California AG Announces Amendment to the CCPA

On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA), which was enacted in June 2018. If enacted, SB 561 would be the second amendment to the CCPA, following Senate Bill 1121, which Governor Jerry Brown signed into law in September 2018 and which also clarified and strengthened the original version of the law.

As we reported previously, the CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million; (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under the CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the categories of information and third parties to which the information was sold or disclosed;
  • A consumer’s right to opt-out of the sale of personal information by a business and prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB 561’s amendments include:

  • Expands a consumer’s right to bring a private cause of action. Currently, the CCPA provides consumers a private right of action only if their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure because the covered business failed to meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment broadens this provision to grant consumers a private right of action whenever their rights under the CCPA are violated.
  • Removes language that gives businesses the opportunity to cure an alleged violation within 30 days after being notified of alleged noncompliance.
  • Removes language allowing a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the law. Instead, the amendment specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the law.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published. Last month, the California Attorney General’s Office began the CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law.

SB 561 comes just days after AG Becerra, together with Assemblymember Mark Levine, announced Assembly Bill 1130 to strengthen California’s existing data breach notification law. No doubt, California is leading the way in U.S. data privacy and security law.

Jackson Lewis P.C. © 2019.

This post was written by Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi.

Google Fined $57 Million in First Major Enforcement of GDPR Against a US-based Company

On January 21, 2019, Google was fined nearly $57 million (approximately 50 million euros) by France’s Data Protection Authority, CNIL, for an alleged violation of the General Data Protection Regulation (GDPR).[1] CNIL found Google violated the GDPR based on a lack of transparency, inadequate information, and lack of valid consent regarding ad personalization. This fine is the largest imposed under the GDPR since it went into effect in May 2018 and the first to be imposed on a U.S.-based company.

CNIL began investigating Google’s practices based on complaints received from two GDPR consumer privacy rights organizations alleging Google did not have a valid legal basis to process the personal data of the users of its services, particularly for Google’s personalized advertisement purposes. The first of the complaints was filed on May 25, 2018, the effective date of the GDPR.

Following its investigation, CNIL found the general structure of the information required to be disclosed by Google relating to its processing of users’ information was “excessively disseminated across several documents.” CNIL stated the relevant information pertaining to privacy rights was only available after several steps, which sometimes required up to five or six actions. Moreover, CNIL indicated users were not able to fully understand the extent of the processing operations carried out by Google because the operations were described in a “too generic and vague manner.” Additionally, the regulator determined information regarding the retention period was not provided for some data collected by Google.

Google’s process for obtaining user consent to data collection for advertisement personalization was also alleged to be problematic under the GDPR. CNIL stated Google users’ consent was not considered to be sufficiently informed due to the information on processing operations for advertisement being spread across several documents. The consent obtained by Google was not deemed to be specific to any individual Google service, and CNIL determined it was impossible for the user to be aware of the extent of the data processed and combined.

Finally, CNIL determined the user consent captured by Google was not “specific” or “unambiguous” as these terms are defined by the GDPR. By way of example, CNIL noted that Google’s users were asked to click the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” in order to create an account. As a result, the user was required to give consent, in full, for all processing purposes carried out by Google on the basis of that consent, rather than for distinct purposes, as the GDPR requires. Additionally, CNIL noted that the checkbox Google used to capture user consent for ad personalization was “pre-clicked.” The GDPR requires consent to be “unambiguous,” given by a clear affirmative action from the user, which according to CNIL means ticking a box that was not already ticked.

This fine may be appealed by Google, which indicated it remained committed to meeting the “high standards of transparency and control” expected by its users and to complying with the consent requirements of the GDPR. Google indicated it would study the decision to determine next steps. Given Google is the first U.S.-based company against whom a DPA has attempted GDPR enforcement, in combination with the size of the fine imposed, it will be interesting to watch how Google responds.

The GDPR enforcement action against Google should be seen as a message to all U.S.-based organizations that collect the data of citizens of the European Union. Companies should review their privacy policies, practices, and end-user agreements to ensure they are compliant with the consent requirements of the GDPR.


© 2019 Dinsmore & Shohl LLP. All rights reserved.
This post was written by Matthew S. Arend and Jared M. Bruce of Dinsmore & Shohl LLP.

Get a Head Start in 2019 – Leveraging Your Cyber Liability Insurance

As 2019 begins, companies should seriously consider the financial and reputational impacts of cyber incidents and invest in sufficient and appropriate cyber liability coverage. According to a recently published report (RSM US LLP, NetDiligence 2018 Cyber Claims Study (2018)), incidents of lost personal information (such as protected health information) are on the rise and are costing companies significant amounts. Although cyber liability insurance is not new, many companies lack sufficient coverage.

According to the 2018 study, cyber claims are impacting companies of all sizes, with revenues ranging from less than $50 million to more than $100 billion. Further, the average total breach cost alone is $603.9K. This does not include crisis services costs (average $307K), legal costs (defense = $106K; settlement = $224K; regulatory defense = $514K; regulatory fines = $18K), or the cost of business interruption (all costs = $2M; recovery expense = $957K). In addition to these financial costs, the reputational impact of a cyber incident can materially set a company back for a long period after the incident.

Companies can reduce the risk associated with cyber incidents by developing and implementing privacy and security policies, educating and training employees, and building strong security infrastructure. Nevertheless, there is no such thing as 100% security, and companies should therefore consider leveraging cyber liability insurance to offset residual risk. With that said, cyber liability coverage varies across issuers and can contain many carve-outs and other complexities that can prevent or reduce coverage. Stakeholders should therefore review their cyber liability policies to ensure that they understand the terms and conditions of those policies. Key items to evaluate include: coverage levels per claim and in the aggregate, retention amounts, notice requirements, exclusions, and whether liability arising from malicious third-party conduct is sufficiently covered.

