Category: cybersecurity

E-Verify: North Carolina and Federal Requirements

An article by Jennifer G. Parser of Poyner Spruill LLP regarding E-Verify appeared recently in The National Law Review:

North Carolina’s Rule

Last June, 2011, North Carolina joined the ranks of an increasing number of states requiring the use of E-Verify.  E-Verify is a free internet-based system that allows employers to determine employment authorization by checking an employee’s documentation against Department of Homeland Security (DHS) and Social Security Administration (SSA) databases.  It applies to certain federal contractors, but also is being adopted by states, regardless of federal contracts being involved.

North Carolina counties, cities and public universities were required to register and participate in E-Verify by October 1, 2011. Private sector employers’ participation in E-Verify is phased in more slowly, according to the employer’s size:

  • Employers with 500 or more employees will be required to participate by October 1, 2012;
  • Employers with 100 or more employees will be required to participate by January 1, 2013; and
  • Employers with 25 or more employees will be required to participate by July 1, 2013.

Federal E-Verify Rule

Private businesses in North Carolina are required to verify the employment eligibility of current employees regardless of the above phased-in legislation if the employer has been awarded a federal contract on or after September 8, 2009 that contains the Federal Acquisition Regulation (FAR) E-Verify clause. Such federal contractors must enroll in E-Verify within 30 days of the contract award date regardless of the business’ size. After enrollment, the federal contractor has 90 days to use E-Verify.  The federal contractor must then use E-Verify for new hires within 3 business days of the employee’s start date.

E-Verify must also used for existing employees assigned to work on the  federal contract within 90 days of the federal contract being awarded or within 30 days of the employee’s assignment to work on the federal contract, whichever is later. For existing employees to be required to be  run through E-Verify, the employee must perform substantial work under the federal contract which does not include administrative or clerical functions.  E-Verify does not apply to work that is performed outside the US, if the term of the federal contract lasts less 120 days, or if the federal contract pertains to commercially available off the shelf items.  A “commercially available off the shelf item”, known COTS, is something generally sold in substantial quantities in the open market.  A few examples are computer software, computer hardware and construction materials.  Also, industries that hire agricultural workers for 90 days or less in a 12 month period are exempt from enrolling in Federal E-Verify.

Unless the subcontractor is a supplier and not subject to the E-Verify federal contractor rule, a federal contractor must also ensure that its subcontractors enroll in and use E-Verify if:

  • The prime contract includes the Far E-Verify clause,
  • The subcontract is for commercial or noncommercial services or construction,
  • The subcontract has a value of more than $3,000, or
  • The subcontract includes work performed in the United States.

A Few Important Rules for Any Business Enrolled in E-Verify 

  • Post the notices that the business is now enrolled in E-Verify alongside antidiscrimination notices by the Office of Special Counsel for Immigration-Related Unfair Employment Practices
  • When completing the I-9 form, the employee’s choice of a List B document must contain a photograph in order to be run through E-Verify
  • Do not use E-Verify selectively
  • Do not use E-Verify to pre-screen job applicants; it is used post-hiring
  • Do not ask for additional documentation in the event of a “Tentative Nonconfirmation” by E-Verify: allow the employee time to correct any error by visiting the local SSA office
  • Do not terminate or take adverse action against an employee  who receives a tentative nonconfirmation: allow them time to correct the error

Penalties, Federal- and State-Imposed

There have been substantial fines levied for immigration-related offenses by Immigration and Customs Enforcement (ICE) against employers enrolled in E-Verify, proving enrollment in E-Verify will not save an employer from potential violations.

Civil penalties for violations of  North Carolina’s E-Verify law are assessed by the NC Commissioner of Labor and range from $1,000 to $10,000.

E-Verify Link

Unless already enrolled in E-Verify as a federal contractor or subcontractor or having elected to do so on a voluntary basis, North Carolina employers with 25 or more employees would do well to visit the E-Verify website.  Click here.  At this point, there is time to become acquainted with E-Verify and its enrollment procedures before registration becomes mandatory.

© 2012 Poyner Spruill LLP

FERC Rules on Several Core Reliability Compliance Issues: New Orders Address Cybersecurity, Registration, and Contingency Planning

The National Law Review published an article recently by Stephen M. SpinaJ. Daniel Skees, and John D. McGrane of Morgan, Lewis & Bockius LLP regarding New FERC Rules on Reliability Compliance:

At FERC’s open meeting on April 19, 2012, FERC approved several orders addressing core aspects of Reliability Standards compliance, including cybersecurity Reliability Standards, compliance registration, and contingency planning issues. The newly approved cybsersecurity Reliability Standards significantly increase the scope of facilities subject to those requirements, the compliance registration decisions clarify the jurisdictional boundary between distribution and transmission facilities, and the planning orders represent a rejection of NERC’s approach to planning for firm load loss following a single contingency.

