Pennsylvania Supreme Court Holds Employers Have a Duty to Exercise Reasonable Care to Safeguard Sensitive Personal Information About Their Employees

To date, Pennsylvania has not adopted a comprehensive law specifying how sensitive personal information about individuals must be secured or the protections that holders of this information must use to minimize risk of breach. [1] Pennsylvania only requires that, in the event of a breach, holders of sensitive personal information notify the affected individuals so they can take appropriate precautions against misuse of their information. Pennsylvania does have some laws specific to particular industries, such as health care and insurance, regarding how sensitive personal information may be used or disclosed, but there is no single mandate across all industries obligating holders of sensitive personal information to secure it in any particular way.

Employers, however, are a common denominator among all industries, and recently, the Pennsylvania Supreme Court in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center held that when employers (regardless of the industry, the size of the employer, or the number of employees they hire) require their employees to provide sensitive personal information, such as Social Security numbers, bank accounts, tax returns, or other financial information, those employers have a legal duty to exercise reasonable care to safeguard that information when they store it on an Internet-accessible computer system. [2] Employers who do not exercise reasonable care to safeguard the sensitive personal information may be liable for financial damages to their employees in the event of a breach. [3]

All employers who collect sensitive personal information about their employees and maintain the information electronically on an Internet-accessible system are affected by the court’s decision. The court’s analysis also suggests that, regardless of how the information is stored (i.e., electronically or otherwise), an employer has a duty to exercise reasonable care to safeguard the sensitive personal information it collects about its employees from known threats to the information. This alert examines the court’s holding and identifies questions employers should be asking about their data requests, data security practices, and data-retention policies and procedures, and it offers suggestions for mitigating associated risks that apply regardless of whether employers store the information on an Internet-accessible computer.

What Happened?

UPMC’s Internet-connected computer system was hacked and sensitive personal information about its employees was accessed and stolen. This information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. The hackers used the stolen information to file false tax returns, and affected employees incurred financial damages. As a result, several UPMC employees filed a class-action lawsuit against UPMC on behalf of all 62,000 current and former UPMC employees whose data were accessed and stolen. The employees alleged that:

• UPMC affirmatively required employees to provide certain sensitive personal and financial information (including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information) as a condition of employment.
• UPMC had a duty to exercise reasonable care to protect its employees’ personal and financial information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
• UPMC stored the employees’ sensitive personal information on its Internet-accessible computer system without adopting adequate security measures, such as encryption, adequate firewalls, and an adequate authentication protocol, to safeguard that information, which allowed hackers to access the system and steal the information.
• UPMC breached its duty to exercise reasonable care to protect the information, which allowed hackers to access the system and steal the information.
• UPMC was liable to the employees for the financial damages they incurred resulting from the breach.

UPMC filed preliminary objections to the complaint — Pennsylvania’s form of a motion to dismiss — and asserted that the economic-loss doctrine barred the employees from recovering purely economic damages. Under the economic-loss doctrine, actions sounding in tort require physical injury or property damage in order to recover for a breach of duty. [4] The trial court agreed with UPMC that the economic-loss doctrine barred recovery. [5] The trial court also found UPMC owed no existing duty to the employees as they alleged, and that “courts should not impose ‘a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.’” [6] The trial court accordingly dismissed the complaint.

The employees appealed to the Pennsylvania Superior Court, and in a split decision, the Superior Court affirmed the trial court’s determination that employers did not owe their employees a duty under Pennsylvania law to exercise reasonable care to safeguard their sensitive personal information. [7] The Superior Court also agreed that the economic-loss doctrine barred recovery. [8] The Superior Court therefore affirmed the trial court’s order sustaining UPMC’s preliminary objections and dismissing the claim. [9]

The Pennsylvania Supreme Court’s Review

The Pennsylvania Supreme Court granted a discretionary appeal to determine the narrow questions of (1) whether an employer in Pennsylvania has a legal duty to use reasonable care to safeguard sensitive personal information about its employees when the employer chooses to store such information on an Internet-accessible computer system, and (2) if so, whether the employees could recover purely financial damages resulting from the breach of the duty. As discussed more fully below, the Supreme Court held that (i) employers have an existing duty to employees under Pennsylvania common law to exercise reasonable care in collecting and storing their sensitive personal information on their computer systems, and (ii) purely financial damages may be recovered if employers fail to exercise reasonable care in securing the sensitive personal information. [10]

First, the Supreme Court disagreed with the lower courts’ analysis that, if employers owed such a duty to exercise reasonable care to safeguard their employees’ sensitive personal information, such duty was a “new, affirmative duty” and was being created solely by the employees’ allegations. [11] In the Supreme Court’s view, the employees’ allegations were simply a “novel factual scenario” to apply an existing duty employers owe to the employees. [12] The Supreme Court stated that, as it has observed previously, “in scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm arising out of the act.’” [13] The Supreme Court concluded that, in this case, the employees alleged such affirmative conduct on the part of UPMC — namely, that “as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.” [14] The Supreme Court also agreed with the employees that “this affirmative conduct resulted in UPMC owing the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” [15]

With respect to the economic-loss doctrine, the Supreme Court held that the decisions relied upon by the trial court and the Superior Court “do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.” [16] Instead, the ability to recover “turns on the determination of the source of the duty plaintiff claims the defendant owed.” [17] In cases where the duty arises outside the context of a contract between the parties, the breach of that duty may be the basis of a negligence claim. [18] According to the Supreme Court, the employees’ allegations in the complaint existed independently from any contractual obligations between the parties. Accordingly, the employees had stated a claim upon which they could recover if their allegations proved to be true.

The Implications of the Court’s Holding for Employers

Private employers in Pennsylvania (regardless of industry) who affirmatively request sensitive personal information from their new or existing employees and who maintain the sensitive personal information on Internet-connected computer systems have an existing duty to exercise reasonable care to safeguard that information. [19] As a result, employers (regardless of size or number of employees) should be evaluating their data collection and maintenance policies and procedures to mitigate the risk of being found not to have exercised reasonable care in safeguarding the information. In particular, employers should be answering the following questions:

1. Is the information really needed? Employers should be able to connect each data request to a legitimate business need (e.g., a legal requirement) and limit the data requested to the minimum amount of data required to achieve that legitimate business purpose. Some data elements are essential: names, addresses, Social Security numbers, and birth dates. This data is necessary to pay employees, to report tax withholdings, and to prevent fraud, among other purposes. Any data being requested from employees that is not absolutely necessary for a legitimate business purpose should be reevaluated and collection discontinued if it is determined to be unnecessary. Unnecessary data should also be deleted.

2. Could any of the information collected and maintained about the employees and determined to be necessary for a legitimate employer purpose harm employees if it were stolen? To make this determination, employers must have a thorough understanding of precisely what information they maintain about employees. Information such as names and addresses likely does not qualify as sensitive personal information (although there are always exceptions), but financial information does. In order for an employer to be able to show it exercised reasonable care, it must first know the nature of the data in its possession.