While cyber liability insurance will not, by itself, reduce the risk of a cyber incident, it is increasingly a critical component of a holistic risk mitigation strategy given the world we live in.

©2019 Epstein Becker & Green, P.C. All rights reserved.
This post was written by Alaap B. Shah and Daniel Kim from Epstein Becker & Green, P.C.

Pennsylvania Supreme Court Holds Employers Have a Duty to Exercise Reasonable Care to Safeguard Sensitive Personal Information About Their Employees

To date, Pennsylvania has not adopted a comprehensive law specifying how sensitive personal information about individuals must be secured or the protections that holders of this information must use to minimize risk of breach. [1] Pennsylvania only requires that, in the event of a breach, holders of sensitive personal information notify the affected individuals so they can take appropriate precautions against misuse of their information. Pennsylvania does have some laws specific to particular industries, such as health care and insurance, regarding how sensitive personal information may be used or disclosed, but there is no single mandate across all industries obligating holders of sensitive personal information to secure it in any particular way.

Employers, however, are a common denominator among all industries, and recently, the Pennsylvania Supreme Court in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center held that when employers (regardless of the industry, the size of the employer, or the number of employees they hire) require their employees to provide sensitive personal information, such as Social Security numbers, bank accounts, tax returns, or other financial information, those employers have a legal duty to exercise reasonable care to safeguard that information when they store it on an Internet-accessible computer system. [2] Employers who do not exercise reasonable care to safeguard the sensitive personal information may be liable for financial damages to their employees in the event of a breach. [3]

All employers who collect sensitive personal information about their employees and maintain the information electronically on an Internet-accessible system are affected by the court’s decision. The court’s analysis also suggests that, regardless of how the information is stored (i.e., electronically or otherwise), an employer has a duty to exercise reasonable care to safeguard the sensitive personal information it collects about its employees from known threats to the information. This alert examines the court’s holding and identifies questions employers should be asking about their data requests, data security practices, and data-retention policies and procedures, and it offers suggestions for mitigating associated risks that apply regardless of whether employers store the information on an Internet-accessible computer.

What Happened?

UPMC’s Internet-connected computer system was hacked and sensitive personal information about its employees was accessed and stolen. This information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. The hackers used the stolen information to file false tax returns, and affected employees incurred financial damages. As a result, several UPMC employees filed a class-action lawsuit against UPMC on behalf of all 62,000 current and former UPMC employees whose data were accessed and stolen. The employees alleged that:

• UPMC affirmatively required employees to provide certain sensitive personal and financial information (including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information) as a condition of employment.
• UPMC had a duty to exercise reasonable care to protect their employees’ personal and financial information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
• UPMC stored the employees’ sensitive personal information on its Internet-accessible computer system without adopting adequate security measures, such as encryption, adequate firewalls, and an adequate authentication protocol, to safeguard that information, which allowed hackers to access the system and steal the information.
• UPMC breached its duty to exercise reasonable care to protect the information, which allowed hackers to access the system and steal the information.
• UPMC was liable to the employees for the financial damages they incurred resulting from the breach.

UPMC filed preliminary objections to the complaint — Pennsylvania’s form of a motion to dismiss — and asserted that the economic-loss doctrine barred the employees from recovering purely economic damages. Under the economic-loss doctrine, actions sounding in tort require physical injury or property damage in order to recover for a breach of duty. [4] The trial court agreed with UPMC that the economic-loss doctrine barred recovery. [5] The trial court also found that UPMC owed no existing duty to the employees as they alleged, and that courts “should not impose ‘a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.’” [6] The trial court accordingly dismissed the complaint.

The employees appealed to the Pennsylvania Superior Court, and in a split decision, the Superior Court affirmed the trial court’s determination that employers did not owe their employees a duty under Pennsylvania law to exercise reasonable care to safeguard their sensitive personal information. [7] The Superior Court also agreed that the economic-loss doctrine barred recovery. [8] The Superior Court therefore affirmed the trial court’s order sustaining UPMC’s preliminary objections and dismissing the claim. [9]

The Pennsylvania Supreme Court’s Review

The Pennsylvania Supreme Court granted a discretionary appeal to determine the narrow questions of (1) whether an employer in Pennsylvania has a legal duty to use reasonable care to safeguard sensitive personal information about its employees when the employer chooses to store such information on an Internet-accessible computer system, and (2) if so, whether the employees could recover purely financial damages resulting from the breach of the duty. As discussed more fully below, the Supreme Court held that (i) employers have an existing duty to employees under Pennsylvania common law to exercise reasonable care in collecting and storing their sensitive personal information on their computer systems, and (ii) purely financial damages may be recovered if employers fail to exercise reasonable care in securing the sensitive personal information. [10]

First, the Supreme Court disagreed with the lower courts’ analysis that, if employers owed such a duty to exercise reasonable care to safeguard their employees’ sensitive personal information, such duty was a “new, affirmative duty” and was being created solely by the employees’ allegations. [11] In the Supreme Court’s view, the employees’ allegations were simply a “novel factual scenario” to apply an existing duty employers owe to the employees. [12] The Supreme Court stated that, as it has observed previously, “in scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm arising out of the act.’” [13] The Supreme Court concluded that, in this case, the employees alleged such affirmative conduct on the part of UPMC — namely, that “as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.” [14] The Supreme Court also agreed with the employees that “this affirmative conduct resulted in UPMC owing the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” [15]

With respect to the economic-loss doctrine, the Supreme Court held that the decisions relied upon by the trial court and the Superior Court “do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.” [16] Instead, the ability to recover “turns on the determination of the source of the duty plaintiff claims the defendant owed.” [17] In cases where the duty arises outside the context of a contract between the parties, the breach of that duty may be the basis of a negligence claim. [18] According to the Supreme Court, the employees’ allegations in the complaint existed independently from any contractual obligations between the parties. Accordingly, the employees had stated a claim upon which they could recover if their allegations proved to be true.