Cybersecurity: FERC Approves Version 4 CIP Reliability Standards

In Order No. 761, FERC approved Version 4 of the Critical Infrastructure Protection (CIP) Reliability Standards. Under Version 4, the risk-based assessment methodology previously used to identify the Critical Assets that must be protected under the CIP Reliability Standards is replaced with a list of “bright-line” criteria for identifying Critical Assets, contained in Attachment 1 to CIP-002-4. These criteria, FERC concluded, “will offer an increase in the overall protection for bulk electric system components that clearly require protection, including control centers.” In the order, FERC established a deadline of March 31, 2013, for NERC to submit the Version 5 CIP Reliability Standards, which will address the remaining directives from Order No. 706, in which FERC approved the original CIP Reliability Standards. The project site for the Version 5 CIP Reliability Standards is located online.

Compliance Registration: FERC Addresses Distribution/Transmission Distinction

In City of Holland, 139 FERC ¶ 61, 055 (2012), FERC rejected the City of Holland, Michigan, Board of Public Works’ appeal of NERC’s decision to register the City of Holland as a Transmission Owner and Transmission Operator. In reaching this decision, FERC rejected the City of Holland’s assertion that its facilities are distribution facilities, and therefore not part of the definition of “Bulk Electric System” and not subject to registration. FERC explained that the City of Holland’s facilities perform a transmission function, transporting power from the City of Holland’s generation facilities or importing power from other sources over high-voltage lines before stepping the voltage down for distribution to end users. In reaching this decision, FERC also thought it relevant that the facilities at issue do not serve load from a single transmission source, can experience bi-directional flows, and are above the voltage level generally considered distribution voltage.

Commissioner Cheryl A. LaFleur dissented on the grounds that this order depends on the fundamental, yet unsettled question of what facilities are considered “local distribution” under Section 215 of the Federal Power Act (FPA) and therefore outside of FERC’s jurisdiction. As explained in Commissioner LaFleur’s dissent, FERC has in the past identified the criteria for identifying local distribution facilities under Section 201(b) of the FPA, which uses language identical to Section 215, but FERC chose not to apply the Section 201(b) criteria in addressing the City of Holland’s appeal. Commissioner LaFleur asserted that if FERC believes that Congress intended to create different classes of local distribution facilities, FERC has the “burden of demonstrating that this is a reasonable interpretation of the statute.”

In U.S. Department of Energy, Portsmouth/Paducah Project Office, 139 FERC ¶ 61,054 (2012), FERC granted the Portsmouth/Paducah Project Office’s appeal of its registration as a Load-Serving Entity (LSE). FERC had previously remanded this registration, and in ruling on NERC’s subsequent decision upholding the registration, concluded that NERC had failed to support registration as an LSE because NERC had not shown that the lessees and contractors working at the Portsmouth/Paducah Project Office are separate end-use customers to whom the Portsmouth/Paducah Project Office provides electricity. FERC explained that the Ohio Valley Electric Corporation, which sells to the Portsmouth/Paducah Project Office under a state retail tariff, is the appropriate LSE.

Contingency Planning: FERC Demands Stringent Criteria for Planned Load Loss Following a Single Contingency

In Order No. 762, FERC rejected NERC’s proposed revisions to “Note b” in TPL-002-0b, which explains when a Transmission Planner or Planning Authority can plan for the interruption of firm load to meet system reliability requirements following a single contingency. Under NERC’s proposal, these entities could plan for load shedding following a single contingency so long as they documented such planning and considered alternative solutions in an open and transparent stakeholder process. FERC concluded that the proposal failed to satisfy FERC’s earlier directives on this issue and did not present an “equally effective and efficient alternative.” According to FERC, the proposed Note b process “is vague, potentially unenforceable and may lack safeguards to produce consistent results.” The parameters for the proposed stakeholder process, FERC concluded, do not provide a meaningful limitation on the ability to curtail firm load following a single contingency. Furthermore, the conditions under which such interruptions are appropriate remain undefined, threatening the basic system performance objectives of the NERC Transmission Planning Reliability Standards, risking system reliability.

In Transmission Planning Reliability Standards, Notice of Proposed Rulemaking, 139 FERC ¶ 61,059 (2012), FERC proposed to remand NERC’s proposal to combine the four current Transmission Planning Reliability Standards into a single new standard, TPL-001-2. According to FERC, footnote 12 to Table 1 in this proposed standard, which governs planning for the interruption of firm load following a single contingency, presents the same concerns as the Note b issues that led FERC to reject a similar proposal in Order No. 762 (described above). This footnote, which only requires a documented plan developed through an open and transparent stakeholder process that considers alternatives, does not define the parameters governing the decision to plan for the loss of firm load following a single contingency. While FERC noted several improvements in the standard, because of concerns with footnote 12, FERC proposed to find that TPL-001-2 does not meet the statutory criteria for approval. Comments will be due 60 days after the Notice of Proposed Rulemaking is published in the Federal Register. In the Notice of Proposed Rulemaking, FERC requested comments on several transmission planning issues in addition to the core concern regarding planned load curtailments.

