Cyber Rules About to Get Real.

We have previously reported on NY’s onerous cyber rules. The rules go into effect by month’s end.

Specifically, on August 28, 2017, insurance companies that do business in NY will be obligated to institute policies and procedures that preserve and protect PII of clients, insureds, and other entities in accordance with 23 NYCRR §500 (et seq.). The rationale of the policy was explained by the Superintendent of the DFS:
Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.

Insurance companies, and other covered entities, are required to perform cybersecurity assessments in accordance with a written policy developed by the covered entity, which includes:
• An evaluation of the encryption of data containing PII (both in transit and at rest);
• The development of a Crisis Response Team (“CRT”) to respond to a breach;
• Two-factor or multi-factor authentication (TFA or MFA);
• Identification and assessment of internal and external cybersecurity threats;
• Use of defensive infrastructure, in conjunction with appropriate policies and procedures, to protect PII;
• The capability to detect and respond to any intrusion;
• The ability to fulfill statutorily required breach notification obligations.

Moreover, the regulations require a specific policy that regulates 14 different aspects of the covered entity’s operations. If developing specific in-house policies were not enough, the regulations also require that insurance companies ensure that other entities they do business with, and to which they transfer materials containing PII, maintain and adhere to strict cybersecurity requirements, including TFA, encryption, written policies, and periodic assessments of the efficacy of, and compliance with, those policies. The insurance company is required to promulgate a policy for its third-party service providers that complies with the above requirements. If it does not, the insurance company may be held liable.

Furthermore, we note that this will soon be the policy in all 50 states. It is easier to implement these changes and requirements now than to be forced to implement the policies in a rush and possibly fall short of full compliance.

Special thanks to Matt Care for his contributions to this post.

For more information about this post please e-mail Bob Cosgrove.

WCM Partner to Speak at Privacy Shield Certifications Webinar.

WCM Partner Bob Cosgrove, a CIPP-US and CIPM, will be one of two speakers at an August 31, 2017 webinar entitled Privacy Shield Certifications: Things You Need to Know. Mr. Cosgrove will focus his portion of the presentation on:
1. Privacy Shield: Requirements and advantages of participating in the event of litigation.
2. Serving Two Masters: The litigation process, discovery, and data transfer from the European Union.
a. Why discovery involving European Data is a challenge and what Privacy Shield does and does not do to remedy the problem.
3. There is Nothing New Under the Sun: The implications of Privacy Shield on member state data blocking legislation.
a. Blocking legislation in member countries is still effective.
b. How the United States courts have handled blocking legislation and data transfer restrictions.
4. Privacy Shield Enforcement: The arbitration process and liability for failure to comply with Privacy Shield requirements.
If you are interested in the webinar, more information can be found here, or e-mail Bob Cosgrove.

Going to Need a Bigger Boat? Will Cyber Rules Finally Impact Insurers and Their Vendors (Like Lawyers)?

You might have noticed that cybersecurity issues are a little bit in the news these days. But, we’re not here to talk about Russian spies influencing US presidential elections (although that would be an interesting discussion). Rather, we’re here to talk about boring NY bureaucrats, who have just promulgated (for comment) 23 NYCRR 500, CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES that is set to go into effect on January 1, 2017 (yes, that’s less than 3 months from now). The proposed regulation is currently in its comment period and, if adopted, will apply to insurers who do more than $5,000,000 in gross revenue and are regulated by the NY Department of Financial Services. It will also likely serve as the blueprint for other states across the country. So what does the regulation propose to do?

Basically, to prevent and mitigate a “cybersecurity event”, i.e. an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system, a regulated entity (like an insurance company) is obligated to ensure that non-public information (like names, dates of birth and social security numbers) is protected. To do that, you must:

(1) develop and implement a cybersecurity program that includes penetration testing, vulnerability assessments, an audit trail system, access privilege limitations, application security, risk assessments, a data retention policy, encryption of nonpublic information and an incident response plan;

(2) develop and implement a cybersecurity policy that includes training and monitoring;

(3) have a chief information security officer (and other personnel); and

(4) have a third-party information security policy that will apply to all third-parties doing business with the insurer.

But, you might ask, what does this really mean for me? It means that you’re going to need a bigger boat (to paraphrase Jaws) if you want to stay ahead of this shark and avoid fines and penalties by the NY Department of Financial Services (and also avoid lawsuits where failure to follow the NY regulations will serve as a blueprint for what you were supposed to do and failed to do). Insurers and their vendors (like attorneys) have in their possession voluminous amounts of information (like medical records, discovery responses and transcripts) that include non-public information. Yet, how often is such information being transmitted by insurers to their attorneys (and from attorneys to their insurers) in unsecured ways? How many insurers are capable of downloading and adding to their files information that is sent by attorneys in secured ways (e.g. via Sharefile — which is our preferred data transmission method at WCM)? I think the answer is “not as many as you would hope.” We here at WCM are happy to help work with you as to what you need to do (and to do what we can for you to help ensure compliance). But, there’s a lot of work to be done and not a lot of time to start doing it.

For more information about this post please e-mail Bob Cosgrove.

Editor’s Note — Due to public outcry, implementation of the regulations has been delayed to March 1, 2017. The shark remains in the water, but there is not yet blood.

What’s in a Name? Information Privacy Finds “New” Cause of Action in PA

As we have reported over the last several months, information and data privacy have become hot button issues in litigation.  Even still, it appears the trend in many jurisdictions has been to force fit many of these claims into predetermined, well established legal principles like negligence or breach of contract.  That trend, however, may be falling by the wayside in Pennsylvania where at least one Common Pleas judge has found that plaintiffs alleging misuse of their personally identifiable information (PII) may, in some instances, bring a newly recognized cause of action for defamation.

In Griffith v. PPL Susquehanna LLC, a pair of plaintiffs filed suit against their former employer which operated a nuclear power facility in Salem Township, Pennsylvania.  In particular, the plaintiffs alleged that PPL defamed them after their respective tenures at the Salem power plant ended by spreading false information through the Personnel Access Data System (PADS), a centralized database used by nuclear facilities throughout the country to process industry workers.  According to the plaintiffs, PPL used the PADS system to share unspecified “falsehoods” that prevented them from finding work at other nuclear facilities in retaliation for whistleblowing safety violations at the Salem site.

In response to the plaintiffs’ suit, PPL filed two rounds of preliminary objections aimed, in part, at dismissing the defamation claims.  Specifically, PPL argued that because the PADS system is not a public access vehicle, but rather for the internal use of the nuclear industry, the plaintiffs could not prove that false personal information had been published against them.  Unconvinced, however, Common Pleas Judge Denis P. Cohen concluded that the alleged dissemination of this personnel information by PPL to other members of the nuclear industry via the PADS system was legally sufficient to sustain a cause of action for defamation because plaintiffs alleged that the sharing of personal information caused lost employment opportunities.

Griffith demonstrates that information and data privacy claims continue to rapidly evolve in litigation.  Where even months ago, plaintiffs challenging the use of their PII may have been asked to fit their claims into preexisting molds in order to sustain recovery, Griffith in some ways signals a new reality wherein courts are responding to such litigation with greater flexibility and creativity.  Thanks to Adam Gomez for his contribution.  Please email Brian Gibbons with any questions.

Third Circuit Affirms Federal Trade Commission Role as Data Privacy Enforcer

As we have previously reported, the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide held that Section 45(a) of the Federal Trade Commission (“FTC”) Act permitted the FTC to prosecute civil actions for cybersecurity breaches arising out of or related to “unfair” or “deceptive” practices.  On appeal, the United States Court of Appeals for the Third Circuit likewise found that data controllers and processors who fail to live up to their privacy statements fall under the purview of the FTC.

By way of refresher, the case below in Wyndham pitted the FTC against the international hospitality corporation, and stemmed from a string of cyber-attacks that compromised more than 619,000 consumer payment account numbers and resulted in $10.6 million in fraudulent charges. In light of the magnitude of the data breach, the FTC commenced its own suit against Wyndham arguing that violations of the company’s own privacy statement constituted “unfair” or “deceptive” trade practices that the FTC is empowered to curtail through civil enforcement.  Wyndham responded to the FTC’s claims by filing a motion to dismiss that was ultimately denied by Judge Esther Salas.

On appeal, Wyndham’s attack on the trial court decision was simple: the FTC is only empowered to sue corporations for “unfair” or “deceptive” trade practices that are “unscrupulous” or “unethical”, and any civil action alleging conduct short of that is outside Section 45(a).  Despite this articulation of the scope of the FTC Act, the Third Circuit reasoned that Section 45(a) instead applies wherever corporate conduct is inequitable and, in respect of data privacy breaches, can warrant prosecution when “a company . . . publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”  Moreover, even if the privacy issues arise out of a criminal act (as most, if not all, do), the Court concluded that this interpretation of Section 45(a) is supported by the foreseeability of a data breach affecting personal financial information.

While Wyndham is a watershed case for the federal government’s enforcement of citizens’ data privacy rights, the real question posed by the defendant is whether such an action can survive the conspicuous absence of uniform data privacy laws or regulations in the United States.  For our part, however, the reasoning in Wyndham is at least clear insofar as federal courts need not entertain the lack of a national or state data privacy regime when analyzing third-party liability if, in fact, the data controller or processor at issue publishes its own privacy statement or protocol.   Thanks to Adam Gomez for his contribution to this post.  Please email Brian Gibbons with any questions.

Facebook Effectively Deputized in Search Warrant Ruling

It is difficult to read any story about Facebook and other social media platforms without encountering a discussion of the privacy concerns of their users.  In the judicial context, rules about compelling the disclosure of a user’s information for litigation purposes are still emerging. As explained by Dennis Wade in his lecture, A Carnival for the Skeptic:  Using Social Media in Claim and Defense Litigation, the trend is for civil courts to permit discovery so long as the party seeking evidence can establish a publicly-available factual predicate for obtaining information in the private areas of a user’s social media account.  Emerging issues about judicially compelled social media information are not limited to civil courts, however.

New York’s First Department recently considered Facebook’s challenge to the New York County District Attorney’s application for the issuance of 381 warrants in an investigation related to social security disability fraud. See Matter of 381 Search Warrants Directed to Facebook, Inc. According to the District Attorney’s office, there was “reasonable cause to believe” that the Facebook accounts constituted evidence of myriad crimes.  After being served with the warrants, and after the District Attorney refused to withdraw them, Facebook moved to quash the warrants.

When presented with the issue, the trial court denied Facebook’s motion to quash.  The lower court reasoned that Facebook could not assert the Fourth Amendment rights of its users.  Rather, it would have to wait until the warrants were executed, at which point the legality of the searches could be determined.  In affirming the trial court’s decision, the First Department provided a broad outline of the methods by which the Fourth Amendment, and New York’s warrant statutes, protect citizens’ privacy interests.

In a nutshell, the court explained that there are two procedural safeguards to protect citizens from unreasonable searches and seizures.  The first safeguard is the existence of a neutral and detached magistrate, in this case a judge, to determine whether a warrant is based on probable cause and describes the places to be searched and the items to be seized.  The second safeguard, and the most important, according to the court, is the post-execution motion to suppress.  That safeguard permits citizens to challenge the validity of warrants on numerous grounds (e.g. the government lacked probable cause; the warrant was not properly executed; the warrant was invalid on its face).  According to the First Department, these safeguards eliminate the need for a pre-execution motion to quash.

Facebook argued that the First Department should consider its motion to quash the warrants as analogous to a motion to quash a subpoena.  The social media giant argued that this was appropriate because, in the context of online information, it, rather than law enforcement, was tasked with seizing the materials.  The Court rejected this argument, based on the reasoning that “[w]hile, for modern technological reasons, the manner in which the materials are gathered may deviate from the traditional, Facebook’s reason for seeking to quash the warrants does not.”  To hold otherwise, the court reasoned, would be to limit the scope of the Fourth Amendment to physical places.  Therefore, like the citizens Facebook seeks to protect, there was no right to challenge the validity of the warrants before they were executed.

The court also rejected Facebook’s argument that the Federal Stored Communications Act granted Facebook standing to contest the warrants.  While that statute allows internet service providers to challenge court orders and subpoenas, the court held that it did not specifically grant the right to challenge warrants.

By acknowledging that “Facebook users share more intimate personal information through their Facebook accounts than may be revealed through rummaging about one’s home,” the court recognized that there are privacy concerns that need to be considered in the context of authorizing searches of an individual’s social media accounts.  But, the First Department also recognized the need to balance those interests with the need of law enforcement to obtain information relevant to criminal investigations.

Matter of 381 Search Warrants Directed to Facebook, Inc. is the latest in a growing line of court cases, including those in the civil context, that permit the disclosure of social media content.  While the way in which people store information may have changed in recent years, the judicial system’s rules to compel disclosure have not.  It simply applies those rules to the new ways of doing things.  Thanks to Mike Gauvin for his contribution to this post.  Please email Dennis Wade with any questions.

DDoS Attacks on Local Universities Highlight Increasing Cybersecurity Risks (PA & NJ)

Penn State and Rutgers University join the ever-growing list of victims of cybersecurity attacks. In only the past two months, both universities have suffered distributed denial of service attacks, more commonly referred to as DDoS attacks.

A DDoS attack is intended to render a server or network unavailable to its users. DDoS attackers use multiple devices and multiple internet connections to flood a victim’s computer system with web traffic until it is crippled by the requests and goes offline. Aside from the debilitating effects of DDoS attacks, they are difficult to combat. Victims cannot focus their efforts on deflecting attacks from a single attacker or a single source. Rather, the victim is flooded with requests from hundreds or even thousands of sources. While DDoS attacks are often just a frustrating nuisance for a victim to deal with, these attacks are continuing to evolve into a serious threat for network operators across the world. For Rutgers, the DDoS attack not only caused multiple internet outages, but affected the university’s final exam schedule.
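A defender-side illustration of the point above that a distributed flood cannot be relieved by blocking one address: the following Python example (added here; it is not code from the post or from either university) parses constructed access-log lines, bins requests into ten-second windows, and labels each window as normal, a single-source burst, or a distributed flood. The log format, thresholds and addresses are assumptions made for the example.

```python
"""Label traffic windows in web-server access logs as normal, a single-source
burst, or a distributed flood. Added illustration; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Prefix of the common/combined log format: client address and bracketed timestamp.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, aware datetime) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def classify_windows(lines, window_s=10, rate_threshold=50, source_threshold=20):
    """Bin requests into fixed windows and label each one.

    A window with more than rate_threshold requests is a burst.  It is labelled
    'distributed' when the requests come from more than source_threshold distinct
    addresses (blocking any single address will not relieve it) and
    'single-source' otherwise.  Returns {window_start_epoch: label}.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of stopping the detector
        ip, ts = parsed
        window = int(ts.timestamp()) // window_s * window_s
        counts[window] += 1
        sources[window].add(ip)
    labels = {}
    for window, n in counts.items():
        if n <= rate_threshold:
            labels[window] = "normal"
        elif len(sources[window]) > source_threshold:
            labels[window] = "distributed"
        else:
            labels[window] = "single-source"
    return labels


def make_line(ip, second):
    """Build one constructed log line at 01/May/2015:10:00:<second> UTC."""
    return (f'{ip} - - [01/May/2015:10:00:{second:02d} +0000] '
            f'"GET /exam-schedule HTTP/1.1" 200 512')


# Constructed sample (documentation-range addresses): six ordinary requests in
# the first ten seconds, 80 requests from one address in the next ten, then 80
# requests from 80 different addresses in the ten after that.
SAMPLE_LOG = (
    [make_line("198.51.100.7", s) for s in range(6)]
    + [make_line("203.0.113.9", 10 + i % 10) for i in range(80)]
    + [make_line(f"192.0.2.{i}", 20 + i % 10) for i in range(80)]
)

if __name__ == "__main__":
    for start, label in sorted(classify_windows(SAMPLE_LOG).items()):
        when = datetime.fromtimestamp(start, tz=timezone.utc)
        print(when.strftime("%H:%M:%S"), label)
```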

So, what makes universities such a target for DDoS and other cybersecurity attacks? As explained in a recent article in the New Jersey Law Journal, universities are relatively easy targets. The article quotes Vincent Polley, the head of technology consultancy KnowConnect to explain that because the university structure is a “confederation of schools that are fairly loosely coordinated…[there’s] frequently not a lot of top-down management.” Universities store vast amounts of their students’ personal and financial information, as well as sensitive research materials.

This begs the question: what can universities and colleges across the country do to protect their students’ information? According to a recent article in the New York Times, Penn State, like many other universities and colleges across the country, is beefing up its authentication requirements. Authentication requirements are generally applied before a university system can be accessed remotely. Authentication techniques can be broken into three categories: (1) things only a specified individual knows (e.g. a password, PIN, mother’s maiden name, or other type of security question); (2) things that only a specified individual would have (e.g. a key, card badge, token, or one-time password); or (3) something specific about the specified individual (e.g. an encoded fingerprint, voice recognition or an iris scan).

To further beef up security, schools like Penn State are requiring two-factor authentication, which incorporates two of the above-mentioned techniques to create a multilayer defense against unauthorized access. However, how effective these measures are against DDoS attacks and other cyberattacks remains to be seen.  Thanks to Erica Woebse for her contribution.  Please email Brian Gibbons with any questions.
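What combining two of the categories above looks like in code, as an added example that is not from the post or from Penn State: a Python login check that requires both a knowledge factor (a salted password hash) and a possession factor (a time-based one-time code per RFC 6238, the kind an authenticator app or token displays), and that rejects a one-time code presented a second time. The user record, secret and password are constructed for the example.

```python
"""Two-factor login check: knowledge factor (password) plus possession factor
(time-based one-time code, RFC 6238). Added illustration; all data constructed."""
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30  # TOTP time step; the displayed code changes every 30 s


def hash_password(password, salt, iterations=100_000):
    """Knowledge factor: keep only a salted PBKDF2 hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret, unix_time, digits=6):
    """Possession factor: HOTP (RFC 4226) over the current time step (RFC 6238)."""
    counter = struct.pack(">Q", int(unix_time) // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def new_record(password, totp_secret):
    """Constructed user record as a server would store it (no plaintext password)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": -1}


def verify_login(record, password, code, now, drift_steps=1):
    """Return True only if both factors check out.

    The password hash is compared in constant time.  Codes for the adjacent
    time steps are accepted to tolerate clock skew, and the step of an accepted
    code is recorded so the same code cannot be replayed inside its window.
    """
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False
    if len(code) != 6 or not (code.isascii() and code.isdigit()):
        return False  # malformed code; never reaches the comparison
    current = int(now) // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        expected = totp(record["totp_secret"], step * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            if step <= record["last_step"]:
                return False  # code for this step was already consumed: replay
            record["last_step"] = step
            return True
    return False


if __name__ == "__main__":
    secret = os.urandom(20)  # constructed shared secret, as enrolled on a token
    user = new_record("correct horse battery staple", secret)
    now = time.time()
    print(verify_login(user, "correct horse battery staple", totp(secret, now), now))
```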

White House Announces Federal Data Privacy Framework as Additional Breaches Signal Litigation

On the heels of an unprecedented year of major data breaches affecting some of America’s largest retailers, President Barack Obama recently announced his bid to propose new legislation that protects consumers from identity theft and other forms of digital trespass.   This proposal represents the first attempt at a national data privacy regime.

Citing that nearly 100 million Americans have had their personal information compromised and roughly ninety percent of the population has, at some point, lost exclusive control of their personal information, President Obama announced that he will seek to establish federal criteria for the reporting of data breaches.  The proposed federal criteria would preempt similar laws at the state level that tend to confuse or contradict one another.  Specifically, the President indicated that custodians like retailers and financial institutions will be required to report data breaches within thirty days so as to facilitate a proactive response from government agencies and consumers alike.  Perhaps most importantly, President Obama’s new data privacy infrastructure also seeks to establish a Consumer Privacy Bill of Rights that would codify basic principles of data privacy that all custodians must abide by.  In addition, the Consumer Privacy Bill of Rights would set in place certain baseline protections across all industries that would operate as minimum standards for the care of sensitive personal data.

Although there is little doubt that a national data privacy framework will do much to aid consumer expectations in respect of how their private information is shared and protected, custodians such as retailers, educational institutions and financial establishments should be mindful that increased federal involvement is likely to mean greater regulatory oversight and potential for litigation.  With due apologies to our colleagues who must now confront the maelstrom of regulatory compliance, we with a litigation bent tend to foresee that federal data privacy legislation will not only require custodians to actively revisit their policies and procedures across the board, but will serve as the minimum standard of care for losses resulting from data breaches and in all likelihood give rise to per se negligence claims.

For our part, and the part of those intimately involved in industries where ever-evolving technologies impact the ability to account for private personal data, the suggestion of federal data legislation should therefore serve as a call to take action before potential losses make their way to courtrooms across the country that have likewise sensed the specter of litigation and eagerly awaited a uniform direction.  Thanks to Adam Gomez for his contribution to this post.  Please contact Brian Gibbons with any questions.