The Implications of the Court’s Holding for Employers

Private employers in Pennsylvania (regardless of industry) who affirmatively request sensitive personal information from their new or existing employees and who maintain the sensitive personal information on Internet-connected computer systems have an existing duty to exercise reasonable care to safeguard that information. [19] As a result, employers (regardless of size or number of employees) should be evaluating their data collection and maintenance policies and procedures to mitigate the risk of being found not to have exercised reasonable care in safeguarding the information. In particular, employers should be answering the following questions:

1. Is the information really needed? Employers should be able to connect each data request to a legitimate business need (e.g., a legal requirement) and limit the data requested to the minimum amount of data required to achieve that legitimate business purpose. Some data elements are essential: names, addresses, Social Security numbers, and birth dates. This data is necessary to pay employees, to report tax withholdings, and to prevent fraud, among other purposes. Any data being requested from employees that is not absolutely necessary for a legitimate business purpose should be reevaluated and collection discontinued if it is determined to be unnecessary. Unnecessary data should also be deleted.

2. Could any of the information collected and maintained about the employees and determined to be necessary for a legitimate employer-purpose harm employees if it were stolen? To make this determination, employers must have a thorough understanding of precisely what information they maintain about employees. Information such as names and addresses likely does not qualify as sensitive personal information (although there are always exceptions) but financial information does. In order for an employer to be able to show it exercised reasonable care, it must first know the nature of the data in its possession.

3. What are the foreseeable threats of the information being inappropriately accessed or stolen? Information stored electronically is literally under attack. If employers maintain sensitive personal information about their employees electronically (or hire vendors who do so), they must understand these threats and how they might come to fruition. As noted above, however, the Supreme Court’s analysis applies equally to sensitive personal information in other forms, such as paper. If an employer could reasonably foresee that paper records could be misused, the employer likewise has an existing duty to exercise reasonable care to protect them (e.g., locked file cabinets with limited access).

4. Based on the nature of the information and the identified foreseeable threats to it, have appropriate safeguards for protecting the information been identified and implemented? Safeguards may vary depending on the nature of the underlying data and the identified foreseeable risks, although certain security practices have become, or are quickly becoming, fairly standard, and failure to implement them would likely be seen as a failure to exercise reasonable care. At a minimum, employers should be able to demonstrate that people with appropriate experience and knowledge in safeguarding information are involved in these decisions.

5. Have the steps taken to safeguard the information been documented? The Supreme Court’s holding does not impose strict liability on employers in the event they get hacked and sensitive personal information about employees is accessed or stolen. The Supreme Court’s holding requires the exercise of reasonable care to safeguard the information from foreseeable threats. The best way to be able to support that reasonable care was exercised is to document all the steps taken including those listed above.

6. Does the cyber insurance policy cover breaches of employee data? It probably does, but employers should check the scope of coverage and ensure that nothing in the policy excludes the types of financial damages the employees in UPMC experienced.

Conclusion

The Supreme Court’s holding drives home that employers must use reasonable care in the collection of sensitive employee data and adds an incentive for doing so (the risk of incurring economic damages for breach).


NOTES:

[1] Indeed, there is no overarching definition of “sensitive personal information,” but it typically includes personal information that, if acquired inappropriately, could be used to harm the person to whom it belongs, such as a Social Security or driver’s license number coupled with bank account information.
[2] Dittman v. UPMC d/b/a The Univ. of Pittsburgh Med. Ctr. & UPMC McKeesport, No. 43 WAP 2017, slip op. at 1–2 (Pa. Nov. 21, 2018) (herein, “UPMC”).
[3] Id.
[4] See Bilt-Rite v. The Architectural Studio, 866 A.2d 270, 273 (Pa. 2005).
[5] See UPMC, slip op. at 4–5.
[6] See id. at 5 (quoting Bilt-Rite, supra). The trial court also “observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301 – 2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only … and given the Office of the Attorney General the exclusive authority to bring an action for violation of the notification requirement … The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature’s direction.” Id. at 6–7.
[7] Id. at 8–9.
[8] Id. at 7.
[9] Id.
[10] Id. at 1–2.
[11] Id. at 15.
[12] Id. at 10. Indeed, “[c]ommon-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application.” Id. at 15–16. “‘Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.’” Id. at 16 (quoting Scampone v. Highland Park Care Ctr., LLC, 57 A.3d 582, 299 (Pa. 2012)).
[13] Id. at 16 (emphasis added).
[14] Id. (emphasis added).
[15] Id. at 16–17. In arriving at this conclusion, the Supreme Court also rejected UPMC’s argument that “the presence of third-party criminality in this case eliminates the duty it owes to Employees …” Id. at 17. The Supreme Court acknowledged that an actor otherwise owing a duty “cannot be liable for third-party conduct that could ‘conceivably occur.’” Id. at 17. However, the Supreme Court agreed that “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.’” Id. at 17–18 (quoting Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)) (emphasis added).
[16] Id. at 28.
[17] Id.
[18] Id.
[19] The court did not consider whether a cause of action would exist against local or state agencies under the limited waivers of sovereign immunity.


Copyright 2018 K & L Gates
This post was written by Patricia C. Shea of K & L Gates.

Trump Administration Moves to Address Cybersecurity Concerns, Congress Funds Cyber Programs

On September 21, 2018, the Trump Administration released a National Cybersecurity Strategy (“Strategy”), to define its national cybersecurity policy and implement efforts to streamline responsibilities for mitigation and responses to cybersecurity events across federal agencies.  This Strategy also addresses working with the private sector to protect assets, train the workforce and mitigate any future cyber-attacks. 