Copyright © 2012 by Morgan, Lewis & Bockius LLP

White House Report May Have Long-Term Effect on Consumer Privacy and How Companies Do Business

A recent White House report on consumer  data privacy forecasts a multifaceted approach to fulfilling public expectations regarding the protection of consumer’s personal information.  Although it is uncertain if the report will result in new legislation in the near future, the report could have long-term implications for the current regulatory landscape.

In February 2012 the White House released a report detailing the current administration’s position on consumer privacy, entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.  Although it is uncertain if the report will result in new privacy legislation in the near term, the report may still have long-term implications for the current regulatory landscape.

As explained in the report’s Executive Summary, the consumer privacy framework proposed by the administration consists of four key elements: (1) a Consumer Privacy Bill of Rights; (2) a “multistakeholder” process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business  contexts; (3) effective enforcement; and (4) a commitment to increase interoperability with the privacy frameworks of international partners. Below we examine each of these elements.

1. Consumer Privacy Bill of Rights

Building upon Fair Information Practice Principles that were first promulgated by the U.S. Department of Health, Education, and Welfare in the 1970s, the Consumer Privacy Bill of Rights is intended to affirm consumer expectations with regard to how companies handle personal data.2  Although the administration recognizes consumers have “certain responsibilities” to protect their own privacy, it also emphasizes the importance of using personal data in a manner consistent with the context in which it is collected.

In a press release accompanying the release of the report, the White House summarized the basic tenets of the Consumer Privacy Bill of Rights3:

Transparency—Consumers have a right to easily understandable information about privacy and security practices.

Respect for Context—Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.4

Security—Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy—Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

Focused Collection—Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability—Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The outline for the Consumer Privacy Bill of Rights is largely aspirational, in that it does not create any enforceable obligations.  Instead, the framework simply creates suggested guidelines for companies that collect personal data as a primary, or even ancillary, function of their business operations.  As the administration recognizes, in the absence of legislation these are only “general principles that afford companies discretion in how they implement them.”5

Nevertheless, as consumers become more invested in how their personal information is used, a company that disregards the basic tenets of the Consumer Privacy Bill of Rights may be doing so at its own peril.  Although the Consumer Privacy Bill of Rights has not been codified, companies should expect that some iteration of the same principles will ultimately be legislated, or voluntarily adopted by enough industry leaders to render them enforceable by the FTC.  Therefore, companies would be welladvised to make sure they have coherent privacy policies in place now in order to avoid running afoul of guidelines imposed by whatever regulatory framework is implemented later.

2. The “Multistakeholder” Process to Develop Enforceable Codes of Conduct

The report also encourages stakeholders—described by the Administration as “companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups”—to cooperate in the development of rules implementing the principles outlined in the Consumer Privacy Bill of Rights.  Of all the elements comprising the administration’s consumer privacy framework, it is this “multistakeholder” process that will likely see the most activity in coming months.

The report identifies several benefits attributable to this approach6:  First, an open process reflects the character of the internet itself as an “open, decentralized, user-driven platform for communication, innovation and economic growth.”  Second, participation of multiple stakeholders encourages flexibility, speed and creativity.  Third, this approach is likely to producesolutions “in a more timely fashion than regulatory processes and treaty-based organizations.”  Finally, the multistakeholder process allows experts to focus on specific challenges, rather than relying upon centralized authority.

The report contemplates that the multistakeholder process  will be moderated by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), a view echoed by the press release accompanying the report.7  This process will likely present companies whose operations involve the collection of consumer data online—a rapidly expanding category that encompasses far more than just internet businesses—with an opportunity to shape future internet privacy legislation.

NTIA has already initiated the conversation through the issuance of a Request for Public Comments on the administration’s consumer privacy framework.8  NTIA has suggested the first topic for discussion should be a “discrete issue that allows consumers and businesses to engage [in] and conclude multistakeholder discussions in a reasonable timeframe.”9    As  one example, NTIA has suggested stakeholders discuss how the  Consumer Privacy Bill of Rights’ “transparency” principle should be applied to privacy notices for mobile applications.  When one considers that by some estimates the revenue generated by the mobile application market is expected to reach $25 billion over the next four years, it is clear that even this “discrete” issue alone could result in a significant regulatory impact.10

3. Effective Enforcement

The report further suggests that the Federal Trade Commission (FTC) will play a vital role in the enforcement of the consumer privacy protections outlined by the administration and developed during the multistakeholder process.  The administration admits, however, that in the absence of new legislation, the FTC’s authority in the area of consumer privacy may be limited to the enforcement of guidelines adopted by companies voluntarily.

According to the administration, enforcement actions “by the FTC (and State Attorneys General) have established that companies’ failures to adhere to voluntary privacy commitments, such as those stated in privacy policies, are actionable under the FTC Act’s (and State analogues) prohibition on unfair or deceptive acts or practices.”11  Therefore, in the administration’s view, the guidelines developed during the multistakeholder process would be enforceable under the existing statutory framework.

