Category: cybersecurity

Data Breach Developments in California (Part 2)

Morgan Lewis

Last week, we discussed three important changes to California’s data breach law that become effective January 1, 2015. Part two of this series looks at the data breach report recently released by the California Attorney General.

California Data Breach Report

In October, the California Attorney General’s data breach report presented key findings on breaches occurring in California and recommendations for lawmakers and affected industries. Notable findings and recommendations from the report are summarized below.

  • Data breaches are on the rise. Among other findings, the report found that the number of data breaches in California increased by 28% from 2012 to 2013, with “intentional unauthorized intrusions into computer systems” showing the biggest increase among breach categories and accounting for 53% of reported incidents.

  • Breaches of payment card data in the retail industry are most likely to result in fraud. The report found that from 2012 to 2013, the retail industry experienced 77 breaches, or 26% of all breaches, representing the largest share among industry sectors. Almost all (90%) of these breaches involved payment card data, which, according to the report, is the most likely data breach category to result in fraud.

  • Offers of mitigation services are on the rise and can be helpful to affected individuals. The report notes that after experiencing a data breach, entities are commonly offering mitigation services, such as free credit monitoring or other identity theft protection services, which can be helpful by providing advanced notice to individuals whose information is used fraudulently. However, the report found that no offers were made in 28% of incidents where the services would have been helpful. As discussed in part one, the new California law requires breach notices to include offers of mitigation services in certain circumstances.

  • Retailers should take action to “devalue payment card data.” Based on the finding that retail breaches involving payment card data are most likely to result in fraud, the report recommends that retailers take advantage of “promising” new technology, such as chip cards and tokenization, to enhance their security measures and “devalue payment card data.” The report also encourages retailers to implement tokenization technology for online and mobile transactions.

  • Lawmakers should clarify the roles of data owners and data maintainers in providing notices. Interestingly, the report recommends that the California legislature should clarify the notice obligations of owners and maintainers under the law. Specifically, the report explains that the law appears to require data maintainers to notify data owners of breaches, while the data owners must notify the affected individuals. Given this difference in responsibility, important breach notices may be delayed because the owners and maintainers may not agree on their respective obligations.

ARTICLE BY

Barbara Murphy Melby
Christopher C Archer
OF
Morgan, Lewis & Bockius LLP

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurned some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks.  The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not as equally helpful on these questions.  Thus, until the scope of this new requirement becomes more clear, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.  To review the amended statute or its legislative history click here.

ARTICLE BY

Brian R. Blackman
OF
Sheppard, Mullin, Richter & Hampton LLP

Contract Corner: Cybersecurity (Part 3)

Morgan Lewis logo

Over the last two weeks, we discussed contract provisions designed to address the implementation of preventive security measures, as well as responding to security incidents. Our third and final blog post in this series focuses on contractual provisions that address the allocation of liability for breaches that result in security incidents.

Because of the potential for large-scale damages from a security incident, customers and service providers are generally very focused on the allocation of liability in indemnification and liability provisions. Below we list some key issues to consider when drafting these contract provisions.

  • Rather than relying on general negligence or contract breach standards, consider adding security incidents resulting from a contractual breach as separate grounds for indemnification coverage.

  • Determine whether indemnification is limited to third-party claims or includes other direct and/or indirect damages and liabilities caused by a security incident.

  • Coordinate indemnification defense with incident response provisions and consider the effect on the customer’s client relationships where the vendor assumes such defense.

  • Assess whether all potential damages from a security incident are covered by the damages provisions, including any damages that may be considered indirect or consequential.

  • To determine the allocation of liability, consider the contract value, industry norms, type of data at issue, potential business exposure, cost of preventative measures, and cause of the security incident.

  • Consider calling out specific damages related to a security breach that are not subject to any cap or exclusion to provide clarity and protection—such damages can include the costs of reconstructing data, notifying clients, and providing them with identity protection services.

With cyber attacks growing in number and sophistication on a daily basis and the increased amount and value of data that is at risk to such attacks, cybersecurity concerns are top of mind for senior management.

This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.

Click here for Part 1.

Click here for Part 2.