3. What are foreseeable threats to the information being inappropriately accessed or stolen? Information being stored electronically is literally under attack. If employers maintain sensitive personal information about their employees electronically (or employers hire vendors who do so), they must understand these threats and how they might come to fruition. As noted above, however, the Supreme Court’s analysis applies equally to sensitive personal information in other forms, such as paper. If an employer could reasonably foresee that the paper records could be misused, the employer likewise has an existing duty to exercise reasonable care to protect them (e.g., locked file cabinets with limited access).

4. Based on the nature of the information and the identified foreseeable threats to that information, have appropriate safeguards to protect the information been identified and implemented? Safeguards may vary depending on the nature of the underlying data and the identified foreseeable risks, although certain security practices have become or are quickly becoming fairly standard, and failure to implement them would likely be seen as a failure to exercise reasonable care. At a minimum, employers should be able to demonstrate that people with appropriate experience and knowledge in safeguarding information are involved in these decisions.

5. Have the steps taken to safeguard the information been documented? The Supreme Court’s holding does not impose strict liability on employers in the event they get hacked and sensitive personal information about employees is accessed or stolen. The Supreme Court’s holding requires the exercise of reasonable care to safeguard the information from foreseeable threats. The best way to be able to support that reasonable care was exercised is to document all the steps taken including those listed above.

6. Does the cyber insurance policy cover breaches of employee data? It probably does, but employers should check the scope of coverage and ensure that nothing in the policy excludes the types of financial damages the employees in UPMC experienced.

Conclusion

The Supreme Court’s holding drives home that employers must use reasonable care in the collection of sensitive employee data and adds an incentive for doing so (the risk of incurring economic damages for breach).


NOTES:

[1] Indeed, there is no overarching definition of “sensitive personal information,” but it typically includes personal information that if acquired inappropriately could be used to harm the person to whom it belonged, such as Social Security or a driver’s license number coupled with bank account information.
[2] Dittman v. UPMC d/b/a The Univ. of Pittsburgh Med. Ctr. & UPMC McKeesport, No. 43 WAP 2017, slip op. at 1–2 (Pa. Nov. 21, 2018) (herein, “UPMC”).
[3] Id.
[4] See Bilt-Rite v. The Architectural Studio, 866 A.2d 270, 273 (Pa. 2005).
[5] See UPMC, slip op. at 4–5.
[6] See id. at 5 (quoting Bilt-Rite, supra). The trial court also “observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301 – 2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only … and given the Office of the Attorney General the exclusive authority to bring an action for violation of the notification requirement … The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature’s direction.” Id. at 6–7.
[7] Id. at 8–9.
[8] Id. at 7.
[9] Id.
[10] Id. at 1–2.
[11] Id. at 15.
[12] Id. at 10. Indeed, “[c]ommon-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application.” Id. at 15–16. “‘Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.’” Id. at 16 (quoting Scampone v. Highland Park Care Ctr., LLC, 57 A.3d 582, 299 (Pa. 2012)).
[13] Id. at 16 (emphasis added).
[14] Id. (emphasis added).
[15] Id. at 16–17. In arriving at this conclusion, the Supreme Court also rejected UPMC’s argument that “the presence of third-party criminality in this case eliminates the duty it owes to Employees …” Id. at 17. The Supreme Court acknowledged that an actor otherwise owing a duty “cannot be liable for third-party conduct that could ‘conceivably occur.’” Id. at 17. However, the Supreme Court agreed that “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.’” Id. at 17–18 (quoting Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)) (emphasis added).
[16] Id. at 28.
[17] Id.
[18] Id.
[19] The court did not consider whether a cause of action would exist against local or state agencies under the limited waivers of sovereign immunity.


Copyright 2018 K & L Gates
This post was written by Patricia C. Shea of K & L Gates.

Trump Administration Moves to Address Cybersecurity Concerns, Congress Funds Cyber Programs

On September 21, 2018, the Trump Administration released a National Cybersecurity Strategy (“Strategy”), to define its national cybersecurity policy and implement efforts to streamline responsibilities for mitigation and responses to cybersecurity events across federal agencies.  This Strategy also addresses working with the private sector to protect assets, train the workforce and mitigate any future cyber-attacks. 

The National Cybersecurity Strategy, a statement of Administration policy rather than a Presidential directive, builds on prior efforts by the Obama Administration to develop a comprehensive and coherent nationwide strategy to promote cybersecurity across multiple levels of government and among myriad industries.  While other agencies—notably the Departments of Defense and Homeland Security—have issued more narrowly-tailored plans and policies, this is the first major cybersecurity document to apply to the entire federal government.   The Strategy provides an important glimpse into the current Administration’s plan to address the ever-increasing cyber threats to national security imposed by malicious nation-state, non-state, and independent actors.

Specifically, the Strategy identifies four major areas of focus that may be of interest to stakeholders:

  • Supply Chain Risk Management.  Through this Strategy, the Administration directs federal agencies to integrate supply chain risk management practices into agency procurement and traditional risk management processes, including the creation of a supply chain risk assessment shared service to reduce duplicative supply chain activities across federal agencies.  The Strategy also mandates federal investment in more secure supply chain technologies. There are several bills pending before the Congress that would mandate requirements for supply chain risk management for federal agencies into law, including S. 3085, the “Federal Acquisition Supply Chain Security Act of 2018.”  This bill was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.
  • Strengthening Information Sharing Efforts.  The Strategy commits to strengthen information sharing efforts in order to protect critical infrastructure assets and allow information and communications technology (ICT) providers to respond to malicious cyber activity in a more timely and effective manner.  These actions include sharing threat and vulnerability information with cleared ICT operators, declassifying information as much as possible, and promoting an adaptable, sustainable and secure technology supply chain.
  • Building a Robust Cybersecurity Workforce.  The Strategy outlines actions the Administration will take to recruit and maintain a highly skilled cybersecurity workforce through the expansion of Federal recruitment and training efforts, while also re-skilling employees into cybersecurity careers.  It also will explore the capability of maintaining distributed cybersecurity personnel at the Department of Homeland Security that can be deployed across Federal agencies. There are several bills pending before the Congress that would create an employee rotation for government workers focused on cybersecurity.  Among them, S. 3437, the “Federal Rotational Cyber Workforce Program Act of 2018,” was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.
  • Deterrence and Offensive Capabilities.  The Strategy authorizes federal agencies to conduct counter-offensive or “hack back” operations against malicious actors.  This continues the Administration’s departure from policies of previous Administrations, including its August decision to rescind Presidential Policy Directive 20, which governed the federal agency approval process for offensive cyber operations.

Recent Congressional Actions on Cybersecurity

In addition to the initiatives specifically outlined above, both chambers of Congress have taken additional steps to address cybersecurity across critical infrastructure sectors.  Importantly, Congress agreed to provide funding and direction for the newly-created Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within the Department of Energy.  The recently enacted FY 2019 Energy and Water Development, and Related Agencies Appropriations bill, which was part of a broader funding package signed into law by the President on September 21, 2018, included $120 million for the CESER office and specific direction that funding be applied to research and development focusing on supply chain risks.  This research may tackle how IT systems, software, and networks pose legitimate cyber risks to the broader infrastructure they serve, including through malware and unknown software vulnerabilities.

