Don’t Gamble with the GDPR

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and so does the ability of regulators to levy significant fines against businesses that are not in compliance. Failure to comply carries penalties of up to 4 percent of global annual revenue per violation or €20 million, whichever is higher.

This regulatory rollout is notable for U.S.-based hospitality businesses because the GDPR is not just limited to the EU. Rather, the GDPR applies to any organization, no matter where it has operations, if it offers goods or services to, or monitors the behavior of, EU individuals. It also applies to organizations that process or hold the personal data of EU individuals regardless of the company’s location. In other words, if a hotel markets its goods or services to EU individuals, beyond merely having a website, the GDPR applies.

The personal data at issue includes an individual’s name, address, date of birth, identification number, billing information, and any information that can be used alone or with other data to identify a person.

The risks are particularly high for the U.S. hospitality industry, including casino-resorts, because their businesses trigger GDPR-compliance obligations on numerous fronts. Hotels collect personal data from their guests to reserve rooms, coordinate event tickets, and offer loyalty/reward programs and other targeted incentives. Hotels with onsite casinos also collect and use financial information to set up gaming accounts, to track player win/loss activity, and to comply with federal anti-money laundering “know your customer” regulations.

Privacy Law Lags in the U.S.

Before getting into the details of GDPR, it is important to understand that the concept of privacy in the United States is vastly different from the concept of privacy in the rest of the world. For example, while the United States does not even have a federal law standardizing data breach notification across the country, the EU has had a significant privacy directive, the Data Protection Directive, since 1995. The GDPR is replacing the Directive in an attempt to standardize and improve data protection across the EU member states.

Where’s the Data?

Probably the most difficult part of the GDPR is understanding what data a company has, where it got it, how it is getting it, where it is stored, and with whom it is sharing that data. Depending on the size and geographical sprawl of the company, the data identification and audit process can be quite mind-boggling.

A proper data mapping process will take a micro-approach in determining what information the company has, where the information is located, who has access to the information, how the information is used, and how the information is transferred to any third parties. Once a company fully understands what information it has, why it has it, and what it is doing with it, it can start preparing for the GDPR.

What Does the Compliance Requirement Look Like in Application?

One of the key issues for GDPR compliance is data subject consent. The concept is easy enough to understand: if a company collects a person’s personal information, it has to fully inform the individual why it is collecting the information and what it may do with that information, and, unless another lawful basis exists, obtain express consent from the individual to collect and use that information.

In terms of what a company has to do to get express consent under the GDPR, it means that a company will have to review and revise (and possibly implement) its internal policies, privacy notices, and vendor contracts to do the following:

  • Inform individuals what data you are collecting and why;

  • Inform individuals how you may use their data;

  • Inform individuals how you may share their data and, in turn, what the entities you shared the data with may do with it; and

  • Provide the individual a clear and concise mechanism to provide express consent for allowing the collection, each use, and transfer of information.

At a functional level, this process entails modifying some internal data collection processes so that they capture express consent. In other words, rather than language such as, “by continuing to stay at this hotel, you consent to the terms of our Privacy Policy,” or “by continuing to use this website, you consent to the terms of our Privacy Policy,” individuals must be given a genuine opportunity not to consent to the collection of their information, e.g., an unchecked box that the individual must affirmatively tick, rather than a pre-checked box.

The more difficult part regarding consent is that there is no grandfather clause for personal information collected pre-GDPR. This means that companies with personal data subject to the GDPR will no longer be allowed to have or use that information unless the personal information was obtained in line with the consent requirements of the GDPR or the company obtains proper consent for use of the data prior to the GDPR’s effective date of May 25, 2018.

What Other “Lawful Bases” for Collecting Data Exist Besides Consent?

Although consent will provide hotels the clearest green light to collect, process, and use personal data, other lawful bases exist that may give a hotel the right to collect data. These include processing that is necessary to perform a contract, to comply with a legal obligation (such as AML compliance), or to serve the hotel’s legitimate interests, provided those interests are not overridden by the interests or fundamental rights of the individual. This means that during the internal audit of a hotel’s personal information collection methods (e.g., online forms, guest check-in forms, loyalty/rewards program registration forms, etc.), each question asked of guests should be reviewed to ensure that the information requested either is not personal information or is supported by a lawful basis. For example, a guest’s arrival and departure dates are clearly relevant for scheduling purposes; however, a guest’s date of birth, beyond confirming that the person is of legal age, is more difficult to justify.

What Other Data Subject Rights Must Be Communicated?

Another significant requirement is that guests be informed of the various other rights they have under the GDPR and how they can exercise them, including:

  • The right of access to their personal information;

  • The right to rectify their personal information;

  • The right to erase their personal information (the right to be forgotten);

  • The right to restrict processing of their personal information;

  • The right to object;

  • The right of portability, i.e., to have their data transferred to another entity; and

  • The right not to be subject to decisions based solely on automated processing, including profiling.

Not only should these data subject rights be spelled out clearly in all guest-facing privacy notices and consent forms, but those notices/forms should include instructions and contact information informing the individuals how to exercise their rights.

What Is Required with Vendor Contracts?

Third parties are given access to certain data for various reasons, including to process credit card payments, implement loyalty/rewards programs, etc. For a hotel to allow a third party to access personal data, it must enter into a GDPR-compliant Data Processing Agreement (DPA) or revise an existing one so that it is GDPR compliant. This is because downstream processors of information protected by the GDPR must also comply with the GDPR. These processor requirements, combined with the controller requirements, i.e., those of the hotel that controls the data, require that the controller and processor enter into a written agreement that expressly provides:

  • The subject matter and duration of processing;

  • The nature and purpose of the processing;

  • The type of personal data and categories of data subject;

  • The obligations and rights of the controller;

  • The processor will only act on the written instructions of the controller;

  • The processor will ensure that people processing the data are subject to duty of confidence;

  • That the processor will take appropriate measures to ensure the security of processing;

  • The processor will only engage sub-processors with the prior consent of the controller under a written contract;

  • The processor will assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;

  • The processor will assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments;

  • The processor will delete or return all personal data to the controller as required at the end of the contract; and that

  • The processor will submit to audits and inspections and provide the controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations, and will tell the controller immediately if it is asked to do something that infringes the GDPR or other data protection law of the EU or a member state.

Other GDPR Concerns and Key Features

Consent and data portability are not the only things that hotels and gambling companies need to think about once the GDPR becomes a reality. They also need to think about the following issues:

  • Demonstrating compliance. All companies will need to be able to prove they are complying with the GDPR. This means keeping records of matters such as consent.

  • Data protection officer. Most companies that deal with large-scale data processing will need to appoint a data protection officer.

  • Breach reporting. Personal data breaches must be reported to the supervisory authority within 72 hours of the company becoming aware of them and, where the breach is likely to result in a high risk to individuals, to the affected individuals “without undue delay.” This means that hotels will need to have policies and procedures in place to comply with this requirement and, where applicable, ensure that any processors are contractually required to cooperate with the breach-notification process.

© Copyright 2018 Dickinson Wright PLLC
This post was written by Sara H. Jodka of Dickinson Wright PLLC.

Fiat Chrysler Car Hacking Case Put In Neutral

Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harman International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harman moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.

Both Flynn and Cahen were filed in 2015, following a series of well-publicized demonstrations by white hat hackers that certain Toyota and Fiat Chrysler cars could be hacked and remotely controlled by a third party, in potentially malicious ways. Plaintiffs in both lawsuits asserted that the cybersecurity vulnerabilities that gave rise to the potential for hacking constituted a design defect that reduced the value of their cars.

The Ninth Circuit in Cahen previously rejected this diminution of value theory, agreeing with the District Court that “plaintiffs have not, for example, alleged a demonstrable effect on the market for their specific vehicles based on documented recalls or declining Kelley Bluebook values . . . nor have they alleged a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” In rejecting Fiat Chrysler’s motion to dismiss in the Flynn case, Judge Reagan reached a different conclusion, finding that plaintiffs had standing to seek diminution of value damages. Key to the court’s decision was the fact that the cybersecurity defects in Chrysler cars that had been widely reported (originally in a Wired magazine article) led to a nationwide recall. The recall itself gave rise to additional reports of car hacking involving Chrysler cars, which the plaintiffs argued provided a foundation for a jury to conclude that the market value of Fiat Chryslers had been reduced. Additionally, plaintiffs alleged that the recall had not fixed the cybersecurity vulnerabilities, which the court found could support a conclusion that the market for Chryslers had been altered.

In certifying the case for appeal, Judge Reagan explained that the initial finding of standing was debatable and noted that a ruling by the Seventh Circuit in favor of Fiat Chrysler would obviate the need for trial. The case remains stayed while the Seventh Circuit considers whether to agree to review the court’s standing ruling.

A ruling by the Seventh Circuit rejecting the District Court’s standing analysis in Flynn would potentially close what had been a new front in data breach litigation. Flynn had been one of only a few data security cases in the country to proceed past the motion to dismiss stage on a diminution in value theory of damages. What made Flynn particularly remarkable is that there had not been an actual reported breach that resulted in physical or other damages.

On the other hand, a ruling in favor of plaintiffs could have widespread ramifications and, in theory, could give rise to design defect claims against manufacturers of other connected products — such as refrigerators, medical devices, and smart televisions — based on data security vulnerabilities that increase the risk of hacking.

The Internet of Things is growing rapidly. According to Gartner, there are over 5 billion devices connected to the internet, and by 2020, there will be 25 billion, with revenues expected to exceed $300 billion. To be sure, there are important differences between the automobile market and the market for other consumer products that may limit the viability of overpayment damages claims for data security vulnerabilities outside of automobiles. Still, the potential that these IoT manufacturers could be subject to products liability claims stemming from cybersecurity vulnerabilities is an issue to watch carefully.

Copyright © by Ballard Spahr LLP
Philip N. Yannella of Ballard Spahr LLP

SEC Issues Updated Disclosure Guidance on Cybersecurity

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued updated interpretative guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The updated guidance reinforces and expands upon the prior guidance on cybersecurity disclosures issued by the SEC’s Division of Corporation Finance in October 2011. In addition to highlighting the disclosure requirements under the federal securities laws that public companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents, the updated guidance (1) emphasizes the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, and (2) discusses the application of insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context. The guidance specifically notes that the SEC continues to monitor cybersecurity disclosures carefully through its filing review process.

Cybersecurity-Related Disclosures

Timely Disclosure of Material Nonpublic Information

In determining disclosure obligations regarding cybersecurity risks and incidents, companies should analyze the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and the impact of the incident on the company’s operations. When assessing the materiality of cybersecurity risks or incidents, the SEC notes that the following factors, among others, should be considered:

  • Nature, extent, and potential magnitude (particularly as it relates to any compromised information or the business and scope of company operations), and
  • Range of possible harm, including harm to the company’s reputation, financial performance, customer and vendor relationships, and possible litigation or regulatory investigations (both foreign and domestic).

When companies become aware of a cybersecurity incident or risk that would be material to investors, the SEC expects companies to disclose such information in a timely manner and sufficiently prior to the offer and sale of securities. In addition, steps should be taken to prevent directors and officers (and other corporate insiders aware of such information) from trading in the company’s securities until investors have been appropriately informed about the incident or risk. Importantly, the SEC states that an ongoing internal or external investigation regarding a cybersecurity incident “would not on its own provide a basis for avoiding disclosure of a material cybersecurity incident.”

Risk Factors

In evaluating cybersecurity risk factor disclosure, the guidance encourages companies to consider the following:

  • the occurrence of prior cybersecurity incidents, including severity and frequency;
  • the probability of the occurrence and potential magnitude of cybersecurity incidents;
  • the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
  • the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • the potential for reputational harm;
  • existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The guidance also notes that effective communication of cybersecurity risks may require disclosure of previous or ongoing cybersecurity incidents, including incidents involving suppliers, customers, competitors and others.

MD&A of Financial Condition and Results of Operations

The guidance reminds companies that MD&A disclosure of cybersecurity matters may be necessary if the costs or other consequences associated with such matters represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future results. Among other matters, the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s MD&A analysis. In addition to the immediate costs incurred in connection with a cybersecurity incident, companies should also consider costs associated with:

  • loss of intellectual property;
  • implementing preventative measures;
  • maintaining insurance;
  • responding to litigation and regulatory investigations;
  • preparing for and complying with proposed or current legislation;
  • remediation efforts; and
  • addressing harm to reputation and the loss of competitive advantage.

The guidance further notes that the impact of cybersecurity incidents on each reportable segment should also be considered.

Business and Legal Proceedings

Companies are reminded that disclosure may be called for in the (1) Business section of a company’s SEC filings if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, and (2) Legal Proceedings section if a cybersecurity incident results in material litigation against the company.

Financial Statement Disclosures

The SEC expects that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available. The guidance provides the following examples of ways that cybersecurity incidents and risks may impact a company’s financial statements:

  • expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
  • loss of revenue, providing customers with incentives or a loss of customer relationship assets value;
  • claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
  • diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.

Board Risk Oversight

The securities laws require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, the disclosure should include the nature of the board’s role in overseeing management of that risk.

Cybersecurity-Related Policies and Procedures

Disclosure Controls and Procedures

The guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to regularly assess their compliance. Companies should evaluate whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel. Those controls should enable senior management to make disclosure decisions and certifications, and should support policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents. Controls and procedures should also enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance of such risks and incidents, provide for open communication between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

The certifications and disclosures regarding the design and effectiveness of a company’s disclosure controls and procedures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

Insider Trading

Companies and their directors, officers, and other corporate insiders should be mindful of compliance with insider trading laws in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. The guidance urges companies to consider how their code of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. Specifically, the guidance suggests that as part of the overall investigation and assessment during significant cybersecurity incidents, companies should consider whether and when it may be appropriate to implement restrictions on insiders trading in their securities to avoid the appearance of improper trading during the period following a cybersecurity incident and prior to the dissemination of disclosure.

Regulation FD and Selective Disclosure

Companies are expected to have policies and procedures in place to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is made simultaneously (in the case of an intentional disclosure) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of Regulation FD.

© 2018 Jones Walker LLP
This post was written by Monique A. Cenac and Brett Beter of Jones Walker LLP.

GDPR May 25th Deadline Approaching – Businesses Globally Will Feel Impact

In less than four months, the General Data Protection Regulation (the “GDPR” or the “Regulation”) will take effect in the European Union/European Economic Area, giving individuals in the EU/EEA greater control over their personal data and imposing a sweeping set of privacy and data protection rules on data controllers and data processors alike. Failure to comply with the Regulation’s requirements could result in substantial fines of up to the greater of €20 million or 4% of a company’s annual worldwide gross revenues. Although many American companies that do not have a physical presence in the EU/EEA may have been ignoring GDPR compliance based on the mistaken belief that the Regulation’s burdens and obligations do not apply outside of the EU/EEA, they are doing so at their own peril.

A common misconception is that the Regulation only applies to EU/EEA-based corporations or multinational corporations with operations within the EU/EEA. However, the GDPR’s broad reach applies to any company that is offering goods or services to individuals located within the EU/EEA or monitoring the behavior of individuals in the EU/EEA, even if the company is located outside of the European territory. All companies within the GDPR’s ambit also must ensure that their data processors (i.e., vendors and other partners) process all personal data on the companies’ behalf in accordance with the Regulation, and are fully liable for any damage caused by their vendors’ non-compliant processing. Unsurprisingly, companies are using indemnity and insurance clauses in data processing agreements with their vendors to contractually shift any damages caused by non-compliant processing activities back onto the non-compliant processors, even if those vendors are not located in the EU/EEA. As a result, many American organizations that do not have direct operations in the EU/EEA nevertheless will need to comply with the GDPR because they are receiving, storing, using, or otherwise processing personal data on behalf of customers or business partners that are subject to the Regulation and its penalties. Indeed, all companies with a direct or indirect connection to the EU/EEA – including business relationships with entities that are covered by the Regulation – should be assessing the potential implications of the GDPR for their businesses.

Compliance with the Regulation is a substantial undertaking that, for most organizations, necessitates a wide range of changes, including:

  • Implementing “Privacy by Default” and “Privacy by Design”;
  • Maintaining appropriate data security;
  • Notifying European data protection authorities and affected individuals of data breaches on an expedited basis;
  • Taking responsibility for the security and processing practices of third-party vendors;
  • Conducting “Data Protection Impact Assessments” on new processing activities;
  • Instituting safeguards for cross-border transfers; and
  • Recordkeeping sufficient to demonstrate compliance on demand.

Failure to comply with the Regulation’s requirements carries significant risk. Most prominently, the GDPR empowers regulators to impose fines for non-compliance of up to the greater of €20 million or 4% of worldwide annual gross revenue. In addition to fines, regulators also may block non-compliant companies from accessing the EU/EEA marketplace through a variety of legal and technological methods. Even setting these potential penalties aside, simply being investigated for a potential GDPR violation will be costly, burdensome and disruptive, since during a pending investigation regulators have the authority to demand records demonstrating a company’s compliance, impose temporary data processing bans, and suspend cross-border data flows.

The impending May 25, 2018 deadline means that there are only a few months left for companies to get their compliance programs in place before regulators begin enforcement. In light of the substantial regulatory penalties and serious contractual implications of non-compliance, any company that could be required to meet the Regulation’s obligations should be assessing their current operations and implementing the necessary controls to ensure that they are processing personal data in a GDPR-compliant manner.

© 2018 Neal, Gerber & Eisenberg LLP.

New OCR Checklist Outlines How Health Care Facilities Can Fight Cyber Extortion

As technology has advanced, cyber extortion attacks have risen, and they will continue to be a major security issue for organizations. Cyber extortion can take many forms, but it typically involves cybercriminals demanding money to stop or delay their malicious activities, which include stealing sensitive data or disrupting computer services. Health care and public health sector organizations that maintain sensitive data are often targets for cyber extortion attacks.

Ransomware is a form of cyber extortion where attackers deploy malware targeting an organization’s data, rendering it inaccessible, typically by encrypting it. The attackers then demand money in exchange for the decryption key needed to recover the data. Even after payment is made, organizations may still lose some of their data.

Other forms of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks normally direct a high volume of network traffic to targeted computers so the affected computers cannot respond and are otherwise inaccessible to legitimate users. Here, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to stop the attack.

Additionally, cyber extortion can occur when an attacker gains access to an organization’s computer system, steals sensitive data from the organization and threatens to publish that data. The attacker threatens revealing sensitive data, including protected health information (PHI), to coerce payment.

On January 30, 2018, the HHS Office for Civil Rights (OCR) published a checklist to assist HIPAA covered entities and business associates on how to respond to a cyber extortion attack. Organizations can reduce the chances of a cyber extortion attack by:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities.

If a cyber extortion attack does happen, organizations should be prepared to take the necessary steps to prevent any more damage. In the event of a cyber-attack or similar emergency, an entity:

  • Must execute its response and mitigation procedures and contingency plans;
  • Should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI) and/or the Secret Service. Any such reports should not include protected health information unless otherwise permitted by the HIPAA Privacy Rule;
  • Should report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs; and
  • Must, for a breach affecting 500 or more individuals, report the breach to OCR without unreasonable delay and no later than 60 days after discovery, notify the affected individuals within the same period, and notify prominent media outlets where more than 500 residents of a state or jurisdiction are affected, unless a law enforcement official has requested a delay in notification. An entity that discovers a breach affecting fewer than 500 individuals must notify individuals without unreasonable delay, but no later than 60 days after discovery, and must report the breach to OCR within 60 days after the end of the calendar year in which the breach was discovered.
© 2018 Dinsmore &amp; Shohl LLP. All rights reserved.

NIST Releases Updated Draft of Cybersecurity Framework

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector efforts related to and supportive of [the] Framework.”

Updates to the Cybersecurity Framework

The second draft of Version 1.1 is largely consistent with Version 1.0. Indeed, the second draft was explicitly designed to maintain compatibility with Version 1.0 so that current users of the Cybersecurity Framework are able to implement Version 1.1 “with minimal or no disruption.” Nevertheless, there are notable changes between the second draft of Version 1.1 and Version 1.0, which include:

Increased emphasis that the Cybersecurity Framework is intended for broad application across all industry sectors and types of organizations. Although the Cybersecurity Framework was originally developed to improve cybersecurity risk management in critical infrastructure sectors, the revisions note that the Cybersecurity Framework “can be used by organizations in any sector or community” and is intended to be useful to companies, government agencies, and nonprofits, “regardless of their focus or size.” As with Version 1.0, users of the Cybersecurity Framework Version 1.1 are “encouraged to customize the Framework to maximize individual organizational value.” This update is consistent with previous updates to NIST’s other publications, which indicate that NIST is attempting to broaden the focus and encourage use of its cybersecurity guidelines by state, local, and tribal governments, as well as private sector organizations.

An explicit acknowledgement of a broader range of cybersecurity threats. As with Version 1.0, NIST intended the Cybersecurity Framework to be technology-neutral. This revision explicitly notes that the Cybersecurity Framework can be used by all organizations, “whether their cybersecurity focus is primarily on information technology (“IT”), cyber-physical systems (“CPS”) or connected devices more generally, including the Internet of Things (“IoT”).” This change is also consistent with previous updates to NIST’s other publications, which have recently been amended to recognize that cybersecurity risk impacts many different types of systems.

Augmented focus on cybersecurity management of the supply chain. The revised draft expanded section 3.3 to emphasize the importance of assessing the cybersecurity risks up and down supply chains. NIST explains that cyber supply chain risk management (“SCRM”) should address both “the cybersecurity effect an organization has on external parties and the cybersecurity effect external parties have on an organization.” The revised draft incorporates these activities into the Cybersecurity Framework Implementation Tiers, which generally categorize organizations based on the maturity of their cybersecurity programs and awareness. For example, organizations in Tier 1, with the least mature or “partial” awareness, are “generally unaware” of the cyber supply chain risks of products and services, while organizations in Tier 4 use “real-time or near real-time information to understand and consistently act upon” cyber supply chain risks and communicate proactively “to develop and maintain strong supply chain relationships.” The revised draft emphasizes that all organizations should consider cyber SCRM when managing cybersecurity risks.

Increased emphasis on cybersecurity measures and metrics. NIST added a new section 4.0 to the Cybersecurity Framework that highlights the benefits of self-assessing cybersecurity risk based on meaningful measurement criteria, and emphasizes “the correlation of business results to cybersecurity risk management.” According to the draft, “metrics” can “facilitate decision making and improve performance and accountability.” For example, an organization can have standards for system availability, and this measurement can be used as a metric for developing appropriate safeguards to evaluate delivery of services under the Framework’s Protect Function. This revision is consistent with the recently-released NIST Special Publication 800-171A, discussed in a previous blog post, which explains the types of cybersecurity assessments that can be used to evaluate compliance with the security controls of NIST Special Publication 800-171.

Future Developments to the Cybersecurity Framework

NIST is soliciting public comments on the draft Cybersecurity Framework and Roadmap no later than Friday, January 19, 2018. Comments can be emailed to cyberframework@nist.gov.

NIST intends to publish a final Cybersecurity Framework Version 1.1 in early calendar year 2018.

 

© 2017 Covington & Burling LLP
This post was written by Susan B. Cassidy and Moriah Daugherty of Covington & Burling LLP.
 

So…Everyone’s Been Compromised? What To Do In The Wake of the Equifax Breach

By now, you’ve probably heard that over 143 million records containing highly sensitive personal information have been compromised in the Equifax data breach. With numbers exceeding 40% of the population of the United States at risk, chances are good that you or someone you know – or more precisely, many people you know – will be affected. But until you know for certain, you are probably wondering what to do.

To be sure, there has been a lot of confusion. Many feel there was an unreasonable delay in reporting the breach. And now that it has been reported, some have suggested that people who sign up with the Equifax website to determine if they were in the breach might be bound to an arbitration clause and thereby waive their right to file suit if necessary later (although Equifax has since said that is not the case). Others have reported that the “personal identification number” (PIN) provided by Equifax for those who do register with the site is nothing more than a date and time stamp, which could be subject to a brute-force attack, which is not necessarily reassuring when dealing with personal information. Still others have reported that the site itself is subject to vulnerabilities such as cross-site scripting (XSS), which could give hackers another mechanism to steal personal information. And some have even questioned the validity of the responses provided by Equifax when people query to see if they might have been impacted.
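The brute-force concern above is easy to quantify. The following Python is an added example, not code from the original post or from Equifax; it assumes a 10-digit PIN derived from the minute of issuance in the form MMDDYYHHMM (the format as it was reported, treated here as an assumption) and compares the number of guesses an attacker needs against a PIN of the same length drawn from a cryptographically secure random source.

```python
"""Keyspace of a timestamp-derived PIN vs. a random PIN (added example).

Assumption: the weak scheme encodes the minute of issuance as MMDDYYHHMM,
giving a 10-digit PIN. Nothing here is Equifax's code.
"""
import math
import secrets
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PIN_LENGTH = 10
DIGITS = "0123456789"


def timestamp_pin(issued_at_iso: str) -> str:
    """Weak scheme: derive the PIN from the issuance time (assumed format)."""
    issued_at = datetime.fromisoformat(issued_at_iso)
    return issued_at.strftime("%m%d%y%H%M")


def candidate_pins(start_iso: str, end_iso: str) -> List[str]:
    """Every PIN the weak scheme could have produced between start and end
    (inclusive, one per minute). An attacker who knows roughly when a victim
    placed the freeze only has to try these."""
    t = datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    end = datetime.fromisoformat(end_iso)
    pins = []
    while t <= end:
        pins.append(t.strftime("%m%d%y%H%M"))
        t += timedelta(minutes=1)
    return pins


def guesses_to_recover(target_pin: str, start_iso: str, end_iso: str) -> Optional[int]:
    """Simulated brute force: count guesses until the target matches.
    Returns None if the PIN was not produced in the window (e.g. it is random)."""
    for attempt, guess in enumerate(candidate_pins(start_iso, end_iso), start=1):
        if guess == target_pin:
            return attempt
    return None


def keyspace_sizes(window_days: int) -> Dict[str, float]:
    """Compare the two keyspaces for a freeze known to have been placed
    within `window_days` of the attack."""
    timestamp_space = window_days * 24 * 60      # one possible PIN per minute
    random_space = len(DIGITS) ** PIN_LENGTH     # 10**10 equiprobable PINs
    return {
        "timestamp_pins": timestamp_space,
        "timestamp_bits": math.log2(timestamp_space),
        "random_pins": random_space,
        "random_bits": math.log2(random_space),
        "random_over_timestamp": random_space / timestamp_space,
    }


def random_pin(length: int = PIN_LENGTH) -> str:
    """Corrected scheme: digits from the OS CSPRNG, unrelated to time."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


if __name__ == "__main__":
    pin = timestamp_pin("2017-09-08T14:32:00")   # constructed issuance time
    print("weak PIN:", pin)
    print("guesses needed, knowing only the day:",
          guesses_to_recover(pin, "2017-09-08T00:00:00", "2017-09-08T23:59:00"))
    print("30-day window:", keyspace_sizes(30))
    print("random PIN:", random_pin())
```

Knowing only the day a freeze was placed leaves at most 1,440 candidates, and a 30-day window about 43,000 (roughly 15 bits); a random 10-digit PIN has 10^10 possibilities (about 33 bits), over 200,000 times more. Any online rate limiting helps the weak scheme only marginally, because the attacker's search is tiny to begin with.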

In all the chaos, it’s hard to know how to best proceed. Fortunately, you have options other than using Equifax’s website.

1. Place a Credit Freeze

Know that if you are a victim of the breach, you will be notified by Equifax eventually. In the meantime, consider placing a credit freeze on your files with the three major credit reporting bureaus; a freeze must be placed separately with each bureau. Each bureau generally charges a small fee, but if you are the victim of identity fraud, or if your state’s law so mandates, the freeze is free of charge. Lists of fees for residents of various states can be found at the TransUnion, Experian, and Equifax websites. Placing a freeze on your credit reports restricts access to your information and makes it more difficult for identity thieves to open accounts in your name. A freeze will not affect your credit score, but there may be a second fee for lifting it, so it is important to research your options before proceeding. Also, know that you will likely face a delay period before a freeze can be lifted, so spur-of-the-moment credit opportunities might suffer.

Here is information for freezing your credit with each credit bureau:

Equifax Credit Freeze

  • You may do a credit freeze online or by certified mail (return receipt requested) to:

            Equifax Security Freeze

            P.O. Box 105788

            Atlanta, GA 30348

  • To unfreeze, you must do a temporary thaw by regular mail, online or by calling 1-800-685-1111 (for New York residents call 1-800-349-9960).

Experian Credit Freeze

  • You may do a credit freeze online, by calling 1-888-EXPERIAN (1-888-397-3742) or by certified mail (return receipt requested) to:

            Experian

            P.O. Box 9554

            Allen, TX 75013

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-397-3742.

TransUnion Credit Freeze

  • You may do a credit freeze online, by phone (1-888-909-8872) or by certified mail (return receipt requested) to:

            TransUnion LLC

            P.O. Box 2000

            Chester, PA 19016

  • To unfreeze, you must do a temporary thaw online or by calling 1-888-909-8872.

After you complete a freeze, make sure you have a pen and paper handy because you will be given a PIN code to keep in a safe place.

2. Obtain a Free Copy of Your Credit Report

Consider setting up a schedule to obtain a copy of your free annual credit report from each of the reporting bureaus on a staggered basis. By obtaining and reviewing a report from one of the credit reporting bureaus every three or four months, you can better position yourself to respond to unusual or fraudulent activity more frequently. Admittedly, there is a chance that one of the reporting bureaus might miss an account that is reported by the other two but the benefit offsets the risk.

3. Notify Law Enforcement and Obtain a Police Report

If you find you are the victim of identity fraud (that is, actual fraudulent activity – not just being a member of the class of affected persons), notify your local law enforcement agency to file a police report. Having a police report will help you to challenge fraudulent activity, will provide you with verification of the fraud to provide to credit companies’ fraud investigators, and will be beneficial if future fraud occurs. To that end, be aware that additional fraud may arise closer to the federal tax filing deadline and having a police report already on file can help you resolve identity fraud problems with the Internal Revenue Service if false tax returns are filed under your identity.

4. Obtain an IRS IP PIN

Given the nature of the information involved in the breach, an additional option for individuals residing in Florida, Georgia, and Washington, D.C. is to obtain an IRS IP PIN, which is a 6-digit number assigned to eligible taxpayers to help prevent the misuse of Social Security numbers in federal tax filings. An IP PIN helps the IRS verify a taxpayer’s identity and accept their electronic or paper tax return. When a taxpayer has an IP PIN, it prevents someone else from filing a tax return with the taxpayer’s SSN.

If a return is e-filed with a taxpayer’s SSN and an incorrect or missing IP PIN, the IRS’s system will reject it until the taxpayer submits it with the correct IP PIN or the taxpayer files on paper. If the same conditions occur on a paper filed return, the IRS will delay its processing and any refund the taxpayer may be due for the taxpayer’s protection while the IRS determines if it is truly the taxpayer’s.

Information regarding eligibility for an IRS IP PIN and instructions is available here and to access the IRS’s FAQs on the issue, please go here.

Conclusion

Clearly, the Equifax breach raises many issues about which many individuals need to be concerned – and the pathway forward is uncertain at the moment. But by being proactive, being cautious, and taking appropriate remedial measures available to everyone, you can better position yourself to avoid fraud, protect your rights, and mitigate future fraud that might arise.

This post was written by Justin L. Root and Sara H. Jodka of Dickinson Wright PLLC © Copyright 2017
For more legal news go to The National Law Review

Wave of the Future or a Step Too Far? Wisconsin Company Offers Employees Microchip Implants, Employment Issues Abound

When wireless is perfectly applied the whole earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole. We shall be able to communicate with one another instantly, irrespective of distance. . . . and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket.

–Nikola Tesla, 1926

While we may now take Tesla’s connected world for granted, one cannot help but wonder what readers thought of his predictions in 1926 when he made the above statements in a magazine interview. It remains to be seen whether a similar pattern of skepticism, realization, and acceptance will eventually emerge regarding news that a vending machine company is offering its employees the opportunity to have microchips embedded in their hands to allow more convenient access to facilities, computers, and financial accounts.

The Wisconsin-based employer is reportedly the first in the United States to offer microchips (at a cost to the employer of $300 each) to employees on a voluntary basis. The microchip, roughly the size of a grain of rice, would be inserted into an employee’s hand between the thumb and forefinger, and could be used instead of a key to access buildings, log onto computers or printers, and even pay for goods in the company’s break room. It is not unlike fingerprint or other biometric technology that is becoming more widely used. In this case, however, the pertinent information is stored on the embedded microchip.

The company noted that in the future, the chip may also be able to store medical information or be used for transactions outside of the company. The chip’s technology is not, however, currently able to use GPS to track employees’ whereabouts.

Employers considering whether to implement such emerging technology may want to carefully assess whether the convenience outweighs the risks. Among the legal issues are the following:

Personal Privacy

While the company making headlines has stated that it will not use the technology to track its employees’ whereabouts (and the technology cannot currently support GPS monitoring), embedded microchips like this could create an electronic trail of the employee’s whereabouts whenever the employee is scanned to access secured locations.

Depending on where access points are installed, an employer could gain useful information, such as how long an employee spent in the break room, in the same vicinity as another employee who was allegedly harassed, or where material went missing. Further, having a record of frequent “check-ins” throughout the day as the employee accesses buildings, printers, computers, vehicles, etc. might aid in verifying time records for payroll purposes or compliance with delivery schedules and other customer expectations. This technology is already available to employers through access cards, login PINs, and other devices. The embedded chip would be another technology to use for that purpose, and it would be more difficult to trick the system with “buddy punches” and other surreptitious behavior with microchip technology. On the other hand, an employer could also theoretically confirm how long an employee spent in the restroom, at a union meeting, or complaining to human resources.

If embedded chips ever advance to the point of supporting GPS, a current body of case law regarding non-embedded GPS devices (like phones and devices installed on company vehicles) offers insights into potential legal risks. Companies use these technologies to track the whereabouts of employees, but that also gives companies information that could form the basis of a discrimination claim. For example, a company may learn that an employee is regularly at a medical clinic, which the employee might use to claim disability discrimination. Or, in Wisconsin where state law protects against discrimination based on the use or non-use of lawful products, the employer might learn that the employee spends a lot of off-duty time at the neighborhood bar, which could lead to a claim that the employee was discriminated against for using legal products while not on duty.

In addition, requiring GPS tracking of employees’ whereabouts is a mandatory subject of bargaining for unionized employees. Even for non-union employees, courts have found that employers go too far if they track employees’ whereabouts in places where employees would have a reasonable expectation of privacy (like their homes). Public employers face even greater risks in using GPS technology because courts have found that GPS technology may qualify as a search under the Fourth Amendment.

Data Privacy

Information from the chip (e.g., banking information and medical information) has value and could be the target of theft. Just as personal information could be hacked from other company databases and infrastructure, hacking may be a possibility with this new technology. Because a chip of this kind is passive and is read by holding it near a scanner, any compatible reader brought close enough can attempt to read it, so the protection in practice depends on what is actually stored on the chip and on whether the systems that rely on it validate more than a static identifier. Because the chip is provided by the employer, would the employer be liable for damages resulting from the misappropriation of stolen information? If an employer were negligent in implementing security protocols on the microchips, there could be litigation over the employer’s liability.

Workers’ Compensation

If an employee has a medical reaction from the implant or the procedure of implanting the chip (for example, developing an infection), there is a possibility that the medical reaction could give rise to a workers’ compensation claim because the chip was provided by the employer for work-related reasons.

Medical and Religious Accommodation

The employer in question here is not requiring employees to embed the chips, but requiring employees to do so would be difficult. Employees would likely have a right to opt out of the requirement based on medical or religious objections. It is not unlike requiring employees to get an annual flu vaccine. Some employees are medically unable and must be granted a medical accommodation under the Americans with Disabilities Act and applicable state laws (absent an undue hardship to the employer). Others may object on religious grounds and therefore qualify for accommodations on that basis. At least one court has supported an employee’s right to decline, on religious grounds, biometric access technology that is far less invasive than an implant.

A Look Into the Future

While the microchips currently in use appear to serve limited purposes, it is not farfetched that the technology will continue to develop and allow new uses. Employees may be comfortable with the current use, but not with future uses. Clear communication with employees as to the capabilities and uses of the chip would be essential to minimizing legal risk.

Even more practically, the technology of the chip itself may become outdated or employees might leave their employment with the company and the company would need to determine what to do with the chip already embedded into the employee. This could create medical challenges in removing the chip or controversies with the employee over who has rights to the chip itself or is obligated to pay for its removal.

While the company at issue here has not made implanting a microchip a condition of employment, social, economic, and practical influences could leave employees with little alternative. Just like the convenience of direct deposit has made paper payroll checks virtually obsolete, so too the convenience of chip technology may render physical keys, identification badges, and similar access control measures a thing of the past. Why risk losing or forgetting your identification badge when you can guarantee the necessary data is with you at all times? Financially, it seems likely that an employer could offer an incentive to employees who make use of the chip technology, much like auto insurance companies offer premium reductions to those who permit tracking of their driving habits. Many employers already offer shift premiums; are chip premiums on the horizon?

Ultimately, while this developing technology may certainly provide some added convenience and may not be all that significant a departure from our society’s current reliance on mobile devices, embedding a microchip into an employee’s body takes the invasiveness of the technology and the legal ramifications one step further and requires a thoughtful weighing of the risks versus the benefits.


This post was written by Keith E. Kopplin and Sarah J. Platt of Ogletree, Deakins, Nash, Smoak &amp; Stewart, P.C.

Third-Party Aspects of Cybersecurity Protections: Beyond your reach but within your control

Data privacy and cybersecurity issues are ongoing concerns for companies in today’s world.  It is nothing new to hear.  By now, every company is aware of the existence of cybersecurity threats and the need to try to protect itself.  There are almost daily reports of data breaches and/or ransomware attacks.  Companies spend substantial resources to try to ensure the security of their confidential information, as well as the personal and confidential information of their customers, employees and business partners.  As part of those efforts, companies are faced with managing and understanding their various legal and regulatory obligations governing the protection, disclosure and/or sharing of data – depending on their specific industry and the type of data they handle – as well as meeting the expectations of their customers to avoid reputational harm.

Despite the many steps involved in developing wide-ranging cybersecurity protocols – such as establishing a security incident response plan, designating someone to be responsible for cybersecurity and data privacy, training and retraining employees, and requiring passwords to be changed regularly (although NIST’s 2017 Digital Identity Guidelines, SP 800-63B, favor screening passwords against lists of known-compromised values over forced periodic changes) – it is not enough merely to manage risks internal to the company.  Companies are subject to third-party factors not within their immediate control, in particular vendors and employee BYOD (Bring Your Own Device).  If those cybersecurity challenges are not afforded sufficient oversight, they will expose a company to significant risks that will undo all of the company’s hard work trying to secure and defend its data from unauthorized disclosures or cyberattacks.  Although companies may afford some consideration to vendor management and BYOD policies, absent rigorous follow up, a company may too easily leave a gaping hole in its cybersecurity protections.

VENDORS

To accomplish business functions and objectives and to improve services, companies regularly rely on third-party service providers and vendors.  To that end, vendors may get access to and get control over confidential or personal information to perform the contracted services.  That information may belong to the company, employees of the company, the clients of the company and/or business partners of the company.

When information is placed into the hands of a vendor and/or onto its computer systems, stored in its facilities, or handled by its employees or business partners, the information is subject to unknown risks based on what could happen to the information while with the third-party.  The possibility of a security breach or the unauthorized use or access to the information still exists but a company cannot be sure what the vendor will do to protect against or address those dangers if they arise.  A company cannot rely on its vendors to maintain necessary security protocols and instead must be vigilant by exercising reasonable due diligence over its vendors and instituting appropriate protections.  To achieve this task, a company needs to consider the type of information involved, the level of protection required, the risks at issue and how those risks can be managed and mitigated.

Due Diligence

A company must perform due diligence over the vendor and the services to be provided and should consider, among other things, supplying a questionnaire to the vendor to answer a host of cybersecurity related questions including:

> What services will the vendor provide?  Gain an understanding of the services being provided by the vendor, including whether the vendor only gains access to, or actually takes possession of, any information.  There is an important difference between a vendor (i) having access to a company’s network to implement a third-party solution or provide a third-party service and (ii) taking possession of and/or storing information on its network or even the network of its own third-party vendors.

> Who will have access to the information?  A company should know who at the vendor will have access to the information.  Which employees?  Will the vendor need assistance from other third-parties to provide the contracted-for services?  Does the vendor perform background checks of its employees?  Do protocols exist to prevent employees who are not authorized from having access to the information?

> What security controls does the vendor have in place?  A company should review the vendor’s controls and procedures to make sure they comply not only with applicable legal and regulatory requirements but also with the company’s own standards.  Does the vendor have the financial wherewithal to manage cybersecurity risks?  Does the vendor have cybersecurity insurance?  Does the vendor have a security incident response plan?  To what extent has the vendor trained with or used the plan?  Has the vendor suffered a cyberattack?  If so, it actually may be a good thing depending on how the vendor responded to the attack and what, if anything, it did to improve its security following the attack.  What training is in place for the vendor’s employees?  How is the vendor monitoring itself to ensure compliance with its own procedures?

The Contract

A company should seek to include strong contractual language to obligate the vendor to exercise its own cybersecurity management and to cooperate with the company to ensure protection of the company’s data.  There are multiple provisions to consider when engaging vendors and drafting or updating contracts to afford the company appropriate protections.  A one-size-fits-all approach for vendors will not work and clauses will need to be modified to take account of, among other things:

 > The sensitivity of the information at issue – Does the information include only strictly confidential information, such as trade secrets or news of a potential merger?  Does the information include personal information, such as names, signatures, addresses, email addresses, or telephone numbers?  Does the information include what is considered more highly sensitive personal information, such as SSNs, financial account information, credit card information, tax information, or medical data?

> The standard of care and obligations for the treatment of information – A company should want its vendors to meet the same standards the company demands of itself.  Vendors should be required to acknowledge that they will have access to or will take possession of information and that they will use reasonable care to perform their services, including the collection, access, use, storage, disposal, transmission and disclosure of information, as applicable.  This can, and often should, include: limiting access to only necessary employees; securing business facilities, data centers, paper files, servers and back-up systems; implementing database security protocols, including authentication and access controls; encrypting highly sensitive personal information; and providing privacy security training to employees.  Contracts also should provide that vendors are responsible for any unauthorized receipt, transmission, storage, disposal, use, or disclosure of information, including the actions and/or omissions of their employees and/or relevant third-parties who the vendors retain.

> Expectations in the event of a security breach at the company – A company should include a provision requiring a vendor’s reasonable cooperation if the company experiences a breach.  A company should have a contact at each of its vendors, who is available 24/7 to help resolve a security breach.  Compliance with a company’s own obligations to deal with a breach (including notification or remediation) could be delayed if a vendor refuses to timely provide necessary information or copies of relevant documents.  A company also can negotiate to include an indemnification provision requiring a vendor to reimburse the company for reasonable costs incurred in responding to and mitigating damages caused by any security breach related to the work performed by the vendor.

> Expectations in the event of a security breach at the vendor – A company should demand reasonable notification if the vendor experiences a security breach and require the vendor to take reasonable steps and use best efforts to remediate the breach and to try to prevent future breaches.  A company should negotiate for a provision permitting the company to audit the vendor’s security procedures and perhaps even to physically inspect the vendor’s servers and data storage facilities if the data at issue is particularly sensitive.

Monitoring

Due diligence and contractual provisions are necessary steps in managing the cybersecurity risks that a vendor presents, but absent consistent and proactive monitoring of the vendor relationship, including periodic audits and updates to vendor contracts, all prior efforts to protect the company in this respect will be undermined.  Determining who within the company is responsible for the relationship  – HR? Procurement? Legal? – is critical to help manage the vendor relationship.

> Schedule annual or semi-annual reviews of the vendor relationship –  A company not only should confirm that the vendor is following its cybersecurity protocols but also should inquire if any material changes to those protocols have been instituted that impact the manner in which the vendor handles the company’s data.  Depending on the level of sensitivity of the data being handled by the vendor, a company may consider retaining a third-party reviewer to evaluate the vendor.

> Update the vendor contract, as necessary – A company employee should be responsible to review vendor contracts annually to determine if any changes are necessary in view of cybersecurity concerns.

BYOD

Ransomware, malicious software that a hacker deposits on a company’s network to encrypt the company’s data and hold it hostage until a ransom is paid to decrypt it, certainly is a heightened concern for all companies.  It is the fastest growing malware targeting all industries, with more than 50% growth in recent years.  Every company is wary of ransomware and is trying to do as much as possible to protect itself from hackers.  The best practices against ransomware are to (i) periodically train and retrain your employees to be on the lookout for ransomware; (ii) constantly back up your data systems; and (iii) split up the locations where data is maintained to limit the damage in the event some servers fall victim to ransomware.  One thing that easily is overlooked, however, or is afforded more limited consideration, is a company’s BYOD policy and enforcement of that policy.

Permitting a company’s employees to use their own personal electronic devices to work remotely will lower overhead costs and improve efficiency but will bring a host of security and compliance concerns.  The cybersecurity and privacy protocols that the company established and vigorously pursues inside the company must also be followed by its employees when using their personal devices – home computers, tablets, smartphones – outside the company.  Employees likely are more interested, however, in the ease of access to work remotely than in ensuring that proper cybersecurity measures are followed with respect to their personal devices.  Are the employees using sophisticated passwords on their personal devices or any passwords at all?  Do the employees’ personal devices have automatic locks?  Are the employees using the most current software and installing security updates?

These concerns are real.  In May of 2017, the WannaCry ransomware attack infected more than 200,000 computers in over 100 countries, incapacitating companies and hospitals.  Hackers took advantage of the failure to install a patch to Microsoft Windows, which Microsoft had issued weeks earlier.  Even worse, it was discovered that some infected computers were using outdated versions of Microsoft Windows for which the patch would not have worked regardless.  Companies cannot risk pouring significant resources into establishing a comprehensive security program only to suffer a ransomware attack or otherwise to have their efforts undercut by an employee working remotely who failed to follow appropriate security protocols on his/her personal devices.

The dangers to be wary of include, among others:

> Personal devices may not automatically lock or have a timeout function.

> Employees may not use sophisticated passwords to protect their personal devices.

> Employees may use unsecured Wi-Fi hotspots to access the company’s systems, subjecting the company to heightened risk.

> Employees may access the company’s systems using outdated software that is vulnerable to cyberattacks.

Combatting the Dangers

To address the added risks that accompany allowing BYOD, a company must develop, disseminate and institute a comprehensive BYOD policy.  That policy should identify the necessary security protocols that the employee must follow to use a personal device to work remotely, including, among other things:

> Sophisticated passwords

> Automatic locks

> Encryption of data

> Installation of updated software and security apps

> Remote access from secure Wi-Fi only

> Reporting procedures for lost/stolen devices

A company also should use mobile device management technology to permit the company to remotely access the personal devices of its employees to install any necessary software updates or to limit access to company systems.  Of course, the employee must be given notice that the company may use such technology and of the capabilities of that technology.  Among other things, mobile device management technology can:

> Create a virtual partition separating work data and personal data

> Limit an employee’s access to work data

> Allow a company to push security updates onto an employee’s personal device
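One way to turn the policy items and the mobile device management capabilities listed above into an automated compliance gate, as an added example that is not code from the original post or from any MDM product: each enrolled device record is checked against the policy (passcode, auto-lock, storage encryption, patch level, Wi-Fi profile, work/personal separation, lost-device report) and the findings drive the access decision for company systems. The record format, the thresholds and the three sample devices are constructed assumptions; a real MDM exposes equivalent attributes through its own API.

```python
"""BYOD policy compliance check over MDM-style device records.

Added example, not code from the original post or from any MDM vendor.
The record layout, policy thresholds and sample inventory are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Policy thresholds (assumed values; a real policy sets its own).
MIN_PASSCODE_LENGTH = 8
MAX_LOCK_TIMEOUT_SECONDS = 300
MIN_OS_PATCH_LEVEL = "2017-03"      # assumed "YYYY-MM" of the oldest acceptable security update
TRUSTED_WIFI_PROFILES = {"corp-wpa2-enterprise", "home-wpa2"}


@dataclass
class Device:
    owner: str
    passcode_length: int        # 0 means no passcode set
    lock_timeout_seconds: int   # 0 means the device never auto-locks
    storage_encrypted: bool
    os_patch_level: str         # "YYYY-MM" of the last installed security update
    wifi_profile: str           # network profile used for the last remote session
    work_container: bool        # separate work/personal partition present
    reported_lost: bool = False


def check_device(d: Device) -> List[str]:
    """Return one finding per policy item the device fails; empty means compliant."""
    findings = []
    if d.passcode_length == 0:
        findings.append("no passcode")
    elif d.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(f"passcode shorter than {MIN_PASSCODE_LENGTH}")
    if d.lock_timeout_seconds == 0 or d.lock_timeout_seconds > MAX_LOCK_TIMEOUT_SECONDS:
        findings.append("auto-lock disabled or timeout too long")
    if not d.storage_encrypted:
        findings.append("storage not encrypted")
    # "YYYY-MM" strings compare correctly as plain strings.
    if d.os_patch_level < MIN_OS_PATCH_LEVEL:
        findings.append("security updates missing")
    if d.wifi_profile not in TRUSTED_WIFI_PROFILES:
        findings.append("connecting from untrusted Wi-Fi")
    if not d.work_container:
        findings.append("no work/personal separation")
    if d.reported_lost:
        findings.append("device reported lost or stolen")
    return findings


def decide_access(d: Device) -> str:
    """Map findings to an access decision: allow, restrict (work data only after
    remediation) or block (wipe the work container, deny all access)."""
    findings = check_device(d)
    if d.reported_lost or "storage not encrypted" in findings or "no passcode" in findings:
        return "block"
    if findings:
        return "restrict"
    return "allow"


def summarize(devices: List[Device]) -> Dict[str, str]:
    """Decision per device owner, suitable for an enforcement report."""
    return {d.owner: decide_access(d) for d in devices}


# Constructed sample inventory (not real devices or people).
SAMPLE_DEVICES = [
    Device("alice", 10, 120, True, "2017-05", "corp-wpa2-enterprise", True),
    Device("bob", 4, 0, True, "2016-11", "coffee-shop-open", False),
    Device("carol", 0, 60, False, "2017-05", "home-wpa2", True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.owner, decide_access(dev), check_device(dev))
```

The point of the separate `decide_access` step is that not every finding carries the same weight: a missing patch can be remediated by pushing the update through the MDM, whereas an unencrypted or unlocked device holding work data has to be cut off before anything else is done.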

Enforcement

Similar to vendor management, the cybersecurity efforts undertaken by having a robust BYOD policy in place, or even using mobile device management technology, are significantly weakened unless a company enforces the policy it has instituted.

> A BYOD policy should be a prominent part of any employee cybersecurity training.

> The company should inform the employee of the company’s right to access/monitor/delete information from an employee’s personal device in the event of, among other things, litigation and e-discovery requests, internal investigations, or the employee’s termination.

CONCLUSION

Implementing the above recommendations will not guarantee a company will not suffer a breach but will stem the threats created by third-party aspects of its cybersecurity program.  Even if a company ultimately suffers a breach, having had these protections in place to administer the risks associated with vendor management and BYOD certainly will help safeguard the company from the scrutiny of regulators or the criticism of its customers, which would be worse!

This post was written by Joseph B. Shumofsky of Sills Cummis & Gross P.C.
More legal analysis at The National Law Review.

Weapons in the Cyber Defense Arsenal

In May 2017, the world experienced an unprecedented global cyberattack that targeted the public and private sectors, including an auto factory in France, dozens of hospitals and health care facilities in the United Kingdom, gas stations in China and banks in Russia. This is just the tip of the iceberg and more attacks are certain to follow. As this experience shows, companies of all sizes, across all industries, in every country are vulnerable to cyberattacks that can have devastating consequences for their businesses and operations.

The Malware Families

Exploiting vulnerabilities in Microsoft® software, hackers launched a widespread ransomware attack targeting hundreds of thousands of companies worldwide. The vector, “WannaCry” malware, encrypts electronic files and locks them until released by the hacker after a ransom is paid in untraceable Bitcoin. The malware also has the ability to spread to all other computer systems on a network. On the heels of WannaCry, a new attack called “Adylkuzz” is crippling computers by diverting their processing power.

The most prevalent types of ransomware found in 2016 were Cerber and Locky. Microsoft detected Cerber, used in spam campaigns, in more than 600,000 computers and observed that it was one of the most profitable of 2016. Spread via malicious spam emails that have an executable virus file, Cerber has gained increasing popularity due to its Ransomware-as-a-Service (RaaS) business model, which enables less sophisticated hackers to lease the malware.

Check Point Software indicated that Locky was the second most prevalent piece of malware worldwide in November 2016.  Microsoft detected Locky in more than 500,000 computers in 2016. First discovered in February 2016, Locky is typically delivered via an email attachment (including Microsoft Office documents and compressed attachments) in phishing campaigns designed to entice unsuspecting individuals to click on the attachment. Of course, as the most recent global attacks demonstrate, hackers are devising and deploying new variants of ransomware with different capabilities all the time.

The Rise of Ransomware Attacks

The rise in ransomware attacks is directly related to the ease with which it is deployed and the quick return for the attackers. The U.S. Department of Justice has reported that there was an average of more than 4,000 ransomware attacks daily in 2016, a 300 percent increase over the prior year. Some experts believe that ransomware may be one of the most profitable cybercrime tactics in history, earning approximately $1 billion in 2016. Worse yet, even with the ransom paid, some data already may have been compromised or may never be recovered.

The risk is even greater if your ransom-encrypted data contains protected health information (PHI). In July 2016, the U.S. Department of Health and Human Services, Office of Civil Rights (HHS/OCR) advised that the encryption or permanent loss of PHI would trigger HIPAA’s Breach Notification Rule for the affected population, unless a low probability that the recovered PHI had been compromised could be demonstrated. This means a mandated investigation to confirm the likelihood that the PHI was not accessed or otherwise compromised.

Ransomware Statistics

According to security products and solutions provider Symantec Corporation, ransomware was the most dangerous cybercrime threat facing consumers and businesses in 2016:

  • The majority of 2016 ransomware infections happened in consumer computers, at 69 percent, with enterprises at 31 percent.

  • The average ransom demanded in 2016 rose to $1,077, up from $294 in 2015.

  • There was a 36 percent increase in ransomware infections from 340,665 in 2015 to 463,841 in 2016.

  • The number of ransomware “families” found totaled 101 in 2016, triple the 30 found in 2015.

  • The biggest event of 2016 was the beginning of RaaS, or the development of malware packages that can be sold to attackers in return for a percentage of the profits.

  • Since January 1, 2016, more than 4,000 ransomware attacks have occurred daily, a 300 percent increase over the 1,000 daily attacks seen in 2015.

  • In the second half of 2016, the percentage of recognized ransomware attacks from all malware attacks globally doubled from 5.5 percent to 10.5 percent.

The Best Defense Is a Good Offense

While no perfectly secure computer system exists, companies can take precautionary measures to increase their preparedness and reduce their exposure to potentially crippling cyberattacks. While Microsoft no longer supports Windows XP operating systems, which were hit the hardest by WannaCry, Microsoft has made an emergency patch available to protect against WannaCry. However, those still using Windows XP should upgrade all devices to a more current operating system that is still fully supported by Microsoft to ensure protection against emerging threats. Currently, that means upgrading to Windows 7, Windows 8 or Windows 10.

Even current, supported software needs to be updated when prompted by the computer. Those who delay installing updates may find themselves at risk. Microsoft issued a patch for supported operating systems in March 2017 to protect against the vulnerability that WannaCry exploited. Needless to say, many companies did not bother to patch their systems in a timely manner.

Ransomware creates even greater business disruption when a company does not have secure backups of files that are critical to key business functions and operations. It also is important for companies to back up files frequently, because a stale backup that is several months old or older may not be particularly useful. Companies also should make certain that their antivirus and anti-malware software is current to protect against emerging threats.
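A check of backup readiness against the points made above (frequent backups, copies that an infection spreading across the network cannot reach, and copies that still restore), as an added example that is not the post’s own material: it reads a constructed backup manifest and flags each dataset whose newest copy is stale, that exists in only one location, that has no offline copy, or whose stored contents no longer match the checksum recorded when the backup was taken. The manifest layout, the seven-day limit and the in-memory stand-in for the backup media are assumptions.

```python
"""Backup readiness assessment for ransomware recovery.

Added example, not from the original post. Manifest format, thresholds and the
in-memory BLOB_STORE that stands in for backup media are all constructed.
"""
import hashlib
from datetime import datetime, timedelta
from typing import Dict, List

MAX_BACKUP_AGE = timedelta(days=7)   # assumed policy value for "stale"
MIN_LOCATIONS = 2                    # assumed: copies in at least two distinct locations
ASSESSMENT_TIME = datetime(2017, 5, 22, 8, 0, 0)   # constructed "now"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for backup media: archive path -> bytes actually present there.
# The NAS copy of "reservations" has been overwritten, simulating a backup that an
# infection reached over the network and encrypted along with the live data.
BLOB_STORE = {
    "nas:/finance-db/2017-05-20.tar": b"finance-db snapshot 2017-05-20",
    "tape:/finance-db/2017-05-14.tar": b"finance-db snapshot 2017-05-14",
    "nas:/hr-files/2017-02-01.tar": b"hr-files snapshot 2017-02-01",
    "nas:/reservations/2017-05-21.tar": b"\x00garbage written over the archive\x00",
    "cloud:/reservations/2017-05-21.tar": b"reservations snapshot 2017-05-21",
}

# Constructed manifest: one entry per backup copy, with the checksum recorded at backup time.
MANIFEST = [
    {"dataset": "finance-db", "path": "nas:/finance-db/2017-05-20.tar", "location": "onsite-nas",
     "taken": "2017-05-20T02:00:00", "offline": False,
     "sha256": sha256_hex(b"finance-db snapshot 2017-05-20")},
    {"dataset": "finance-db", "path": "tape:/finance-db/2017-05-14.tar", "location": "offsite-tape",
     "taken": "2017-05-14T02:00:00", "offline": True,
     "sha256": sha256_hex(b"finance-db snapshot 2017-05-14")},
    {"dataset": "hr-files", "path": "nas:/hr-files/2017-02-01.tar", "location": "onsite-nas",
     "taken": "2017-02-01T02:00:00", "offline": False,
     "sha256": sha256_hex(b"hr-files snapshot 2017-02-01")},
    {"dataset": "reservations", "path": "nas:/reservations/2017-05-21.tar", "location": "onsite-nas",
     "taken": "2017-05-21T02:00:00", "offline": False,
     "sha256": sha256_hex(b"reservations snapshot 2017-05-21")},
    {"dataset": "reservations", "path": "cloud:/reservations/2017-05-21.tar", "location": "offsite-cloud",
     "taken": "2017-05-21T02:00:00", "offline": False,
     "sha256": sha256_hex(b"reservations snapshot 2017-05-21")},
]


def assess_dataset(entries: List[dict], now: datetime) -> List[str]:
    """Findings for one dataset; empty list means the backups are ready to rely on."""
    findings = []
    latest = max(datetime.fromisoformat(e["taken"]) for e in entries)
    if now - latest > MAX_BACKUP_AGE:
        findings.append("stale")
    if len({e["location"] for e in entries}) < MIN_LOCATIONS:
        findings.append("single_location")
    if not any(e["offline"] for e in entries):
        findings.append("no_offline_copy")
    for e in entries:
        data = BLOB_STORE.get(e["path"])
        if data is None or sha256_hex(data) != e["sha256"]:
            findings.append("checksum_mismatch:" + e["path"])
    return findings


def assess(manifest: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Group manifest entries by dataset and assess each one."""
    by_dataset: Dict[str, List[dict]] = {}
    for e in manifest:
        by_dataset.setdefault(e["dataset"], []).append(e)
    return {name: assess_dataset(entries, now) for name, entries in by_dataset.items()}


def days_since_latest(manifest: List[dict], dataset: str, now: datetime) -> int:
    """Age in whole days of the newest copy of a dataset, for the report."""
    latest = max(datetime.fromisoformat(e["taken"]) for e in manifest if e["dataset"] == dataset)
    return (now - latest).days


if __name__ == "__main__":
    for name, findings in assess(MANIFEST, ASSESSMENT_TIME).items():
        print(name, days_since_latest(MANIFEST, name, ASSESSMENT_TIME), "days", findings or "ok")
```

Checksum verification is the step most often skipped: a backup job that reports success every night says nothing about whether the archive written months ago can still be read, and an online copy sitting on the same network as the infected hosts may already be encrypted when it is needed.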

In addition, companies need to train their employees on detecting and mitigating potential cyber threats. Employees are frequently a company’s first line of defense against many forms of routine cyberattacks that originate from seemingly innocuous emails, attachments and links from unknown sources. Indeed, many cyberattacks can be avoided if employees are simply trained not to click on suspicious links or attachments that could surreptitiously install malware.

Last but not least, companies should consider purchasing cyber liability insurance coverage, which is readily available. While cyber policies are still evolving and there are no standardized policy forms, coverage can be purchased at varying price points with different levels of coverage. Some of the more comprehensive forms of coverage provide additional “bells and whistles” such as immediate access to preapproved professionals that can guide companies through the legal and technical web of cybersecurity events and incident response.

Other cyber policies afford bundled coverages that may include:

  • The costs of a forensics investigation to identify the source and scope of an incident

  • Notification to affected individuals

  • Remediation in the form of credit monitoring and identity theft restoration services

  • Costs to restore lost, stolen or corrupted data and computer equipment

  • Defense of third-party claims and regulatory investigations arising out of a cyberattack.


This post was written by Anjali C. Das, Kevin M. Scott and John Busch of Wilson Elser Moskowitz Edelman & Dicker LLP.