Cyber Rules About to Get Real.

We have previously reported on NY’s onerous cyber rules. The rules go into effect by month’s end.

Specifically, on August 28, 2017, insurance companies that do business in NY will be obligated to institute policies and procedures that preserve and protect the PII of clients, insureds, and other entities in accordance with 23 NYCRR §500 (et seq.). The rationale for the regulation was explained by the Superintendent of the DFS:
Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.

Insurance companies, and other covered entities, are required to perform cybersecurity assessments in accordance with a written policy developed by the covered entity. That policy must address:
• Encryption of data containing PII, both in transit and at rest;
• A Crisis Response Team (“CRT”) to respond to a breach;
• Two-factor or multi-factor authentication (“TFA” or “MFA”);
• Identification and assessment of internal and external cybersecurity threats;
• Defensive infrastructure, used in conjunction with appropriate policies and procedures, to protect PII;
• The capability to detect and respond to any intrusion; and
• The ability to meet statutory breach notification requirements.

Moreover, the regulations require a specific policy covering 14 different aspects of the covered entity’s operations. As if developing in-house policies were not enough, the regulations also require that an insurance company ensure that the other entities with which it does business, and to which it transfers materials containing PII, maintain and adhere to strict cybersecurity controls, including TFA, encryption, written policies, and periodic assessment of the effectiveness of, and compliance with, those policies. The insurance company must promulgate a policy for its third-party service providers that satisfies these requirements. If it does not, the insurance company may be held liable.

Furthermore, we expect rules like these to spread to all 50 states. It is easier to implement these changes and requirements now than to be forced to implement them in a rush later and risk falling short of full compliance.

Special thanks to Matt Care for his contributions to this post.

For more information about this post please e-mail Bob Cosgrove.

WCM Partner to Speak at Privacy Shield Certifications Webinar.

WCM Partner Bob Cosgrove, a CIPP-US and CIPM, will be one of two speakers at an August 31, 2017 webinar entitled Privacy Shield Certifications: Things You Need to Know. Mr. Cosgrove will focus his portion of the presentation on:
1. Privacy Shield: Requirements and advantages of participating in the event of litigation.
2. Serving Two Masters: The litigation process, discovery, and data transfer from the European Union.
a. Why discovery involving European Data is a challenge and what Privacy Shield does and does not do to remedy the problem.
3. There is Nothing New Under the Sun: The implications of Privacy Shield on member state data blocking legislation.
a. Blocking legislation in member countries is still effective.
b. How the United States courts have handled blocking legislation and data transfer restrictions.
4. Privacy Shield Enforcement: The arbitration process and liability for failure to comply with Privacy Shield requirements.
If you are interested in the webinar, more information can be found here, or e-mail Bob Cosgrove.

Standing Taking a Seat in Cyber Claims.

The standard defense to a data breach lawsuit has been — there was no actual injury (only the fear of a potential injury), so the plaintiffs lack standing and the case must be dismissed. This defense has historically resulted in the dismissal of data breach lawsuits. But this standing defense is under siege and the Third Circuit might have given it a permanent seat.

In In re: Horizon Data Breach Litigation, Horizon, a large health insurer, had two laptops stolen. The laptops contained the PII (personally identifiable information) of hundreds of thousands of people. A class action was filed in which the plaintiffs alleged that, because Horizon did not take reasonable steps to secure its data, they were exposed to an increased risk of identity theft. The district court dismissed the action for lack of standing, as none of the putative class members could show that the breached information had actually been used to their detriment. The Third Circuit, in a published and precedential decision, reversed and found that, even without evidence that the information was used improperly, the plaintiffs had standing to proceed with their claims.

This decision is big news as it comes from a federal circuit court and means that the standing defense is losing its hold as a viable defense. Standing, in short, is taking a seat.

Special thanks to Matt Care for his contribution to this post. For more information, please e-mail Bob Cosgrove.

Pennsylvania Superior Court Finds Employers Have No Duty to Protect Electronically Stored Personal Information

In Dittman v. UPMC, breach of contract and negligence claims were brought against an employer when employees’ personal information was stolen from the employer’s computer system and used to file fraudulent tax returns and steal tax refunds. In particular, the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 current and former UPMC employees were accessed and stolen from UPMC’s computer system. The stolen information was personal information that UPMC required employees to provide as a condition of employment.

The employees filed a class action lawsuit, arguing that UPMC had a legal duty to protect their personal and financial information and that UPMC failed to properly encrypt the data and establish adequate firewalls to protect the information in its network. UPMC filed preliminary objections to the complaint, arguing that the employees lacked standing to assert these claims on behalf of individuals who had not yet been injured and that the negligence and breach of contract claims failed as a matter of law. The trial court sustained the preliminary objections and dismissed the claims.