ARTICLE BY

Peter M. Watt-Morse
A. Benjamin Klaber
OF
Morgan, Lewis & Bockius LLP

Protecting Trade Secrets in the Cloud

FINAL SW logo wLLP2

The business community’s growing use of cloud-based computing services provides great benefits due to cost-savings and mobile information access.  However, business leaders should understand the risks of storing valuable trade secrets in the cloud.  This article provides the business community tips on how to safeguard valuable trade secrets stored in the cloud from being freely disclosed to the public, thus putting the business at risk of losing protections that courts grant trade secrets.

As businesses’ profit margins have continued to shrink since the Great Recession, more companies have looked to reduce costs by reducing growing expenses related to their information technology departments.[1] The first line item to draw attention in the IT budget is frequently the rising costs associated with maintaining and upgrading system hardware.  Businesses often find that housing and operating multiple servers stretches IT budgets thin by increasing maintenance, labor, and operational costs.  The solution so many businesses have turned to is to move their valuable data to virtual servers, or the “cloud.”[2]  A recent survey of IT executives provides that companies will triple their IT spending on cloud-based services in 2014 over 2011.[3]  Cloud service providers have also seen demand increase as they increase their cloud capabilities.[4]

Although cloud-based servers provide businesses with substantial financial and operational benefits, businesses must recognize that there are perils to shifting data to the cloud.  One of the key concerns businesses should consider before moving data to the cloud is the risk that its valuable trade secrets will lose protection as a result of insufficient safeguards to protect against disclosure.  This article addresses that concern and provides businesses keys for seeking to protect valuable secrets in the cloud.

What is a Protectable Trade Secret

The initial step for a business to determine how to protect its trade secrets is to understand how the law characterizes a trade secret.  Information qualifies as a trade secret only if it derives independent economic value as a result of not being generally known or readily ascertainable, and be subject to reasonable efforts to maintain its secrecy.  Trade secrets are broadly defined as information, including technical or non-technical data, a formula, pattern, compilation, program, device, method, technique, drawing, process, financial data, strategies, pricing information, and lists of customers, prospective customers, and suppliers.

Businesses Need to Take Reasonable Efforts to Protect Trade Secrets in the Cloud

Trade secrets are only protectable when the owner takes reasonable efforts to prevent them from being freely disclosed to the public so that the information does not become generally known.

Information does not have to be cloaked in absolute secrecy to be a trade secret, as long as a business’s efforts to maintain secrecy or confidentiality are reasonable.  It is easy for one to imagine how a business may protect confidential documents that are stored locally.  Computer files may be password-protected with several layers of encryption software, with access limited to specified personnel.  Similarly, paper files may be stored in locked cabinets, in secured rooms, where only specified personnel are granted access.

However, those seemingly straight-forward security protocols become murky when information is stored in the cloud.  Unlike storing data on local servers, storing data in the cloud requires the owner to disclose confidential information to a third-party vendor.  In most situations, disclosing data to a third-party eliminates trade secret protections.   Therefore, businesses must take additional steps to ensure that its data remains secure.

Three Keys to Protecting Trade Secrets Stored in the Cloud

There are no fail-safe measures to protect data stored in the cloud.  The best way for a business to protect its trade secrets is to locally store and protect its most valuable data with the proper data security protocols.  A business, however, should not fear the cloud as long as it takes certain steps to ensure that it exercises reasonable efforts to protect its cloud-based data.

First, business leaders must conduct appropriate due diligence before selecting a cloud-provider.  The business should conduct necessary research to select a reputable, well-established company that has the physical and technological capabilities to store and protect data.

Conducting due diligence on a provider includes ensuring that the provider has taken necessary steps to establish appropriate physical and virtual security protocols to protect the confidentiality of your information.  Inquire how the provider establishes physical security measures, and monitoring capabilities to prevent unauthorized access to its data centers and infrastructure.  Also, learn how the provider limits its employees’ access to customer data and determine the internal controls that the provider has in place to prevent unauthorized viewing, copying, or emailing of customer information.

A business should also inquire about the provider’s virtual security protocols.  A business must generally understand how its cloud-provider’s encryption software and security management systems work to protect data.  If your business is not capable of independently evaluating whether the provider has proper security protocols, a good indicator is to ask the provider for its client list.  If the provider has clients that are typically security-conscious companies, such as financial institutions or healthcare facilities, that is a good indication that the provider has been vetted and it has proper security measures in place.  Finally, the provider should maintain sufficient data-protection insurance coverage to protect against potential data breaches or system failures.