The National Cybersecurity Strategy, a statement of Administration policy rather than a Presidential directive, builds on prior efforts by the Obama Administration to develop a comprehensive and coherent nationwide strategy to promote cybersecurity across multiple levels of government and among myriad industries.  While other agencies—notably the Departments of Defense and Homeland Security—have issued more narrowly-tailored plans and policies, this is the first major cybersecurity document to apply to the entire federal government.   The Strategy provides an important glimpse into the current Administration’s plan to address the ever-increasing cyber threats to national security imposed by malicious nation-state, non-state, and independent actors.

Specifically, the Strategy identifies four major areas of focus that may be of interest to stakeholders:

  • Supply Chain Risk Management. Through this Strategy, the Administration directs federal agencies to integrate supply chain risk management practices into agency procurement and traditional risk management processes, including the creation of a shared supply chain risk assessment service to reduce duplicative supply chain activities across federal agencies. The Strategy also mandates federal investment in more secure supply chain technologies. Several bills pending before Congress would write supply chain risk management requirements for federal agencies into law, including S. 3085, the “Federal Acquisition Supply Chain Security Act of 2018,” which was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.
  • Strengthening Information Sharing Efforts.  The Strategy commits to strengthen information sharing efforts in order to protect critical infrastructure assets and allow information and communications technology (ICT) providers to respond to malicious cyber activity in a more timely and effective manner.  These actions include sharing threat and vulnerability information with cleared ICT operators, declassifying information as much as possible, and promoting an adaptable, sustainable and secure technology supply chain.
  • Building a Robust Cybersecurity Workforce. The Strategy outlines actions the Administration will take to recruit and retain a highly skilled cybersecurity workforce through the expansion of Federal recruitment and training efforts, while also re-skilling employees into cybersecurity careers. It also will explore the capability of maintaining distributed cybersecurity personnel at the Department of Homeland Security that can be deployed across Federal agencies. Several bills pending before Congress would create a rotation program for government workers focused on cybersecurity. Among them, S. 3437, the “Federal Rotational Cyber Workforce Program Act of 2018,” was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.
  • Deterrence and Offensive Capabilities.  The Strategy authorizes federal agencies to conduct counter-offensive or “hack back” operations against malicious actors.  This continues the Administration’s departure from policies of previous Administrations, including its August decision to rescind Presidential Policy Directive 20, which governed the federal agency approval process for offensive cyber operations.

Recent Congressional Actions on Cybersecurity

In addition to the initiatives specifically outlined above, both chambers of Congress have taken additional steps to address cybersecurity across critical infrastructure sectors. Importantly, Congress agreed to provide funding and direction for the newly created Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within the Department of Energy. The recently enacted FY 2019 Energy and Water Development and Related Agencies Appropriations bill, which was part of a broader funding package signed into law by the President on September 21, 2018, included $120 million for the CESER office and specific direction that funding be applied to research and development focusing on supply chain risks. This research may tackle how IT systems, software, and networks pose legitimate cyber risks to the broader infrastructure they serve, including through malware and unknown software vulnerabilities.

Additionally, this week, the House Energy and Commerce Subcommittee on Energy will hear testimony from Karen Evans, Assistant Secretary for CESER, as part of its “DOE Modernization” hearing series. Committee members are likely to question Ms. Evans on CESER’s role in the implementation of the Strategy, as well as on securing energy infrastructure from cybersecurity threats, public-private partnerships, and electricity grid resilience.

Outlook

The Strategy is the first step for the Administration to define broader cybersecurity threats and begin to develop a cohesive plan to combat cyber-attacks.  The document itself does not contain many specific imminent actions that the Administration will take and questions remain over who within the Trump Administration is personally responsible for coordinating these and other cybersecurity efforts.

The Strategy does, however, identify areas in which the Administration will seek to work with Congress on legislative solutions to promote these goals.  For example, the document specifically references efforts to work with Congress to “update electronic surveillance and computer crime statutes” to better enable law enforcement to deter criminal activity.  Further, the Administration indicates it will work with the Congress to promote education and training opportunities to develop a robust cybersecurity workforce.  Congress has already been intently focused on cyber workforce issues, with a slate of existing bills introduced by members of both parties to strengthen education and training programs in this area, as noted above.

With midterm elections looming in 41 days, both Democrats and Republicans in Congress are preparing their legislative agendas for the 116th Congress, set to convene in January.  Democrats and Republicans alike have indicated that cybersecurity will be at the top of the legislative agenda.  Whether it is through action on election security, autonomous vehicles, electric utility stabilization policies, or other critical infrastructure areas, cybersecurity will continue to be a major topic of discussion through 2019.

This post was written by Tracy A. Nagelbush and Michael Weiner of Van Ness Feldman LLP.


© 2018 Van Ness Feldman LLP

Transferring Cybersecurity Risk: Considerations When Obtaining Cyber Insurance

While procuring cyber insurance is an increasingly important business decision, choosing cyber insurance is not a simple process of merely identifying the amount of coverage desired and then paying for the corresponding premium.  Instead, as set forth below, it presents a matrix of considerations to be explored to ensure receipt of appropriate coverage when needed.

The Importance of Cyber Insurance

In the face of continued and more destructive cyber threats and the advent of more demanding statutory and regulatory requirements, it is critical for a company not only to mitigate risk through comprehensive cybersecurity management but also to transfer that risk by obtaining tailored cyber insurance.  Indeed, more rigorous regulations, along with their attendant financial penalties for noncompliance (such as the EU’s General Data Protection Regulation (“GDPR”), which became effective May 25, 2018, or the NY Department of Financial Services (“NYDFS”) cybersecurity regulation, which was instituted in 2017), are likely to become the norm, not the exception.  These more recent rules and requirements (and the potential expenses and related fines for violating them) also do not apply only when data is lost through an actual breach, but also when data is destroyed or cannot be accessed (ransomware) and when data is improperly collected.  Moreover, cyber risks and costs are indiscriminate and affect all industries.