In light of the current election cycle and the resulting political landscape, it seems unlikely Congress will pass new consumer privacy legislation in the near term.  Nevertheless, companies should remain mindful that the FTC—and even state Attorneys General—may become more aggressive in addressing flagrant violations of consumers’ privacy expectations.  For instance, California’s Attorney General has explained that her office intends to enforce an agreement that California reached with Apple and other industry leaders earlier this year.  The agreement would require developers of mobile applications to post conspicuous privacy policies that explain how users’ personal information is gathered and used.

Moreover, the increased attention directed at privacy issues by consumer groups and the public at large suggests an inevitable groundswell of support for new privacy legislation.  As Jon Leibowitz, the chairman of the FTC, explained earlier this week, we could see new privacy legislation early in the term of the next Congress.12

4. A Commitment to Increased Operability

Recognizing that other countries have taken different approaches to data privacy issues, the report also encourages the development of interoperability with regulatory regimes implemented internationally.  The administration has suggested a three-pronged approach to achieving increased operability: mutual recognition, development of codes of conduct through multistakeholder processes and enforcement cooperation.

With respect to mutual recognition, the report identifies existing examples of transnational cooperation in the privacy context.  For example, it cites the Asia-Pacific Economic Cooperation’s voluntary system of Cross Border Privacy Rules and also the European Union’s Data Protection Directive.  It appears that the administration, at least for now, will depend upon companies’ voluntary adoption of these international frameworks.

Just as the administration will rely upon the multistakeholder process to develop domestic codes of conduct, it will adopt the same approach to developing globally applicable rules and guidelines.  Although the administration contemplates this process will be directed by the U.S. Departments of Commerce and State, the report does not provide any details.

Finally, the report explains the FTC will spearhead the U. S. Government’s efforts to cooperate with the FTC’s foreign counterparts in the “development of privacy enforcement priorities, sharing of best practices, and support for joint enforcement initiatives.”13

1  Report at 1. 

2  Although businesses are also “consumers,” the report appears to focus on protecting individuals’ personally identifiable information. 

3  We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of Rights” to Protect Consumers Online, February 23, 2012, Office of the Press Secretary. 

4 To illustrate the “context” principle, the report provides the example of a hypothetical social networking provider.  Users expect that certain biographical information will be collected in order to improve the service; however, if the provider sells the same biographical information to an information broker for advertising purposes, that use is more attenuated from users’ expectations.  Therefore, the latter use is not consistent with the “context” in which the biographical information was provided. 

5  Report at 2. 

6  Report at 23. 

7  We Can’t Wait, February 23, 2012, Office of the Press Secretary (“In the coming weeks, the Commerce Department’s National Telecommunications and Information Administration will convene stakeholders … .”). 

8  Docket No. 120214135-2135-01, February 29, 2012. 

9 Moving Forward with the Consumer Privacy Bill of Rights, Lawrence E. Strickling, Assistant Secretary for Communications and Information, February 29, 2012. 

10 According to Markets & Markets, a market research company and consulting firm. 

11 Report at 29. 

12 U.S. Agency Seeks Tougher Consumer Privacy Rules, The New York Times, March 26, 2012. 

13 Report at 33. 

© 2012 McDermott Will & Emery

The Growing Corporate Threat of Taxpayer Identity Theft Fraud

The National Law Review recently published an article by Latour “LT” Laffferty of Fowler White Boggs P.A. regarding Identity Theft:

Identity theft continues to be a growing problem nationwide, but particularly in Florida which continues to lead the nation per capita in reported incidents of identity theft according to the Federal Trade Commission (FTC), a national clearinghouse for consumer fraud complaints. Taxpayer identity theft fraud, a subset of identity theft in general, is the most prevalent form of identity theft according to the FTC which reported that tax-related identity theft incidents increased from 51,702 in 2008 to 248,357 in 2010. This is a dramatic increase from the 35,000 instances of employment-related identity theft cases reported in 2007.

Taxpayer identity theft fraud involves not only the theft of someone’s identity but also the filing of a fraudulent tax return using the victim’s social security number to receive a tax refund often totaling more than $9,000.00. The IRS identified and prevented the issuance of more than $14 billion in fraudulent refunds in 2011. A 2008 report issued by the Treasury Inspector General for Tax Administration (TIGTA), an IRS watchdog, stated that the prevention of taxpayer identity theft fraud is an employer’s issue involving the security of their systems and data. According to TIGTA, 938,664 of the 2.1 million fraudulent tax returns filed in 2011 involved identity theft and totaled $6.5 billion. The stolen information includes the person’s name, date of birth and social security number or Medicare beneficiary number.