Second, a business must have contractual safeguards in place with its cloud-provider to adequately protect its intellectual property and trade secrets.  The contract should establish that the business owns the data, that it will be segregated from other data groups, and that the business may enjoy unfettered access to the data.  The contract should specify that the business can demand that the data be deleted or returned request, and detail how the provider will purge the data to ensure that it is properly deleted upon termination of the relationship.  The contract should require regular data backup and recovery tests, while restricting the provider from accessing, using or copying data for its own purpose.  Finally, the contract should establish the provider’s obligations to notify the business of a data breach or system failure.

Third, a business should also consider adding multiple layers of authentication and encryption to data containing trade secrets before transmitting it to the cloud-provider.  However, a business should consider if the additional encryption efforts could adversely affect the business’s ability to access, utilize, and port data for its normal business use.

Conclusion

There are several financial and operational benefits for a business to store data in the cloud.  However, businesses must understand that there are also risks to storing its valuable trade secrets on virtual servers.  Businesses need to take reasonable efforts to protect the confidentiality and secrecy of its most valuable data and information.

[1] Dave Rosenberg.  Reducing IT Infrastructure Costs via Outsourcing.  May 7, 2009.  news.cnet.com/8301-13846_3-10235742-62.html

[2] Thor Olavsrud.  How Cloud Computing Helps Cut Costs, Boost Profits.  March 12, 2013. www.cio.com/article/730036/How_Cloud_Computing_Helps_Cut_Costs_Boost_Profits

[3] Andrew Horne. Transformational Change in IT Will Drive 2014 Spending.  November 5, 2013.  http://blogs.wsj.com/cio/2013/11/05/transformational-change-in-it-will-drive-2014-spending/

[4] IBM Commits $1.2bn to Cloud Data Centre Expansion.  January 17, 2014. www.bbc.co.uk/news/business-25773266

Not By "Any Manner" Of Means: Securing Cyber-Crime Coverage After Zurich v. Sony

Gilbert LLP Law Firm

Much has been written about the New York Supreme Court’s landmark ruling in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), in which a New York trial court denied coverage to Sony Corporation for liabilities stemming from a 2011 cyber-attack on its PlayStation Network. The court held that while a wide-scale data breach represents a “publication” of private information, the PlayStation Network breach did not fall within the ambit of Sony’s commercial general liability (“CGL”) policy because the policy covered only publications by the insured itself—not by third-party hackers. The court rejected Sony’s argument that the phrase “in any manner,” which qualified the word “publication” in Sony’s policy, sufficed to broaden coverage to encompass third-party acts. Instead, the court determined that the “in any manner” language referred merely to the medium by which information was published (e.g., print, internet, etc.), not the party that did the publishing.

Most of the commentary surrounding Sony has focused on the court’s interpretation of the phrase “in any manner.” But that aspect of the court’s ruling was relatively unremarkable: other courts have similarly limited the phrase, most notably the Eleventh Circuit Court of Appeals inCreative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding that the issuance of a receipt to a customer containing more than the last five digits of the customer’s credit card number does not represent a publication). Lost in theSony debate is the fact that Sony may be able to prevail on appeal even if the appellate court refuses to adopt a broad reading of the “in any manner” language. Indeed, Sony can make a compelling case that the term “publication,” when read in context with the policy as a whole, is intended to encompass both first-party and third-party acts.

In focusing narrowly on the language of the advertising injury coverage grant, the Sony court overlooked a “cardinal principal” of insurance law: namely, that an insurance policy “should be read to give effect to all its provisions and to render them consistent with each other.”Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 63 (1995). Had the court taken a more holistic approach, it might have noticed that language in other parts of the policy evidenced the insurers’ intent to cover third-party publications. If Sony’s policy resembled the standard Insurance Services Office, Inc. (“ISO”) CGL policy, its exclusions section was surely riddled with clauses restricting coverage for certain types of injury “caused by or at the direction of the insured.” Only six of the exclusions in the ISO policy are not so qualified, including the absolute pollution exclusion and the exclusion for publications that occur prior to the policy period. It makes sense that insurers would wish to broadly exclude such categories of injury, just as it makes sense that exclusions for intentionally injurious acts would be written narrowly to apply only to the insured’s own actions. These carefully worded exclusions—when read together and in context with the policy as a whole—evidence a conscious decision by Sony’s insurers to exclude some injuries only if caused by the insured, while excluding other types of injury regardless of who, if anyone, is at fault. This, in turn, suggests that the insurers contemplated coverage for third-party acts unless such acts are expressly excluded.