To offset these serious risks, cyber insurance usually is necessary.  Third-party cyber liability claims are not covered under most general liability policies including the Insurance Service Organization’s industry standard GL form.  Director & Officer liability policies usually exclude cyber liability claims.  Property policies, including the ISO “All Risk” form, typically exclude first party cyber claims.  Limited first party cyber coverage may be available through crime policies, and some Information Technology Industry Errors & Omissions policies afford third party cyber coverage.  In most cases, however, only a cyber policy can assure a company of the desired coverage.  A company has a much better chance for coverage and a prompt resolution of its claim under a cyber policy without the need to resort to litigation.

While cyber insurance has been available since the late 1990s, it is rapidly expanding because of the continued need for a holistic approach to cybersecurity protection.  Indeed, insurance companies expect a surge of business as companies rush to purchase cyber insurance following the arrival of tougher regulations like the GDPR.

Cyber security and liability risks also often involve highly-technical, rapidly evolving information technology issues.  A prospective insured should inquire regarding the cyber experience of its broker, particularly if it is not using a large multi-line producer who has access to an IT consultant or cyber specialist.  Some brokers specialize in cyber insurance, and an insured should consider using a broker who possesses cyber experience.  While “bare bones” cyber coverage is available from authorized or “admitted” insurers, more comprehensive niche cyber coverage often is available only in the surplus lines or “non-admitted” market and can be brokered only by surplus lines producers.

The selection of an insurer is even more important.  In addition to issues of Best’s Financial Quality and Size Ratings, many insurers offer low cost, bare bones third-party coverage, while other insurers offer broader, albeit more expensive, coverage and better claim service.

Cost-wise, premiums will be lower for those companies with comprehensive cyber-risk management plans in place with demonstrated levels of security and internal controls, i.e., better security equals lower risk, which equals more competitive pricing.  A company therefore is further incentivized to ensure it has adequate procedures in place to prevent, detect, investigate, and report data breaches.

The Level of Coverage Needed: Initial Considerations

One of the most important steps in the process of obtaining cyber insurance is to determine what type of coverage a company needs based on reasonably anticipated cyber risks inherent to a company’s business and position in the marketplace.  There are multiple considerations a company should undertake in assessing the kind and amount of coverage needed.

What type of company are you?

A company should consider:

>> its industry and the type of services it offers;

>> the type of data it handles (e.g., financial information, health information, credit information);

>> the makeup of its customers (e.g., whether they include EU citizens); and

>> what regulations it must follow.

Depending upon the kind of data it collects and handles, the company will be subject to a different array of regulations, which should inform the company regarding the type of cyber insurance coverage to be sought.  If a company is a financial institution, it must comply with the privacy rules of the Gramm Leach Bliley Act.  If the company handles personal health information, it will be subject to the privacy requirements of the Health Insurance Portability and Accountability Act, HIPAA.  If the company handles the data of EU citizens, it will be subject to the privacy restrictions (and severe potential penalties) of the GDPR.

First-Party and Third-Party Costs

The company also should think about the kinds of costs it may incur to manage a cyber incident/breach and whether cyber insurance coverage to defer or recoup all of those costs is necessary or prudent.  Such first-party costs can include:

>> forensic investigation costs to determine the source of the cyber incident/ breach and the extent of harm caused

>> remediation costs to rectify any network problem or software deficiencies

>> notification costs to customers whose data was compromised

>> data restoration costs of data stolen, lost, or altered

>> business interruption costs to help restore business functions and to maintain business capabilities while responding to a cyber incident

>> legal costs to evaluate regulatory obligations and assess any liability

>> public relation costs to help maintain and/or restore confidence in the company

Considering these first-party costs, however, is not as straightforward as it may seem.  For instance, assuming a company wants a policy to cover notification costs to advise its customers of a data breach, a company still needs to determine the type of notification it envisions.  Does it merely want to comply with statutory notification requirements or might it want to take a more aggressive approach to notification for customer relation purposes?  And how is the company going to notify its customers?  Email?  Regular mail?  First Class mail?  Similarly, when assessing remediation costs, the company also needs to determine if it wants to provide credit monitoring to its customers and have those costs covered under a cyber policy.  A company must think through these issues to help ensure the right cyber insurance coverage is obtained.

Furthermore, a company may also incur third-party costs as a result of a cyber-event, such as defending against litigation or a regulatory action.  Contemplating cyber coverage for these types of third-party costs also compels additional considerations regarding the extent of coverage desired.  For example, legal fees in defending a claim often can approach or even exceed the ultimate cost of settling the claim.  A company should decide if it wants its litigation costs to erode the policy’s limit of liability, sometimes referred to as being “cost-inclusive,” or whether defense costs should be in addition to the limit of liability.  With regard to a regulatory inquiry, while payment of fines and penalties is unlawful in some jurisdictions and is often excluded from coverage, the company must determine if it wants coverage to include investigatory costs in responding to the governmental inquiry.  Some policies cover up to half of the investigatory costs of responding to a governmental inquiry or subpoena, usually subject to a sublimit on liability.

Do the Provisions of the Policy Ensure the Desired Coverage?

Once a company identifies the coverage it hopes to purchase, it then is essential to carefully consider the specific provisions of a cyber policy to ensure receipt of the level of coverage sought for the cyber risk possibilities reasonably envisioned.  Among the questions when analyzing the policy’s provisions are:

>> When is coverage triggered?

>— Is the policy written on an “occurrence” basis, i.e., the breach must occur during the policy period to be covered, or is it written on a claims-made basis, i.e., the claim must be made and reported during the policy period in order for coverage to be available?

>— If the policy is written on a claims-made basis, does the breach nevertheless have to occur during the policy period, does it merely have to be discovered in the policy period, or both?

>— Is intentional conduct required (by a third-party or malicious company insider) or can coverage be triggered by the negligence of an employee?