On appeal, the Superior Court agreed with the trial court that UPMC did not owe a duty of reasonable care in its collection and storage of the employees’ data. In reaching that conclusion, the Superior Court weighed the five factors Pennsylvania courts use to decide whether to recognize a duty. First, the Court found that the relationship between the parties, that of employer and employee, weighed in favor of imposing a duty on the employer. Second, the Court reasoned that employers have an obvious need to collect and electronically store the personal information of their employees; although a data breach is a foreseeable and substantial risk, the social utility of electronically storing the information outweighs that risk. Next, the Court reasoned that a judicially imposed duty requiring employers to incur significant costs to increase security was unnecessary when there is no true way to prevent security breaches altogether. Finally, the Court found that it was not in the public interest to impose a duty and expend judicial resources, as the legislature had already addressed the issue.

Thanks to Alexandra Perry for her contribution to this post and please write to Mike Bono if you would like more information.

Going to Need a Bigger Boat? Will Cyber Rules Finally Impact Insurers and Their Vendors (Like Lawyers)?

You might have noticed that cybersecurity issues are a little bit in the news these days. But, we’re not here to talk about Russian spies influencing US presidential elections (although that would be an interesting discussion). Rather, we’re here to talk about boring NY bureaucrats, who have just promulgated (for comment) 23 NYCRR 500, CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES that is set to go into effect on January 1, 2017 (yes, that’s less than 3 months from now). The proposed regulation is currently in its comment period and, if adopted, will apply to insurers who do more than $5,000,000 in gross revenue and are regulated by the NY Department of Financial Services. It will also likely serve as the blueprint for other states across the country. So what does the regulation propose to do?

Basically, to prevent and mitigate a “cybersecurity event”, i.e. an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system, a regulated entity (like an insurance company) is obligated to ensure that non-public information (like names, dates of birth and social security numbers) is protected. To do that, you must:

(1) develop and implement a cybersecurity program that includes penetration testing, vulnerability assessments, an audit trail system, access privilege limitations, application security, risk assessments, a data retention policy, encryption of nonpublic information and an incident response plan;

(2) develop and implement a cybersecurity policy that includes training and monitoring;

(3) have a chief information security officer (and other personnel); and

(4) have a third-party information security policy that will apply to all third-parties doing business with the insurer.

But, you might ask, what does this really mean for me? It means that you’re going to need a bigger boat (to paraphrase Jaws) if you want to stay ahead of this shark and avoid fines and penalties by the NY Department of Financial Services (and also avoid lawsuits where failure to follow the NY regulations will serve as a blueprint for what you were supposed to do and failed to do). Insurers and their vendors (like attorneys) have in their possession voluminous amounts of information (like medical records, discovery responses and transcripts) that include non-public information. Yet, how often is such information being transmitted by insurers to their attorneys (and from attorneys to their insurers) in unsecured ways? How many insurers are capable of downloading and adding to their files information that is sent by attorneys in secured ways (e.g. via Sharefile — which is our preferred data transmission method at WCM)? I think the answer is “not as many as you would hope.” We here at WCM are happy to help work with you as to what you need to do (and to do what we can for you to help ensure compliance). But, there’s a lot of work to be done and not a lot of time to start doing it.

For more information about this post please e-mail Bob Cosgrove.

Editors Note — Due to public outcry, implementation of the regulations has been delayed to March 1, 2017. The shark remains in the water, but there is not yet blood.

Do CGL Policies Now Insure Data Breaches?

The case that everyone is talking about is Travelers Indemnity v. Portal Healthcare, a just-released, unpublished Fourth Circuit opinion. The quick story is that the Fourth Circuit affirmed the trial court and held that Travelers owed coverage (specifically a defense) under a CGL policy for a data breach. The real story is a bit more nuanced.

In the case, Portal Healthcare, a Virginia-based company, was sued in NY in a class action lawsuit. In the lawsuit, patients of Glens Falls Hospital claimed that Portal Healthcare failed to safeguard medical records entrusted to it by the hospital and instead allowed those records to be posted on the internet, accessible to everyone via a Google search. Portal Healthcare was insured by Travelers under two consecutive commercial general liability insurance policies, a 2012 policy and a 2013 policy. The policies were not standard policies; rather, they contained special endorsements that expanded the scope of personal injury, advertising injury and web site injury coverage.

