House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the recognition that cybersecurity is no longer just about protecting laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology is being connected to the Internet. Representatives from both subcommittees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, since these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVRs, GPS units, children’s toys, and of course, electronic voting machines. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, the witnesses agreed that a collaborative and, above all, proactive approach by both the government and the manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement,” since old but still-active devices remain vulnerable to being conscripted into botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on DNS provider Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure devices, and there are likewise no significant legal or economic penalties for selling insecure devices to consumers. In short, consumers are focused on buying sleek and affordable new products rather than on the security of the networks that connect them. However, if massive DDoS attacks continue to grow the way data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr. Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as obstacles but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Insurance Coverage Issues for Cyber-Physical Risks

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.

These exclusions are no doubt assumed to “dovetail” with (i.e., to avoid duplicating) the bodily injury and property damage coverage traditionally afforded by general liability and first-party property insurance policies. But it is not always clear whether those more conventional policies cover bodily injury or property damage arising from a cyber-related peril (so-called “cyber-physical” risks). Unless an insurance program specifically addresses these risks, the determination of coverage for physical harm from a cyber-attack may depend on a close reading of policy language and a fact-intensive analysis of how the harm arose.

Policyholders would be well advised to understand the potential cyber-physical risks they face; to analyze all their current lines of coverage to determine whether and how each would respond to those risks; to seek clarifications in their current insurance wordings; to explore new “difference in conditions” insurance products designed to plug any gaps in coverage for such risks; and, ultimately, to expect disputes with their insurers if these novel cyber-physical harms should materialize.

© 2016 Covington & Burling LLP

Cybersecurity Due Diligence Is Crucial in All M&A—Including Energy M&A Transactions

Can a single data breach kill or sideline a deal? Perhaps so. Last month Verizon signaled that Yahoo!’s disclosure of a 2014 cyberattack might be a “material” change to its July $4.83 billion takeover bid—which could lead Verizon to renegotiate or even drop the deal entirely. Concern over cybersecurity issues is not unique to technology or telecommunications combinations. In a 2016 NYSE Governance Services survey of public company directors and officers, only 26% of respondents would consider acquiring a company that recently suffered a high-profile data breach—while 85% of respondents claimed that it was “very” or “somewhat” likely that a major security vulnerability would affect a merger or acquisition under their watch (e.g., 52% said it would significantly lower valuation).

Bottom Line: Cybersecurity should play a more meaningful role in the due diligence portion of any potential M&A deal. Certainly this is so when a material portion of the value in the acquisition comes from intangible assets that might be most vulnerable to hackers. Financial information comes to mind. Personal information of employees does as well. But companies also need to be concerned about their trade secrets, know-how and other confidential business information whose value inheres in its secrecy. Therefore, a merely perfunctory approach to cybersecurity can become very costly. The union of companies today is a union of information, malware and all.

Energy M&A Is Not Immune

To weather the plunge in prices, many oil companies have sought out new innovations to reduce the cost of extraction and exploration. Investments in digital technologies will likely only increase—a 2015 Microsoft and Accenture survey of oil and gas industry professionals found that “Big Data” and the “Industrial Internet of Things” (IIoT) are targets for greater spend in the next three to five years. Cybersecurity threats were perceived in the survey as one of the top two barriers to realizing value from these technologies.

These developments in the energy industry—bigger data and bigger vulnerabilities—are here to stay. The proposed merger of General Electric and Baker Hughes also speaks to the growing importance of analytics to oil production. Commentators note that the acquisition would allow GE more fully to implement its Predix platform, an application of IIoT to connect everything from wellhead sensors to spreadsheets. However, as last month’s massive cyberattack on DNS provider Dyn, Inc. demonstrated, the IIoT holds unique challenges as well as great promise for operational efficiency. (In that attack, reportedly some 400,000 compromised internet-connected devices were used to flood Dyn’s DNS servers with traffic, leaving the many websites that depend on Dyn unreachable.)

Bottom Line: Robust cybersecurity diligence should be de rigueur for energy M&A.

What Can Companies Do to Protect Deal Value?

For starters, energy companies should treat cybersecurity as a separate and more involved category for due diligence.

Liability for or damages from legacy data breaches or malware can become expensive—damages to systems, theft of information and liability from the release of personal or reputation-damaging information, to name a few. Therefore, anticipating problems post-merger, cataloguing past vulnerabilities and most importantly, discovering actual breaches before closing is crucial to avoid deals blowing hot and cold.

Companies should retain IT specialists who can do an objective assessment of the cybersecurity posture of a proposed merger or acquisition. This can help prospective acquirers better determine the adequacy of a target’s cybersecurity programs, such as its policies over incident response, how access to data is distributed, the extent of a company’s online presence and vulnerabilities, and how remediation of any potential cyberthreats or actual breaches may best proceed.

A cybersecurity questionnaire should also be developed, covering such topics as:

  • How and where has company data been stored?

  • Who has had access?

  • Have there been any actual or attempted intrusions into (or leaks of) company data?

An acquirer could further insist on specific representations and warranties from a target company regarding its cybersecurity compliance, as well as bargain for indemnity for prior data breaches.

On the target side, energy companies should prepare (in turn) for more scrutiny over their data security and privacy practices. Among other benefits to “knowing thyself,” getting ahead of this process should offer targeted companies a better negotiating position. It would also allow them to take a more proactive role in defining the policies of the combined company post-merger. At the very least, these efforts could help avoid the kind of hiccups and uncertainties that lead to undervaluation. In any event, poor cybersecurity practices can give an impression that a target lacks risk management in other areas—not an ideal pose to strike in any bargain.

Parting Thoughts

It is a trope in cybersecurity writing to invoke figures like Sun Tzu and shoehorn in quotes about war stratagem. Well, these habits are in some ways unavoidable: For all intents and purposes, fighting anonymous hackers resembles battle prep—a method of self-awareness and readiness that defies box-checking.

Energy companies could take these words to heart from the inestimable Miyamoto Musashi, a samurai who won 60 duels: “If you consciously try to thwart opponents, you are already late.” (A sentiment echoed more recently by Mike Tyson’s truistic “Everyone has a plan until they get punched in the mouth.”)

And This Key Takeaway: Any cybersecurity program must go hand-in-hand with a corporate culture that treats data as among its most valued assets. Detection, reporting and remediation are challenges that fall throughout the ranks, and they stand the best chance of being fully realized once responding to the unknown has become reflexive.

Bottom Line: Mind Your Data!

President Donald J. Trump – What Lies Ahead for Privacy, Cybersecurity, e-Communication?

Following a brutal campaign – one laced with Wikileaks’ email dumps, confidential Clinton emails left unprotected, flurries of Twitter and other social media activity – it will be interesting to see how a Trump Administration will address the serious issues of privacy, cybersecurity and electronic communications, including in social media.

Mr. Trump had not been too specific with many of his positions while campaigning, so it is difficult to have a sense of where his administration might focus. But, one place to look is his campaign website where the now President-elect outlined a vision, summarized as follows:

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities by individuals from the military, law enforcement, and the private sector, the “Cyber Review Team.”

  • The Cyber Review Team will provide specific recommendations for safeguarding with the best defense technologies tailored to the likely threats.

  • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees.

  • Instruct the U.S. Department of Justice to coordinate responses to cyber threats.

  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

There is nothing new here as these positions appear generally to continue the work of prior administrations in the area of cybersecurity. Perhaps insight into President-elect Trump’s direction in these areas will be influenced by his campaign experiences.

Should we expect a tightening of cybersecurity requirements through new statutes and regulations?

Mr. Trump has expressed a desire to reduce regulation, not increase it. However, political party hackings and unfavorable email dumps from Wikileaks, coupled with continued data breaches affecting private and public sector entities, may prompt his administration and Congress to do more. Politics aside, cybersecurity clearly is a top national security threat, and it is having a significant impact on private sector risk management strategies and individual security. Some additional regulation may be coming.

An important question for many, especially for organizations that have suffered a multi-state data breach, is whether we will see a federal data breach notification standard, one that would “trump” the current patchwork of state laws. With Republicans in control of the executive and legislative branches, at least for the next two years, and considering the past legislative activity in this area, a federal law on data breach notification that supersedes state law does not seem likely.

Should we expect an expansion of privacy rights or other protections for electronic communication such as email or social media communication?

Again, much has been made of the disclosure of private email during the campaign, and President-elect Trump is famous (or infamous) for his use of social media, particularly his Twitter account. For some time, however, many have expressed concern that federal laws such as the Electronic Communications Privacy Act and the Stored Communications Act are in need of significant updates to address new technologies and usage, while others continue to have questions about the application of the Communications Decency Act. We also have seen an increase in scrutiny over the content of electronic communications by the National Labor Relations Board, and more than twenty states have passed laws concerning the privacy of social media and online personal accounts. Meanwhile, the emergence of Big Data, artificial intelligence, IoT, cognitive computing and other technologies continue to spur significant privacy questions about the collection and use of data.

While there may be a tightening of the rules concerning how certain federal employees handle work emails, based on what we have seen, it does not appear at this point that a Trump Administration will make these issues a priority for the private sector.

We’ll just have to wait and see.

Jackson Lewis P.C. © 2016

Legal Challenge to EU-US Privacy Shield Framework

As widely expected, the EU-US Privacy Shield is being challenged before the European courts.

What is Privacy Shield?

In October 2015, the Court of Justice of the European Union (CJEU) ruled that the European Commission’s decision on adequacy for the Safe Harbor scheme was invalid. The European Union and the United States agreed a new framework for the exchange of personal data for commercial purposes called the Privacy Shield to replace Safe Harbor. The Privacy Shield Framework was deemed adequate for the transfer of personal data by the European Commission in a decision dated 12 July 2016. Adequacy is granted only where the standard of protection in a third country is “essentially equivalent” to the rights and freedoms guaranteed by the EU regime on data protection.

Safe Harbor was challenged on the grounds that public authorities in the US had access to the content of electronic communications originating within the EU. When ruling on the European Commission’s adequacy decision in respect of Safe Harbor, the CJEU considered that the requirements for adequacy cannot be met where a regime compromises the right to respect for private life and fails to allow an individual to pursue legal remedies and to have access to their personal data.

The EU Article 29 Working Party recently published its opinion on the EU-U.S. Privacy Shield. It said that, despite improving some of the areas of the Safe Harbor scheme which had been particularly criticised, Privacy Shield still did not sufficiently address “massive and indiscriminate surveillance of individuals” by the US national security authorities in the light of the fight against terrorism.  The Working Party further added that this “can never be considered proportionate and strictly necessary in a democratic society as is required under the protection offered by the applicable fundamental rights”.

The Legal Challenge

The legal challenge was filed in Europe’s General Court (the Court of First Instance) on 16 September 2016 by a privacy advocacy group called Digital Rights Ireland but was only recently made public.  The General Court’s website reveals little more of substance about the challenge saying only that there is an “action for annulment” and the subject matter is “area of freedom, security and justice”. Reuters has reported that Digital Rights Ireland seeks annulment of the European Commission’s approval of the adequacy decision on the Privacy Shield Framework.

It remains to be seen how the case will be decided, but in reviewing Safe Harbor the CJEU set out its reasoning on what adequacy requires for transfers of personal data. The Privacy Shield will remain in effect until the courts decide otherwise, which could take up to a year.

Matt Buckwell is co-author of this article. 

© Copyright 2016 Squire Patton Boggs (US) LLP

Cyber Security Awareness Needs To Last Beyond October

The U.S. Department of Homeland Security (DHS) has designated October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just against information system hacking, but also against employee error and other threats. Setting up a comprehensive training and awareness program is critical – and this outline can help you keep your organization aware of cyber security throughout the year.

DHS’ purpose is to engage and educate public and private sectors through events and initiatives that raise awareness about cybersecurity, make certain tools and resources available, and increase our resiliency in the event of a cyber incident. This is a great effort and DHS collects helpful information and a number of resources for visitors to its site. But by selecting October to draw attention to cyber security, surely DHS did not intend that October be the only month that we think about this important area.

Earlier this year, the FBI reported a significant increase in ransomware attacks. Late last year, the Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. Training and creating awareness to deal with these continued and growing risks is critical. In fact, for many organizations, doing so will help satisfy legal requirements for securing data. And, it is a mistake to believe that only organizations in certain industries like healthcare, financial services, retail, education and other regulated sectors have obligations to train employees about data security. A growing body of law coupled with the vast amounts of data most organizations maintain should prompt all organizations to assess their data privacy and security risks, and implement appropriate awareness and training programs.

Here are some questions to ask when setting up your own program, which are briefly discussed in the FBI report above:

  • Who should design and implement the program?

  • Who should be trained?

  • Who should conduct the training?

  • What should the training cover?

  • How often should training be provided to build awareness?

  • How should training be delivered?

  • Do we need to document the training?

No system is perfect, however, and even a good training and awareness program will not prevent data incidents from occurring. But in the absence of such a program, the question your organization will likely have to answer will not be why it lacked a system that prevented every breach. Instead, the question will be whether the organization had safeguards that were compliant and reasonable under the circumstances.

Jackson Lewis P.C. © 2016

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It is delivered to devices and systems through spam, phishing messages, websites and email attachments, or it can be installed directly by an attacker who has broken into a system. In many instances, when a user clicks on the malicious link or opens the attachment, the malware executes and begins encrypting the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware. After the data is encrypted, the attacker directs the user to pay a ransom in exchange for the decryption key. Some ransomware also destroys information, or transfers it from the information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but that is not guaranteed. In 2016, at least four hospitals have reported ransomware attacks, and additional attacks are believed to go unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates back up their data frequently, because ransomware works by denying access to that data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be conducted periodically to verify the integrity of backed-up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to delete or otherwise disrupt online backups, entities should consider maintaining backups offline, where they cannot be reached from the production network.
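As an added example (it is not code from HHS or from the original article), the following Python script records a SHA-256 digest of every file at backup time and uses that manifest to validate a test restoration: it reports files altered after the backup was taken, files that did not come back, and extra files such as a ransom note. The directory layout, file names and sample records are constructed for the demonstration.

```python
"""Backup manifest plus test-restore verification.

Added example, not part of the HHS guidance or the original article. Model:
a backup is a directory copy, and integrity is proven by comparing SHA-256
digests recorded at backup time against the restored files. All sample
files below are constructed inline.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 digest of a file, streamed so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root: relative path -> {sha256, size}."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full),
                             "size": os.path.getsize(full)}
    return manifest


def backup(src, dest):
    """Copy src to dest and write a manifest beside the copy. The manifest,
    like the backup itself, belongs where the production network cannot
    write: it is what later proves a restore matches the original."""
    shutil.copytree(src, dest)
    manifest = build_manifest(src)
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest: files whose digest
    changed (corrupted, or encrypted after the backup), files missing from
    the restore, and unexpected extras such as a swept-in ransom note."""
    current = build_manifest(restored_root)
    return {
        "modified": sorted(p for p in manifest if p in current
                           and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: back up, test-restore, then tamper with the backup."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "ehr")
        os.makedirs(os.path.join(src, "records"))
        with open(os.path.join(src, "records", "patient-001.txt"), "w") as f:
            f.write("sample record, constructed for the demo\n")
        with open(os.path.join(src, "schedule.csv"), "w") as f:
            f.write("date,room\n2016-07-28,A\n")

        bak = os.path.join(work, "backup")
        manifest = backup(src, bak)

        # Clean test restore: copy the backup out and verify it.
        restore_clean = os.path.join(work, "restore-clean")
        shutil.copytree(bak, restore_clean)
        clean = verify_restore(restore_clean, manifest)

        # Simulate ransomware reaching the online backup: one file is
        # overwritten with random bytes and a ransom note is dropped.
        with open(os.path.join(bak, "schedule.csv"), "wb") as f:
            f.write(os.urandom(64))
        with open(os.path.join(bak, "README_DECRYPT.txt"), "w") as f:
            f.write("pay up\n")
        restore_bad = os.path.join(work, "restore-tampered")
        shutil.copytree(bak, restore_bad)
        tampered = verify_restore(restore_bad, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The clean restore verifies with nothing to report; the tampered one reports schedule.csv as modified and the ransom note as unexpected, which is exactly the signal a periodic test restoration is meant to surface before the backup is needed in earnest.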

Covered entities and business associates should also install anti-malware protections and educate their workforce members on data security practices that can reduce the risk of ransomware, including how to recognize malicious emails, the importance of avoiding suspicious websites and complying with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)
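The file-system indicators above lend themselves to simple host-side detection logic. The following Python script is an added example, not anything from the HHS guidance or the original article: it scores a constructed file-operation log (the log format, process names, paths and thresholds are all assumptions) and flags a process that renames many files to a single new extension across several directories within a minute, or that drops a file named like a ransom note.

```python
"""Host-side scoring of file-system events for ransomware-like behaviour.

Added example, not part of the HHS guidance or the original article. The log
format, process names, paths and thresholds are assumptions chosen for the
demonstration; a real EDR or audit feed carries the same fields (time,
process, operation, path) in its own format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
# File names ransomware families typically use for their instructions.
RANSOM_NOTE_RE = re.compile(r"(decrypt|how_to|restore|readme)[^/\\]*\.(txt|html?)$", re.I)
WINDOW = timedelta(seconds=60)   # sliding window per process
RENAME_THRESHOLD = 5             # renames to one new extension inside WINDOW
MIN_DIRECTORIES = 2              # spread over more than one directory

# Constructed sample log: normal Word activity, a bulk-encrypting process,
# a ransom note, and a backup job whose single rename must not be flagged.
SAMPLE_LOG = r"""
2016-07-28T09:14:02 pid=4120 proc=winword.exe op=write path=C:\Users\alice\Documents\report.docx
2016-07-28T09:14:30 pid=4120 proc=winword.exe op=rename path=C:\Users\alice\Documents\~tmp1.docx new=C:\Users\alice\Documents\report.docx
2016-07-28T09:15:10 pid=5532 proc=svchost32.exe op=rename path=C:\Users\alice\Documents\report.docx new=C:\Users\alice\Documents\report.docx.locked
2016-07-28T09:15:11 pid=5532 proc=svchost32.exe op=rename path=C:\Users\alice\Documents\budget.xlsx new=C:\Users\alice\Documents\budget.xlsx.locked
2016-07-28T09:15:12 pid=5532 proc=svchost32.exe op=rename path=C:\Users\alice\Pictures\scan1.jpg new=C:\Users\alice\Pictures\scan1.jpg.locked
2016-07-28T09:15:12 pid=5532 proc=svchost32.exe op=rename path=C:\Users\alice\Pictures\scan2.jpg new=C:\Users\alice\Pictures\scan2.jpg.locked
2016-07-28T09:15:13 pid=5532 proc=svchost32.exe op=rename path=S:\Shared\EHR\patient-001.pdf new=S:\Shared\EHR\patient-001.pdf.locked
2016-07-28T09:15:20 pid=5532 proc=svchost32.exe op=create path=S:\Shared\EHR\HOW_TO_DECRYPT_FILES.txt
2016-07-28T09:40:00 pid=6001 proc=backup.exe op=rename path=D:\Backups\daily.tmp new=D:\Backups\daily.zip
"""


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable event: " + line)
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def _parts(path):
    """(directory, extension) of a path, tolerating Windows separators."""
    folder, _, name = path.replace("\\", "/").rpartition("/")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    return folder, ext


def score_events(lines):
    """Return {'proc[pid]': [reasons]} for processes that look like they
    are bulk-encrypting files or dropping a ransom note."""
    recent = defaultdict(deque)     # (pid, proc) -> (ts, new_ext, dir)
    findings = defaultdict(list)
    flagged = set()                 # (key, ext) already reported once
    for ev in map(parse_event, lines):
        key = (ev["pid"], ev["proc"])
        if ev["op"] == "create" and RANSOM_NOTE_RE.search(ev["path"]):
            findings[key].append("ransom note dropped: " + ev["path"])
        if ev["op"] == "rename" and ev["new"]:
            folder, old_ext = _parts(ev["path"])
            _, new_ext = _parts(ev["new"])
            if not new_ext or new_ext == old_ext:
                continue             # save-and-swap rename, not encryption
            q = recent[key]
            q.append((ev["ts"], new_ext, folder))
            while q and ev["ts"] - q[0][0] > WINDOW:
                q.popleft()          # drop events older than the window
            dirs = [d for _, e, d in q if e == new_ext]
            if (len(dirs) >= RENAME_THRESHOLD
                    and len(set(dirs)) >= MIN_DIRECTORIES
                    and (key, new_ext) not in flagged):
                flagged.add((key, new_ext))
                findings[key].append(
                    f"{len(dirs)} renames to .{new_ext} within "
                    f"{WINDOW.seconds}s across {len(set(dirs))} directories")
    return {f"{proc}[{pid}]": reasons for (pid, proc), reasons in findings.items()}


def analyze_sample():
    """Run the scorer over the constructed log."""
    return score_events(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for proc, reasons in analyze_sample().items():
        print(proc, "->", "; ".join(reasons))
```

Only the svchost32.exe process is flagged; Word's save-and-swap rename keeps the same extension and the backup job's single rename never reaches the threshold. The thresholds are deliberately conservative and would be tuned against a site's own baseline; the command-and-control indicator from the list above is a network-side check and is not modelled here.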

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity will be able to continue its day-to-day business operations while continuing to respond to, and recover from, a ransomware attack. The entity’s robust security incident procedures for responding to a ransomware attack should include the following processes to:

  • Activate the entity’s incident response plan and follow its requirements;
  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

A reportable breach is then presumed unless the covered entity or business associate can demonstrate, based on the factors set forth in the HIPAA breach notification rule, that there is a “[l]ow probability that the PHI has been compromised.” Making that demonstration requires additional analysis of what information was accessed and acquired in the incident. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware, though, is usually designed to extort money from victim entities rather than steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes not to notify affected individuals, in case of a subsequent regulatory investigation or litigation.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.

Employee Error Accounts for Most Security Breaches

A recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely in the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.1 While technological measures (e.g., anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.

Just as troubling, another recent study found a 789% increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.2 Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via e-mail, instant message or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption and consumer litigation exposure. Every industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,3 it is also one of the most neglected areas in many businesses’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlights just how critical the human element really is, as almost every one of those attacks resulted from human error.

First and foremost, it is critical that training programs have the participation of and include input from all relevant stakeholders at the company, including Human Resources, IT, Information Security, Legal, and Compliance.

Key aspects of any successful training program should also include the following:

  • Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization

  • Train creatively, not just in a non-interactive classroom setting

  • Look for means to introduce interactivity into the training process

  • Have a means of measuring progress

To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web based training, meetings, and promotions).”[1]

Training can be conducted through a number of means:

  • Classroom sessions

  • Webinars

  • Security posters and other materials in common areas

  • Brown bag lunches

  • Helpful hints distributed to employees via e-mail or corporate intranet posts

  • Simulated phishing attacks (e.g., systems that will periodically send phishing e-mail to employees attempting to lure them into clicking on an attachment or a hyperlink and then alerting the employee that they have engaged in an insecure activity)

Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home e-mail accounts and thereby protect their own data, photographs, financial accounts, etc.

1 https://www.egress.com/news/egress-ico-foi-2016
2 http://phishme.com/phishme-q1-2016-malware-review/
3 See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition. http://www.sei.cmu.edu/reports/12tr012.pdf.

Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. The term often used for this type of information is “personal identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Early Settlement of Home Depot Consumer Data Breach Claims – Start of Trend?

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements.

Prior to settlement, Home Depot had followed the standard playbook for defense of a consumer data breach claim, seeking dismissal of the action on standing grounds due to plaintiffs’ inability to establish injury resulting from the theft of credit and debit card numbers.  While defendants have had notable success in defeating consumer data breach claims on standing grounds – primarily because card issuers hold consumers harmless for fraud losses on their cards – recent decisions, exemplified by the denial of the motion to dismiss consumer claims in the Target data breach litigation, have concluded that consumers do suffer injury in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  The growing frequency of courts finding standing to bring consumer payment card data breach claims posed for Home Depot the not-inconsiderable risk that the consumer claims would survive its motion to dismiss, requiring Home Depot to proceed to expensive document and deposition discovery.

At the same time, the cost of settling consumer claims has proven to be relatively small, even for classes numbering in the tens of millions of consumers.  The “injuries” that courts have relied upon to find standing still do not add up to large dollar value claims on a per-class member basis.  In the Target case, the claims of the 40 million-member consumer class settled for $10 million.  The small size of the Target settlement relative to the size of the class was not an anomaly.  As previously reported, plaintiffs in Target submitted a chart to the court detailing prior consumer data breach settlements.  The chart showed that the cash cost of a large data breach settlement is typically $1.00 or less per class member.  The Target settlement itself came in at approximately $0.25 per class member.  The pattern revealed in Target’s submission and in the Target settlement itself surely sent a strong signal to both sides as to the likely settlement range for the consumer claims in the Home Depot case.

Meanwhile, even as the motion to dismiss was being considered by the court, the parties were engaged in the process of planning for discovery.  At the time of the settlement the parties had already come to agreement on a scheduling order, merits and expert discovery protocols, a confidentiality agreement and protective order, and a stipulation concerning authentication of documents.  The case settled during the negotiation of a protocol for discovery of electronically stored information.  On top of all of this, plaintiffs had propounded 126 document requests on Home Depot.  Based on those activities, the parties would have understood that the impending costs of document production by Home Depot and document review by plaintiffs would be staggering, as would the subsequent cost to both parties of extensive deposition practice and expert discovery.  Given the benchmark established by Target and other similar cases, the anticipated discovery costs in Home Depot could easily equal or exceed the likely cost to settle the consumer claims.

Unsurprisingly, the proposed Home Depot settlement falls comfortably within the range indicated by the survey of data breach settlements that was submitted to the court in Target. The Home Depot settlement provides for payment of $13 million to the class, and guarantees that Home Depot will spend $6.5 million to pay for credit protection for the class. Note, however, that cash payments to class members from the $13 million settlement fund will be distributed on a claims-made basis. If class members fail to claim the entire $13 million, the undistributed balance may be used to defray the cost of notice to the class and then, if funds still remain, the cost of purchasing credit protection. If the claim rate is low enough, it is possible that Home Depot’s entire payment obligation under the settlement for the benefit of the class will not exceed the $13 million settlement floor. Either way, the settlement range of $13 million to $19.5 million will yield per-class member benefits for the 40 million class members whose payment card numbers were stolen of between $0.33 and $0.49 per person. Note that here, as in Target, attorneys’ fees are requested in addition to the class distribution, with the request here equaling $8.475 million. Home Depot has the right to challenge the fee award, but has waived any right of appeal from the trial court’s fee determination.

It is also worth noting how the cost of the consumer settlement compares to the overall cost of settlement. As was the case for Target, the cost of settling the consumer claims is a small portion of the overall costs to Home Depot arising from the data breach. According to a report by Reuters, Home Depot said it had booked $161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds (reported by Home Depot in its last Form 10-Q quarterly report to total about $100 million). Thus, the largest amount that Home Depot could pay in settlement of the consumer claims (including attorneys’ fees) would equal just under 11% of the $261 million in breach-related expenses incurred by Home Depot. The ability to settle for around 10% of the total data breach exposure – and the opportunity to avoid incurring additional litigation expenses that would drive up both totals – would provide another justification for striking an early deal to resolve the consumer claims.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.