Additionally, this week, the House Energy and Commerce Subcommittee on Energy will hear testimony from Karen Evans, Assistant Secretary for CESER, as a part of its “DOE Modernization” hearing series. Committee members are likely to question Ms. Evans on CESER’s role in the implementation of the Strategy, as well as issues including securing energy infrastructure from cybersecurity threats, public-private partnerships, and electricity grid resilience.

Outlook

The Strategy is the first step for the Administration to define broader cybersecurity threats and begin to develop a cohesive plan to combat cyber-attacks.  The document itself does not contain many specific imminent actions that the Administration will take and questions remain over who within the Trump Administration is personally responsible for coordinating these and other cybersecurity efforts.

The Strategy does, however, identify areas in which the Administration will seek to work with Congress on legislative solutions to promote these goals.  For example, the document specifically references efforts to work with Congress to “update electronic surveillance and computer crime statutes” to better enable law enforcement to deter criminal activity.  Further, the Administration indicates it will work with the Congress to promote education and training opportunities to develop a robust cybersecurity workforce.  Congress has already been focused on cyber workforce issues, with a slate of existing bills introduced by members of both parties to strengthen education and training programs in this area, as noted above.

With midterm elections looming in 41 days, both Democrats and Republicans in Congress are preparing their legislative agendas for the 116th Congress set to convene in January.  Democrats and Republicans alike have indicated that cybersecurity will be at the top of the legislative agenda.  Whether it is through action on election security, autonomous vehicles, electric utility stabilization policies, or other critical infrastructure areas, cybersecurity will continue to be a major topic of discussion through 2019.

This post was written by Tracy A. Nagelbush and Michael Weiner of Van Ness Feldman LLP.


© 2018 Van Ness Feldman LLP

Transferring Cybersecurity Risk: Considerations When Obtaining Cyber Insurance

While procuring cyber insurance is an increasingly important business decision, choosing cyber insurance is not a simple process of merely identifying the amount of coverage desired and then paying for the corresponding premium.  Instead, as set forth below, it presents a matrix of considerations to be explored to ensure receipt of appropriate coverage when needed.

The Importance of Cyber Insurance

In the face of continued and more destructive cyber threats and the advent of more demanding statutory and regulatory requirements, it is critical for a company not only to mitigate risk through comprehensive cybersecurity management but also to transfer that risk by obtaining tailored cyber insurance.  Indeed, more rigorous regulations, along with their attendant financial penalties for noncompliance (such as the EU’s General Data Protection Regulation (“GDPR”), which became effective May 25, 2018, or the NY Department of Financial Services (“NYDFS”) cybersecurity regulation, which was instituted in 2017), are likely to become the norm, not the exception.  These more recent rules and requirements (and the potential expenses and related fines for violating them) also apply not only when data is lost through an actual breach, but also when data is destroyed or cannot be accessed (ransomware) and when data is improperly collected.  Moreover, cyber risks and costs are indiscriminate and affect all industries.

To offset these serious risks, cyber insurance usually is necessary.  Third-party cyber liability claims are not covered under most general liability policies including the Insurance Service Organization’s industry standard GL form.  Director & Officer liability policies usually exclude cyber liability claims.  Property policies, including the ISO “All Risk” form, typically exclude first party cyber claims.  Limited first party cyber coverage may be available through crime policies, and some Information Technology Industry Errors & Omissions policies afford third party cyber coverage.  In most cases, however, only a cyber policy can assure a company of the desired coverage.  A company has a much better chance for coverage and a prompt resolution of its claim under a cyber policy without the need to resort to litigation.

While cyber insurance has been available since the late 1990’s, it is rapidly expanding because of the continued need for a holistic approach to cybersecurity protection.  Indeed, insurance companies expect a surge of business as companies rush to purchase cyber insurance following the arrival of tougher regulations like the GDPR.

Cyber security and liability risks also often involve highly-technical, rapidly evolving information technology issues.  A prospective insured should inquire regarding the cyber experience of its broker, particularly if it is not using a large multi-line producer who has access to an IT consultant or cyber specialist.  Some brokers specialize in cyber insurance, and an insured should consider using a broker who possesses cyber experience.  While “bare bones” cyber coverage is available from authorized or “admitted” insurers, more comprehensive niche cyber coverage often is available only in the surplus lines or “non-admitted” market and can be brokered only by surplus lines producers.

The selection of an insurer is even more important.  In addition to issues of Best’s Financial Quality and Size Ratings, many insurers offer low-cost, bare-bones third-party coverage, while other insurers offer broader, albeit more expensive, coverage and better claim service.

Cost-wise, premiums will be lower for those companies with comprehensive cyber-risk management plans in place with demonstrated levels of security and internal controls, i.e., better security equals lower risk, which equals more competitive pricing.  A company therefore is further incentivized to ensure it has adequate procedures in place to prevent, detect, investigate, and report data breaches.

The Level of Coverage Needed: Initial Considerations

One of the most important steps in the process of obtaining cyber insurance is to determine what type of coverage a company needs based on reasonably anticipated cyber risks inherent to a company’s business and position in the marketplace.  There are multiple considerations a company should undertake in assessing the kind and amount of coverage needed.

What type of company are you?

A company should consider:

>> its industry and the type of services it offers;

>> the type of data it handles (e.g., financial information, health information, credit information);

>> the makeup of its customers (e.g., whether they include EU citizens); and

>> what regulations it must follow.

Depending upon the kind of data it collects and handles, the company will be subject to a different array of regulations, which should inform the company regarding the type of cyber insurance coverage to be sought.  If a company is a financial institution, it must comply with the privacy rules of the Gramm-Leach-Bliley Act.  If the company handles personal health information, it will be subject to the privacy requirements of the Health Insurance Portability and Accountability Act, HIPAA.  If the company handles the data of EU citizens, it will be subject to the privacy restrictions (and severe potential penalties) of the GDPR.

First-Party and Third-Party Costs

The company also should think about the kinds of costs it may incur to manage a cyber incident/breach and whether cyber insurance coverage to defer or recoup all of those costs is necessary or prudent.  Such first-party costs can include:

>> forensic investigation costs to determine the source of the cyber incident/breach and the extent of harm caused

>> remediation costs to rectify any network problem or software deficiencies

>> notification costs to customers whose data was compromised

>> data restoration costs of data stolen, lost, or altered

>> business interruption costs to help restore business functions and to maintain business capabilities while responding to a cyber incident

>> legal costs to evaluate regulatory obligations and assess any liability

>> public relations costs to help maintain and/or restore confidence in the company

Considering these first-party costs, however, is not as straightforward as it may seem.  For instance, assuming a company wants a policy to cover notification costs to advise its customers of a data breach, a company still needs to determine the type of notification it envisions.  Does it merely want to comply with statutory notification requirements or might it want to take a more aggressive approach to notification for customer relation purposes?  And how is the company going to notify its customers?  Email?  Regular mail?  First Class mail?  Similarly, when assessing remediation costs, the company also needs to determine if it wants to provide credit monitoring to its customers and have those costs covered under a cyber policy.  A company must think through these issues to help ensure the right cyber insurance coverage is obtained.