Nowhere is this better illustrated that in the ISO policy’s exclusion for intellectual property infringement. This exclusion purports to broadly bar coverage for injury “arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.” However, this broad exclusion is qualified by the caveat that it “does not apply to infringement,in your ‘advertisement’, [sic] of copyright, trade dress or slogan.” Thus, the exclusion bars coverage in the first instance for all intellectual property infringements irrespective of the identity of the perpetrator, then adds back coverage for certain acts of the insured. This evidences the insurer’s understanding that unless otherwise excluded, the policy affords coverage for advertising injury regardless of who caused it.

At minimum, the fact that the ISO policy exclusions vary with respect to whether they exclude all acts or only first-party acts should be sufficient to raise an ambiguity, thus triggering “the common-law rule of contract interpretation that a court should construe ambiguous language against the interest of the party that drafted it.” Mastrobuono, 514 U.S. at 62. Even if the policy does not unambiguously afford coverage for third-party publications, it is at the very least “susceptible to more than one reasonable interpretation.” Discovision Assocs. v. Fuji Photo Film Co., Ltd., 71 A.D.3d 448, 489 (N.Y. App. Div. 2010) (internal quotation marks and citation omitted). Pointing to ambiguity in the policy as a whole would provide policyholders such as Sony with a more plausible and straightforward avenue to securing coverage for third-party publications than does narrowly parsing the phrase “in any manner.”

The question of whether third-party publications are covered under the typical CGL policy is of crucial importance to policyholders seeking insurance recovery for cyber-crime injuries. Importantly, victory on this point by Sony or another hacking victim would transform Sony into a policyholder-friendly decision, because the Sony court answered the other difficult question presented in the case—whether a data breach represents a “publication”—in favor of coverage. If the appellate court is willing to look past the narrow language of the advertising injury coverage grant and focus on Sony’s policy as a whole, Sony will have a good chance of prevailing on appeal and, in doing so, will set a strong precedent in favor of cyber-crime coverage for hacking victims.

ARTICLE BY

Kami E. Quinn
Miriam Smolen
James Liddell
OF
Gilbert LLP

Forever 21 Faces Point-of-Sale Data Collection Class Action Lawsuit

Covington BUrling Law Firm

Fast fashion retailer Forever 21 Retail Inc. faces a putative class action lawsuit alleging that the retailer violated California law by requesting and recording shoppers’ credit card numbers and personal identification information at the point-of-sale.

Forever 21 shopper Tamar Estanboulian filed the lawsuit on September 7 in U.S. District Court for the Central District of California.  Estanboulian alleges that Forever 21 has a policy requiring its cashiers to request and record credit card numbers and personal identification information from customers using credit cards at the point-of-sale in Forever 21’s retail stores in violation of the Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08.  The complaint further alleges that the retailer pairs the obtained personal identification information with the shopper’s name obtained from the credit card used to make the purchase to get additional personal information.

According to the complaint, Estanboulian purchased merchandise with a credit card at a Forever 21 store in Los Angeles, CA this summer.  The cashier asked Estanboulian for her email address without informing her of the consequences of not providing the information.  Estanboulian alleges that she provided her email address because she believed that it was required to complete the transaction and receive a receipt.  She also claims that she witnessed cashiers asking other shoppers for their email addresses.  Shortly after completing her purchase and leaving the store, Estanboulian received a promotional email from Forever 21.

The proposed Class would include:  “all persons in California from whom [Forever 21] requested and recorded personal identification information in conjunction with a credit card transaction within one (1) year of the filing of this case.”

Forever 21 is not the only retailer that has been hit with a class action lawsuit for its data collection practices at the point-of-sale.  In June 2013, a putative class action was filed in U.S. District Court for the District of Massachusetts against J.Crew Group Inc. alleging that it collected zip codes from customers when they made purchases with credit cards at its Massachusetts stores.  The lawsuit also alleged that J.Crew then used that information to send unsolicited marketing and promotional materials.  The court approved a preliminary settlement in June pursuant to which J.Crew will provide $20 vouchers to eligible class members, up to $135,000 in attorneys’ fees and costs, and up to $3,000 to each of the class representatives.