>— Is the conduct of a malicious insider to the company covered or must the cyber incident be caused by an outside third-party?

>— Must data have been disseminated outside the company (a breach) or will the policy also cover situations where data is destroyed or cannot be accessed (e.g., ransomware)?

>> What kind of information is covered?

>— How is “personal information” defined?

>— Is “confidential corporate information” covered?

>> Does the policy require minimum security requirements be maintained to protect the company’s computer network and data?

>> What devices are covered?

>— Are only the company’s servers and computers covered?

>— How are mobile devices (laptops, mobile phones, thumb drives) treated?

>— If the company allows employees to use personal devices or work remotely (BYOD – Bring Your Own Device policies), are cyber incidents originating on an employee’s personal device covered?

>> Are cyber breaches or incidents caused by vendors assisting the company (e.g., HVAC, data processors, cloud providers) covered?

>— Would coverage only extend to breaches caused by a vendor on the company’s network?

>— Would coverage extend to a breach of a vendor’s network housing the company’s data?

>> What are the policy provisions regarding notice and defense of a claim?

>— How quickly does the policy require a claim to be reported to the carrier?

>— Whose knowledge of a breach is imputed to the company for the purpose of determining whether a claim has been reported late and whether an exclusion applies?

>— Does the definition of “claim” include responding to a subpoena?

>— Is the defense obligation of the policy a “duty to defend” where the insurer controls the defense and settlement of a claim or does the policy have a duty to advance defense costs, which permits the policyholder to control the defense and settlement of the claim at the cost of the insurer?

>— If the policy has a duty to advance costs, are there limitations on who the company can retain as outside counsel or as a forensic expert?

>— Are regulatory investigations covered?

>— Does the policy cover investigatory costs in responding to a governmental inquiry?

>— Are fines covered?  If so, is the company domiciled in a jurisdiction where indemnification against fines and penalties is not against public policy?

>— How is “regulator” defined?  Does it cover EU regulators?

To be sure, disputes between policyholders and insurance carriers are inevitable, and insurers will attempt to strictly construe policies against coverage.  Courts are just beginning to interpret cyber insurance policy provisions, sometimes coming out on opposite sides of the same issue depending upon the jurisdiction.

For instance, courts have disagreed whether cyber insurance policies cover losses resulting from social engineering, i.e., when a company employee is fraudulently manipulated into wiring out company funds based on what is believed to be a legitimate email authorizing the transfer but what is actually an email initiated by a fraudster.  Insurers may assert that a loss caused by social engineering (also known as business email compromise) is not a direct loss under the computer fraud provisions of a cyber insurance policy.  Carriers attempt to distinguish between fraudulently causing a transfer (via social engineering) and causing a fraudulent transfer (via hacking into a company’s computer network to wire out funds).

Insurers also have sought to disclaim coverage by invoking exclusions for a company’s failure to maintain agreed-upon levels of cybersecurity to protect the company’s network and data.  Courts have been asked to construe cyber policy provisions to determine whether the insured satisfied the policy’s security requirements.  Considering that industry cybersecurity measures are constantly updated, a company should attempt to avoid a situation where a court’s interpretation of policy language and evaluation of a company’s cybersecurity efforts will determine whether it can recoup losses from a cyber event.

Conclusion

As criminals find new and more inventive ways to attack computer systems or fraudulently cause the theft of company funds, a company faces the increased risk of loss, which can result from a combination of illegal activity, imperfect network security, and employee negligence.  As such, a company should undertake a complete strategy to combat cybersecurity-related threats, which includes procuring appropriate insurance coverage to manage reasonably anticipated cyber risks.  Carriers may attempt to dispute claims, so a company must give special attention to cyber policy language to avoid the possibility of coverage being denied.  To help negotiate policy provisions to avoid ambiguities and potential grounds for disputes, a company should explore using an insurance professional to help negotiate a policy with the desired coverage, including identifying additional policy endorsements that may be available to cover certain specific cyber threats.  When procuring cyber insurance, considering the questions and issues outlined above may make the difference between receiving expected cyber coverage and not.


© Copyright 2018 Sills Cummis & Gross P.C.
This post was written by Joseph B. Shumofsky and Thomas S. Novak from Sills Cummis & Gross P.C.

Fake Apps Find Their Way to Google Play!

Over the last two months a string of fake banking apps has hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps, which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched, a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials).
  2. Once the form is completed and submitted, a pop up customer service box is displayed.
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly.
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarmingly revealed that the listing of stolen data on the attacker’s server was accessible to anyone with the link to the data; this means sensitive stolen personal data was available to absolutely anyone who happened to come across it.

Whilst the reality is that any app on your personal smartphone may place your phone and personal data at risk (as discussed here: ‘Research Reports say risks to smartphone security aren’t phoney’), customers can mitigate risk by:

  • only using their financial institution’s official banking apps, which are downloadable from the relevant institution’s official website;
  • paying attention to the ratings and customer reviews when downloading from Google Play;
  • implementing security controls on their smartphone from a reputable mobile security provider; and
  • contacting their financial institution directly to seek further guidance on the particular banking apps in use.

It cannot be overlooked that, whilst Google Play moved quickly to remove the apps, we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

Copyright 2018 K & L Gates.

This post was written by Cameron Abbott and Jessica McIntosh of K & L Gates.


Will Your Company’s Insurance Cover Losses Due to Phishing and Social Engineering Fraud?

Six Tips for Evaluating and Seeking Coverage for Business Email Compromises

If your company fell victim to a business email compromise – a scam that frequently involves hackers fraudulently impersonating a corporate officer, vendor, business partner, or others, getting companies to wire money to the hackers – would your insurance cover your loss?  There is reason to be concerned about this sort of attack, as the FBI has explained that the “scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses” in actual and attempted losses in U.S. dollars.  The good news for policyholders is that courts across the country have been ruling that crime insurance policies should provide coverage for this sort of loss, at least where it is not specifically excluded.