Furthermore, a company may also incur third-party costs as a result of a cyber-event, such as defending against a litigation or regulatory action.  Contemplating cyber coverage for these types of third-party costs also compels additional considerations regarding the extent of coverage desired.  For example, legal fees in defending a claim often can approach or even exceed the ultimate cost of settling the claim.  A company should decide if it wants its litigation costs to erode the policy’s limit of liability, sometimes referred to as being “cost-inclusive,” or whether defense costs should be in addition to the limit of liability.  With regard to a regulatory inquiry, while payment of fines and penalties is unlawful in some jurisdictions and is often excluded from coverage, the company must determine if it wants coverage to include investigatory costs in responding to the governmental inquiry.  Some policies cover up to half of the investigatory costs of responding to a governmental inquiry or subpoena, usually subject to a sublimit on liability.

Do the Provisions of the Policy Ensure the Desired Coverage?

Once a company identifies the coverage it hopes to purchase, it then is essential to carefully consider the specific provisions of a cyber policy to ensure receipt of the level of coverage sought for the cyber risk possibilities reasonably envisioned.  Among the questions when analyzing the policy’s provisions are:

• When is coverage triggered?

  — Is the policy written on an “occurrence” basis, i.e., the breach must occur during the policy period to be covered, or is it written on a “claims-made” basis, i.e., the claim must be made and reported during the policy period in order for coverage to be available?

  — If the policy is written on a claims-made basis, does the breach nevertheless have to occur during the policy period, does it merely have to be discovered in the policy period, or both?

  — Is intentional conduct required (by a third party or a malicious company insider), or can coverage be triggered by the negligence of an employee?

  — Is the conduct of a malicious insider to the company covered, or must the cyber incident be caused by an outside third party?

  — Must data have been disseminated outside the company (a breach), or will the policy also cover situations where data is destroyed or cannot be accessed (e.g., ransomware)?

• What kind of information is covered?

  — How is “personal information” defined?

  — Is “confidential corporate information” covered?

• Does the policy require that minimum security requirements be maintained to protect the company’s computer network and data?

• What devices are covered?

  — Are only the company’s servers and computers covered?

  — How are mobile devices (laptops, mobile phones, thumb drives) treated?

  — If the company allows employees to use personal devices or work remotely (BYOD – Bring Your Own Device policies), are cyber incidents originating on an employee’s personal device covered?

• Are cyber breaches or incidents caused by vendors assisting the company (e.g., HVAC, data processors, cloud providers) covered?

  — Would coverage only extend to breaches caused by a vendor on the company’s network?

  — Would coverage extend to a breach of a vendor’s network housing the company’s data?

• What are the policy provisions regarding notice and defense of a claim?

  — How quickly does the policy require a claim to be reported to the carrier?

  — Whose knowledge of a breach is imputed to the company for the purpose of determining whether a claim has been reported late and whether an exclusion applies?

  — Does the definition of “claim” include responding to a subpoena?

  — Is the defense obligation of the policy a “duty to defend,” where the insurer controls the defense and settlement of a claim, or does the policy have a duty to advance defense costs, which permits the policyholder to control the defense and settlement of the claim at the cost of the insurer?

  — If the policy has a duty to advance costs, are there limitations on who the company can retain as outside counsel or as a forensic expert?

  — Are regulatory investigations covered?

  — Does the policy cover investigatory costs in responding to a governmental inquiry?

  — Are fines covered?  If so, is the company domiciled in a jurisdiction where indemnification against fines and penalties is not against public policy?

  — How is “regulator” defined?  Does it cover EU regulators?

To be sure, disputes between policyholders and insurance carriers are inevitable, and insurers will attempt to strictly construe policies against coverage.  Courts are just beginning to interpret cyber insurance policy provisions, sometimes coming out on opposite sides of the same issue depending upon the jurisdiction.

For instance, courts have disagreed whether cyber insurance policies cover losses resulting from social engineering, i.e., when a company employee is falsely manipulated to wire out company funds based on what is believed to be a legitimate email authorizing the transfer but what is actually an email initiated by a fraudster.  Insurers may assert that a loss caused by social engineering (also known as business email compromise) is not a direct loss under the computer fraud provisions of a cyber insurance policy.  Carriers attempt to distinguish between fraudulently causing a transfer (via social engineering) and causing a fraudulent transfer (via hacking into a company’s computer network to wire out funds).

Insurers also have sought to disclaim coverage by invoking exclusions for a company’s failure to maintain agreed-upon levels of cybersecurity to protect the company’s network and data.  Courts have been asked to construe cyber policy provisions to determine whether the insured satisfied the policy’s security requirements.  Considering that industry cybersecurity measures are constantly updated, a company should attempt to avoid a situation where a court’s interpretation of policy language and evaluation of a company’s cybersecurity efforts will determine whether it can recoup losses from a cyber event.

Conclusion

As criminals find new and more inventive ways to attack computer systems or fraudulently cause the theft of company funds, a company faces the increased risk of loss, which can result from a combination of illegal activity, imperfect network security, and employee negligence.  As such, a company should undertake a complete strategy to combat cybersecurity-related threats, which includes procuring appropriate insurance coverage to manage reasonably anticipated cyber risks.  Carriers may attempt to dispute claims, so a company must give special attention to cyber policy language to avoid the possibility of coverage being denied.  To help negotiate policy provisions to avoid ambiguities and potential grounds for disputes, a company should explore using an insurance professional to help negotiate a policy with the desired coverage, including identifying additional policy endorsements that may be available to cover certain specific cyber threats.  When procuring cyber insurance, considering the questions and issues outlined above may make the difference between receiving expected cyber coverage and not.


© Copyright 2018 Sills Cummis & Gross P.C.
This post was written by Joseph B. Shumofsky and Thomas S. Novak from Sills Cummis & Gross P.C.

Fake Apps Find Their Way to Google Play!

Over the last two months a string of fake banking apps has hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found that users of three Indian banks were targeted by the apps, which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened because the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarmingly revealed that the listing of stolen data on the attacker’s server was accessible to anyone with the link to the data. This means the sensitive stolen personal data was available to absolutely anyone who happened to come across it.

Whilst the reality is that any app on your personal smartphone may place your phone and personal data at risk (as discussed here: ‘Research Reports say risks to smartphone security aren’t phoney’), customers can mitigate risk by:

  • only using their financial institution’s official banking apps, which are downloadable from the relevant institution’s official website;
  • paying attention to the ratings and customer reviews when downloading from Google Play;
  • implementing security controls on their smartphone device from a reputable mobile security provider; and
  • contacting their financial institution directly to seek further guidance on the particular banking apps in use.

It cannot be overlooked that, whilst Google Play moved quickly to remove the apps, we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

Copyright 2018 K & L Gates.

This post was written by Cameron Abbott  and Jessica McIntosh of K & L Gates.


Will Your Company’s Insurance Cover Losses Due to Phishing and Social Engineering Fraud?