The latest twist, however, is that your own employees are in on the crime as law enforcement agencies are reporting that employees at many businesses that compile personal information are misappropriating and selling the information to thieves who are filing fraudulent tax returns. The Centers for Medicare and Medicaid Services (CMS) issued a Fraud Alert in February 2012 warning healthcare providers that perpetrators are misappropriating the identities of Medicare beneficiaries from “employers, schools, hospitals, and prisons” but any businesses that store personal information are at risk from current or prospective employees. Recent law enforcement arrests report finding suspects with massive quantities of tax refunds and lists of prospective employers to apply for jobs with the specific intent to steal taxpayer identities from their databases.

The reality of this emerging threat is that perpetrators are actually targeting organizations for employment so that they can specifically breach their data security and commit identity theft and aid those committing tax refund fraud. These organizations have both a fiduciary and legal duty to safeguard that personal information, but also a legal duty to notify those consumers who they can reasonably identify that their personal information has been stolen.

©2002-2012 Fowler White Boggs P.A.

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach for approximately 1.5 million credit card customers.  According to astatement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Identity Theft Continues to Top FTC’s List of Consumer Complaints

Recently The National Law Review published an article by Rachel Hirsch of Ifrah Law regarding FTC’s Top Consumer Complaints:

For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.

For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.

Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.

After ID theft, the FTC’s top consumer complaints for 2011 were as follows:

• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair

While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days advance notice of significant changes in terms to allow card users time to shop around for better terms.

With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.

© 2012 Ifrah PLLC

Search Warrant Basics

Recently The National Law Review published an article from Risk Management Magazine a publication of the Risk and Insurance Management Society, Inc. (RIMS) regarding Search Warrants in the Office:

When armed government agents enter your office, seize your computers and talk to your employees, the business day has gotten off to a rough start. It only gets worse when the news shows video of agents in raid jackets carrying your eye-catching, focus group-tested logo. As the days go on, you are busy reassuring customers, vendors and employees that despite early reports and comments made by the government and your competitors, it is all going to be fine and you are going to get back to business as usual.

Presented with this hypothetical situation, many adopt a similar response: it won’t happen to me. But any business that operates in a heavily regulated area or partners with any federal agency needs to appreciate that government inquiries are simply part of operating in that space. The FBI is not the only investigative agency; it is just as likely that the Environmental Protection Agency or the Health and Human Services Office of the Inspector General will be at the front desk with a warrant in hand and a team ready to cart away the infrastructure and knowledge of your business. Will you be ready?

Good planning as part of a regular annual review can help settle nerves, avoid costly mistakes, and put you in the best defensive position should that fateful day come when the feds show up at your door. Follow this five-part plan and you will be much better off.

Summon the Team

Just as the agents did the morning before the search, you need to assemble your response team. The government has specialized people with individual roles and you need to have the same type of team. Some people on your team are there because you want them there. Others make the team because they sit at the reception desk or close to the front door. Either way, they are now on the same team.

The point person on the team has to be the in-house counsel. The agent may not let the receptionist place a series of calls, but the receptionist should be permitted to call the in-house counsel to notify her of the situation. From that point on, the command center shifts from the front desk to counsel’s desk.

The next call should be made from the company’s general counsel to outside criminal counsel. A general litigation or M&A background may be well suited for the company’s general needs, but on this day, the needs are quite different. Outside criminal counsel needs to begin the dialogue with the agent and the prosecutor, and should send someone to the scene if possible.

The response team should also include the heads of IT, security and communications. The IT officer must make sure that, as the search is conducted, intrusion into the system can be minimized so that the business may continue operation. If the IT officer is not permitted to assist with the search, it is critical that he observes all actions taken by the government related to any IT matters. This observation may be valuable at some point in the future if computer records are compromised or lost. This is just as important for information that may tend to show some violation of the law as it is for information that may support defense or a claim of actual innocence. The Computer Crime and Intellectual Property Section of the Criminal Division has produced a manual for the search and seizure of computer records and an expert can help evaluate law enforcement’s compliance with its own approved procedures.

If your company is a manufacturer or scientific production company where the question at issue may be the quality, characteristics or integrity of a product, it is important that you demand an equal sample from the same source and under the same conditions as those taken by the seizing agents. This is important so that your own experts can review a similar sample for your own testing in defense. If this is not possible given the type of product seized, your outside counsel will work with prosecutors and agents to assert your rights to preserve evidence for future testing. Just as the IT expert can be a helpful observer, a technical expert who observes the government sampling can also provide valuable insight into issues related to the sampling that may make a world of difference at some time in the future.

The communications expert is the final member of the team, but no less significant. She can be an important point of contact for media inquiries that will inevitably follow. It is vital to be able to communicate to your customers that you are still performing your daily support and that, as you address this matter, you will never take your eye off the customer’s needs and deadlines. With a disciplined response, many companies will survive a search warrant and government investigation. This process will help ensure that your customers are there for you when you get through this difficult time.

Depending on the size of your company, all of the response team roles may be performed by one or two people. Think of the function of the tasks that need to be accomplished instead of job titles alone. The other factor that you must consider at the outset is what role will these people have in the case going forward. Try and identify people who can perform these tasks but will be outside the case itself. If you know that the company lab has been under investigation, the lab director may be a target of the investigation. If that is the case, you do not want to have that employee serving as your only witness observing the search. Instead, an ideal observer might be the outside counsel’s investigator.

