New Year to Bring Increased Regulatory Focus on Cybersecurity for Financial Institutions

Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 “Report on Cyber Security in the Banking Sector,”[1] the New York Department of Financial Services (the “NYDFS” or the “Department”) has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the “Examination Letter”). Additionally, the Chairman of the federal Commodity Futures Trading Commission (“CFTC”) has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors (“CSBS”) has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.

These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers’ personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.

NYDFS’s Examination Letter

On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department’s new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker,[2] the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.

The new examination procedures are designed to encourage “all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology.” According to Benjamin M. Lawsky, Superintendent of the NYDFS, new procedures are also intended to promote a “laser-like focus on this issue by both banks and regulators” given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.

The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination “First Day Letters” to assist in expediting the Department’s review of financial institutions’ cybersecurity preparedness:[3]

  • Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;

  • Cybersecurity incident detection, monitoring and reporting processes;

  • Resources devoted to information security and overall risk management;

  • The risks posed by shared infrastructure;

  • Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;

  • Information security testing and monitoring, including penetration testing;

  • Training of information security professionals as well as all other personnel;

  • Vetting and management of third-party service providers; and

  • Cybersecurity insurance coverage and other third-party protections.

In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution’s ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:

  • The qualifications of the institution’s Chief Information Security Officer, or the individual otherwise responsible for information security;

  • Copies of the institution’s information security policies and procedures;

  • The institution’s data classification approaches and data access management controls;

  • The institution’s vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;

  • The institution’s patch management program, including how updates, patches and fixes are obtained and disseminated;

  • The institution’s due diligence process regarding information security practices used to vet, select and monitor third-party service providers;

  • Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;

  • The institution’s incident response program, including how incidents are reported, escalated and remediated; and

  • The relationship between information security and the organization’s business continuity program.

The NYDFS’s Examination Letter is essentially a “take-home test” for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is essentially announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.

CFTC’s Increased Focus on Cybersecurity

On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is “perhaps the single most important new risk to financial stability.” As a result, cybersecurity will become an increasingly important aspect of the CFTC’s oversight for futures and swaps markets.

Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.

Although the CFTC does not conduct independent testing of its cybersecurity requirements, it reviews evidence provided for satisfaction of the requirements. Chairman Massad testified that the CFTC’s upcoming examinations will focus on the following areas:

  • Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?

  • Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?

  • Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?

  • Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?[4]

CSBS Guidance for Financial Services Officers and Directors

On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the “CSBS Resource Guide”), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.

Takeaways

In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:

1. Conducting Periodic Cybersecurity Risk Assessments

  • Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;

  • Evaluate effectiveness of current controls in light of identified risks;

  • Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and

  • Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.

2. Evaluating Potential Third-Party Vendor Risks

  • Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;

  • Obtain copies of vendors’ written information security plans or certifications of compliance with applicable standards; and

  • Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.

3. Developing and Periodically Testing a Comprehensive Incident Response Plan

  • Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and

  • Conduct periodic “table top” exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.


[1] See http://www.dfs.ny.gov/about/press2014/pr1405061.htm
[2] See http://www.americanbanker.com/news/bank-technology/new-york-cybersecurity-exams-will-be-tougher-than-ffiecs-1071603-1.html
[3] The NYDFS’s new cybersecurity questions and topics are similar to the comprehensive cybersecurity questionnaire attached to the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ (“OCIE”) Risk Alert, issued on April 15, 2014, as part of the OCIE’s cybersecurity examinations of registered investment advisors and broker-dealers.
[4] The NYDFS and the CFTC are certainly not the only banking and financial services regulators that have intensified their focus on cybersecurity. Indeed, during her December 10, 2014 testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Valerie Abend, chair of the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group, said the FFIEC’s interagency cybersecurity guidelines “require banks to develop and implement formal information security programs that are tailored to a bank’s assessment of the risks it faces, including internal and external threats to customer information and any method used to access, collect, store, use, transmit, protect, or dispose of the information.”

Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action

Mintz Levin Law Firm

A recent ruling by Federal District Judge Paul Magnuson will permit most of the consumer claims in the Target data breach litigation to survive Target’s motion to dismiss. This most recent ruling follows on the heels of the court’s December 2 decision partially denying Target’s motion to dismiss the consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach. The late 2013 data theft that gave rise to the consumer and issuer bank claims was caused by malware placed by hackers on Target’s point-of-sale (“POS”) terminals. The malware allowed the hackers to record and steal payment card data as customers’ credit or debit cards were swiped. In the consolidated consumer complaint, 117 named plaintiffs allege that Target wrongfully failed to prevent or timely disclose the data theft. Plaintiffs also contend that Target failed to disclose the purported insufficiency of Target’s data security practices. The consumers assert claims under the laws of 49 states and the District of Columbia for negligence, breach of contract, breach of data notification statutes and violation of state unfair trade practice statutes. The consumer complaint also purports to assert those claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach.

The court’s latest ruling rejected arguments by Target as to standing and damages that would have required dismissal of the consumer claims in their entirety. The court did state, however, that Target can revisit the question of whether plaintiffs had sustained actionable injuries after discovery has concluded. And, even though most of the consumer Plaintiffs’ claims survive, the court did rule that certain of the claims alleged under particular states’ laws should be dismissed.

As is true of the court’s denial of Target’s motion to dismiss the issuer banks’ consolidated complaint, the denial of the motion to dismiss does not resolve the merits of the surviving consumer claims. Like the surviving issuer bank claims, the consumer claims that were not dismissed will now be the subject of extensive discovery and further motion practice relating to class certification and summary judgment.

Court rejects Target’s arguments on standing and injury: As is common in data breach cases, Target’s primary ground for seeking dismissal of the consumer claims was lack of standing due to the absence of actionable consumer injury. In its motion to dismiss, Target argued that none of the plaintiffs had alleged a present injury sufficient to establish “case or controversy” standing under Article III of the United States Constitution. Specifically, Target contended that none of plaintiffs’ alleged present injuries either constituted a present harm to plaintiffs or was fairly traceable to the theft of payment card data. Target’s central argument was that allegations that unauthorized charges had been made on plaintiffs’ payment cards did not plead actionable injury because plaintiffs did not – indeed, likely could not – allege that such charges had not been or would not be reimbursed by the card issuing banks. Target further argued that other alleged injuries could not fairly be traced to theft of payment card data because they could only have arisen from unrelated conduct (such as identity theft resulting from a plaintiff’s stolen social security number) or were not fairly traceable to the data theft itself (such as loss of access to funds based on plaintiffs’ own voluntary closing of accounts).

The court gave these arguments cursory treatment. Judge Magnuson disagreed with Target’s injury analysis, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” Target contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . .” The court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.” In so ruling, however, Judge Magnuson merely deferred to another day a decision on whether the injuries alleged were indeed fairly traceable to the alleged wrongdoing. Despite concluding that Plaintiffs’ allegations were “sufficient at this stage to plead standing,” the court nonetheless stated that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.” Thus, it remains open to Target to show that neither Plaintiffs nor putative class members suffered injuries fairly traceable to the data breach.

The court’s finding that Plaintiffs had alleged actionable injuries also supported its denial of Target’s request that the Court dismiss claims asserted under 26 state consumer protection laws that required allegation of pecuniary injury. Similarly, the court rejected Target’s argument that Plaintiffs’ negligence claims should be dismissed for failure to allege cognizable damages.

Court dismisses some state consumer protection law claims; most survive: Plaintiffs brought unfair or deceptive trade practice claims under the consumer protection statutes of 49 states and the District of Columbia. The court dismissed claims under Wisconsin law because the subject statute contains no private right of action. The court also dismissed claims asserted on behalf of absent class members under the consumer protection laws of Alabama, Georgia, Kentucky, Louisiana, Mississippi, Montana, South Carolina, Tennessee and Utah, finding that the laws of those states, which preclude the assertion of consumer protection claims by means of a class action, “define the scope of the state-created right” and preclude certification of a class to pursue such claims (quoting Shady Grove Orthopedic Assocs. v. Allstate Ins. Co., 559 U.S. 393, 423 (2010)). Otherwise, as noted above, Judge Magnuson found that plaintiffs’ allegations, including their allegations of injury, asserted actionable class and individual claims under the remaining states’ consumer protection statutes, and declined to dismiss such claims.

Certain data breach notice claims survive motion to dismiss: Plaintiffs asserted claims against Target under the data breach notification statutes of 38 states, alleging that Target had failed to disclose the data breach as soon as required under those laws. As with plaintiffs’ other claims, the court rejected as premature Target’s argument that plaintiffs had not alleged any actionable damages flowing from alleged violations of state data breach notification statutes. Certain of Target’s arguments for dismissal based on statutory language prevailed. Plaintiffs conceded that the data breach statutes in Florida, Oklahoma, and Utah did not permit a private right of action, and voluntarily withdrew those claims. Where the applicable statutes provided only for enforcement by the state attorney general (as is true in Arkansas, Connecticut, Idaho, Massachusetts, Minnesota, Nebraska, Nevada and Texas), the court dismissed Plaintiffs’ claims. Where the remedies available under other states’ laws were non-exclusive or ambiguous – as was the case in Colorado, Delaware, Iowa, Kansas, Michigan and Wyoming – the court declined to dismiss Plaintiffs’ claims. Where applicable state laws were silent as to the authority to enforce the enactment, the court inferred a private right of enforcement in all states except Rhode Island, where controlling authority holds that if a statute does not expressly provide for a private cause of action, such a right cannot be inferred. As to all other states, the court agreed with plaintiffs’ argument that there is either a permissive cause of action or that there is a private right to enforce data breach notification statutes under applicable state consumer protection statutes.

Negligence claims survive where not barred under the economic loss doctrine: Actual damages is a required element of a common law negligence claim. The court’s rejection of Target’s argument that Plaintiffs had failed to allege actionable injury precluded dismissal of Plaintiffs’ negligence claims in their entirety for failure to plead damages. Under certain states’ laws, however, the so-called “economic loss doctrine” requires dismissal of claims for negligence where the alleged injury consists solely of economic loss rather than personal injury or property damage. Following state authority, the court invoked the economic loss doctrine to dismiss negligence claims based on the economic loss rule under Alaska, California, Georgia, Illinois, Iowa and Massachusetts law. The court declined to dismiss negligence claims under District of Columbia, Idaho and New Hampshire law, holding that precedent in those jurisdictions required additional factual development to determine whether there exists any special duty that would vitiate the economic loss doctrine. Finally, the court held that the facts pleaded in the Complaint satisfied the exception to the economic loss doctrine applicable under New York and Pennsylvania law where there is a duty to protect from the specific harm alleged.

Breach of implied contract claims survive: Judge Magnuson held that the existence of an implied contract turns on issues of fact that cannot be resolved at the motion to dismiss stage because “a jury could reasonably find that a customer’s use of a credit or debit card to pay at a retailer may include the implied contract term that the retailer ‘will take reasonable measures to protect the information’ on those cards” (citing In re Hannaford Bros. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119 (D. Me. 2009)).

Breach of contract claim dismissed without prejudice: The Complaint alleges that Target violated the terms of the card agreement for the Target REDcard, in which Target states that it “use[s] security measures that comply with federal law.” The Complaint, however, fails to specify the federal law with which Target purportedly failed to comply. Accordingly, the court dismissed that claim without prejudice, allowing Plaintiffs leave to replead that claim to specify, if possible, the state law that had been violated.

Bailment claim dismissed: A common law bailment claim consists of wrongful failure to return tangible property entrusted to another. Plaintiffs, however, do not and cannot allege that stolen payment card information was given to Target with an expectation of return. Therefore, the court dismissed Plaintiffs’ bailment claim with prejudice.

Unjust enrichment claim survives: Plaintiffs claim that Target is liable for unjust enrichment because it knowingly received or obtained something of value which in equity and good conscience it should not have received. This claim is based on two theories. The first is an “overcharge” theory claiming that Target charges an unearned premium for data security. The second theory states that class members would not have shopped at Target had Target disclosed alleged deficiencies in its data security. The court rejected the first theory as unsupported as a matter of law, but concluded, without citation to authority, that the “‘would not have shopped’ theory . . . is plausible and supports their claim for unjust enrichment.”

Significant obstacles remain for consumer claims: The court’s refusal to accept Target’s injury arguments at the motion to dismiss stage does not eliminate Plaintiffs’ burden to prove that consumers suffered actionable losses. Because consumers generally do not have to pay for fraudulent charges on their payment cards, such activity will not provide a basis to establish cognizable damages. Nor is the cost of credit monitoring or other activities associated with avoiding identity theft or adverse credit history likely to provide grounds for proving actionable damages. A majority of courts that have addressed the issue have held that such costs are not actionable as a necessary and reasonable consequence of a payment card data breach. And even where fraud mitigation costs have been treated as cognizable injury – as was the case in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) – the court nonetheless denied plaintiffs’ motion for class certification because questions of whether individual consumers’ remedial actions were reasonable and what such actions reasonably should have cost could not be determined without taking testimony from every member of the class, thereby raising highly individualized issues of fact and law that would preclude trying class members’ claims through proof common to the class as a whole. The parties will have the opportunity to grapple with these issues after discovery has concluded.


Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis,1 the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014)2. Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered.” (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See, Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third-party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The resulting report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third-party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks”), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, was stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

Employer Liability for Employees’ Privacy Violations: What Your Organization Should Learn from Walgreens’ Expensive Lesson (Hint: It Has Little To Do with HIPAA)

Poyner Spruill Law Firm

You may already have read the scintillating facts surrounding a jury award of $1.44 million (recently challenged unsuccessfully on appeal) against Walgreen Co. following its pharmacist’s alleged inappropriate review and disclosure of patient records. What caught our attention was not so much the lurid details (the pharmacist was alleged to have looked up her boyfriend’s ex in Walgreens’ patient records, apparently to determine whether the ex might have passed an STD to her boyfriend). The more notable development was an employer footing the bill for a large jury verdict even though the employee violated the company’s policies as well as the law. This alert describes how Walgreens was put on the hook for its employees’ misdeeds, and examines whether a similar rationale could be applied in other privacy contexts (not just HIPAA) to create a new trend in employer liability for employee privacy violations. The implications are significant given the relative lack of success plaintiffs have encountered to-date when attempting to prosecute perceived privacy violations in court.

Employer Liability

Against the pharmacist, the patient pursued state-law claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She sought to hold Walgreens liable through respondeat superior (vicarious liability), and also included direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. While the trial judge dismissed the negligent training claim against Walgreens and the invasion of privacy by intrusion claim against the pharmacist, he allowed the other claims to proceed. The jury returned a general verdict for the patient, finding the pharmacist and Walgreens jointly liable for $1.44 million in damages.

The linchpin of respondeat superior is that an employer can only be held vicariously liable for damage caused by an employee if the employee was acting “within the scope of employment” when the injury occurred. When it appealed the jury verdict, Walgreens seized on this factor and argued that the pharmacist’s actions were outside the scope of employment because she clearly violated Walgreens policy. The appellate court disagreed, citing case law holding an employee’s actions are within the scope of employment if those actions are of the same “general nature” as the actions authorized by the employer, even when the employee’s specific actions are against company policy. The court reasoned that the pharmacist’s improper access of the patient’s records was of the same “general nature” as the actions authorized by Walgreens because the pharmacist took the same steps to access the patient’s records as she would have in properly accessing records of other patients. The pharmacist was authorized to use the Walgreens computer system and printer, handle prescriptions for Walgreens customers, look up customer information on the Walgreens computer system, review patient prescription histories, and make prescription-related printouts. The court found that the pharmacist’s conduct in accessing this patient’s records for personal reasons, while against company policy, was of the same “general nature” as the conduct authorized by Walgreens, and therefore at least some of her actions were within the scope of her employment. Since the pharmacist was acting within the scope of employment, the court affirmed that Walgreens could be held liable under respondeat superior.

Acknowledging Walgreens could not be held vicariously liable unless the pharmacist was also liable, the court turned next to the issue of the jury’s verdict concerning the pharmacist. As the jury returned only a general verdict (which does not indicate the specific grounds on which it made its decision), the court speculated on the theory of liability for the pharmacist, and held that the jury could have properly found the pharmacist liable under a general negligence theory. The key factors in a negligence claim are a duty owed to the plaintiff by the defendant, a breach of that duty by the defendant, causation, and damages. To establish the pharmacist owed a duty to the patient, the court looked to a state law requiring pharmacists to hold patient records and information in the strictest of confidences. Finding this statute to clearly establish that the pharmacist owed a duty of confidentiality to the patient, the court found it unquestionable that the pharmacist’s actions breached that duty, and that the patient sustained at least some damages as a result. Therefore, the court concluded the jury could properly have found the pharmacist directly liable for the breach of confidentiality, and Walgreens vicariously liable for the breach.

Potential Impact

Commentary on this case has largely focused on HIPAA implications, and sometimes the more specific prospect of employer liability for employee HIPAA violations. Importantly, HIPAA was not a factor in the appellate court’s reasoning. Rather, the court looked primarily to state law for privacy expectations and a duty of confidentiality. That distinction creates broader implications for employer liability beyond HIPAA or health care generally.

A multitude of state laws now impose confidentiality, privacy and security obligations. Some are limited to certain professional occupations (e.g., pharmacists, physicians, even <<gasp>> lawyers), but many are more general. For example, many states have enacted requirements to maintain general or specific security measures without regard to industry. In fact, states increasingly read privacy and security obligations into their application of unfair and deceptive trade practices statutes, imposing a duty to maintain privacy and security across sectors and without regard to types of personal information affected.

The Indiana appellate court’s reasoning in the Walgreens case clearly suggests that employees owing a statutory duty of confidentiality under state law could be liable for a breach of such duties, and their employers may be vicariously liable for the reasons noted. While some state laws specifically enumerate such duties at the employee level (particularly where a license is held by the individual), it is not clear that this distinction made a difference to the court’s rationale, meaning courts applying general privacy or security laws may consider following suit, even if the law does not create duties specifically aimed at employees.

Further, the Indiana appellate court’s broad characterization of what constitutes actions “within the scope of employment” could leave many employers on the hook for large damage awards, even if the underlying employee violation is indisputably against company policy.

While the Walgreens outcome alone may not establish a trend toward more frequent employer liability, it is important to recognize the case may be novel only in the size of the verdict awarded. For example, in 2006, the North Carolina Court of Appeals used similar reasoning to overturn the dismissal of a plaintiff’s negligent infliction of emotional distress claim against a doctor who allegedly allowed his office manager to improperly access the plaintiff’s medical records (Acosta v. Byrum).

What Should You Do?

The Walgreens outcome makes clear that policies, training and other compliance efforts may not indemnify employers against an employee’s breach of confidentiality or privacy. In addition to keeping an eye on further developments that either support or erode this potential liability trend, employers should consider whether broad technical access to systems is necessary and justified. Flat access rights can be necessary, particularly in health care settings where care often trumps privacy as a consideration. However, technical access limitations are the most effective way to demonstrate that employee misdeeds, when orchestrated in violation of systems-based (rather than merely policy-based) access controls, should not be held against the employer because they are clearly outside the scope of employment. Interestingly, the same approach can strengthen an employer’s Computer Fraud and Abuse Act claims and can reduce the risk of HIPAA enforcement that may arise from similar facts.

New State Privacy Laws Go Into Effect on Jan. 1, 2015 (California and Delaware)

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.

Amendments to California’s Data Security and Breach Notification Law

In October 2014, California Governor Jerry Brown signed into law California bill AB 1710, an amendment to California’s existing data security and breach notification law. As a result, the following changes to California’s law will go into effect on Jan. 1:

1. Companies that maintain personal information about Californians will need to implement and maintain reasonable security procedures and practices.

California’s current data security and breach law requires companies that own or license personal information about Californians to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” For purposes of this data security requirement, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

As of Jan. 1, California law will require companies that merely “maintain” personal information about Californians (such as cloud providers), but do not own or license the information, to also implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

2. Companies that maintain personal information about Californians will be required to immediately notify the owner or licensee of the personal information in the event of a breach.

California currently requires companies that own or license personal information to disclose a data breach where it is reasonably believed that unencrypted personal information about a Californian was acquired without authorization. Current law also provides that such disclosure be made “in the most expedient time possible and without unreasonable delay.”

As of Jan. 1, companies that maintain personal information will be required to notify the owner or licensee of the personal information “immediately” after discovery of a breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

For purposes of data breach disclosure, “personal information” includes login credentials (“[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account”) as well as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

As a reminder, other than for user name and password breaches (discussed below), current California law requires that a breach notification must be written in plain language and must include specific types of information about the breach.

Where the security breach involves the breach of online account information and no other personal information, then California law requires a business to provide the security breach notification in electronic or other form, directing the person whose personal information has been breached to promptly change her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with that business as well as all other online accounts for which the person uses the same name or email address and password or security question or answer.

However, where the security breach involves the breach of login credentials of an email account provided by a business, the business must not send the security breach notification to that email address. Instead, the business may comply with California law by providing notice by hard copy written notice or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an IP address or online location from which the business knows the resident customarily accesses the account.

3. After a breach, companies might be required to provide free identity theft prevention and mitigation services for 12 months.

AB 1710’s co-author stated in a press release that the bill “[r]equires the source of the breach to offer identity theft prevention and mitigation services for 12 months at no cost to individuals affected by a data breach.” However, it is not clear whether this position is supported by the text of the bill, which only states that “if any” identity theft prevention and mitigation services are to be provided, then such services must be provided for 12 months at no cost. An earlier version of the bill had stated that identity theft and mitigation services “shall be provided” to individuals affected by a data breach.

Given the ambiguity of the requirement to provide free identity theft prevention and mitigation services, whether and how this provision will be enforced in 2015 is something to watch.

4. Companies may not sell, advertise for sale, or offer to sell an individual’s social security number.

The amendment also includes a new prohibition on social security numbers. As of Jan. 1, California law will prohibit the sale, the advertisement for sale, and the offer to sell an individual’s social security number. Businesses that own, license, or maintain information on an individual’s social security number will want to keep this new prohibition in mind when contemplating data transfer or broker agreements, or other transactions involving the personal information of Californians.

California’s New Minor Privacy Marketing and Privacy Law

California’s “Privacy Rights for California Minors in the Digital World Law”, SB 568, (1) bars some online operators from marketing certain products and services to minors, and (2) allows minors under 18 to request deletion of certain content from websites on which they have registered (known informally as the “eraser law”).

1. Restrictions on Marketing to Minors

Operators of websites, online services, online applications, and mobile applications that are directed to minors are prohibited from marketing or advertising the following products and services:

  • Alcoholic beverages

  • Tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance

  • Electronic cigarettes

  • Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A

  • Drug paraphernalia

  • Firearms or handguns, ammunition or reloaded ammunition, handgun safety certificates, BB device

  • Less lethal weapons

  • Dangerous fireworks

  • Aerosol containers of paint capable of defacing property

  • Etching cream capable of defacing property

  • Tanning in an ultraviolet tanning device

  • Dietary supplement products containing ephedrine group alkaloids

  • Tickets or shares in a lottery game

  • Body branding or permanent tattoos

  • Obscene matter

These operators also are prohibited from: (1) knowingly using, disclosing, or compiling a minor’s personal information for the purposes of marketing or advertising any of those prohibited products or services, and (2) knowingly allowing a third party to use, disclose, or compile the minor’s personal information to market or advertise these products or services.

If an operator has actual knowledge that a minor is using the services, the operator may not target marketing or advertising to that minor based on the minor’s personal information. The operator also may not use, disclose, or compile the minor’s personal information to market or advertise the prohibited products or services, nor may the operator allow a third party to use, disclose, or compile the minor’s personal information for the prohibited products and services.

2. Deletion Requirement

If a minor is a registered user of a website, online service, online application, or mobile application, the operator must allow the minor to remove content and information that the minor had publicly posted on the website, service, or app. Operators also are required to provide notice of this right to registered minors.

Operators are not required to delete content or information if:

  • Any federal or state law requires the operator to maintain the content or information;

  • The content or information was provided by an individual other than the minor;

  • The content or information is anonymized;

  • The minor did not properly follow the instructions for requesting deletion; or

  • The minor received compensation or consideration for providing the content.

Amendments to California’s Invasion of Privacy Law

California’s Invasion of Privacy law will also receive an update on January 1, 2015. The California Invasion of Privacy law currently prohibits the attempt to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression, when the person is engaged in a personal or familial activity under circumstances where they had a reasonable expectation of privacy. Current California law prohibits the activities described where the attempt to capture is done through a visual or auditory enhancing device. As of January 1, 2015, the above activities will be prohibited when done using any device.

New Delaware Data Destruction Law

Companies conducting business in Delaware will be required to take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information when those records are no longer retained. Destruction may occur by shredding, erasing, or otherwise destroying or modifying the personal identifying information so as to render the information unreadable or indecipherable.

The Delaware law defines personal identifying information as a consumer’s first name or first initial and last name in combination with one of the following: signature; date of birth; social security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number, bank account number, credit card number, or other financial information; or confidential health care information.

Entities subject to the Gramm-Leach-Bliley Act, covered entities subject to HIPAA, and consumer reporting agencies subject to the FCRA are exempt from the new law. Other entities, however, may be subject to private enforcement actions, which allow for the recovery of treble damages. These have the potential to add up quickly, as each record unreasonably disposed of constitutes a violation under the statute. In addition, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice may bring suit in certain circumstances.

Just in Time for the Holidays: Another HIPAA Settlement

McDermott Will & Emery Law Firm

On December 2, 2014, the Office for Civil Rights (OCR) and Anchorage Community Mental Health Services, Inc., (ACMHS) entered into a Resolution Agreement and Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Security Rule, which governs the safeguarding of electronic protected health information (ePHI). OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012 notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources.

OCR’s investigation found that ACMHS (1) had never performed an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS; (2) had never implemented Security Rule policies and procedures; and (3) since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically, by failing to ensure that appropriate firewalls were in place and regularly updated with available patches.

ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations. The CAP has a two-year term and obligates ACMHS to take the following actions:

  • Revise, adopt and distribute to its workforce updated Security Rule policies and procedures that have been approved by OCR

  • Develop and provide updated security awareness training (based on training materials approved by OCR) to applicable workforce members, and update and repeat the training annually

  • Conduct annual risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS, and document the security measures implemented to reduce the risks and vulnerabilities to a reasonable and appropriate level

  • Investigate and report to OCR any violations of its Security Rule policies and procedures by workforce members

  • Submit annual reports to OCR describing ACMHS’s compliance with the CAP

In announcing the settlement, OCR Director Jocelyn Samuels said, “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” A copy of the Resolution Agreement and CAP can be found here.

The settlement is another reminder that covered entities and business associates should ensure that they have taken steps necessary and appropriate to safeguard the ePHI in their possession. Conducting regular ePHI risk assessments, addressing any identified security vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to ePHI are all steps that covered entities and business associates must take to comply with HIPAA and protect ePHI.

FTC Denies AgeCheq Parental Consent Application But Trumpets General Support for COPPA Common Consent Mechanisms

Covington & Burling Law Firm

The Federal Trade Commission (“FTC”) recently reiterated its support for the use of “common consent” mechanisms that permit multiple operators to use a single system for providing notices and obtaining verifiable consent under the Children’s Online Privacy Protection Act (“COPPA”). COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they are collecting personal information from children under 13 to provide notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. The FTC’s regulations implementing COPPA (the “COPPA Rule”) do not explicitly address common consent mechanisms, but in the Statement of Basis and Purpose accompanying 2013 revisions to the COPPA Rule, the FTC stated that “nothing forecloses operators from using a common consent mechanism as long as it meets the Rule’s basic notice and consent requirements.”

The FTC’s latest endorsement of common consent mechanisms appeared in a letter explaining why the FTC was denying AgeCheq, Inc.’s application for approval of a common consent method. The COPPA Rule establishes a voluntary process whereby companies may submit a formal application to have new methods of parental consent considered by the FTC. The FTC denied AgeCheq’s application because it “incorporates methods already enumerated” in the COPPA Rule: (1) a financial transaction, and (2) a print-and-send form. The implementation of these approved methods of consent in a common consent mechanism was not enough to merit a separate approval from the FTC. According to the FTC, the COPPA Rule’s new consent approval process was intended to vet new methods of obtaining verifiable parental consent rather than specific implementations of approved methods. While AgeCheq’s application was technically “denied,” the FTC emphasized that AgeCheq and other “[c]ompanies are free to develop common consent mechanisms without applying to the Commission for approval.” In support of common consent mechanisms, the FTC quoted language from the 2013 Statement of Basis and Purpose and pointed out that at least one COPPA Safe Harbor program already relies on a common consent mechanism.

Data Breach Developments in California (Part 2)

Morgan Lewis

Last week, we discussed three important changes to California’s data breach law that become effective January 1, 2015. Part two of this series looks at the data breach report recently released by the California Attorney General.

California Data Breach Report

In October, the California Attorney General’s data breach report presented key findings on breaches occurring in California and recommendations for lawmakers and affected industries. Notable findings and recommendations from the report are summarized below.

  • Data breaches are on the rise. Among other findings, the report found that the number of data breaches in California increased by 28% from 2012 to 2013, with “intentional unauthorized intrusions into computer systems” showing the biggest increase among breach categories and accounting for 53% of reported incidents.

  • Breaches of payment card data in the retail industry are most likely to result in fraud. The report found that from 2012 to 2013, the retail industry experienced 77 breaches, or 26% of all breaches, representing the largest share among industry sectors. Almost all (90%) of these breaches involved payment card data, which, according to the report, is the most likely data breach category to result in fraud.

  • Offers of mitigation services are on the rise and can be helpful to affected individuals. The report notes that after experiencing a data breach, entities are commonly offering mitigation services, such as free credit monitoring or other identity theft protection services, which can be helpful by providing advanced notice to individuals whose information is used fraudulently. However, the report found that no offers were made in 28% of incidents where the services would have been helpful. As discussed in part one, the new California law requires breach notices to include offers of mitigation services in certain circumstances.

  • Retailers should take action to “devalue payment card data.” Based on the finding that retail breaches involving payment card data are most likely to result in fraud, the report recommends that retailers take advantage of “promising” new technology, such as chip cards and tokenization, to enhance their security measures and “devalue payment card data.” The report also encourages retailers to implement tokenization technology for online and mobile transactions.

  • Lawmakers should clarify the roles of data owners and data maintainers in providing notices. Interestingly, the report recommends that the California legislature clarify the notice obligations of owners and maintainers under the law. Specifically, the report explains that the law appears to require data maintainers to notify data owners of breaches, while the data owners must notify the affected individuals. Given this division of responsibility, important breach notices may be delayed if the owners and maintainers do not agree on their respective obligations.


California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach, then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months, along with any information necessary to take advantage of the offer.  The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services, given its use of the phrase “if any.”  It is also unclear what exactly is intended by, or who qualifies as, “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The question of whether such services would, to some degree, be appropriate is not likely to be the primary conversation that this amendment sparks.  The livelier topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not equally helpful on these questions.  Thus, until the scope of this new requirement becomes clearer, businesses involved in a breach under the statute need to think carefully through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.

Protecting Trade Secrets in the Cloud


The business community’s growing use of cloud-based computing services provides great benefits through cost savings and mobile information access.  However, business leaders should understand the risks of storing valuable trade secrets in the cloud.  This article offers the business community tips on how to keep valuable trade secrets stored in the cloud from being freely disclosed to the public, which would put the business at risk of losing the protections that courts grant trade secrets.

As businesses’ profit margins have continued to shrink since the Great Recession, more companies have looked to reduce costs by cutting the growing expenses of their information technology departments.[1]  The first line item to draw attention in the IT budget is frequently the rising cost of maintaining and upgrading system hardware.  Businesses often find that housing and operating multiple servers stretches IT budgets thin by increasing maintenance, labor, and operational costs.  The solution so many businesses have turned to is to move their valuable data to virtual servers, or the “cloud.”[2]  A recent survey of IT executives indicates that companies will triple their IT spending on cloud-based services in 2014 over 2011.[3]  Cloud service providers have also seen demand increase as they expand their cloud capabilities.[4]

Although cloud-based servers provide businesses with substantial financial and operational benefits, businesses must recognize that there are perils to shifting data to the cloud.  One of the key concerns a business should consider before moving data to the cloud is the risk that its valuable trade secrets will lose protection as a result of insufficient safeguards against disclosure.  This article addresses that concern and provides businesses with keys to protecting valuable secrets in the cloud.

What is a Protectable Trade Secret

The initial step for a business in determining how to protect its trade secrets is to understand how the law characterizes a trade secret.  Information qualifies as a trade secret only if it derives independent economic value from not being generally known or readily ascertainable, and is subject to reasonable efforts to maintain its secrecy.  Trade secrets are broadly defined as information, including technical or non-technical data, a formula, pattern, compilation, program, device, method, technique, drawing, process, financial data, strategies, pricing information, and lists of customers, prospective customers, and suppliers.

Businesses Need to Take Reasonable Efforts to Protect Trade Secrets in the Cloud

Trade secrets are only protectable when the owner takes reasonable efforts to prevent them from being freely disclosed to the public so that the information does not become generally known.

Information does not have to be cloaked in absolute secrecy to be a trade secret, as long as a business’s efforts to maintain secrecy or confidentiality are reasonable.  It is easy for one to imagine how a business may protect confidential documents that are stored locally.  Computer files may be password-protected with several layers of encryption software, with access limited to specified personnel.  Similarly, paper files may be stored in locked cabinets, in secured rooms, where only specified personnel are granted access.

However, those seemingly straightforward security protocols become murky when information is stored in the cloud.  Unlike storing data on local servers, storing data in the cloud requires the owner to disclose confidential information to a third-party vendor.  In most situations, disclosing data to a third party eliminates trade secret protections.  Therefore, businesses must take additional steps to ensure that their data remains secure.

Three Keys to Protecting Trade Secrets Stored in the Cloud

There are no fail-safe measures to protect data stored in the cloud.  The best way for a business to protect its trade secrets is to locally store and protect its most valuable data with the proper data security protocols.  A business, however, should not fear the cloud as long as it takes certain steps to ensure that it exercises reasonable efforts to protect its cloud-based data.

First, business leaders must conduct appropriate due diligence before selecting a cloud provider.  The business should do the research necessary to select a reputable, well-established company that has the physical and technological capabilities to store and protect data.

Conducting due diligence on a provider includes ensuring that the provider has taken the steps necessary to establish appropriate physical and virtual security protocols to protect the confidentiality of your information.  Inquire how the provider establishes physical security measures and monitoring capabilities to prevent unauthorized access to its data centers and infrastructure.  Also, learn how the provider limits its employees’ access to customer data, and determine what internal controls the provider has in place to prevent unauthorized viewing, copying, or emailing of customer information.

A business should also inquire about the provider’s virtual security protocols.  A business must generally understand how its cloud provider’s encryption software and security management systems work to protect data.  If your business is not capable of independently evaluating whether the provider has proper security protocols, a useful indicator is to ask the provider for its client list.  If the provider has clients that are typically security-conscious companies, such as financial institutions or healthcare facilities, that is a good indication that the provider has been vetted and has proper security measures in place.  Finally, the provider should maintain sufficient data-protection insurance coverage to protect against potential data breaches or system failures.

Second, a business must have contractual safeguards in place with its cloud provider to adequately protect its intellectual property and trade secrets.  The contract should establish that the business owns the data, that the data will be segregated from other data groups, and that the business has unfettered access to the data.  The contract should specify that the business can demand that the data be deleted or returned on request, and detail how the provider will purge the data to ensure that it is properly deleted upon termination of the relationship.  The contract should require regular data backup and recovery tests, while restricting the provider from accessing, using or copying data for its own purposes.  Finally, the contract should establish the provider’s obligations to notify the business of a data breach or system failure.

Third, a business should also consider adding multiple layers of authentication and encryption to data containing trade secrets before transmitting it to the cloud provider.  However, a business should consider whether the additional encryption efforts could adversely affect the business’s ability to access, utilize, and port data for its normal business use.
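As an added illustration of this third key (example code written for this page, not from the article or any firm it describes), the business encrypts each document with authenticated encryption (Go's standard-library AES-GCM) under a key it alone holds before upload, so the provider stores only an opaque blob, and the document label is bound to the ciphertext so a tampered or relabelled blob fails to decrypt rather than yielding bad data. The key literal and document names are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the provider holds: a label, a public nonce and ciphertext; never the key.
type Blob struct {
	DocID string // authenticated as associated data, not encrypted
	Nonce []byte
	Data  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one document before upload, binding the ciphertext to its DocID.
func Seal(key []byte, docID string, plaintext []byte) (Blob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{docID, nonce, aead.Seal(nil, nonce, plaintext, []byte(docID))}, nil
}

// Open decrypts a fetched blob; any change to Data, Nonce or DocID yields an error.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Data, []byte(b.DocID))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; keep real keys in a KMS/HSM
	blob, _ := Seal(key, "formula-v7", []byte("constructed trade secret text"))
	fmt.Println(Open(key, blob)) // business recovers the plaintext; provider only ever saw blob.Data
}
```

The portability caveat in the text shows up here as key management: whoever must read the data later needs the key, so losing it or changing providers without it makes the stored blobs worthless.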

Conclusion

There are several financial and operational benefits for a business that stores data in the cloud.  However, businesses must understand that there are also risks in storing their valuable trade secrets on virtual servers.  Businesses need to take reasonable efforts to protect the confidentiality and secrecy of their most valuable data and information.


[1] Dave Rosenberg.  Reducing IT Infrastructure Costs via Outsourcing.  May 7, 2009.  news.cnet.com/8301-13846_3-10235742-62.html

[2] Thor Olavsrud.  How Cloud Computing Helps Cut Costs, Boost Profits.  March 12, 2013. www.cio.com/article/730036/How_Cloud_Computing_Helps_Cut_Costs_Boost_Profits

[3] Andrew Horne. Transformational Change in IT Will Drive 2014 Spending.  November 5, 2013.  http://blogs.wsj.com/cio/2013/11/05/transformational-change-in-it-will-drive-2014-spending/

[4] IBM Commits $1.2bn to Cloud Data Centre Expansion.  January 17, 2014. www.bbc.co.uk/news/business-25773266