The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms. Continue Reading Implications of Brexit on GDPR

2018 Best Legal Blog Contest - Click to Vote

Effective October 1, 2018, Connecticut has the most stringent requirement—24 months—for free mitigation services that must be provided to those affected by a data breach of personally identifiable information (in the case of Connecticut: (A) Social Security number; (B) driver’s license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account).

With a new high-water set, it is likely that other states will quickly follow suit.  In the meantime, for entities that are responding to a multi-state data breach that includes Connecticut, there will now be a business decision of whether or not to offer 24 months of services to all affected individuals regardless of state law requirements (some of which are silent and the rest of which require 12 months of services).

This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise

Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action.  Not surprisingly, now every state has enacted data breach notification laws, which are triggered when personal information is breached.  Read below for a summary of relevant state legislation recently adopted or laws recently amended that pertaining to data breach notification.

Arizona

Arizona amended its data breach notification law, effective July 21, 2018. This amendment requires companies to notify affected consumers within a 45-day window upon discovery of a data breach. If the data breach impacts more than 1,000 consumers, companies must also notify the state attorney general as well as the three largest consumer credit reporting agencies. The state attorney general can also impose up to $500,000 in penalties for a company’s non-compliance.

Continue Reading Updates to State Data Breach Laws

Yesterday Gov. Jerry Brown signed California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.

Continue Reading New California Privacy Law Could Have Nationwide Implications

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees

Quick to blame a state-sponsored organization, Yahoo announced at least 500 million of their account holders had their information stolen – in 2014.

A statement released on September 22, 2016, by Yahoo’s Chief Information Security Officer, Bob Lord, says that the hackers likely have, “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo says that the “on-going” investigation suggests no payment card data or bank account information was stolen. Nevertheless, they advise users to monitor their accounts for suspicious activity.

At this point Yahoo has revealed very little about the investigation. But its statement did say that there is “no evidence that the state-sponsored actor is currently in Yahoo’s network.”

What the statement noticeably does not say is why it took Yahoo so long to disclose the hack.  In August, cybercriminal “Peace” claimed to have account information for over 200 million Yahoo users. At the time, Yahoo confirmed it was aware of the claim, but it was unclear if it was legitimate and Yahoo made no statement regarding the security of user information. This begs the question, when did Yahoo become aware of the hack?

As the investigation continues Yahoo will be held accountable to answer that question as well as several others. And while it has barely been 24 hours since the announcement there are takeaways from Yahoo’s breach.  First, any business with sensitive information must always think defensively.  Assume your network is constantly under attack and prepare accordingly. Otherwise, be ready to explain to shareholders and customers why your network was compromised.  Secondly, routinely monitor your network – just because you did not detect the breach, does not mean the breach did not occur.  In other words, don’t wait for a cybercriminal on the dark web to start selling sensitive information stolen from your network before you secure your network.

And lastly, do not become complacent with your security. From low end hackers to state-sponsored organizations, criminals are constantly crafting new ways to steal data so your network must be equipped to handle the attacks.  Because whether we like it or not, data breaches are here to stay – just ask Yahoo and about 500 million users.

Highlighting the importance of cybersecurity in a time of data breaches and cyber attacks that have compromised our national security, privacy, economy, and businesses, President Obama incorporated cybersecurity issues in his recent State of the Union address. He stated:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.

Referencing recent proposed legislation and policy initiatives, he continued:

I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.

While the President did not lay out the details of the legislation, his speech came on the heels of a busy two weeks during which the White House announced various policy initiatives and legislatives proposals, including:

• increasing the sharing of cybersecurity information between the government and private companies and granting corresponding liability protections to the disclosing companies;

• bolstering law officials’ ability to investigate and prosecute cybercriminals, including by introducing new penalties for cyber criminals;

• streamlining data breach notification laws; and

• establishing a federal standard for hacked companies to disclose breaches to employees and consumers who may be affected.

Now that all eyes are watching, attention will focus on efforts by legislators, industry groups, and privacy and consumer advocates to strike a balance among the competing interests that will be impacted. For example, certain industry groups have pushed for the liability protections that the President’s information-sharing proposal provides; however, these same groups have balked at the breach reporting requirements as overly burdensome. Similarly, privacy groups maintain that Congress must first reform the National Security Administration (“NSA”) before considering cyber information-sharing legislation, so that the information-sharing proposal does not create another means for the NSA to collect Americans’ personal information.

Stay tuned as these issues unfold…