Specifically, the 2012 Policy contained a Web Xtend Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. The 2013 Policy contained an Amendment of Coverage B – Personal And Advertising Liability Endorsement that deleted and replaced the definition of Personal and Advertising Injury liability. Under both endorsements, the parties (and court) seemed to agree that coverage was triggered if the underlying complaint alleged: (1) injury arising out of the offense of “electronic publication of material that . . . gives unreasonable publicity to a person’s private life” (the language utilized in the insuring agreement of the 2012 Policy) or (2) injury caused by the offense of “electronic publication of material that . . . discloses information about a person’s private life” (the language utilized in the insuring agreement of the 2013 Policy).

On publication, Travelers argued that, although the data was available to the general public, Portal Healthcare did not intend to publish it, so no publication occurred. The court rejected this argument, holding that it was the fact of publication, not the intent of the publisher, that mattered.

On publicity, Travelers argued that no “publicity” was given to a person’s private life because the leak was not intended to generate publicity. The court rejected this argument as well, holding that because the leaked data was available to the general public, publicity had occurred.

All of this seems rather straightforward, so why all the fuss? It seems that a top sheet review might be to blame. When you look at the trial court’s decision and the policies themselves, you see that Travelers’ decision to broaden the scope of potential claims that would qualify as “personal and advertising injury” is the root cause of the decision. So, it’s true that CGL policies might have more potential exposure to data breaches, but only if you enhance the coverages.

For more information about this post please e-mail Bob Cosgrove.

What’s in a Name? Information Privacy Finds “New” Cause of Action in PA

As we have reported over the last several months, information and data privacy have become hot button issues in litigation. Still, the trend in many jurisdictions has been to force-fit many of these claims into predetermined, well-established legal theories like negligence or breach of contract. That trend, however, may be falling by the wayside in Pennsylvania, where at least one Common Pleas judge has found that plaintiffs alleging misuse of their personally identifiable information (PII) may, in some instances, bring a cause of action for defamation.

In Griffith v. PPL Susquehanna LLC, a pair of plaintiffs filed suit against their former employer which operated a nuclear power facility in Salem Township, Pennsylvania.  In particular, the plaintiffs alleged that PPL defamed them after their respective tenures at the Salem power plant ended by spreading false information through the Personnel Access Data System (PADS), a centralized database used by nuclear facilities throughout the country to process industry workers.  According to the plaintiffs, PPL used the PADS system to share unspecified “falsehoods” that prevented them from finding work at other nuclear facilities in retaliation for whistleblowing safety violations at the Salem site.

In response to the plaintiffs’ suit, PPL filed two rounds of preliminary objections aimed, in part, at dismissing the defamation claims.  Specifically, PPL argued that because the PADS system is not a public access vehicle, but rather for the internal use of the nuclear industry, the plaintiffs could not prove that false personal information had been published against them.  Unconvinced, however, Common Pleas Judge Denis P. Cohen concluded that the alleged dissemination of this personnel information by PPL to other members of the nuclear industry via the PADS system was legally sufficient to sustain a cause of action for defamation because plaintiffs alleged that the sharing of personal information caused lost employment opportunities.

Griffith demonstrates that information and data privacy claims continue to rapidly evolve in litigation.  Where even months ago, plaintiffs challenging the use of their PII may have been asked to fit their claims into preexisting molds in order to sustain recovery, Griffith in some ways signals a new reality wherein courts are responding to such litigation with greater flexibility and creativity.  Thanks to Adam Gomez for his contribution.  Please email Brian Gibbons with any questions.

Fraudulent Medical Claims Submitted by Computer Not Covered Under Cyber Liability Policy (NY)

In Universal American Corp. v. National Union Fire Insurance Co. of Pittsburgh, the New York Court of Appeals dealt with whether a cyber liability policy provided coverage for losses sustained as a result of the submission and payment of fraudulent medical provider claims. Plaintiff Universal American Corp. is a health insurance company that offers federally regulated alternatives to Medicare. Universal sustained over $18 million in losses when it paid fraudulent medical claims for services that were never actually rendered. Universal’s computerized billing system allowed health care providers to submit claims directly to Universal and obtain payment, and providers used that authorized access to submit the fraudulent claims. Notably, the great majority of claims were processed and paid automatically without manual review.

Universal sought coverage for the losses under a rider to a financial institution bond issued by defendant National Union Fire Insurance Company. The rider, entitled “Computer Systems” and “Computer System Fraud,” provided indemnification for “losses resulting directly from a fraudulent entry of Electronic Data or Computer Program into, or change of Electronic Data or Computer Program, within the Insured’s proprietary Computer System.” The New York Court of Appeals held that the language of the rider unambiguously applies to losses incurred from unauthorized access to the computer system (e.g., computer hacking or a data breach by a third party) and not to losses resulting from fraudulent claims submitted by authorized users.

The Court’s ruling reiterated the fact that simply because a claim arises out of the improper use of a computer does not mean the insured’s cyber liability policy will provide coverage particularly where, as here, the culprit was authorized to access the computer system.