Six Tips for Evaluating and Seeking Coverage for Business Email Compromises

If your company fell victim to a business email compromise – a scam that frequently involves hackers fraudulently impersonating a corporate officer, vendor, business partner, or others, getting companies to wire money to the hackers – would your insurance cover your loss?  There is reason to be concerned about this sort of attack, as the FBI has explained that the “scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses” in actual and attempted losses in U.S. dollars.  The good news for policyholders is that courts across the country have been ruling that crime insurance policies should provide coverage for this sort of loss, at least where it is not specifically excluded.

How do business email compromises work?

In early versions of business email compromises, the hackers send emails that appear to be from company executives, discussing corporate acquisitions or other financial transactions, which are received by company employees in the finance department.  See, e.g., Medidata Sols., Inc. v. Federal Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, — F. App’x — (2d Cir. 2018).  The employee is told that the transaction is highly confidential, and that the employee should work closely with an attorney or other financial advisor to help close the deal.  The employee then is told to wire money to cover the costs of the transaction, very often to a foreign country.  Having been defrauded, the employee logs in to an online banking site and approves a wire transfer.

In other versions of a business email compromise, hackers get access to the email accounts of one party, sometimes via a brute force attack, where an attacker breaks into a system by guessing a password, or via a phishing attack, where a user is fooled into typing a username and password into a fraudulent site.  Then, the hacker sends out emails from the compromised account, pretending to be a vendor and asking for payment to be sent to a different bank account.  See, e.g., Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., — F.3d — (6th Cir. 2018).  Again, having been defrauded, the employee has money wired to the fraudster instead of to the vendor.

Will insurance cover losses due to business email compromises?

The answer to whether insurance carriers will cover these losses – without court intervention – is “it depends.”  Recent decisions have ordered insurance carriers to provide coverage.  And the insurance industry has been scrambling to write new endorsements for their insurance policies that the insurance companies say provide coverage for business email compromises.

A common place for seeking coverage for these losses is under crime insurance policies.  Many crime insurance policies include coverage for “computer fraud,” “funds transfer fraud,” or even “computer and funds transfer fraud.”  Exemplar “computer fraud” coverage applies to “direct loss” of money resulting from the fraudulent entry, change, or deletion of computer data, or when a computer is used to cause money to be transferred fraudulently.  Exemplar “funds transfer fraud” coverage applies to “direct loss” of money caused by a message that was received initially by the policyholder, which purports to have been sent by an employee, but was sent fraudulently by someone else, that directs a financial institution to transfer money.  A reasonable policyholder, which fell victim to a fraudulent scheme via a computer, or transferred funds because of a fraudulent scheme, likely would think that computer and funds transfer fraud coverages would apply to the losses.

What have courts said?

Two recent decisions from federal courts of appeal have resulted in coverage under crime policies for business email compromise losses.

The first is the July 6, 2018 opinion issued in Medidata Solutions, Inc. v. Federal Insurance Co., No. 17-2492 (2d Cir.).  The Medidata trial court ruled that a crime insurance policy provides coverage for a fraudulent scheme and wire transfer.  The Court of Appeals for the Second Circuit affirmed the trial court’s decision.  In Medidata, the policyholder’s employees received emails that purported and appeared to be from high level company personnel but were, in fact, sent by fraudsters.  Based on those emails, and messages from purported outside counsel, Medidata wired nearly $5 million to the fraudsters.  It sought coverage under a crime policy that it bought from Chubb that had computer fraud, funds transfer fraud, and other coverages.  The trial court ruled that computer fraud and funds transfer fraud coverages both applied.  It rejected the arguments that the loss was not “direct” because there were steps in between the original fraudulent message and the wiring of funds.

On appeal, the Second Circuit ruled that Medidata’s loss was “direct” under the insurance policy language.  “Federal Insurance further argue[d],” as carriers have done in many business email compromise cases, “that Medidata did not sustain a ‘direct loss’ as a result of the spoofing attack, within the meaning of the policy.”  Slip op. at 3.  The Court of Appeals held that because “[t]he spoofed emails directed Medidata employees to transfer funds in accordance with an acquisition, and the employees made the transfer that same day,” the loss was direct.  Id.  The court rejected the insurance carrier’s argument that the loss was not direct because “the Medidata employees themselves had to take action to effectuate the transfer”; the employees’ actions were not “sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”  Slip op. at 3.  The Court of Appeals did not address the trial court’s ruling that funds transfer fraud coverage applied, “[h]aving concluded the Medidata’s losses were covered under the computer fraud provision.”  Id.

Shortly after Medidata was issued, the Sixth Circuit decided on July 13, 2018 that computer fraud coverage applies to losses resulting from a business email compromise in American Tooling Center, Inc. v. Travelers Casualty & Surety Co., No. 17-2014 (6th Cir.).  There, the policyholder (ATC) wired money to fraudsters, instead of a vendor, because of a business email compromise.  The Sixth Circuit reversed the district court, ruling that the losses are “direct,” covered by crime insurance.

In a decision that will be published, the Court of Appeals held there was “‘direct loss’ [that] was ‘directly caused’ by the computer fraud,” even though the policyholder had engaged in “multiple internal actions” and “signed into the banking portal and manually entered the fraudulent banking information emailed by the impersonator” after receiving the initial fraudulent emails.  Id.

Holding that coverage applied, the Sixth Circuit distinguished the Eleventh Circuit’s decision regarding computer fraud coverage in Interactive Communications v. Great American, No. 17-11712, ___ F. App’x ___, 2018 WL 2149769 (11th Cir. May 10, 2018).  Id. at 9-10.  After the policyholder in American Tooling had “received the fraudulent email at step one,” it “conducted a series of internal actions, all induced by the fraudulent email, which led to the transfer of the money to the impersonator at step two.”  The loss occurred at step two; as such, “the computer fraud ‘directly caused’ [the policyholder’s] ‘direct loss.’”  Id. at 10.  By contrast, the Sixth Circuit explained, the policyholder in Interactive Communications only suffered losses at step four in a significantly more complicated chain of events.  See id. at 9-10.

These decisions are great news for policyholders pursuing coverage under crime policies for losses resulting from business email compromises.  And, in light of this new authority, policyholders would be well-advised to examine denial letters carefully, giving due consideration to whether these decisions could be used to argue in favor of coverage.

What options are available to policyholders going forward?

Cynical viewers of insurance history might view the state of coverage as similar to what the industry has done in the past.  That is, initially, cover new claims under “old” policies.  Then, after claims get expensive, hire coverage counsel to tell courts why the carriers must not have meant to cover these new claims (whether the drafting history reflects such an intent or not).  Next, get insurance regulators to approve exclusions purportedly tailored explicitly to the risk, and, at the same time, sell new policy endorsements (often for additional premium) that provide lower limits of coverage for the risk.

That’s what is happening in connection with insurance for business email compromises.  At least one insurance group that drafts crime insurance policies has asked for a definition of computer and funds transfer fraud to be changed, and a new social engineering fraud endorsement to be approved for sale.  Insurers have rolled out these endorsements with limits of coverage that often are capped at low amounts, and might also have high retentions.  These endorsements frequently are available for crime policies and, sometimes, are available for cyberinsurance policies as well.

