Employee Error Accounts for Most Security Breaches

A recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely within the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.¹ While technological measures (e.g., anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.

Just as troubling, another recent study found a 789% increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.² Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via e-mail, instant message or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption and consumer litigation exposure. Every industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,³ it is also one of the most neglected areas in many businesses’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and of protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlights just how critical the human element really is, as almost every one of those attacks resulted from human error.

First and foremost, it is critical that training programs have the participation of and include input from all relevant stakeholders at the company, including Human Resources, IT, Information Security, Legal, and Compliance.

Key aspects of any successful training program should also include the following:

  • Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization

  • Train creatively, not just in a non-interactive classroom setting

  • Look for means to introduce interactivity into the training process

  • Have a means of measuring progress

To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web based training, meetings, and promotions).”[1]

Training can be conducted through a number of means:

  • Classroom sessions

  • Webinars

  • Security posters and other materials in common areas

  • Brown bag lunches

  • Helpful hints distributed to employees via e-mail or corporate intranet posts

  • Simulated phishing attacks (e.g., systems that periodically send phishing e-mail to employees attempting to lure them into opening an attachment or clicking a hyperlink, and then alert any employee who does so that they have engaged in an insecure activity)

Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home e-mail accounts and thereby protect their own data, photographs, financial accounts, etc.


¹ https://www.egress.com/news/egress-ico-foi-2016
² http://phishme.com/phishme-q1-2016-malware-review/
³ See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition. http://www.sei.cmu.edu/reports/12tr012.pdf

Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records, and is stored in physical and electronic form for years, if not decades. The term often used for this type of information is “personally identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. This extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Early Settlement of Home Depot Consumer Data Breach Claims – Start of Trend?

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements.

Prior to settlement, Home Depot had followed the standard playbook for defense of a consumer data breach claim, seeking dismissal of the action on standing grounds due to plaintiffs’ inability to establish injury resulting from the theft of credit and debit card numbers.  While defendants have had notable success in defeating consumer data breach claims on standing grounds – primarily because card issuers hold consumers harmless for fraud losses on their cards – recent decisions, exemplified by the denial of the motion to dismiss consumer claims in the Target data breach litigation, have concluded that consumers do suffer injury in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  The growing frequency of courts finding standing to bring consumer payment card data breach claims posed for Home Depot the not-inconsiderable risk that the consumer claims would survive its motion to dismiss, requiring Home Depot to proceed to expensive document and deposition discovery.

At the same time, the cost of settling consumer claims has proven to be relatively small, even for classes numbering in the tens of millions of consumers.  The “injuries” that courts have relied upon to find standing still do not add up to large dollar value claims on a per-class member basis.  In the Target case, the claims of the 40 million-member consumer class settled for $10 million.  The small size of the Target settlement relative to the size of the class was not an anomaly.  As previously reported, plaintiffs in Target submitted a chart to the court detailing prior consumer data breach settlements.  The chart showed that the cash cost of a large data breach settlement is typically $1.00 or less per class member.  The Target settlement itself came in at approximately $0.25 per class member.  The pattern revealed in Target’s submission and in the Target settlement itself surely sent a strong signal to both sides as to the likely settlement range for the consumer claims in the Home Depot case.

Meanwhile, even as the motion to dismiss was being considered by the court, the parties were engaged in the process of planning for discovery.  At the time of the settlement the parties had already come to agreement on a scheduling order, merits and expert discovery protocols, a confidentiality agreement and protective order, and a stipulation concerning authentication of documents.  The case settled during the negotiation of a protocol for discovery of electronically stored information.  On top of all of this, plaintiffs had propounded 126 document requests on Home Depot.  Based on those activities, the parties would have understood that the impending costs of document production by Home Depot and document review by plaintiffs would be staggering, as would the subsequent cost to both parties of extensive deposition practice and expert discovery.  Given the benchmark established by Target and other similar cases, the anticipated discovery costs in Home Depot could easily equal or exceed the likely cost to settle the consumer claims.

Unsurprisingly, the proposed Home Depot settlement falls comfortably within the range indicated by the survey of data breach settlements that was submitted to the court in Target.  The Home Depot settlement provides for payment of $13 million to the class, and guarantees that Home Depot will spend $6.5 million to pay for credit protection for the class.  Note, however, that cash payments to class members from the $13 million settlement fund will be distributed on a claims-made basis.  If class members fail to claim the entire $13 million, the undistributed balance may be used to defray the cost of notice to the class and then, if funds still remain, the cost of purchasing credit protection.  If the claim rate is low enough, it is possible that Home Depot’s entire payment obligation under the settlement for the benefit of the class will not exceed the $13 million settlement floor.  Either way, the settlement range of $13 million to $19.5 million will yield per-class member benefits for the 40 million class members whose payment card numbers were stolen of between $0.33 and $0.49 per person.  Note that here, as in Target, attorneys’ fees are requested in addition to the class distribution, with the request here equaling $8.475 million.  Home Depot has the right to challenge the fee award, but has waived any right of appeal from the trial court’s fee determination.

It is also worth noting how the cost of the consumer settlement compares to the overall cost of the breach.  As was the case for Target, the cost of settling the consumer claims is a small portion of the overall costs to Home Depot arising from the data breach.  According to a report by Reuters, Home Depot said it had booked $161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds (reported by Home Depot in its last Form 10-Q quarterly report to total about $100 million).  Thus, the largest amount that Home Depot could pay in settlement of the consumer claims (including attorneys’ fees) would equal just under 11% of the $261 million in breach-related expenses incurred by Home Depot.  The ability to settle for around 10% of the total data breach exposure – and the opportunity to avoid incurring additional litigation expenses that would drive up both totals – would provide another justification for striking an early deal to resolve the consumer claims.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Ransomware: How It Works and What You Can Do

“Ransomware” is making big news, with reports that a California hospital paid $17,000 to regain access to its network after malware locked access to files. This is a case, however, of the news catching up to the facts. Ransomware has been one of the fastest growing forms of cyberattack over the last year. According to media reports, as many as 100,000 computers per day are being infected with ransomware.

These increasing ransomware incidents serve as the latest warning that companies need to take steps to protect against costly and damaging cyberattacks.

How Ransomware works

Without getting too technical, ransomware works by infecting a computer and then using modern cryptographic methods to encrypt its files. Once encrypted, the files cannot be decrypted without the “key,” which the hackers provide only when you pay them the ransom. Since we are talking about encryption schemes that would take supercomputers years to break, there is (with one increasingly limited exception, and barring a mistake in the hackers’ own implementation of the encryption) no way to regain access to the encrypted files without paying for the key.

We mentioned an increasingly limited exception. A couple of years ago, when one ransomware ring was taken down by law enforcement, some of the private keys that the ring used for decryption were recovered. Thus, if the ransomware variant that infected your machine happens to be the increasingly outdated version that matches those keys, you have a shot at getting your files back without paying the ransom. But the hackers are well aware of this loophole, and more modern variants use different keys, against which the captured ones are useless.

How Ransomware is spread

The delivery methods keep evolving, but almost all of them have something in common: human help. Common delivery methods involve such human-machine interactions as opening infected email attachments and visiting web pages that exploit the browser or its plug-ins to install the malware on the user’s machine (so-called drive-by downloads). While even the most innocent websites can be hijacked to deliver malware, the shadier websites are the most likely to give you an unwanted infection.

These delivery methods have several implications which help explain ransomware’s rapid proliferation. First, the hacker doesn’t have to put any thought into making you a target. He or she just has to cast the malware about (much like throwing seed into the air), and then wait for you to call once you are infected. Second, ransomware has an extremely high ROI for the hacker’s limited efforts. The hacker has to write (or buy) the ransomware once (and it’s not expensive to acquire), seed it once, and then sit back and watch the profits roll in from thousands of infections.

What you can do

While nothing provides a bulletproof solution to this growing problem, implementing and strengthening several measures can lower your risk:

• Because much of this malware infects machines by tricking the user, raising user awareness of this problem is crucial. Users who are more resistant to clicking on suspicious email links and visiting shady websites are your best means of lessening exposure. You should realize that:
◦ Inattentive users run a very real risk of bringing damaging cyber-infections into the company.
◦ “Think before you click” on email attachments and embedded links is an important defense. You are far better off having users who over-report suspicious links to IT than users who are overly trusting.
◦ Web browsing should be limited to those business sites that are necessary for your operations.
◦ If your users have the ability to connect to company systems from their personal computers or other devices, understand that applying these rules to their personal device use makes them, and the company, safer.
• Encourage prompt employee reporting of potential problems. Even the most diligent employee may fall prey to a malicious email. Employees who fear discipline or termination will be much less likely to swiftly report potential problems. You will eventually discover you’ve been compromised, but only after the damage has multiplied.
• Back up frequently. Losing a file to encryption is much less problematic if you have a clean backup copy. Review your backup procedures and make sure you have a robust backup process: keep at least one copy offline or otherwise out of reach of an infected workstation, since ransomware will also encrypt any backup it can write to, and test that you can actually restore from it.

© Copyright 2016 Armstrong Teasdale LLP. All rights reserved

Homeland Security Releases Cybersecurity Information Sharing Act Guidelines

The US Department of Homeland Security (DHS) issued guidance this week to assist nonfederal entities to share cyber threat indicators and defensive measures with federal entities under the Cybersecurity Information Sharing Act of 2015 (CISA). CISA was passed as part of the Cybersecurity Act of 2015 and directs the Attorney General and the Secretary of DHS to develop guidance that promotes sharing cyber threat indicators with federal entities. CISA also helps nonfederal entities identify defensive measures and share them with federal entities and describes the protections that nonfederal entities receive for sharing, including targeted liability protection.

Highlights of the guidance for nonfederal entities under CISA include the following:

  • Identifying information that qualifies as a cyber threat indicator but is likely to include personally identifiable information not directly related to a cybersecurity threat.

  • Identifying information that is unlikely to be directly related to a cybersecurity threat but is protected under otherwise applicable privacy laws.

  • Providing methods for sharing defensive measures.

  • Allowing nonfederal entities to share cyber threat indicators and defensive measures with any other entity—private, federal, state, local, territorial, or tribal—for a “cybersecurity purpose.”

    • “Cyber threat indicator” means information that is necessary to describe or identify

      • malicious reconnaissance or anomalous patterns of communications for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;

      • a method of defeating a security control or exploitation of a security vulnerability (or causing a user with legitimate access to do so);

      • a security vulnerability;

      • malicious cyber command and control;

      • the actual or potential harm caused, including a description of the information exfiltrated as a result of a particular cybersecurity threat;

      • any other attribute of a cybersecurity threat, if such disclosure is not otherwise prohibited by law; and

      • any combination of the above.

    • “Defensive measure” means

      • an action, device, procedure, signature, technique, or other measure applied to an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability, and

      • the term does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system not owned by the private entity operating the measure (or another entity that has given consent).

    • “Cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

  • Allowing for the sharing of such information, “notwithstanding any other provision of law.” Before sharing a cyber threat indicator or defensive measure with a federal entity, nonfederal entities are required to remove any information known at the time of sharing to be personally identifiable information not directly related to a cybersecurity threat. Such review may be conducted through either a manual or technical process.

  • Providing for the sharing of cyber threat indicators and defensive measures with the federal government. CISA requires the Secretary of DHS to develop a capability and process within DHS to accept cyber threat indicators and defensive measures in real time from any nonfederal entity, including private entities, through Automated Indicator Sharing (AIS), a web form, email, or Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations. DHS in turn relays that information to other federal entities in an automated manner, consistent with its operational, privacy and civil liberties policies.

  • Providing for the following protections in addition to liability protection:

    • Antitrust exemption

    • Exemption from federal and state disclosure laws

    • Exemption from certain state and federal regulatory uses

    • No waiver of privilege for shared material

    • Treatment of commercial, financial, and proprietary information (to offer protection from the expected further sharing)

    • Ex parte communications waiver (the sharing shall not be subject to the rules of any federal agency, department, or judicial doctrine regarding ex parte communications with a decision making official)
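The “technical process” that the PII-removal requirement above allows for can be as simple as a field-by-field scrub that keeps the attacker’s artefacts (sender address, hash, command-and-control URL, source IP) and drops or redacts anything that identifies the victim. The following is an added example written for this page, not the DHS guidance’s own procedure or any sharing platform’s code. ORG_DOMAIN, the classification of fields as threat data or victim data, the redaction patterns and the sample record are all assumptions constructed for the demonstration; the statute only requires that known unrelated PII be removed before sharing.

```python
"""Strip PII that is not itself part of the threat from an indicator before sharing.

Added example; not the DHS guidance's procedure and not any sharing platform's
code. ORG_DOMAIN, the field classification and SAMPLE_INDICATOR are assumptions
made for this demonstration.
"""
import re

ORG_DOMAIN = "example.com"  # assumed: the sharing organisation's own domain

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Assumed classification: these fields are the threat itself and are shared verbatim ...
INDICATOR_FIELDS = {"sender", "payload_sha256", "c2_url", "source_ip"}
# ... and these describe the victim rather than the threat, so they are dropped outright.
VICTIM_FIELDS = {"recipient", "employee_name"}


def redact_text(text: str):
    """Remove SSNs and own-domain e-mail addresses from free text; keep external ones."""
    removed = []

    def drop_ssn(match):
        removed.append(("ssn", match.group(0)))
        return "[REDACTED-SSN]"

    def drop_internal_address(match):
        address = match.group(0)
        if address.lower().endswith("@" + ORG_DOMAIN):
            removed.append(("internal-email", address))
            return "[REDACTED-EMAIL]"
        return address  # an external address is an attacker artefact: keep it

    text = SSN_RE.sub(drop_ssn, text)
    text = EMAIL_RE.sub(drop_internal_address, text)
    return text, removed


def scrub_indicator(indicator: dict):
    """Return (shareable copy, audit trail of every removal) for one indicator record."""
    shared, audit = {}, []
    for field, value in indicator.items():
        if field in VICTIM_FIELDS:
            audit.append((field, "dropped", value))
        elif field in INDICATOR_FIELDS:
            shared[field] = value
        elif isinstance(value, str):
            cleaned, removed = redact_text(value)
            shared[field] = cleaned
            audit.extend((field, kind, item) for kind, item in removed)
        else:
            # Anything unclassified is withheld rather than shared by accident.
            audit.append((field, "dropped-unclassified", value))
    return shared, audit


# Constructed sample record, not a real report.
SAMPLE_INDICATOR = {
    "sender": "invoice@attacker-example.net",
    "subject": "Overdue invoice",
    "recipient": "jane.doe@example.com",
    "employee_name": "Jane Doe",
    "payload_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "c2_url": "http://attacker-example.net/update.php",
    "source_ip": "203.0.113.7",
    "description": ("jane.doe@example.com opened the attachment; her HR file lists "
                    "SSN 123-45-6789. Reply-to was billing@attacker-example.net."),
}

if __name__ == "__main__":
    shareable, trail = scrub_indicator(SAMPLE_INDICATOR)
    print(shareable)
    for entry in trail:
        print("removed:", entry)
```

The audit trail is the point of the design: it documents what was removed and why, which is what a reviewer of the sharing decision will want to see. Note that fields in INDICATOR_FIELDS are shared verbatim, so a case where the “attacker” address is a compromised internal mailbox still needs the manual review the guidance also allows for.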

Guidance was also released for Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government, Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government, and Privacy and Civil Liberties Interim Guidelines.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Ransomware Strikes California Hospital – Could You Be Next?

In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of the ransomware attacks on the increase lately.   Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.

  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.

FBI on Ransomware

One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice, though bear in mind that paying buys no guarantee that a working key will actually be delivered. In any event, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan, and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.

  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Hollywood Presbyterian Concedes to Hacker’s Demands in Ransomware Attack

In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.

  2. Ensuring software patches and anti-virus are current and updated.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security measures that ought to be in place generally. As OCR indicates, smart email practices and training the workforce on them are key elements to preventing phishing scams. Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.

  • A message with an attachment but no text in the body.
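The four cues in this checklist (and the identical list in the preceding post) are mechanical enough to automate as a first-pass triage before a message ever reaches a user. The following is an added example, not code from either post: it encodes the four cues over messages parsed with Python’s standard email library. The keyword lists, the set of banks the reader actually uses, the expected tracking numbers and the sample messages are assumptions constructed for the demonstration.

```python
"""Triage an e-mail for the four contextual cues listed above.

Added example, not code from either post. The keyword lists, KNOWN_BANK_DOMAINS,
EXPECTED_TRACKING and the sample messages are assumptions constructed for this
demonstration.
"""
import re
from email.message import EmailMessage

SENSITIVE_TERMS = ("tax", "bank account", "password", "log-in", "login")  # assumed
BANK_TERMS = ("bank", "credit union")                                      # assumed
KNOWN_BANK_DOMAINS = {"examplebank.com"}     # assumed: banks you really do business with
EXPECTED_TRACKING = {"1Z999AA10123456784"}   # assumed: packages you are actually expecting


def sender_domain(msg: EmailMessage) -> str:
    match = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return match.group(1).lower() if match else ""


def recipient_count(msg: EmailMessage) -> int:
    """Number of addresses on the To: and Cc: lines combined."""
    addresses = []
    for header in ("To", "Cc"):
        addresses += [a for a in str(msg.get(header, "")).split(",") if a.strip()]
    return len(addresses)


def body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content().strip() if body is not None else ""


def triage(msg: EmailMessage) -> list:
    """Return the cues that make this message suspicious (empty list if none)."""
    subject = str(msg.get("Subject", ""))
    text = body_text(msg)
    lowered = (subject + " " + text).lower()
    reasons = []

    # Cue 1: a shipping confirmation that matches no package you sent or expect.
    if "shipping confirmation" in lowered:
        tracking = set(re.findall(r"\b[A-Z0-9]{12,}\b", subject + " " + text))
        if not tracking & EXPECTED_TRACKING:
            reasons.append("shipping confirmation for no expected package")

    # Cue 2: a sensitive topic addressed to several parties on To:/Cc:.
    if any(term in lowered for term in SENSITIVE_TERMS) and recipient_count(msg) > 1:
        reasons.append("sensitive topic sent to multiple recipients")

    # Cue 3: a password reset from a bank you do not do business with.
    if "reset your password" in lowered and any(term in lowered for term in BANK_TERMS):
        if sender_domain(msg) not in KNOWN_BANK_DOMAINS:
            reasons.append("password reset from an unrecognised bank domain")

    # Cue 4: an attachment with no text in the body.
    if any(True for _ in msg.iter_attachments()) and not text:
        reasons.append("attachment with an empty body")

    return reasons


def _make(sender, to, subject, body, cc=None, attachment=None) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="pdf",
                           filename="invoice.pdf")
    return msg


def sample_messages() -> dict:
    """Constructed sample messages: one per cue plus two benign controls."""
    return {
        "bogus_shipping": _make("noreply@parcel-example.net", "me@example.com",
                                "Shipping confirmation",
                                "Your package 7700000000000000 is on its way."),
        "expected_shipping": _make("noreply@parcel-example.net", "me@example.com",
                                   "Shipping confirmation",
                                   "Your package 1Z999AA10123456784 ships today."),
        "mass_tax_mail": _make("payroll@example.com",
                               "me@example.com, colleague@example.com",
                               "Your tax documents", "Log in to review your W-2.",
                               cc="team@example.com"),
        "unknown_bank": _make("alerts@otherbank-example.com", "me@example.com",
                              "Action required",
                              "Your bank account is locked. Reset your password now."),
        "known_bank": _make("alerts@examplebank.com", "me@example.com",
                            "Action required",
                            "Reset your password to keep using your bank account."),
        "bare_attachment": _make("unknown@example.org", "me@example.com",
                                 "Invoice", "", attachment=b"%PDF-1.4 constructed"),
    }


if __name__ == "__main__":
    for name, message in sample_messages().items():
        print(f"{name}: {triage(message) or 'no cues'}")
```

The checks are deliberately coarse, which is the right trade-off for a triage that only flags a message for a closer look: as the preceding post puts it, users (and filters) that over-report are preferable to ones that are overly trusting.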

All health care providers, payors, and their business associates need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

President Seeks $19 Billion and Creates Commission to Address Cybersecurity

President Barack Obama requested $19 billion in his budget for 2017 to address cybersecurity in the United States, $5 billion more than was budgeted for the current year. Today, he issued an Executive Order that will create a commission within the Department of Commerce to be known as the “Commission on Enhancing National Cybersecurity.”

So, what will $19 billion buy? The President’s proposal calls for a number of measures designed to improve and strengthen cybersecurity. Some examples include:

  • $3.1 billion to update and replace old IT systems, along with a new position in the White House to lead the effort.

  • About $62 million is allotted for more cybersecurity professionals, including funding scholarship programs to strengthen the pipeline for this much needed human capital.

  • Amounts for the classified cyber budget for intelligence agencies such as the National Security Agency and the CIA.

The Commission on Enhancing National Cybersecurity under the President’s Executive Order would have as its mission:

To make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission’s recommendations should address actions that can be taken over the next decade to accomplish these goals.

The Commission will need to consider recommendations for at least the following:

  1. how best to bolster the protection of systems and data, including how to advance identity management, authentication, and cybersecurity of online identities, in light of technological developments and other trends;

  2. ensuring that cybersecurity is a core element of the technologies associated with the Internet of Things and cloud computing, and that the policy and legal foundation for cybersecurity in the context of the Internet of Things is stable and adaptable;

  3. further investments in research and development initiatives that can enhance cybersecurity;

  4. increasing the quality, quantity, and level of expertise of the cybersecurity workforce in the Federal Government and private sector, including through education and training;

  5. improving broad-based education of commonsense cybersecurity practices for the general public; and

  6. any other issues that the President, through the Secretary of Commerce (Secretary), requests the Commission to consider.

These actions are designed to affect both the public and private sectors. Accordingly, businesses need to monitor these activities to ensure compliance and that their efforts are consistent with recognized best practices.

Jackson Lewis P.C. © 2016

Department of Commerce Releases Fact Sheet on EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

On February 2nd, 2016, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The EU-U.S. Privacy Shield

According to the Commission press release, there will be several new elements to the EU-U.S. Privacy Shield, as compared with the invalidated EU-U.S. Safe Harbor framework.  For instance, in addition to subjecting participating U.S. companies to certain as-yet unspecified safeguards, the Privacy Shield will include:

  • An annual joint review of the program performed by the European Commission and U.S. Department of Commerce – to which European data protection authorities will be invited – to ensure its proper functioning.  This will include a review of access by U.S. intelligence agencies to EU-originating data.

  • Enhanced rights of redress for European data subjects, including (i) subjecting U.S. organizations to firmer deadlines when responding to complaints, (ii) allowing EU citizens and EU data protection authorities to refer complaints to the U.S. Department of Commerce and the U.S. Federal Trade Commission, (iii) establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints that will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the U.S. Federal Arbitration Act, and (iv) creating a new “Ombudsperson” within the U.S. State Department to handle complaints – channeled through EU Member State representatives – that relate to U.S. intelligence agencies’ access to data.  Disputes relating to human resources/employee data will remain subject to an alternative process that entails somewhat closer involvement of EU data protection authorities, similar to the current Safe Harbor.

Moreover, it is reported that the U.S. Director of National Intelligence will confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.

The Privacy Shield is expected to retain or enhance many of the elements contained in the original Safe Harbor framework, including substantive commitments made by U.S. companies on such matters as furnishing appropriate notices to EU citizens, maintaining the security of transferred data, and tightened restrictions on onward transfers.  The precise nature of these obligations is not yet known, but will become clearer in the weeks ahead.

Next steps

The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to, over the coming weeks, prepare a draft Decision declaring the U.S. to ensure an adequate level of protection.  The adoption of such a Decision by the Commission must follow a “comitology” procedure which will involve:

  • a proposal from the Commission;

  • an opinion by EU Member States’ data protection authorities and the European Data Protection Supervisor (“EDPS”), in the framework of the Article 29 Working Party;

  • an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;

  • the formal adoption of the Decision by the College of Commissioners;

  • at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a Commission Adequacy Decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to the U.S. without any further safeguards being necessary.

Commissioner Jourová hopes for the new arrangement to be in force in approximately 3 months’ time.  The U.S. Government, in the meantime, will make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

Tomorrow (February 3rd, 2016), Commissioner Jourová will attend the plenary meeting of the Article 29 Working Party to discuss the role of the EU data protection authorities under the EU-U.S. Privacy Shield.  The U.S. Department of Commerce is, in parallel, planning further briefings about the text.