Execute a Pre-Established Plan

An important part of this response is that you have a pre-established plan that can be taught and disseminated instantaneously. The first rule of any plan is to not make matters worse. In this case that means, “Let’s not have anyone arrested for obstruction.” If the search team has a signed search warrant for your address, they have a lawful right to make entry.

Challenging the search warrant is for another day and both state and federal laws prohibit interfering with the execution of a search warrant. This is the time to politely object to the search and document what is happening. With a copy of the search warrant in hand, outside legal counsel may be able to challenge the scope of the search, but that is not an area where the novice should dabble.

While your specialized team members perform their tasks, the company is generally at a standstill while the search continues. Let your team members work and have the rest of your employees go home. You are shut down for the time being just as you would be any other time your business is closed. You do not want to allow employees to wander the halls and interact with agents. Off-hand comments that make it into a law enforcement report may distort the facts and be difficult to explain later.

Make sure that company employees understand what is happening and what their rights are in this situation. It is important to avoid interfering with the actual lawful execution of a search warrant; it is also unlawful to tell your employees to not speak to the agents. If they know they have a right to meet with a company-retained counsel of their own and have a right to remain silent at this point, it may go a long way in calming nerves.

Assert Privilege

This is not a difficult matter to explain, but it is critical: if there are documents that are covered by the attorney/client privilege or any other similar privilege, it is critical that you assert that privilege. One reason for the receptionist to be allowed to call company counsel is that there are materials that are covered by the privilege.

It is critical to make privilege claims at this juncture so that the agents are aware of the assertion and that they formally recognize it. This may simply mean that they put those documents in a different box for review by a team subject to judicial review at a time in the near future or it may mean that the team will review the materials for immediate decisions to be made on scene. Whatever procedure the agents have established can be reviewed later, but if you do not assert privilege now, it changes the options available to you as the proceedings go forward

Record the Search

Given the concerns of civil liability, it is not uncommon for agents to make a video recording of their entry and departure from the scene. Their goal is to document any damage that may have been caused by the lawful execution of the warrant. The agents also want to be able to document their professional execution of the warrant in the event that claims are raised at a later point. But that tape is going to stay in their custody and not be available for your team to review as you prepare the defense.

A video record of the search may provide a key piece of support to the defense that could not possibly be understood on the day of the search. However, this process must be handled in a very unassuming manner and with a clear understanding by the agents that you are doing it, and that, in the event there are undercover officers who are masked, that you will make no effort to record them. In some states, recording voice without consent of all parties is a felony, so this is a matter that you must review with outside counsel when you are developing your procedures for search warrant response. Again, you do not want to do anything to make your situation worse.

Collect Your Own Intelligence

Just as the agents are trying to learn about your operations, they will be giving you valuable information about their own operations and the focus of their investigation. Your first tasks are to determine who is in charge, document the names of the agents in attendance and note all the agencies involved in the search. This is information that you can gather directly by politely asking for the names of the agents and observing the insignia of the agents’ uniforms or badges around their necks.

The other opportunity available to you in this unique situation is the opportunity to listen to the language the agents use, the apparent hierarchy of the agents, and the small bits of casual conversation that may give you valuable insight into the goals of the search. As the day wears on, the agents will feel more comfortable around your response team and they will talk more freely. This is not to suggest that your team should attempt to interrogate the agents, however, because that will open a two-way dialogue that may lead to statements that are difficult to explain or put in context. The suggestion is simply that you serve as an active listener.

Help Establish Rapport

Throughout the day, the agents are going to be forming opinions about your company and your employees. Use this time to make a good impression about your company. A professional, disciplined response in a time of crisis sends a very different message than the one sent by yelling obstructionists. Even though the agents have quite a bit of information about you as their target, it may have all been gathered from third parties. This may be your opportunity to impress them and to help them question the veracity of your accusers. Remember that there will be meetings about your company, your executives and their futures, and the only people in those meetings will be the agents and the prosecutors. You want their memories of this day to weigh in your favor.

Risk Management Magazine and Risk Management Monitor. Copyright 2012 Risk and Insurance Management Society, Inc.

Privacy-on-the-Go: California Attorney General and Major Mobile Application Platforms Agree to Privacy Principles for Mobile Applications

Recently The National Law Review featured an article written by Cynthia J. Larose and Jake Romero of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding Mobile Apps and Privacy:

Application developers have been put on notice by the State of California. It is time to pay attention to user privacy and collection of information from user devices.