ARTICLE BY

Morgan Kennedy
OF
Covington & Burling LLP

Google, the House of Lords and the timing of the EU Data Protection Regulation

Mintz Levin Law Firm

(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information.   (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Google started implementing the ruling almost immediately, but only with respect to search results obtained through the use of its country-specific versions of its search engine, such aswww.google.es or www.google.co.uk.  The EU-specific search engine results notify users when some results have been omitted due to EU’s Right to be Forgotten.  (See the Telegraph’s ongoing list of the stories it has published that have been deleted from Google.co.uk’s search results to get a flavor of the sort of search results that have been deleted.)  However, the “generic” version of Google (www.google.com), which is also the default version for users in the US, does not omit the banned results.

Google has been engaged in an ongoing dialogue with EU data protection authorities regarding Google’s implementation of the Google Spain ruling.  According to some media reports, EU officials have complained that Google is implementing the ruling too broadly, allegedly to make a political point, while other commentators have noted that the ruling give Google very few reference points for performing the balancing-of-rights that is required by the ruling.  Perhaps more interestingly, some EU officials want Google to apply the Right to be Forgotten globally (including for google.com results) and without noting that any search results have been omitted (to prevent any negative inferences being drawn by the public based on notice that something has been deleted).  If the EU prevails with regard to removing personal data globally and without notice that the search results contain omissions, critics who are concerned about distortions of the public record and censorship at the regional level will have an even stronger case.   Of course, if truly global censorship becomes legally required by the EU, it seems likely that non-EU governments and organizations will enter the dialogue with a bit more energy – but even more vigorous international debate does not guarantee that the EU would be persuaded to change its views.

The ongoing public debate about the potentially global reach of the Right to be Forgotten is significant enough that it could potentially delay agreement on the final wording of the Data Protection Regulation.  Recently, an important committee of the UK’s House of Lords issued a report deeply critical of the Google Spain decision and the Right to be Forgotten as enshrined in the draft Data Protection Directive. Additionally, the UK’s Minister of Justice, Simon Hughes, has stated publically that the UK will seek to have the Right to be Forgotten removed from the draft Data Protection Regulation.  The impact of the UK’s stance (and the efforts of other Right to be Forgotten critics) on the timing of the adoption of the Regulation remains to be seen.  In the meantime, search companies will continue to grapple with compliance with the Google Spain decision.  Other companies that deal with EU personal data should tune in as the EU Parliament’s next session gets underway and we move inevitably closer to a final Data Protection Regulation. 

ARTICLE BY

Hope S. Foster
 
OF 
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Proskauer Law firm

Cyber risks are an increasingly common risk facing businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Commissioner Aguilar, in the speech delivered as part of the Cyber Risks and the Boardroom Conference hosted by the New York Stock Exchange’s Governance Services department on June 10, 2014, emphasized the responsibility of corporate directors to consider and address the risk of cyber-attacks.  The commissioner focused heavily on the obligation of companies to implement cybersecurity measures to prevent attacks.  He lauded companies for establishing board committees dedicated to risk management, noting that since 2008, the number of corporations with board-level risk committees responsible for security and privacy risks had increased from 8% to 48%.  Commissioner Aguilar nevertheless lamented what he referred to as the “gap” between the magnitude of cyber-risk exposure faced by companies today and the steps companies are currently taking to address those risks.  The commissioner referred companies to a federal framework for improving cybersecurity published earlier this year by the National Institute of Standards and Technology, which he noted may become a “baseline of best practices” to be used for legal, regulatory, or insurance purposes in assessing a company’s approach to cybersecurity.

Cyber-attack prevention is only half the battle, however.  Commissioner Aguilar cautioned that, despite their efforts to prevent a cyber-attack, companies must prepare “for the inevitable cyber-attack and the resulting fallout.”  An important part of any company’s cyber-risk management strategy is ensuring the company has adequate insurance coverage to respond to the costs of such an attack, including litigation and business disruption costs.