So what are some options for policyholders trying to structure an insurance program for these risks?  These questions should provide helpful tips:

1. What does the insurance policy include? Policyholders would be well-advised to see whether the insurance program includes social engineering fraud endorsements or coverage parts.

2. What are the applicable limits? Policyholders would be well-advised to check the policy limits that would apply to those coverages.  Binder letters might not disclose a sublimit, and the policyholder might not realize the limit of coverage is lower than the full policy limit until it is too late.

3. Are coverages available under more than one policy? At the time of policy renewal, policyholders would be well-advised to consider asking whether social engineering fraud coverage can be added to a crime program and a cyberinsurance program.

4. Will excess coverage apply, and, if so, when? Policyholders would be well-advised to explore whether excess policies will provide this coverage, and, if so, will “drop down” to attach at the level of any sublimit, to avoid donut holes in the coverage.

5. Will other policy provisions provide coverage, beyond narrow endorsements? If the policyholder faces a claim, policyholders would be well-advised to determine whether other coverages might apply to the losses, notwithstanding a social engineering fraud endorsement.

6. What happens if the insurance carrier says, “no,” or that sublimits apply? If the insurance carrier denies coverage, or tries to apply a sublimit, policyholders would be well-advised to be mindful of the interpretation that two Courts of Appeals have used for computer fraud coverage in similar contexts.


© 2018 BARNES & THORNBURG LLP
This post was written by Scott N. Godes of Barnes & Thornburg LLP.

Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch).  To that end, the authority will review the “records of processing activities” from thirty randomly selected corporations which are located in the Netherlands.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities.  These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used.  While small organizations with fewer than 250 employees are generally exempted, there are several exceptions to the exemption which may still cause this obligation to apply to them as well.

The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.


© 2018 Covington & Burling LLP
This post was written by Kristof Van Quathem of Covington & Burling LLP.

California’s Turn: California Consumer Privacy Act of 2018 Enhances Privacy Protections and Control for Consumers

On Friday, June 29, 2018, California passed comprehensive privacy legislation, the California Consumer Privacy Act of 2018.  The legislation is some of the most progressive privacy legislation in the United States, with comparisons drawn to the European Union’s General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018.  Karen Schuler, leader of BDO’s National Data and Information Governance and a former forensic investigator for the SEC, provides some insight into this legislation, how it compares to the EU’s GDPR, and how businesses can navigate the complexities of today’s privacy regulatory landscape.

California Consumer Privacy Act 2018

The California Consumer Privacy Act of 2018 was passed by both the California Senate and Assembly, and quickly signed into law by Governor Brown, hours before a deadline to withdraw a voter-led initiative that could potentially put into place even stricter privacy regulations for businesses.  This legislation will have a tremendous impact on the privacy landscape in the United States and beyond, as the legislation provides consumers with much more control of their information, as well as an expanded definition of personal information and the ability of consumers to control whether companies sell or share their data.  This law goes into effect on January 1, 2020. You can read more about the California Privacy Act of 2018 here.

California Privacy Legislation v. GDPR

In many ways, the California law has similarities to GDPR; however, there are notable differences, and ways in which the California legislation goes even further.

Karen Schuler, leader of BDO’s National Data & Information Governance practice and former forensic investigator for the SEC, points out:

“the theme that resonates throughout both GDPR and the California Consumer Privacy Act is to limit or prevent harm to its residents. . . both seem to be keenly focused on lawful processing of data, as well as knowing where your personal information goes and ensuring that companies protect data accordingly.”

One way California goes a bit further is in the ability of consumers to prevent a company from selling or otherwise sharing consumer information.  Schuler says, “California has proposed that if a consumer chooses not to have their information sold, then the company must respect that.” While GDPR provides data protections for consumers, and grants consumers rights as far as modifying, deleting and accessing their information, there is no precedent where GDPR can stop a company from selling consumer data if the company has a legal basis to do so.

In terms of a compliance burden, Schuler hypothesizes that companies who are in good shape as far as GDPR goes might have a bit of a head start in terms of compliance with the California legislation, however, there is still a lot of work to do before the law goes into effect on January 1, 2020.  Schuler says, “There are also different descriptions of personal data between regulations like HIPAA, PCI, GDPR and others that may require – under this law – companies to look at their categorizations of data. For some organizations this is an extremely large undertaking.”

Compliance with Privacy Regulations: No Short-Cuts

With these stricter regulations coming into play, companies are in a place where understanding data flows is of primary importance. In many ways, GDPR compliance was a wake-up call to the complexities of data privacy issues in companies.  Schuler says, “Ultimately, we have found that companies are making good strides against becoming GDPR compliant, but that they may have waited too long and underestimated the level of effort it takes to institute a strong privacy or GDPR governance program.”  When talking about how companies institute compliance with whatever regulation they are trying to understand and implement, Schuler says, “It is critical companies understand where data exists, who stores it, who has access to it, how it’s categorized and protected.” Additionally, across industries companies are moving to a culture of mindfulness around privacy and data security issues, a lengthy process that can require a lot of training and requires buy-in from all levels of the company.

While the United States still has a patchwork of privacy regulations, including breach notification statutes, this California legislation could be a game-changer.  What is clear is that companies will need to contend with privacy legislation and consumer protections. Understanding the data flows in an organization is crucial to compliance, and it turns out GDPR may have just been the beginning.

This post was written by Eilene Spear.

Copyright ©2018 National Law Forum, LLC.

Three Important Considerations For All Businesses in Light of GDPR

Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world, and its potential financial impact is huge; fines can reach up to €20 million (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following:

1. Does the GDPR Apply?

If your entity “processes” the “personal data” of anyone within the European Union, then the GDPR may apply. “Personal data” under the GDPR is any information that could identify an individual, directly or indirectly, like a name, email address or even an IP address. The GDPR also broadly defines “processing” to include activities such as collecting, storing or using the personal data. For more information on how to determine if the GDPR applies to your entity, watch our 3-minute video on the subject.

2. If the GDPR Does Apply, What is the Compliance Strategy?

You need a plan. Yes, it would have been ideal to have it in place by today but if the GDPR applies to your entity, do not delay any further in creating a GDPR compliance strategy. A GDPR compliance strategy starts with a detailed examination of your entity’s data collection and use practices. Those practices must comply with the GDPR requirements and your entity may need to implement new or revised policies to address specific compliance requirements. This process is specific to the particular practices of each entity – there is no one-size-fits-all GDPR compliance program. You can find the regulatory language here.

3. Even If the GDPR Does Not Apply, How Do You Handle the Data You Collect?

Even if the GDPR does not apply to your entity, there are significant risks and liability surrounding the data collection and processing practices of any business. Data breaches happen every day. No business is immune. Each organization should closely examine its data collection and use practices and determine if it absolutely needs all of the data it collects. Then, the organization must determine whether the steps it is taking to protect the data it collects are reasonable in today’s environment. In Massachusetts, businesses must undergo this process and create a written information security plan. In Connecticut, having such a plan may help avoid a government enforcement action if you experience a data breach. In addition, the Federal Trade Commission and states’ Attorneys General are actively pursuing companies with questionable privacy practices.