In an effort led by the office of California Attorney General Kamala D. Harris, the state has reached an agreement committing the six largest companies offering platforms for mobile applications (commonly referred to as “apps”) to a set of principles designed to ensure compliance with California’s Online Privacy Protection Act. The agreement with Apple Inc., Google Inc., Microsoft Corp., Amazon.com Inc., Hewlett-Packard Co., and Research In Motion Ltd., who collectively represent over 95% of the mobile application market, is significant for two reasons. First, it operates as an acknowledgement that California’s Online Privacy Protection Act applies to app developers as well as platform providers. Second, the agreement may effectively create a minimum standard for disclosures and transparency with regard to the collection of personal information by mobile applications. Because of the global nature of the Internet, the law will apply to every mobile app provided through the six firms’ app stores even though it is a state law.

This alert includes a description of the principles underlying this agreement, as well as certain best practices to help mobile app developers ensure compliance. The full text of the agreement, as well as comments from the Office of the Attorney General, can be accessed online at http://ag.ca.gov/newsalerts/print_release.php?id=2630.

Mobile Applications and Data Privacy

The most recent data from the Pew Research Center shows that 50% of all adult cell phone owners have apps on their mobile phones, a percentage that has nearly doubled over the past two years. This same survey also indicated that approximately 43% of those surveyed purchased a phone on which apps were already installed. Many of these mobile applications, in order to facilitate the functionality of the app, allow the app developer broad access to data held on the user’s mobile device. However, as noted by Attorney General Harris in a press conference announcing the agreement, many mobile applications, including twenty-two of the thirty most popular apps, lack a privacy policy to explain how much of the user’s data is accessible by the developer, and how and with whom that data is shared.

California’s Online Privacy Protection Act provides that “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site,” or in the case of an operator of an online service, make that policy reasonably accessible to those consumers. In entering into this agreement, the six major platform providers have acknowledged that this requirement applies equally to mobile app developers (as “online services”) and the platform providers have agreed to, among other things, implement a means for users to report apps that do not comply with this requirement and a process for investigating and responding to those reports.

The New Privacy Standard and Ensuring Compliance

A likely outcome of this agreement is that compliance with California’s Online Privacy Protection Act will become a minimum standard for the mobile application industry, because even those developers located outside the state of California will likely conclude that it is easier to have a single policy that meets California’s requirements, rather than risk inadvertent non-compliance.

To ensure compliance, developers or providers of mobile apps that collect personal data from users’ mobile devices will be required to have a privacy policy that meets the requirements set forth in Section 22575(b) of California’s Business and Professions Code (as an incorporated portion of the Online Privacy Protection Act, Section 22575(b) can be accessed in full by following the link provided above). Specifically, the privacy policy must:

·         Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

·         If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

·         Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

·         Identify its effective date.

In establishing a compliant privacy policy, an app developer or provider should take great care to ensure that the descriptions and processes contained therein match the actual operations of the company and the information it collects, and the policy should be reviewed periodically by both legal counsel and the app developer’s technical experts so that it can be updated as necessary. The policy should be clear and easy to understand, especially with regard to the collection and sharing of personal data. For those companies who may be affected by this agreement and already have a privacy policy in place, that policy should be reviewed to determine whether it should be updated. Developers and platform providers that do not comply with the law can be prosecuted under California’sUnfair Competition Law and/or False Advertising Law, which has penalties of up to $500,000 per use of the app in violation, Harris said. “If developers do not follow the privacy policies we will sue,” she added.

Anticipated Developments

Per their agreement with Attorney General Harris, the six major mobile app platforms will commence working with app developers to ensure compliance and provide education regarding privacy and data sharing. To increase awareness and promote transparency, mobile app developers will be required, as part of the application submitting an app to the platform, to provide either a link to that developer’s privacy policy, a statement describing the policy, or the full text of the policy itself. In each case, a user who is considering downloading the developer’s app will be provided access to the privacy policy associated with that app prior to downloading it.

The six major platforms have agreed to reconvene within six months to further evaluate any required changes), but no specific timeline has been stated with regard to implementing the changes described above. However, for mobile app developers who hope to continue to be a part of this quickly growing and highly lucrative market, there may not be a more opportune time to take advantage of the resources being provided on both a state and industry level.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Cybersecurity Act of 2012 Introduced

On February 14, a bipartisan group of senators introduced to the U.S. Senate the Cybersecurity Act of 2012, under which the Department of Homeland Security (DHS) would assess the risks and vulnerabilities of critical infrastructure systems and develop security performance requirements for the systems and assets designated as covered critical infrastructure. The bill is sponsored by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), committee ranking member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). As explained in the statement announcing the measure, “[t]he bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.”

Infrastructure Protection Obligations

Title I of the bill provides the key provisions of the critical infrastructure protection obligations that would be imposed by the bill. Under Title I, DHS, in consultation with entities that own or operate critical infrastructure, the Critical Infrastructure Partnership Advisory Council, the Information Sharing and Analysis Organizations, and other appropriate state and local governments, is required to conduct an assessment of cybersecurity threats, vulnerabilities, and risks to determine which sectors pose the most significant risk. Once the sectors have been prioritized based on risk, DHS, along with the other agencies and organizations, must conduct a cybersecurity risk assessment of the critical infrastructure in each sector. These risk assessments must consider the actual or assessed threat, the threatened harm to health and safety, the threat posed to national security, the risk of damage to other critical infrastructure, the risk of economic harm, and each sector’s overall resilience, among other factors. In conducting these assessments, DHS is called upon to cooperate with owners and operators of critical infrastructure.

DHS, in conjunction with the same agencies and organizations, must also develop procedures that will be used to designate certain critical infrastructure at the system or asset level as “covered critical infrastructure,” therefore making those systems and assets subject to the cybersecurity requirements developed under the bill. This infrastructure is to be identified based on an analysis of whether damage or unauthorized access to the system or asset could result in any of the following:

  • Harm to life-sustaining services that could result in mass casualties or mass evacuation
  • Catastrophic economic damage to the United States
  • “Severe degradation” of national security

Technology products themselves or services provided in support of such products may not be designated as covered critical infrastructure based solely on the finding that the products are capable of being used in covered critical infrastructure.

Following the identification of covered critical infrastructure, DHS must also develop, on a sector-by-sector basis, cybersecurity performance requirements that require the owners of covered critical infrastructure to remediate the cybersecurity risks identified through the risk assessment performed by DHS for that sector. The bill requires that, in establishing the performance requirements, DHS have a process through which it considers performance requirements proposed by asset owners, voluntary standards development organizations, and other groups, as well as existing industry practices, standards, and guidelines. If DHS determines that the existing or proposed performance requirements are insufficient, DHS is required to develop performance requirements on its own.

Once the covered critical infrastructure is identified and the performance requirements defined, asset owners will be required to take steps to secure the covered critical infrastructure assets and systems, and to that end the bill tasks DHS with promulgating regulations to require covered critical infrastructure owners to do the following:

  • Receive notifications of cybersecurity risks
  • Implement cybersecurity protections that the owner “determines to be best suited to satisfy” the performance requirements
  • Maintain continuity of operations and incident response plans
  • Report cybersecurity incidents

Each owner of covered critical infrastructure will be required to certify yearly that it has implemented cybersecurity protections sufficient to satisfy DHS’s approved security performance requirements or to submit a third-party assessment regarding compliance with those performance requirements that satisfies certain standards for the training, certification, and independence of the assessors.

The bill provides that DHS may exempt from the performance requirements any system or asset if the owner can demonstrate that the system or asset is sufficiently protected against the risks identified by DHS or that compliance with the performance requirements would not “substantially” improve the security of the system or asset.

Enforcement

The enforcement regime proposed by the bill provides that any federal agency with responsibility for security of the covered critical infrastructure at issue may enforce the regulations. However, DHS itself may enforce the regulations (i) if there is no other appropriate agency, (ii) if DHS is requested to do so by the agency with responsibility for the security of the covered critical infrastructure in question, or (iii) if the agency with responsibility for the security of the covered critical infrastructure fails to take enforcement action as requested by DHS. Civil penalties are available for violations of section 105 of the bill, under which the performance requirements are established. However, no private right of action would exist.

Owners and operators of covered critical infrastructure would be exempt from punitive damages related to identified cybersecurity risks so long as they have implemented security measures that satisfy the performance requirements, are substantially compliant with the performance requirements, and have completed the annual assessments.

Avoiding Duplicative Regulation

While the cybersecurity obligations imposed by this bill would be far-reaching and could conceivably overlap with the Critical Infrastructure Protection (CIP) Reliability Standards approved by the Federal Energy Regulatory Commission (FERC) for certain bulk-power system infrastructure, the bill attempts to carve out existing cybersecurity protections, and provides several mechanisms to ensure that critical infrastructure that is already regulated will not receive duplicative regulation under this proposal.

When developing performance requirements, DHS is required to determine whether there are existing regulations in effect that cover the identified critical infrastructure and address the risks identified by DHS. If such regulations are in place, DHS is instructed to develop performance requirements only if the existing regulations do not provide an appropriate level of security. This will likely require an analysis of the existing CIP Reliability Standards by DHS, including an analysis of whether those standards cover all of the covered critical infrastructure for the electric sector identified by DHS, and whether those standards provide a sufficient level of security to protect against the risks identified by DHS.

Another method by which the existing CIP Reliability Standards framework may remain unchanged is the presidential exemption authority provided under the bill. Pursuant to that provision, the President is authorized to exempt critical infrastructure from these requirements if the appropriate “sector-specific regulatory agency” (FERC for electric infrastructure) “has sufficient specific requirements and enforcement mechanisms to effectively mitigate” the risks identified by DHS.

Additionally, DHS and the other “sector-specific agencies” with responsibility for regulating critical infrastructure security are required to coordinate their efforts to eliminate duplicative reporting or compliance requirements. Similarly, any new rules developed by sector-specific agencies must be coordinated with DHS to ensure that they are consistent with DHS’s efforts.

Copyright © 2012 by Morgan, Lewis & Bockius LLP.