Thanks to Brett Kuller for his contribution to this post and please write to Mike Bono for more information.

European Union’s Highest Court Says US Not Fit to Receive Personal Data.

The EU’s highest court recently invalidated the Safe Harbor agreement for data transfers (of personally identifiable information) between EU countries and the US. The Safe Harbor agreement was created to allow for the transfer of data between the EU and US notwithstanding the fact that the US data privacy laws and regulations are far less stringent than European ones. In the case of Maximillian Schrems v. Data Protection Commissioner, the EU high court said that the Safe Harbor work around solution was no longer viable.

In reaching this conclusion, the Court cited inadequate US safeguards, which became apparent in the wake of the Edward Snowden revelations. Specifically, the Court stressed that the EU places much more emphasis on digital privacy as a fundamental right than the US does. Thus, the Court first held that “legislation [like what exists in the US] permitting the public authorities to have access on a generalised basis to the content of electronic communications” violates the right to privacy contained in the EU Charter of Fundamental Rights. Second, the Court faulted the absence of any means for individuals to obtain access to, or rectification or erasure of, the personal data held about them. Third, the Court held that consumers need judicial remedies for data privacy violations in order to hold companies accountable (which is often not possible in the US because of the standing issues on which we have previously written). Because of these deficiencies, the Court ruled that the Safe Harbor agreement had to go.

So, why should you care? First, if you are an American company that conducts business in the EU (or a European company that conducts business in the US), you now have to be careful as to what data you share across borders. This gets interesting if, for example, you are a London based insurance company that transacts business in the US and that is embroiled in a bad faith lawsuit in the US. How, for example, can you now produce personnel jackets of employees (which are discoverable as a matter of course in a bad faith claim)? If you do, are you in violation of Schrems? If you don’t, are you guilty of contempt of court?

And what of companies that are involved in litigation and have European operations (or parents)? If they produce documents, are they subject to EU fines? If they don’t, are they breaching the “cooperation” clause in a standard ISO-based insurance policy?

Schrems does not answer these questions (and it does not seem that the dangers of US litigation were high on the Court’s list of concerns). But the danger is real, and the only solution would seemingly have to come at the US federal level, that is, from Congress, which would have to enact federal legislation to address the issue. Anyone want to take any bets on whether that is likely to happen in this Congress?

Special thanks to Matt Care for his contributions to this post. For more information please e-mail Bob Cosgrove.

Third Circuit Affirms Federal Trade Commission Role as Data Privacy Enforcer

As we have previously reported, the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide held that Section 45(a) of the Federal Trade Commission (“FTC”) Act permitted the FTC to prosecute civil actions for cybersecurity breaches arising out of or related to “unfair” or “deceptive” practices. On appeal, the United States Court of Appeals for the Third Circuit affirmed, holding that data controllers and processors who fail to live up to their privacy statements fall within the purview of the FTC.

By way of refresher, the case below in Wyndham pitted the FTC against the international hospitality corporation, and stemmed from a string of cyber-attacks that compromised more than 619,000 consumer payment account numbers and resulted in $10.6 million in fraudulent charges. In light of the magnitude of the data breach, the FTC commenced its own suit against Wyndham arguing that violations of the company’s own privacy statement constituted “unfair” or “deceptive” trade practices that the FTC is empowered to curtail through civil enforcement.  Wyndham responded to the FTC’s claims by filing a motion to dismiss that was ultimately denied by Judge Esther Salas.

On appeal, Wyndham’s attack on the trial court decision was simple: the FTC is only empowered to sue corporations for “unfair” or “deceptive” trade practices that are “unscrupulous” or “unethical”, and any civil action alleging conduct short of that is outside Section 45(a).  Despite this articulation of the scope of the FTC Act, the Third Circuit reasoned that Section 45(a) instead applies wherever corporate conduct is inequitable and, in respect of data privacy breaches, can warrant prosecution when “a company . . . publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”  Moreover, even if the privacy issues arise out of a criminal act (as most, if not all, do), the Court concluded that this interpretation of Section 45(a) is supported by the foreseeability of a data breach affecting personal financial information.

While Wyndham is a watershed case for the federal government’s enforcement of citizens’ data privacy rights, the real question posed by the defendant is whether such an action can survive the conspicuous absence of uniform data privacy laws or regulations in the United States.  For our part, however, the reasoning in Wyndham is at least clear insofar as federal courts need not entertain the lack of a national or state data privacy regime when analyzing third-party liability if, in fact, the data controller or processor at issue publishes its own privacy statement or protocol.   Thanks to Adam Gomez for his contribution to this post.  Please email Brian Gibbons with any questions.