How do business email compromises work?

In early versions of business email compromises, the hackers send emails that appear to be from company executives, discussing corporate acquisitions or other financial transactions, and the emails are received by company employees in the finance department.  See, e.g., Medidata Sols., Inc. v. Federal Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, — F. App’x — (2d Cir. 2018).  The employee is told that the transaction is highly confidential, and that the employee should work closely with an attorney or other financial advisor to help close the deal.  The employee then is told to wire money to cover the costs of the transaction, very often to a foreign country.  Having been defrauded, the employee logs in to an online banking site and approves a wire transfer.

In other versions of a business email compromise, hackers get access to the email accounts of one party, sometimes via a brute force attack, where an attacker breaks into a system by guessing a password, or via a phishing attack, where a user is fooled into typing a username and password into a fraudulent site.  Then, the hacker sends out emails from the compromised account, pretending to be a vendor and asking for payment to be sent to a different bank account.  See, e.g., Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., — F.3d — (6th Cir. 2018).  Again, having been defrauded, the employee has money wired to the fraudster instead of to the vendor.

Will insurance cover losses due to business email compromises?

The answer to whether insurance carriers will cover these losses – without court intervention – is “it depends.”  Recent decisions have ordered insurance carriers to provide coverage.  And the insurance industry has been scrambling to write new endorsements for their insurance policies that the insurance companies say provide coverage for business email compromises.

A common place for seeking coverage for these losses is under crime insurance policies.  Many crime insurance policies include coverage for “computer fraud,” “funds transfer fraud,” or even “computer and funds transfer fraud.”  Exemplar “computer fraud” coverage applies to “direct loss” of money resulting from the fraudulent entry, change, or deletion of computer data, or when a computer is used to cause money to be transferred fraudulently.  Exemplar “funds transfer fraud” coverage applies to “direct loss” of money caused by a message that was received initially by the policyholder, which purports to have been sent by an employee, but was sent fraudulently by someone else, that directs a financial institution to transfer money.  A reasonable policyholder, which fell victim to a fraudulent scheme via a computer, or transferred funds because of a fraudulent scheme, likely would think that computer and funds transfer fraud coverages would apply to the losses.

What have courts said?

Two recent decisions from federal courts of appeal have resulted in coverage under crime policies for business email compromise losses.

The first is the July 6, 2018 opinion issued in Medidata Solutions, Inc. v. Federal Insurance Co., No. 17-2492 (2d Cir.).  The Medidata trial court ruled that a crime insurance policy provides coverage for a fraudulent scheme and wire transfer.  The Court of Appeals for the Second Circuit affirmed the trial court’s decision.  In Medidata, the policyholder’s employees received emails that purported and appeared to be from high level company personnel but were, in fact, sent by fraudsters.  Based on those emails, and messages from purported outside counsel, Medidata wired nearly $5 million to the fraudsters.  It sought coverage under a crime policy that it bought from Chubb that had computer fraud, funds transfer fraud, and other coverages.  The trial court ruled that computer fraud and funds transfer fraud coverages both applied.  It rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds.

On appeal, the Second Circuit ruled that Medidata’s loss was “direct” under the insurance policy language.  “Federal Insurance further argue[d],” as carriers have done in many business email compromise cases, “that Medidata did not sustain a ‘direct loss’ as a result of the spoofing attack, within the meaning of the policy.”  Slip op. at 3.  The Court of Appeals held that because “[t]he spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day,” the loss was direct.  Id.  The court rejected the insurance carrier’s argument that the loss was not direct because “the Medidata employees themselves had to take action to effectuate the transfer”; the employees’ actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”  Slip op. at 3.  The Court of Appeals did not address the trial court’s ruling that funds transfer fraud coverage applied, “[h]aving concluded the Medidata’s losses were covered under the computer fraud provision.”  Id.

Shortly after Medidata was issued, the Sixth Circuit decided on July 13, 2018 that computer fraud coverage applies to losses resulting from a business email compromise in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir.).  There, the policyholder (ATC) wired money to fraudsters, instead of a vendor, because of a business email compromise.  The Sixth Circuit reversed the district court, ruling that the losses are “direct,” covered by crime insurance.

In a decision that will be published, the Court of Appeals held there was “‘direct loss’ [that] was ‘directly caused’ by the computer fraud,” even though the policyholder had engaged in “multiple internal actions” and “signed into the banking portal and manually entered the fraudulent banking information emailed by the impersonator” after receiving the initial fraudulent emails.  Id.

Holding that coverage applied, the Sixth Circuit distinguished the Eleventh Circuit’s decision regarding computer fraud coverage in Interactive Communications v. Great American, No. 17-11712, ___ F. App’x ___, 2018 WL 2149769 (11th Cir. May 10, 2018).  Id. at 9-10.  After the policyholder in American Tooling had “received the fraudulent email at step one,” it “conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.”  The loss occurred at step two; as such, “the computer fraud ‘directly caused’ [the policyholder’s] ‘direct loss.’”  Id. at 10.  By contrast, the Sixth Circuit explained, the policyholder in Interactive Communications only suffered losses at step four in a significantly more complicated chain of events.  See id. at 9-10.

These decisions are great news for policyholders pursuing coverage under crime policies for losses resulting from business email compromises.  And, in light of this new authority, policyholders would be well-advised to examine denial letters carefully, giving due consideration to whether these decisions could be used to argue in favor of coverage.

What options are available to policyholders going forward?

Cynical viewers of insurance history might view the state of coverage as similar to what the industry has done in the past.  That is, initially, cover new claims under “old” policies.  Then, after claims get expensive, hire coverage counsel to tell courts why the carriers must not have meant to cover these new claims (whether the drafting history reflects such an intent or not).  Next, get insurance regulators to approve exclusions purportedly tailored explicitly to the risk, and, at the same time, sell new policy endorsements (often for additional premium) that provide lower limits of coverage for the risk.