The insurance industry has responded to the increasing threat of cyber-attacks, such as data breaches, by issuing specific cyber insurance policies, while attempting to exclude coverage of these risks from their standard CGL policies.  Commissioner Aguilar observed that the U.S. Department of Commerce has suggested that companies include cyber insurance as part of their cyber-risk management plan, but that many companies still choose to forego this coverage.  While businesses without cyber insurance may have coverage under existing policies, insurers have relentlessly fought to cabin their responsibility for claims arising out of cyber-attacks.  Additionally, Commissioner Aguilar’s speech emphasizes that cyber-risk management is a board-level obligation, which may subject directors and officers of companies to the threat of litigation after a cyber-attack, underscoring the importance of adequate D&O coverage.

The Commissioner’s speech offers yet another reminder that companies should seek professional advice in determining whether they are adequately covered for losses and D&O liability arising out of a cyber-attack, both in prospectively evaluating insurance needs and in reacting to a cyber-attack when the risk materializes.

Read Commissioner Aguilar’s full speech here.

ARTICLE BY

Shawn Ledingham
OF
Proskauer Rose LLP

Firewall on the Hill: The Cybersecurity Information Sharing Act

Morgan Lewis logo

U.S. Treasury Secretary Jack Lew is urging Congress to pass legislation to bolster the country’s cyber defenses. The proposed bill—the Cybersecurity Information Sharing Act of 2014 (CISA)—may unleash a brute-force attack in the cyber war, but opposition based on privacy and civil liberties concerns could stop the bill dead in its tracks.

The CISA would enable companies to

  • share information with one another, including an antitrust exemption for the exchange or disclosure of a “cyber threat indicator,” which is broadly defined and includes information that indicates any attribute of a cybersecurity threat;
  • share information with the federal government, including the absence of any waiver of privilege or trade-secret protection and the retained ownership of the disclosed information;
  • launch countermeasures and monitor information systems under broad sets of circumstances, potentially expanding the information to be shared; and
  • monitor and share the information under an umbrella of protection from liability relating to the permitted activities, including a good-faith defense (absent gross negligence or willful misconduct) for activities not authorized by the CISA.

The CISA includes some protections for individuals. Namely, the U.S. Attorney General would develop governing guidelines to limit the law’s effect on privacy and civil liberties. Moreover, companies would be required to remove information that is known to be personal information (and not directly related to a cybersecurity threat) before sharing a cyber threat indicator.

In sum, companies could decide to share a wealth of information with one another and with the federal government if the CISA is passed, when sharing personal information depends on the reach of any future guidelines. If an extensive information-sharing program materializes, and there is at least a perception that sensitive personal information is being shared, companies could feel pressure from customers and advocacy groups to disclose their CISA activities and policies in their privacy statements. Companies should stay informed about developments in cybersecurity legislation, but the potential fallout regarding privacy could substantially weaken or postpone any new system. For every cybersecurity legislative effort, there will be bold countermeasures.

ARTICLE BY

Doneld G. Shelkey
A. Benjamin Klaber
OF:
Morgan, Lewis & Bockius LLP

Wyndham Data Breach Ruling Cleared for Potential Appeal to Third Circuit

COV_cmyk_C

 

U.S. District Court Judge Esther Salas ruled on Monday that the U.S. Court of Appeals for the Third Circuit can review her conclusion that Section 5 of the Federal Trade Commission Act provides the FTC with authority to bring actions arising from companies’ data security violations.

In April of this year, Judge Salas denied Wyndham Hotels and Resorts’ motion to dismiss a FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to provide reasonable security for its customers’ personal information. Although her order is not a final ruling and is not binding on any other judge, it received considerable attention because it was the first time that a court has weighed in on the scope of the FTC’s authority over data security and privacy matters.

Denials of motions to dismiss ordinarily are not immediately appealable, absent permission from both the district court and the court of appeals.  In her ruling on Monday, Judge Salas granted Wyndham’s motion to appeal her order to the Third Circuit.  Judge Salas reasoned that there is substantial grounds for differences of opinion on two issues: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.

If the Third Circuit grants Wyndham’s Petition to Appeal, the appellate court will review the legal conclusions in Judge Salas’s April order.  If the Third Circuit denies the petition, the case will proceed in the district court.  Even if the Third Circuit denies this petition for review, it ultimately may hear an appeal of the outcome of summary judgment proceedings or a trial in this case.

Article By:

Jeff Kosseff
Of:
Covington & Burling LLP