© Copyright 2018 Murtha Cullina.
This post was written by Dena M. Castricone and Daniel J. Kagan of Murtha Cullina.

White House Eliminates Top Cybersecurity Position

On May 15, the White House announced that it was eliminating the position of Cybersecurity Coordinator at the National Security Council, the highest position at the White House devoted to cybersecurity. While not unexpected, this move is significant.

Symbolically, eliminating this senior position arguably sends a signal that this Administration is less focused on cybersecurity as a priority.

Functionally, it means there will be no single person in the White House accountable to the President and the National Security Advisor on cyber issues.

Administratively, and perhaps most significantly, the White House’s ability to coordinate cybersecurity among the agencies, arbitrate disputes, and set direction for policy initiatives government-wide will likely be degraded.

While the White House is explaining the move by saying it will streamline management, increase efficiency, reduce bureaucracy and raise accountability, in the short run at least it seems likely to sow some confusion and increase the criticism of federal cybersecurity policy that has already gone on for several years.

Putting it Into Practice: Any hopes companies harbored for increased clarity and leadership from the Administration on cybersecurity seem to be fading. Companies will have to spend more time monitoring the cybersecurity initiatives and requirements of individual agencies, which will likely become less coordinated going forward.

Copyright © 2018, Sheppard Mullin Richter & Hampton LLP.

The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.

The Yahoo Data Breaches

In December 2014, Yahoo’s security team discovered that Russian hackers had obtained its “crown jewels”—the usernames, email addresses, phone numbers, birthdates, passwords and security questions/answers for at least 500 million Yahoo accounts. Within days of the discovery, according to the SEC, “members of Yahoo’s senior management and legal teams received various internal reports from Yahoo’s Chief Information Security Officer (CISO) stating that the theft of hundreds of millions of Yahoo users’ personal data had occurred.” Yahoo’s internal security team thereafter was aware that the same hackers were continuously targeting Yahoo’s user database throughout 2015 and early 2016, and also received reports that Yahoo user credentials were for sale on the dark web.

In the summer of 2016, Yahoo was in negotiations with Verizon to sell its operating business. In response to due diligence questions about its history of data breaches, Yahoo gave Verizon a spreadsheet falsely representing that it was aware of only four minor breaches involving users’ personal information.  In June 2016, a new Yahoo CISO (hired in October 2015) concluded that Yahoo’s entire database, including the personal data of its users, had likely been stolen by nation-state hackers and could be exposed on the dark web in the immediate future. At least one member of Yahoo’s senior management was informed of this conclusion. Yahoo nonetheless failed to disclose this information to Verizon or the investing public. It instead filed the Verizon stock purchase agreement—containing an affirmative misrepresentation as to the non-existence of such breaches—as an exhibit to a July 25, 2016, Form 8-K, announcing the transaction.

On September 22, 2016, Yahoo finally disclosed the 2014 data breach to Verizon and in a press release attached to a Form 8-K.  Yahoo’s disclosure pegged the number of affected Yahoo users at 500 million.

The following day, Yahoo’s stock price dropped by 3%, and it lost $1.3 billion in market capitalization. After Verizon declared the disclosure and data breach a “material adverse event” under the Stock Purchase Agreement, Yahoo agreed to reduce the purchase price by $350 million (a 7.25% reduction in price) and agreed to share liabilities and expenses relating to the breaches going forward.

Since September 2016, Yahoo has twice revised its data breach disclosure.  In December 2016, Yahoo disclosed that hackers had stolen data from 1 billion Yahoo users in August 2013, and had also forged cookies that would allow an intruder to access user accounts without supplying a valid password in 2015 and 2016. On March 1, 2017, Yahoo filed its 2016 Form 10-K, describing the 2014 hacking incident as having been committed by a “state-sponsored actor,” and the August 2013 hacking incident by an “unauthorized third party.”  As to the August 2013 incident, Yahoo stated that “we have not been able to identify the intrusion associated with this theft.” Yahoo disclosed security incident expenses of $16 million ($5 million for forensics and $11 million for lawyers), and flatly stated: “The Company does not have cybersecurity liability insurance.”

The same day, Yahoo’s general counsel resigned as an independent committee of the Yahoo Board received an internal investigation report concluding that “[t]he 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.” The internal investigation found that “senior executives and relevant legal staff were aware [in late 2014] that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool.”

The report concluded that “failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident.” Yahoo’s CEO, Marissa Mayer, also forfeited her annual bonus as a result of the report’s findings.

On September 1, 2017, a California federal judge partially denied Yahoo’s motion to dismiss the data breach class actions. Then, on October 3, 2017, Yahoo disclosed that all of its users (3 billion accounts) had likely been affected by the hacking activity that traces back to August 2013. During a subsequent hearing held in the consumer data breach class action, a Yahoo lawyer stated that the company had confirmed the new totals on October 2, 2017, based on further forensic investigation conducted in September 2017. That forensic investigation was prompted, Yahoo’s counsel said, by recent information obtained from a third party about the scope of the August 2013 breach. As a result of the new disclosures, the federal judge granted the plaintiffs’ request to amend their complaint to add new allegations and causes of action, potentially including fraud claims and requests for punitive damages.

The SEC Breaks New Cybersecurity Ground

Just a month after issuing new interpretive guidance about public company disclosures of cyberattacks (see our Post and Alert), the SEC has now issued its first cease-and-desist order and penalty against a public company for failing to disclose known cyber incidents in its public filings. The SEC’s administrative order alleges that Yahoo violated Sections 17(a)(2) & (3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and related rules when its senior executives discovered a massive data breach in December 2014, but failed to disclose it until after its July 2016 merger announcement with Verizon.

During that two-year window, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo’s cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company “faced the risk” of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.”

Yahoo management’s discussion and analysis of financial condition and results of operation (MD&A) was also misleading, because it “omitted known trends and uncertainties with regard to liquidity or net revenue presented by the 2014 breach.” Knowing full well of the massive breach, Yahoo nonetheless filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.

Despite being informed of the data breach within days of its discovery, Yahoo’s legal and management team failed to properly investigate the breach and made no effort to disclose it to investors. As the SEC described the deficiency, “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings to be misleading.” Yahoo’s in-house lawyers and management also did not share information with its auditors or outside counsel to assess disclosure obligations in public filings.

In announcing the penalty, SEC officials noted that Yahoo left “its investors totally in the dark about a massive data breach” for two years, and that “public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” The SEC also noted that Yahoo must cooperate fully with its ongoing investigation, which may lead to penalties against individuals.

The First Hacker Faces Sentencing

Coincidentally, on the same day that the SEC announced its administrative order and penalty against Yahoo, one of the four hackers indicted for the Yahoo cyberattacks (and the only one in U.S. custody) appeared for sentencing before a U.S. District Judge in San Francisco. Karim Baratov, a 23-year-old hacker-for-hire, had been indicted in March 2017 for various computer hacking, economic espionage, and other offenses relating to the 2014 Yahoo intrusion.

His co-defendants, who remain in Russia, are two officers of the Russian Federal Security Service (FSB) and a Russian hacker who has been on the FBI’s Cyber Most Wanted list since November 2013. The indictment alleges that the Russian intelligence officers used criminal hackers to execute the hacks on Yahoo’s systems, and then to exploit some of that stolen information to hack into other accounts held by targeted individuals.