That’s what is happening in connection with insurance for business email compromises.  At least one insurance group that drafts crime insurance policies has asked for a definition of computer and funds transfer fraud to be changed, and a new social engineering fraud endorsement to be approved for sale.  Insurers have rolled out these endorsements with limits of coverage that often are capped at low amounts, and might also have high retentions.  These endorsements frequently are available for crime policies and, sometimes, are available for cyberinsurance policies as well.

So what are some options for policyholders trying to structure an insurance program for these risks?  These questions should provide helpful tips:

1. What does the insurance policy include? Policyholders would be well-advised to see whether the insurance program includes social engineering fraud endorsements or coverage parts.

2. What are the applicable limits? Policyholders would be well-advised to check the policy limits that would apply to those coverages.  Binder letters might not disclose a sublimit, and the policyholder might not realize the limit of coverage is lower than the full policy limit until it is too late.

3. Are coverages available under more than one policy? At the time of policy renewal, policyholders would be well-advised to consider asking whether social engineering fraud coverage can be added to a crime program and a cyberinsurance program.

4. Will excess coverage apply, and, if so, when? Policyholders would be well-advised to explore whether excess policies will provide this coverage, and, if so, will “drop down” to attach at the level of any sublimit, to avoid donut holes in the coverage.

5. Will other policy provisions provide coverage, beyond narrow endorsements? If the policyholder faces a claim, policyholders would be well-advised to determine whether other coverages might apply to the losses, notwithstanding a social engineering fraud endorsement.

6. What happens if the insurance carrier says, “no,” or that sublimits apply? If the insurance carrier denies coverage, or tries to apply a sublimit, policyholders would be well-advised to be mindful of the interpretation that two Courts of Appeals have used for computer fraud coverage in similar contexts.


© 2018 BARNES & THORNBURG LLP
This post was written by Scott N. Godes of Barnes & Thornburg LLP.

Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch).  To that end, the authority will review the “records of processing activities” from thirty randomly selected corporations which are located in the Netherlands.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities.  These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used.  While small organizations with fewer than 250 employees are generally exempted, there are several exceptions to the exemption which may still cause this obligation to apply to them as well.

The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.


© 2018 Covington & Burling LLP
This post was written by Kristof Van Quathem of Covington & Burling LLP.

California’s Turn: California Consumer Privacy Act of 2018 Enhances Privacy Protections and Control for Consumers

On Friday, June 29, 2018, California passed comprehensive privacy legislation, the California Consumer Privacy Act of 2018.  The legislation is some of the most progressive privacy legislation in the United States, with comparisons drawn to the European Union’s General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018.  Karen Schuler, leader of BDO’s National Data and Information Governance and a former forensic investigator for the SEC, provides some insight into this legislation, how it compares to the EU’s GDPR, and how businesses can navigate the complexities of today’s privacy regulatory landscape.

California Consumer Privacy Act 2018

The California Consumer Privacy Act of 2018 was passed by both the California Senate and Assembly and quickly signed into law by Governor Brown, hours before a deadline to withdraw a voter-led initiative that could have put in place even stricter privacy regulations for businesses.  This legislation will have a tremendous impact on the privacy landscape in the United States and beyond: it gives consumers much more control over their information, expands the definition of personal information, and lets consumers decide whether companies may sell or share their data.  The law goes into effect on January 1, 2020. You can read more about the California Consumer Privacy Act of 2018 here.

California Privacy Legislation v. GDPR

In many ways the California law is similar to the GDPR; however, there are notable differences, and ways in which the California legislation goes even further.

Karen Schuler, leader of BDO’s National Data & Information Governance practice and former forensic investigator for the SEC, points out:

“the theme that resonates throughout both GDPR and the California Consumer Privacy Act is to limit or prevent harm to its residents. . . both seem to be keenly focused on lawful processing of data, as well as knowing where your personal information goes and ensuring that companies protect data accordingly.”

One way California goes further is in the ability of consumers to prevent a company from selling or otherwise sharing their information.  Schuler says, “California has proposed that if a consumer chooses not to have their information sold, then the company must respect that.” While the GDPR provides data protections for consumers and grants them rights to access, modify and delete their information, there is no precedent under the GDPR for stopping a company from selling consumer data where the company has a legal basis to do so.

In terms of compliance burden, Schuler suggests that companies already in good shape on the GDPR may have a head start on the California legislation; however, there is still a lot of work to do before the law goes into effect on January 1, 2020.  Schuler says, “There are also different descriptions of personal data between regulations like HIPAA, PCI, GDPR and others that may require – under this law – companies to look at their categorizations of data. For some organizations this is an extremely large undertaking.”

Compliance with Privacy Regulations: No Short-Cuts

With these stricter regulations coming into play, understanding data flows is of primary importance for companies. In many ways, GDPR compliance was a wake-up call to the complexity of data privacy issues inside companies.  Schuler says, “Ultimately, we have found that companies are making good strides against becoming GDPR compliant, but that they may have waited too long and underestimated the level of effort it takes to institute a strong privacy or GDPR governance program.”  On how companies build compliance with whatever regulation they are trying to understand and implement, Schuler says, “It is critical companies understand where data exists, who stores it, who has access to it, how it’s categorized and protected.” Additionally, companies across industries are moving toward a culture of mindfulness around privacy and data security, a lengthy process that can involve a lot of training and requires buy-in from all levels of the company.

While the United States still has a patchwork of privacy regulations, including breach notification statutes, this California legislation could be a game-changer.  What is clear is that companies will need to contend with privacy legislation and consumer protections. Understanding the data flows in an organization is crucial to compliance, and it turns out GDPR may have just been the beginning.

This post was written by Eilene Spear.

Copyright ©2018 National Law Forum, LLC.