct Marketing is Impacted by GDPR and PECR

Since our launch in 2013, Password Protected has made every attempt to provide in-depth relevant data privacy and cybersecurity legal analysis. In our continued effort to provide accessible and useful information, we have modernized our blog to provide readers with a better experience. We have re-formatted with the user in mind, to provide easily digestible information as it happens, delivering the latest in comprehensive privacy and cybersecurity news.

Thank you for your continued readership and engagement. Feedback is always welcome; if you have any questions about our blog you can contact us here.

ICYMI, be sure to read some of our more popular posts from Password Protected as well as these other recent data privacy and cybersecurity developments:

SEC Disclosure Analysis in Light of the Yahoo Settlement

U.S. Companies: Are You Ready for GDPR?

HIPAA in Due Diligence (Part I): Four Key Diligence Questions

South Carolina Requires Cybersecurity Program for Insurance Licensees

New York Cybersecurity Regulations: Additional Testing and Reporting Requirements Take Effect

Considerations in Drafting Limitations of Liability for Data Breaches

— Meaghan and Andrew

It seems that most employees and plan participants “think” their retirement money and data are not at risk.  This is due, in part, because:

  • there are few published incidents of breaches or potential hacks;
  • there has been not a single legal decision involving a cybersecurity breach and a retirement plan; and
  • there is no comprehensive federal regulation that protects qualified retirement plans and service providers.

This blog discusses whether retirement plans are really at risk; and if so why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.

Continue Reading Cybersecurity & Retirement Plans

Yesterday Gov. Jerry Brown signed California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.

Continue Reading New California Privacy Law Could Have Nationwide Implications

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees

The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to EU data protection requirements). The Privacy Shield replaced the Safe Harbour scheme and came into effect almost two years ago in August 2016. Since then it has faced numerous criticisms and legal challenges and is under scrutiny once again, facing possible suspension and even invalidation.

Continue Reading Another Ultimatum on the EU-US Privacy Shield

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.

Continue Reading FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement