Responding to the Anthem Cyber Attack

Proskauer Rose LLP, Law Firm

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media.  Where HIPAA applies, the notifications will need to be made “without unreasonable delay” and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, “own” the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.


FTC Releases Extensive Report on the “Internet of Things”

Mcdermott Will Emery Law Firm

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;

  • Developing consumer and business education materials in the IoT area;

  • Participation in multi-stakeholder groups considering guidelines related to IoT; and

  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”. This site provides a wealth of advice and resources for businesses on how they can put “security by design” into practice and consider security at every stage of the product development lifecycle for internet-connected devices and things.

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.

It’s Data Privacy Day 2015

Mintz Levin Law Firm

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as connected insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.

  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party sits, the better off a product and company will be.

  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.

  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.

  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.

  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.

  • Deidentify data where possible.  If deidentified data would be sufficient, companies should only maintain such data in a deidentified form and work to prevent reidentification.
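The last bullet is where deidentification most often goes wrong in practice: replacing a serial number or member ID with a plain hash of it is not deidentification when the identifier space is small, because anyone can hash every possible value and match. The example below is added here and is not code from the FTC report or the original post. It assumes a constructed setup: a consumer device reports a six-digit serial with each reading, and the vendor holds a secret key that never ships on the device. It shows the naive hash being reversed by enumeration, and the keyed pseudonym that keeps readings from one device linkable without exposing the serial.

```python
"""Added example, not part of the FTC report or the original post: a keyed
pseudonym beside the naive hash it should replace.

Assumed setup (constructed for this example): a consumer device reports a
six-digit serial number with each reading, and the vendor holds a secret key
that never ships on the device. A plain SHA-256 of the serial is not
deidentified, because the whole serial space can be hashed and matched.
"""
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Tuple

# Constructed sample telemetry: (device serial, blood-pressure reading)
SAMPLE_RECORDS: List[Tuple[str, int]] = [
    ("000042", 118),
    ("482913", 121),
    ("000042", 125),
]

SERIAL_SPACE = 10 ** 6  # six decimal digits: small enough to enumerate


def naive_pseudonym(serial: str) -> str:
    """Unkeyed SHA-256: deterministic and recomputable by anyone."""
    return hashlib.sha256(serial.encode()).hexdigest()


def keyed_pseudonym(serial: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: readings from the same device still
    link to each other, but mapping back to a serial requires the key."""
    return hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()


def deidentify(records: List[Tuple[str, int]], key: bytes) -> List[Tuple[str, int]]:
    """Replace serials with keyed pseudonyms; readings are left as they are."""
    return [(keyed_pseudonym(serial, key), reading) for serial, reading in records]


def reidentify_by_enumeration(
    pseudonym: str,
    hasher: Callable[[str], str],
    serial_space: int = SERIAL_SPACE,
) -> Optional[str]:
    """Attacker's move: hash every possible serial and look for a match.
    Succeeds against naive_pseudonym; fails against keyed_pseudonym unless
    the attacker also has the key."""
    for n in range(serial_space):
        candidate = f"{n:06d}"
        if hmac.compare_digest(hasher(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    leaked = naive_pseudonym("000042")
    print("naive hash recovered:", reidentify_by_enumeration(leaked, naive_pseudonym))
    protected = keyed_pseudonym("000042", key)
    attacker_without_key = lambda s: keyed_pseudonym(s, b"guess")
    print("keyed pseudonym recovered:",
          reidentify_by_enumeration(protected, attacker_without_key, 10_000))
    print(deidentify(SAMPLE_RECORDS, key))
```

Two caveats follow from the code. A keyed pseudonym is reversible by whoever holds the key, so the vendor has pseudonymized the data rather than anonymized it and must protect the key and the mapping accordingly. And the readings themselves (timestamps, locations, a distinctive vital-sign pattern) can act as quasi-identifiers even when the serial is hidden, which is why the FTC pairs deidentification with a commitment not to attempt reidentification.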

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example when information is collected to support the specific purpose for which the device was purchased.

When notice or choice are necessary, the FTC offers several suggestions for how a company might give or obtain them, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a light that flashes when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer has already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.

Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device

Risk-Management-Monitor-Com

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from all devices, across the board, as soon as the employee is marked “terminated” in the HR database. This closes the window between termination and revocation in which remote access could otherwise be abused.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.
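The two points above (HR-driven deprovisioning, and wiping corporate data from personal devices) are one reconciliation problem: for every identity HR no longer vouches for, find every grant still active and revoke it in the form that grant requires. The example below is added here and is not code from the original post. Everything in it is constructed: the roster stands in for an HRIS export, the inventory for what an identity provider, VPN CA and MDM server would report, and the action names are assumptions. It also covers two edge cases the text implies but does not spell out: an account disabled by hand while the phone stayed enrolled, and access held by an identity HR has no record of.

```python
"""Added example, not from the original post: reconciling an HR roster with an
access inventory so a termination in HR revokes every grant the person holds.

Everything here is constructed: the roster stands in for an HRIS export, the
inventory for what an IdP, VPN CA and MDM server would report. A real
integration would replace the dict and list with API calls; the reconciliation
logic is the point.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# What to do to each kind of grant when its owner is gone (assumed names).
REVOKE_ACTION = {
    "account": "disable",
    "session": "terminate",
    "vpn_cert": "revoke",
    "mdm_device": "wipe_work_container",  # corporate container only; personal data stays
}


@dataclass
class Grant:
    employee_id: str
    kind: str         # a key of REVOKE_ACTION
    identifier: str   # username, session id, cert serial or device id
    active: bool = True


# Constructed HR export: employee id -> status as HR records it.
HR_ROSTER: Dict[str, str] = {
    "e1001": "active",
    "e1002": "terminated",
    "e1003": "terminated",
}

# Constructed access inventory. e1003's account was disabled by hand but the
# phone is still enrolled; e9999 holds an account with no HR record at all.
ACCESS_INVENTORY: List[Grant] = [
    Grant("e1001", "account", "alice"),
    Grant("e1002", "account", "bob"),
    Grant("e1002", "session", "sess-91c"),
    Grant("e1002", "vpn_cert", "serial:7F3A"),
    Grant("e1002", "mdm_device", "iphone-bob"),
    Grant("e1003", "account", "carol", active=False),
    Grant("e1003", "mdm_device", "pixel-carol"),
    Grant("e9999", "account", "orphan"),
]


def plan_revocations(roster: Dict[str, str], inventory: List[Grant]) -> List[Grant]:
    """Active grants whose owner HR marks terminated, or whom HR has never heard of.
    Treating 'unknown to HR' as terminated is deliberate: an identity with no HR
    record has nobody vouching for it, so it fails closed."""
    return [
        g for g in inventory
        if g.active and roster.get(g.employee_id, "unknown") != "active"
    ]


def apply_revocations(to_revoke: List[Grant]) -> List[Tuple[str, str, str]]:
    """Mark each grant inactive and return the (kind, identifier, action) log a
    real integration would send to the IdP, VPN CA and MDM server."""
    log: List[Tuple[str, str, str]] = []
    for g in to_revoke:
        g.active = False
        log.append((g.kind, g.identifier, REVOKE_ACTION[g.kind]))
    return log


if __name__ == "__main__":
    plan = plan_revocations(HR_ROSTER, ACCESS_INVENTORY)
    for kind, ident, action in apply_revocations(plan):
        print(f"{action:>20}  {kind:<11} {ident}")
    # A second pass finds nothing: the run is complete only when this is empty.
    print("remaining exposure:", plan_revocations(HR_ROSTER, ACCESS_INVENTORY))
```

Run it on a schedule as well as on each HR change: the scheduled pass is what catches the half-finished offboarding (carol's phone) and the orphaned account that no termination event would ever trigger. Disabling the account alone is not enough, which is why sessions, VPN certificates and MDM enrolments are tracked as separate grants rather than inferred from the account.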

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.


President Obama Seeks to Strengthen and Clarify Cybercrime Law Enforcement

Covington_NL

On Tuesday, President Obama introduced a legislative proposal on privacy and data security that seeks to strengthen and clarify law enforcement’s ability to investigate and prosecute cybercrimes.

The first section of the proposed legislation would expand the definition of “racketeering activity” under the Racketeering Influenced and Corrupt Organizations (“RICO”) Act to include felony offenses under the Computer Fraud and Abuse Act (“CFAA”)—the federal anti-hacking statute.  The second section would amend existing law to deter “the development and sale of computer and cell phone spying devices.”  The third section proposes substantial changes intended to modernize the CFAA.  Finally, the proposal’s fourth section is aimed at strengthening the government’s ability to disrupt and shut down botnets—networks of computers often deployed to commit crimes, such as spreading malware.

Although much of the proposal is modeled off a similar proposal advanced by the White House in 2011, there are key differences, including making clear that it is a crime to access a computer in breach of a use restriction, while at the same time limiting the scope of liability for such access to cases that the Administration believes are serious enough to warrant prosecution under the CFAA.

Updating and Expanding the RICO Act to Include CFAA Offenses

The White House proposal would include felony violations of the CFAA in the definition of “racketeering activity” under the RICO Act.  This would provide for increased penalties for cybercrimes and afford prosecutors the ability to more easily charge certain members of organized criminal groups engaged in computer network attacks and related cybercrimes.

Deterring the Development and Sale of Computer and Cell Phone Spying Devices

The White House proposal seeks to deter the development and sale of computer and cell phone spying devices by instituting two changes.  First, the legislative proposal would amend 18 U.S.C. § 1956 to “enabl[e] appropriate charges for defendants who engage in money laundering to conceal profits from the sale of surreptitious interception devices.”  Second, it would amend 18 U.S.C. § 2513 “to allow for the criminal and civil forfeiture proceeds from the sale of surreptitious interception devices and property used to facilitate the crime.”  This would expand the scope of section 2513, which currently provides for the forfeiture of only the surreptitious devices themselves.

Modernizing the CFAA

According to the White House, the goal of the proposal’s third section is to “enhance [the CFAA’s] effectiveness against attackers on computers and computer networks, including those by insiders.”  The proposed legislation contains several key amendments to various CFAA provisions:

First, the proposal would make access in violation of certain use restrictions an illegal act under the CFAA by amending the definition of “exceeds authorized access” to include instances in which a user accesses a computer with authorization to obtain or alter information “for the purpose that the accessor knows is not authorized by the computer owner.”  Language of this sort would address, at least in part, an existing circuit split on the meaning of the language “exceeds authorized access,” as used in the CFAA.  Some commentators, however, have questioned whether the proposed language will resolve the current ambiguity over the CFAA’s reach.  For example, if an employee accessed a computer for a non-work-related purpose, it would be obvious that the employee would be violating the CFAA (as amended by the White House’s proposed language) if there were a written policy that states “company computers can be accessed only for work-related purposes.”  However, if a non-employee accessed the computer, there may not be a clear violation of the CFAA because the non-employee is not bound by—and thus would not be breaching—the employer’s policy.  As a result, the courts may still have disagreements about the scope of the phrase “exceeds authorized access” even with the new language.

The White House’s proposal would also add a new provision to the CFAA by amending 18 U.S.C. § 1030(a)—the subsection of the CFAA that lists the punishable offenses under the statute.  The added provision would provide new threshold requirements for criminal offenses resulting from users exceeding their authorized access.  The proposal would punish a user who “intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer” if one of three conditions are met: “(i) the value of the information obtained exceeds $5,000; (ii) the offense was committed in furtherance of any felony violation of the laws of the United States or of any State, unless such violation would be based solely on obtaining the information without authorization or in excess of authorization; or (iii) the protected computer is owned or operated by or on behalf of a governmental entity.”  While courts must still interpret the meaning of these conditions, they provide a clearer framework for prosecution of offenses under the statute and, in theory, would constrain the government’s ability to prosecute individuals under the CFAA for minor offenses.

Additionally, the White House proposal would amend the CFAA “to enable the prosecution of the sale of a ‘means of access’ such as a botnet.”  Further, instead of requiring the government to prove “intent to defraud” under this subsection (the intent standard applicable to violations motivated by financial gain), the legislation would require prosecutors only to establish “willfulness,” so as to criminalize unlawful trafficking of access to “other types of wrongdoing perpetrated using botnets” and not just passwords and similar information.

The proposal would also enhance CFAA penalties and enforcement mechanisms by raising penalties for circumventing technological barriers to access a computer (e.g., hacking into or breaking into a computer), and by making such violations felonies carrying a prison term of up to ten years.  This is a significant change from the current law, which allows for either a misdemeanor or a felony carrying a maximum prison term of only five years.  The proposal would also create civil forfeiture procedures, “clarify that the ‘proceeds’ forfeitable [under the CFAA] are gross proceeds, as opposed to net proceeds,” and in appropriate circumstances, allow for the forfeiture of real property used to facilitate offenses under the statute.  And the proposal would clarify “that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses.”

Shutting Down Botnets

Finally, the legislative proposal would add to existing civil remedies by explicitly providing courts with the authority to issue injunctions aimed at disrupting or shutting down botnets.  Under the proposal, the Attorney General would be authorized to seek injunctive relief under 18 U.S.C. § 1345 if the government can show that the criminal conduct alleged would affect 100 or more protected computers during a one-year period.  Criminal conduct under the proposal would include “denying access to or operation of the computers [denial of service attacks], installing unwanted software on the computers [malware], using the computers without authorization, or obtaining information from the computers without authorization.”  The legislation would also protect from liability individuals or entities that comply with court orders and would allow courts to order the government to reimburse those individuals or entities for costs directly incurred in complying with such orders.

This post was written with contributions from Jim Garland.


New Year to Bring Increased Regulatory Focus on Cybersecurity for Financial Institutions

Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 “Report on Cyber Security in the Banking Sector,” the New York Department of Financial Services (the “NYDFS” or the “Department”) has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the “Examination Letter”). Additionally, the Chairman of the federal Commodity Futures Trading Commission (“CFTC”) has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors (“CSBS”) has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.

These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers’ personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.

NYDFS’s Examination Letter

On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department’s new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker, the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.

The new examination procedures are designed to encourage “all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology.” According to Benjamin M. Lawsky, Superintendent of the NYDFS, new procedures are also intended to promote a “laser-like focus on this issue by both banks and regulators” given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.

The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination “First Day Letters” to assist in expediting the Department’s review of financial institutions’ cybersecurity preparedness:

  • Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;

  • Cybersecurity incident detection, monitoring and reporting processes;

  • Resources devoted to information security and overall risk management;

  • The risks posed by shared infrastructure;

  • Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;

  • Information security testing and monitoring, including penetration testing;

  • Training of information security professionals as well as all other personnel;

  • Vetting and management of third-party service providers; and

  • Cybersecurity insurance coverage and other third-party protections.

In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution’s ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:

  • The qualifications of the institution’s Chief Information Security Officer, or the individual otherwise responsible for information security;

  • Copies of the institution’s information security policies and procedures;

  • The institution’s data classification approaches and data access management controls;

  • The institution’s vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;

  • The institution’s patch management program, including how updates, patches and fixes are obtained and disseminated;

  • The institution’s due diligence process regarding information security practices used to vet, select and monitor third-party service providers;

  • Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;

  • The institution’s incident response program, including how incidents are reported, escalated and remediated; and

  • The relationship between information security and the organization’s business continuity program.

The NYDFS’s Examination Letter is essentially a “take-home test” for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is essentially announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.

CFTC’s Increased Focus on Cybersecurity

On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is “perhaps the single most important new risk to financial stability.” As a result, cybersecurity will become an increasingly important aspect of the CFTC’s oversight for futures and swaps markets.

Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.

Although the CFTC does not itself test regulated entities’ systems against its cybersecurity requirements, it reviews the evidence those entities provide to show that the requirements have been satisfied. Chairman Massad testified that the CFTC’s upcoming examinations will focus on the following areas:

  • Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?

  • Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?

  • Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?

  • Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?4

CSBS Guidance for Financial Services Officers and Directors

On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the “CSBS Resource Guide”), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.

Takeaways

In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:

1. Conducting Periodic Cybersecurity Risk Assessments

  • Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;

  • Evaluate effectiveness of current controls in light of identified risks;

  • Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and

  • Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.

2. Evaluating Potential Third-Party Vendor Risks

  • Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;

  • Obtain copies of vendors’ written information security plans or certifications of compliance with applicable standards; and

  • Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.

3. Developing and Periodically Testing a Comprehensive Incident Response Plan

  • Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and

  • Conduct periodic “table top” exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.

1 See http://www.dfs.ny.gov/about/press2014/pr1405061.htm
2 See http://www.americanbanker.com/news/bank-technology/new-york-cybersecurity-exams-will-be-tougher-than-ffiecs-1071603-1.html
3 The NYDFS’s new cybersecurity questions and topics are similar to the comprehensive cybersecurity questionnaire attached to the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ (“OCIE”) Risk Alert, issued on April 15, 2014, as part of the OCIE’s cybersecurity examinations of registered investment advisors and broker-dealers.
4 The NYDFS and the CFTC are certainly not the only banking and financial services regulators that have intensified their focus on cybersecurity. Indeed, during her December 10, 2014 testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Valerie Abend, chair of the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group, said the FFIEC’s interagency cybersecurity guidelines “require banks to develop and implement formal information security programs that are tailored to a bank’s assessment of the risks it faces, including internal and external threats to customer information and any method used to access, collect, store, use, transmit, protect, or dispose of the information.”

Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action

Mintz Levin Law Firm

A recent ruling by Federal District Judge Paul Magnuson will permit most of the consumer claims in the Target data breach litigation to survive Target’s motion to dismiss. This most recent ruling follows on the heels of the court’s December 2 decision partially denying Target’s motion to dismiss the consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach. The late 2013 data theft that gave rise to the consumer and issuer bank claims was caused by malware placed by hackers on Target’s point-of-sale (“POS”) terminals. The malware allowed the hackers to record and steal payment card data as customers’ credit or debit cards were swiped. In the consolidated consumer complaint, 117 named plaintiffs allege that Target wrongfully failed to prevent or timely disclose the data theft. Plaintiffs also contend that Target failed to disclose the purported insufficiency of Target’s data security practices. The consumers assert claims under the laws of 49 states and the District of Columbia for negligence, breach of contract, breach of data notification statutes and violation of state unfair trade practice statutes. The consumer complaint also purports to assert those claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach. The court’s latest ruling rejected arguments by Target as to standing and damages that would have required dismissal of the consumer claims in their entirety. The court did state, however, that Target can revisit the question of whether plaintiffs had sustained actionable injuries after discovery has concluded. And, even though most of the consumer Plaintiffs’ claims survive, the court did rule that certain of the claims alleged under particular states’ laws should be dismissed.
As is true of the court’s denial of Target’s motion to dismiss the issuer banks’ consolidated complaint, the denial of the motion to dismiss does not resolve the merits of the surviving consumer claims.  Like the surviving issuer bank claims, the consumer claims that were not dismissed will now be the subject of extensive discovery and further motion practice relating to class certification and summary judgment.

Court rejects Target’s arguments on standing and injury:  As is common in data breach cases, Target’s primary ground for seeking dismissal of the consumer claims was lack of standing due to the absence of actionable consumer injury.  In its motion to dismiss, Target argued that none of the plaintiffs had alleged a present injury sufficient to establish “case or controversy” standing under Article III of the United States Constitution.  Specifically, Target contended that none of plaintiffs’ alleged present injuries either constituted a present harm to plaintiffs or was fairly traceable to the theft of payment card data.  Target’s central argument was that allegations that unauthorized charges had been made on plaintiffs’ payment cards did not plead actionable injury because plaintiffs did not – indeed, likely could not – allege that such charges had not been or would not be reimbursed by the card issuing banks.  Target further argued that other alleged injuries could not fairly be traced to theft of payment card data because they could only have arisen from unrelated conduct (such as identity theft resulting from a plaintiff’s stolen social security number) or were not fairly traceable to the data theft itself (such as loss of access to funds based on plaintiffs’ own voluntary closing of accounts).

The court gave these arguments cursory treatment. Judge Magnuson disagreed with Target’s injury analysis, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” Target contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . .” The court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.” In so ruling, however, Judge Magnuson merely deferred to another day a decision on whether the injuries alleged were indeed fairly traceable to the alleged wrongdoing. Despite concluding that Plaintiffs’ allegations were “sufficient at this stage to plead standing,” the court nonetheless stated that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.” Thus, it remains open to Target to show that neither Plaintiffs nor putative class members suffered injuries fairly traceable to the data breach.

The court’s finding that Plaintiffs had alleged actionable injuries also supported its denial of Target’s request that the Court dismiss claims asserted under 26 state consumer protection laws that required allegation of pecuniary injury.  Similarly the court rejected Target’s argument that Plaintiffs’ negligence claims should be dismissed for failure to allege cognizable damages.

Court dismisses some state consumer protection law claims; most survive.  Plaintiffs brought unfair or deceptive trade practice claims under the consumer protection statutes of 49 states and the District of Columbia.  The court dismissed claims under Wisconsin law because the subject statute contains no private right of action.  The court also dismissed claims asserted on behalf of absent class members under the consumer protection laws of Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee and Utah, finding that the laws of those states, which preclude the assertion of consumer protection claims by means of a class action, “define the scope of the state-created right” and preclude certification of a class to pursue such claims (quoting Shady Grove Orthopedic Assocs. v. Allstate Ins. Co., 559 U.S. 393, 423 (2010)).  Otherwise, as noted above, Judge Magnuson found that plaintiffs’ allegations, including their allegations of injury, asserted actionable class and individual claims under the remaining states’ consumer protection statutes, and declined to dismiss such claims.

Certain data breach notice claims survive motion to dismiss. Plaintiffs asserted claims against Target under the data breach notification statutes of 38 states, alleging that Target had failed to disclose the data breach as soon as required under those laws. As with plaintiffs’ other claims, the court rejected as premature Target’s argument that plaintiffs had not alleged any actionable damages flowing from alleged violations of state data breach notification statutes. Certain of Target’s arguments for dismissal based on statutory language prevailed. Plaintiffs conceded that the data breach statutes in Florida, Oklahoma, and Utah did not permit a private right of action, and voluntarily withdrew those claims. Where the applicable statutes provided only for enforcement by the state attorney general (as is true in Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada and Texas), the court dismissed Plaintiffs’ claims. Where the remedies available under other states’ laws were non-exclusive or ambiguous, as was the case in Colorado, Delaware, Iowa, Kansas, Michigan and Wyoming, the court declined to dismiss Plaintiffs’ claims. Where applicable state laws were silent as to the authority to enforce the enactment, the court inferred a private right of enforcement in all states except Rhode Island, where controlling authority holds that if a statute does not expressly provide for a private cause of action, such a right cannot be inferred. As to all other states, the court agreed with plaintiffs’ argument that there is either a permissive cause of action or a private right to enforce data breach notification statutes under applicable state consumer protection statutes.

Negligence claims survive where not barred under the economic loss doctrine: Actual damages are a required element of a common law negligence claim. The court’s rejection of Target’s argument that Plaintiffs had failed to allege actionable injury precluded dismissal of Plaintiffs’ negligence claims in their entirety for failure to plead damages. Under certain states’ laws, however, the so-called “economic loss doctrine” requires dismissal of claims for negligence where the alleged injury consists solely of economic loss rather than personal injury or property damage. Following state authority, the court invoked the economic loss doctrine to dismiss negligence claims under Alaska, California, Georgia, Illinois, Iowa and Massachusetts law. The court declined to dismiss negligence claims under District of Columbia, Idaho and New Hampshire law, holding that precedent in those jurisdictions required additional factual development to determine whether there exists any special duty that would vitiate the economic loss doctrine. Finally, the court held that the facts pleaded in the Complaint satisfied the exception to the economic loss doctrine applicable under New York and Pennsylvania law where there is a duty to protect from the specific harm alleged.

Breach of implied contract claims survive: Judge Magnuson held that the existence of an implied contract turns on issues of fact that cannot be resolved at the motion to dismiss stage because a jury could reasonably find that a customer’s use of a credit or debit card to pay at a retailer may include the implied contract term that the retailer “will take reasonable measures to protect the information” on those cards (citing In re Hannaford Bros. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119 (D. Me. 2009)).

Breach of contract claim dismissed without prejudice: The Complaint alleges that Target violated the terms of the card agreement for the Target REDcard, in which Target states that it “use[s] security measures that comply with federal law.” The Complaint, however, fails to specify the federal law with which Target purportedly failed to comply. Accordingly, the court dismissed that claim without prejudice, allowing Plaintiffs leave to replead the claim and specify, if possible, the federal law that had been violated.

Bailment claim dismissed:  A common law bailment claim consists of wrongful failure to return tangible property entrusted to another.  Plaintiffs, however, do not and cannot allege that stolen payment card information was given to Target with expectation of return. Therefore, the court dismissed Plaintiffs’ bailment claim with prejudice.

Unjust enrichment claim survives:  Plaintiffs claim that Target is liable for unjust enrichment because it knowingly received or obtained something of value which in equity and good conscience it should not have received.  This claim is based on two theories.  The first is an “overcharge” theory claiming that Target charges an unearned premium for data security.  The second theory states that class members would not have shopped at Target had Target disclosed alleged deficiencies in its data security.  The court rejected the first theory as unsupported as a matter of law, but concluded, without citation to authority, that the “‘would not have shopped’ theory . . . is plausible and supports their claim for unjust enrichment.”

Significant obstacles remain for consumer claims: The court’s refusal to accept Target’s injury arguments at the motion to dismiss stage does not eliminate Plaintiffs’ burden to prove that consumers suffered actionable losses. Because consumers generally do not have to pay for fraudulent charges on their payment cards, such activity will not provide a basis to establish cognizable damages. Nor is the cost of credit monitoring or other activities associated with avoiding identity theft or adverse credit history likely to provide grounds for proving actionable damages. A majority of courts that have addressed the issue have held that such costs are not actionable as a necessary and reasonable consequence of a payment card data breach. And even where fraud mitigation costs have been treated as cognizable injury, as was the case in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), the trial court nonetheless denied plaintiffs’ motion for class certification because questions of whether individual consumers’ remedial actions were reasonable, and what such actions reasonably should have cost, could not be determined without taking testimony from every member of the class, thereby raising highly individualized issues of fact and law that would preclude trying class members’ claims through proof common to the class as a whole. The parties will have the opportunity to grapple with these issues after discovery has concluded.

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis,1 the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for this high per-account cost is the loss of customers following the data breach: financial services providers continue to be the most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014)2. Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there is a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered.” (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council.

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The resulting report will include a regulatory self-assessment that institutions can use to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks”), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach at a merchant is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status on behalf of card-issuing banks across the country for claims arising out of the compromise of at least 40 million credit and debit cards and the theft of personal information, such as email addresses and phone numbers, affecting up to 110 million people.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

Employer Liability for Employees’ Privacy Violations: What Your Organization Should Learn from Walgreens’ Expensive Lesson (Hint: It Has Little To Do with HIPAA)

Poyner Spruill Law firm

You may already have read the scintillating facts surrounding a jury award of $1.44 million (recently challenged unsuccessfully on appeal) against Walgreen Co. following its pharmacist’s alleged inappropriate review and disclosure of patient records. What caught our attention was not so much the lurid details (the pharmacist was alleged to have looked up her boyfriend’s ex in Walgreens’ patient records, apparently to determine whether the ex might have passed an STD to her boyfriend). The more notable development was an employer footing the bill for a large jury verdict even though the employee violated the company’s policies as well as the law. This alert describes how Walgreens was put on the hook for its employees’ misdeeds, and examines whether a similar rationale could be applied in other privacy contexts (not just HIPAA) to create a new trend in employer liability for employee privacy violations. The implications are significant given the relative lack of success plaintiffs have encountered to-date when attempting to prosecute perceived privacy violations in court.

Employer Liability

Against the pharmacist, the patient pursued state-law claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She sought to hold Walgreens liable through respondeat superior (vicarious liability), and also included direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. While the trial judge dismissed the negligent training claim against Walgreens and the invasion of privacy by intrusion claim against the pharmacist, he allowed the other claims to proceed. The jury returned a general verdict for the patient, finding the pharmacist and Walgreens jointly liable for $1.44 million in damages.

The linchpin of respondeat superior is that an employer can only be held vicariously liable for damage caused by an employee if the employee was acting “within the scope of employment” when the injury occurred. When it appealed the jury verdict, Walgreens seized on this factor and argued that the pharmacist’s actions were outside the scope of employment because she clearly violated Walgreens policy. The appellate court disagreed, citing case law holding an employee’s actions are within the scope of employment if those actions are of the same “general nature” as the actions authorized by the employer, even when the employee’s specific actions are against company policy. The court reasoned that the pharmacist’s improper access of the patient’s records was of the same “general nature” as the actions authorized by Walgreens because the pharmacist took the same steps to access the patient’s records as she would have in properly accessing records of other patients. The pharmacist was authorized to use the Walgreens computer system and printer, handle prescriptions for Walgreens customers, look up customer information on the Walgreens computer system, review patient prescription histories, and make prescription-related printouts. The court found that the pharmacist’s conduct in accessing this patient’s records for personal reasons, while against company policy, was of the same “general nature” as the conduct authorized by Walgreens, and therefore at least some of her actions were within the scope of her employment. Since the pharmacist was acting within the scope of employment, the court affirmed that Walgreens could be held liable under respondeat superior.

Acknowledging Walgreens could not be held vicariously liable unless the pharmacist was also liable, the court turned next to the issue of the jury’s verdict concerning the pharmacist. As the jury returned only a general verdict (which does not indicate the specific grounds on which it made its decision), the court speculated on the theory of liability for the pharmacist, and held that the jury could have properly found the pharmacist liable under a general negligence theory. The key factors in a negligence claim are a duty owed to the plaintiff by the defendant, a breach of that duty by the defendant, causation, and damages. To establish the pharmacist owed a duty to the patient, the court looked to a state law requiring pharmacists to hold patient records and information in the strictest of confidences. Finding this statute to clearly establish that the pharmacist owed a duty of confidentiality to the patient, the court found it unquestionable that the pharmacist’s actions breached that duty, and that the patient sustained at least some damages as a result. Therefore, the court concluded the jury could properly have found the pharmacist directly liable for the breach of confidentiality, and Walgreens vicariously liable for the breach.

Potential Impact

Commentary on this case has largely focused on HIPAA implications, and sometimes the more specific prospect of employer liability for employee HIPAA violations. Importantly, HIPAA was not a factor in the appellate court’s reasoning. Rather, the court looked primarily to state law for privacy expectations and a duty of confidentiality. That distinction creates broader implications for employer liability beyond HIPAA or health care generally.

A multitude of state laws now impose confidentiality, privacy and security obligations. Some are limited to certain professional occupations (e.g., pharmacists, physicians, even <<gasp>> lawyers), but many are more general. For example, many states have enacted requirements to maintain general or specific security measures without regard to industry. In fact, states increasingly read privacy and security obligations into their application of unfair and deceptive trade practices statutes, imposing a duty to maintain privacy and security across sectors and without regard to types of personal information affected.

The Indiana appellate court’s reasoning in the Walgreens’ case clearly suggests that employees owing a statutory duty of confidentiality under state law could be liable for a breach of such duties, and their employers may be vicariously liable for the reasons noted. While some state laws specifically enumerate such duties at the employee level (particularly where a license is held by the individual), it is not clear that distinction made a difference to the court’s rationale, meaning courts applying general privacy or security laws may consider following suit, even if the law does not create duties specifically aimed at employees.

Further, the Indiana appellate court’s broad characterization of what constitutes actions “within the scope of employment” could leave many employers on the hook for large damage awards, even if the underlying employee violation is indisputably against company policy.

While the Walgreens outcome alone may not establish a trend toward more frequent employer liability, it is important to recognize the case may be novel only in the size of the verdict awarded. For example, in 2006, the North Carolina Court of Appeals used similar reasoning to overturn the dismissal of a plaintiff’s negligent infliction of emotional distress claim against a doctor who allegedly allowed his office manager to improperly access the plaintiff’s medical records (Acosta v. Byrum).

What Should You Do?

The Walgreens outcome makes clear that policies, training and other compliance efforts may not indemnify employers against an employee’s breach of confidentiality or privacy. In addition to keeping an eye on further developments that either support or erode this potential liability trend, employers should consider whether broad technical access to systems is necessary and justified. Flat access rights can be necessary, particularly in health care settings where care often trumps privacy as a consideration. However, technical access limitations are the most effective way to demonstrate that employee misdeeds, when orchestrated in violation of systems-based (rather than merely policy-based) access controls, should not be held against the employer because they are clearly outside the scope of employment. Interestingly, the same approach can strengthen employers’ Computer Fraud and Abuse Act claims and can reduce the risk of HIPAA enforcement that may arise from similar facts.
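To make the policy-based versus systems-based distinction concrete, here is an added example (not from the article or from Walgreens): a record store that enforces a treatment-relationship rule in code and records every decision in an audit trail. The rule (a pharmacist may read a record only if they filled a prescription for that patient within a look-back window), the identifiers and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Prescription:
    patient_id: str
    pharmacist_id: str
    filled_on: date


@dataclass
class RecordStore:
    """Patient records plus an append-only audit trail (constructed example)."""
    records: dict                # patient_id -> record text
    prescriptions: list          # Prescription objects
    audit: list = field(default_factory=list)   # (who, whom, decision)

    def lookup_policy_only(self, pharmacist_id, patient_id):
        """Policy-based control: any pharmacist can read any record, so a
        personal lookup is indistinguishable from a legitimate one."""
        self.audit.append((pharmacist_id, patient_id, "allowed"))
        return self.records[patient_id]

    def lookup_system_enforced(self, pharmacist_id, patient_id, today,
                               window_days=180):
        """Systems-based control: the read is allowed only if this pharmacist
        filled a prescription for this patient within the look-back window.
        A denied attempt is logged, giving the employer evidence the access
        was blocked rather than merely forbidden on paper."""
        related = any(
            p.patient_id == patient_id and p.pharmacist_id == pharmacist_id
            and 0 <= (today - p.filled_on).days <= window_days
            for p in self.prescriptions)
        decision = "allowed" if related else "denied"
        self.audit.append((pharmacist_id, patient_id, decision))
        if not related:
            raise PermissionError(
                f"{pharmacist_id} has no treatment relationship with {patient_id}")
        return self.records[patient_id]


def can_read(store, pharmacist_id, patient_id, today):
    """Convenience wrapper: True if the systems-based check allows the read."""
    try:
        store.lookup_system_enforced(pharmacist_id, patient_id, today)
        return True
    except PermissionError:
        return False


def denied_lookups(store):
    """Audit-trail query: which (pharmacist, patient) pairs were blocked."""
    return [(who, whom) for who, whom, d in store.audit if d == "denied"]


def build_demo_store():
    """Constructed data: RPH-1 filled a prescription for PT-100 only."""
    today = date(2014, 6, 1)   # hypothetical 'current' date
    store = RecordStore(
        records={"PT-100": "rx history for PT-100",
                 "PT-200": "rx history for PT-200"},
        prescriptions=[Prescription("PT-100", "RPH-1",
                                    today - timedelta(days=10))])
    return store, today
```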


New State Privacy Laws Go Into Effect on Jan. 1, 2015 (California and Delaware)

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.

Amendments to California’s Data Security and Breach Notification Law

In October 2014, California Governor Jerry Brown signed into law California bill AB 1710, an amendment to California’s existing data security and breach notification law. As a result, the following changes to California’s law will go into effect on Jan. 1:

1. Companies that maintain personal information about Californians will need to implement and maintain reasonable security procedures and practices.

California’s current data security and breach law requires companies that own or license personal information about Californians to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” For purposes of this data security requirement, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

As of Jan. 1, California law will require companies that merely “maintain” personal information about Californians (such as cloud providers), but do not own or license the information, to also implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

2. Companies that maintain personal information about Californians will be required to immediately notify the owner or licensee of the personal information in the event of a breach.

California currently requires companies that own or license personal information to disclose a data breach where it is reasonably believed that unencrypted personal information about a Californian was acquired without authorization. Current law also provides that such disclosure be made “in the most expedient time possible and without unreasonable delay.”

As of Jan. 1, companies that maintain personal information will be required to notify the owner or licensee of the personal information “immediately” after discovery of a breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

For purposes of data breach disclosure, “personal information” includes login credentials (“[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account,”) as well as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

As a reminder, other than for user name and password breaches (discussed below), current California law requires that a breach notification must be written in plain language and must include specific types of information about the breach.

Where the security breach involves the breach of online account information and no other personal information, then California law requires a business to provide the security breach notification in electronic or other form, directing the person whose personal information has been breached to promptly change her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with that business as well as all other online accounts for which the person uses the same name or email address and password or security question or answer.

However, where the security breach involves the breach of login credentials of an email account provided by a business, the business must not send the security breach notification to that email address. Instead, the business may comply with California law by providing notice by hard copy written notice or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an IP address or online location from which the business knows the resident customarily accesses the account.

3. After a breach, companies might be required to provide free identity theft prevention and mitigation services for 12 months.

AB 1710’s co-author stated in a press release that the bill “[r]equires the source of the breach to offer identity theft prevention and mitigation services for 12 months at no cost to individuals affected by a data breach.” However, it is not clear whether this position is supported by the text of the bill, which only states that “if any” identity theft prevention and mitigation services are to be provided, then such services must be provided for 12 months at no cost. An earlier version of the bill had stated that identity theft and mitigation services “shall be provided” to individuals affected by a data breach.

Given the ambiguity of the requirement to provide free identity theft prevention and mitigation services, whether and how this provision will be enforced in 2015 is something to watch.

4. Companies may not sell, advertise for sale, or offer to sell an individual’s social security number.

The amendment also includes a new prohibition on social security numbers. As of Jan. 1, California law will prohibit the sale, the advertisement for sale, and the offer to sell an individual’s social security number. Businesses that own, license, or maintain information on an individual’s social security number will want to keep this new prohibition in mind when contemplating data transfer or broker agreements, or other transactions involving the personal information of Californians.

California’s New Minor Marketing and Privacy Law

California’s “Privacy Rights for California Minors in the Digital World” law (SB 568) (1) bars some online operators from marketing certain products and services to minors, and (2) allows minors under 18 to request deletion of certain content from websites on which they have registered (known informally as the “eraser law”).

1. Restrictions on Marketing to Minors

Operators of websites, online services, online applications, and mobile applications that are directed to minors are prohibited from marketing or advertising the following products and services:

  • Alcoholic beverages

  • Tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance

  • Electronic cigarettes

  • Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A

  • Drug paraphernalia

  • Firearms or handguns, ammunition or reloaded ammunition, handgun safety certificates, BB device

  • Less lethal weapons

  • Dangerous fireworks

  • Aerosol containers of paint capable of defacing property

  • Etching cream capable of defacing property

  • Tanning in an ultraviolet tanning device

  • Dietary supplement products containing ephedrine group alkaloids

  • Tickets or shares in a lottery game

  • Body branding or permanent tattoos

  • Obscene matter

These operators also are prohibited from: (1) knowingly using, disclosing, or compiling a minor’s personal information for the purposes of marketing or advertising any of those prohibited products or services, and (2) knowingly allowing a third party to use, disclose, or compile the minor’s personal information to market or advertise these products or services.

If an operator has actual knowledge that a minor is using the services, the operator may not target marketing or advertising to that minor based on the minor’s personal information.  The operator also may not use, disclose, or compile the minor’s personal information to market or advertise the prohibited products or services, nor may the operator allow a third party to use, disclose, or compile the minor’s personal information for the prohibited products and services.

2. Deletion Requirement

If a minor is a registered user of a website, online service, online application, or mobile application, the operator must allow the minor to remove content and information that the minor had publicly posted on the website, service, or app.  Operators also are required to provide notice of this right to registered minors.

Operators are not required to delete content or information if:

  • Any federal or state law requires the operator to maintain the content or information;

  • The content or information was provided by an individual other than the minor;

  • The content or information is anonymized;

  • The minor did not properly follow the instructions for requesting deletion; or

  • The minor received compensation or consideration for providing the content.

Amendments to California’s Invasion of Privacy Law

California’s Invasion of Privacy law will also receive an update on January 1, 2015. The California Invasion of Privacy law currently prohibits the attempt to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression, when the person is engaged in a personal or familial activity under circumstances where they had a reasonable expectation of privacy. Current California law prohibits the activities described where the attempt to capture is done through a visual or auditory enhancing device. As of January 1, 2015, the above activities will be prohibited when done using any device.

New Delaware Data Destruction Law

Companies conducting business in Delaware will be required to take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information when those records are no longer retained. Destruction may occur by shredding, erasing, or otherwise destroying or modifying the personal identifying information so as to render the information unreadable or indecipherable.

The Delaware law defines personal identifying information as a consumer’s first name or first initial and last name in combination with one of the following: signature; date of birth; social security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number, bank account number, credit card number, or other financial information; or confidential health care information.

Entities subject to the Gramm-Leach-Bliley Act, covered entities subject to HIPAA, and consumer reporting agencies subject to the FCRA are exempt from the new law. Other entities, however, may be subject to private enforcement actions, which allow for the recovery of treble damages. These have the potential to add up quickly, as each record unreasonably disposed of constitutes a violation under the statute. In addition, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice may bring suit in certain circumstances.