Baratov is the small fish in the group. His role in the hacking conspiracy focused on gaining unauthorized access to non-Yahoo email accounts of individuals of interest identified through the Yahoo data harvest.  Unbeknownst to Baratov, he was doing the bidding of Russian intelligence officers, who did not disclose their identities to the hacker-for-hire. Baratov asked no questions in return for commissions paid on each account he compromised.

In November 2017, Baratov pled guilty to conspiracy to commit computer fraud and aggravated identity theft. He admitted that, between 2010 and 2017, he hacked into the webmail accounts of more than 11,000 victims, stole and sold the information contained in their email accounts, and provided his customers with ongoing access to those accounts. Baratov was indiscriminate in his hacking for hire, even hacking for a customer who appeared to engage in violence against targeted individuals for money. Between 2014 and 2016, he was paid by one of the Russian intelligence officers to hack into at least 80 webmail accounts of individuals of interest to Russian intelligence identified through the 2014 Yahoo incident. Baratov provided his handler with the contents of each account, plus ongoing access to the account.

The government is seeking eight years of imprisonment, arguing that Baratov “stole and provided his customers the keys to break into the private lives of targeted victims.” In particular, the government cites the need to deter Baratov and other hackers from engaging in cybercrime-for-hire operations. The length of the sentence alone suggests that Baratov is not cooperating against other individuals. Baratov’s lawyers have requested a sentence of no more than 45 months, stressing Baratov’s unwitting involvement in the Yahoo attack as a proxy for Russian intelligence officers.

In a somewhat unusual move, the sentencing judge delayed sentencing and asked both parties to submit additional briefing discussing other hacking sentences. The judge expressed concern that the government’s sentencing request was severe and that an eight-year term could create an “unwarranted sentencing disparity” with sentences imposed on other hackers.

The government is going to the mat for Baratov’s victims. On May 8, 2018, the government fired back in a supplemental sentencing memorandum that reaffirms its recommended sentence of 8 years of imprisonment. The memorandum contains an insightful summary of federal hacking sentences imposed between 2008 and 2018 on defendants with similar records who engaged in similar conduct. The government surveys various types of hacking cases, from payment card breaches to botnets, banking Trojans and theft and exploitation of intimate images of victims.

The government points to U.S. Sentencing Guidelines Commission data showing that federal courts almost always have imposed sentences within the advisory Guidelines range on hackers who steal personal information and do not earn a government-sponsored sentence reduction (generally due to lack of cooperation in the government’s investigation). The government also expands on the distinctions between different types of hacking conduct and how each should be viewed at sentencing. It focuses on Baratov’s role as an indiscriminate hacker-for-hire, who targeted individuals chosen by his customers for comprehensive data theft and continuous surveillance. Considering all of the available data, the government presents a very persuasive argument that its recommended sentence of eight years of imprisonment is appropriate. Baratov’s lawyers may now respond in writing, and sentencing is scheduled for May 29, 2018.

Lessons from the Yahoo Hacking Incidents and Responses

There are many lessons to be learned from Yahoo’s cyber incident odyssey. Here are some of them:

The Criminal Conduct

  • Cybercrime as a service is growing substantially.

  • Nation-state cyber actors are using criminal hackers as proxies to attack private entities and individuals. In fact, the Yahoo fact pattern shows that the Russian intelligence services have been doing so since at least 2014.

  • Cyber threat actors—from nation-states to lone wolves—are targeting enormous populations of individuals for cyber intrusions, with goals ranging from espionage to data theft/sale, to extortion.

  • User credentials remain hacker gold, providing continued, unauthorized access to online accounts for virtually any targeted victim.

  • Compromises of one online account (such as a Yahoo account) often lead to compromises of other accounts tied to targeted individuals. Credential sharing between accounts and the failure to employ multi-factor authentication makes these compromises very easy to execute.

The Incident Responses

  • It’s not so much about the breach, as it is about the cover up. Yahoo ran into trouble with the SEC, other regulators and civil litigants because it failed to disclose its data breaches in a reasonable amount of time. Yahoo’s post-breach injuries were self-inflicted and could have been largely avoided if it had properly investigated, responded to, and disclosed the breaches in real time.

  • SEC disclosures in particular must account for known incidents that could be viewed as material for securities law purposes.  Speaking in the future tense about potential incidents will no longer be sufficient when a company has actual knowledge of significant cyber incidents.

  • Regulators are laying the foundation for ramped-up enforcement actions with real penalties. Like Uber with its recent FTC settlement, Yahoo received some leniency for being first in terms of the SEC’s administrative order and penalty. The stage is now set and everyone is on notice of the type of conduct that will trigger an enforcement action.

  • Yahoo was roundly applauded for its outstanding cooperation with law enforcement agencies investigating the attacks. These investigations go nowhere without extensive victim involvement. Yahoo stepped up in that regard, and that seems to have helped with the SEC, at least.

  • Lawyers must play a key role in the investigation and response to cyber incidents, and their jobs may depend on it. Cyber incident investigations are among the most complex types of investigations that exist. This is not an area for dabblers and rookies. Organizations need to hire in-house lawyers with actual experience and expertise in cybersecurity and cyber incident investigations.

  • Senior executives need to become competent in handling the crisis of cyber incident response. Yahoo’s senior executives knew of the breaches well before they were disclosed. Why the delay? And who made the decision not to disclose in a timely fashion?

  • The failures of Yahoo’s senior executives illustrate precisely why the board of directors now must play a critical role not just in proactive cybersecurity, but in overseeing the response to any major cyber incident. The board must check senior management when it makes the wrong call on incident disclosure.

The Litigation

  • Securities fraud class actions may fare much better than consumer data breach class actions. The significant stock drop coupled with the clear misrepresentations about the material fact of a massive data breach created a strong securities class action that led to an $80 million settlement.  The lack of financial harm to consumers whose accounts were breached is not a problem for securities fraud plaintiffs.

  • Consumer data breach class actions are more routinely going to reach the discovery phase. The days of early dismissals for lack of standing are disappearing quickly.  This change will make the proper internal investigation into incidents and each step of the response process much more critical.

  • Although the jury is still out on how any particular federal judge will sentence a particular hacker, the data is trending in a very positive direction for victims. At least at the federal level, hacks focused on the exploitation of personal information are being met with stiff sentences in many cases. A hacker’s best hope is to earn government-sponsored sentencing reductions due to extensive cooperation. This trend should encourage hacking victims (organizations and individuals alike) to report these crimes to federal law enforcement and to cooperate in the investigation and prosecution of the cybercriminals who attack them.

  • Even if a particular judge ultimately goes south on a government-requested hacking sentence, the DOJ’s willingness to fight hard for a substantial sentence in cases such as this one sends a strong signal to the private sector that victims will be taken seriously and protected if they work with the law enforcement community to combat significant cybercrime activity.

Copyright © by Ballard Spahr LLP
This post was written by Edward J. McAndrew of Ballard Spahr LLP.