The coverage landscape for “Business E-mail Compromise” (BEC) scams remains somewhat tenuous, as organizations and carriers continue to battle in court over the extent of coverage. Although recent positive, policyholder-friendly trends in the Eighth Circuit (hacker who took over a bank’s computer system) and federal district court in Georgia (scheme based on spoofing a CEO’s e-mail) found insurance coverage for fraudulently transferred funds, a recent unpublished Fifth Circuit opinion moves in the other direction. Unfortunately, this new ruling—and the uncertainty it creates—may embolden insurers in fighting coverage for these scams under crime insurance policies.
In the 1969 film Butch Cassidy and the Sundance Kid, after Butch and Sundance rob Union Pacific Railroad (“Union Pacific”) the first time, Union Pacific employs a stronger safe. After Butch and Sundance rob Union Pacific a second time, Union Pacific forgoes the safe and hires a posse of unrelenting gunmen, hell bent on capturing and/or killing the duo. The posse ultimately forces Butch and Sundance to flee to Bolivia—where they resume their bank-robbing antics. Ultimately, it takes the Bolivian army to stop them. In their case, albeit fictional, the active deterrent (the posse) was more effective at protecting Union Pacific’s money than the passive deterrent (the safe), in part, because Butch and Sundance were highly-motivated actors.
Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.
Data breach notification requirements are going global. By spring 2018, companies operating in the European Union must comply with the new General Data Protection Regulation’s (GDPR) data breach notification requirements and the Network and Information Security (NIS) Directive’s security incident notification requirements. Stricter and more far-reaching notification obligations underscore the importance of establishing a proactive Security Incident Response Policy to analyze potential legal obligations and prepare to respond to incidents long before they occur.
Even today, most companies—even technology companies—do not think they have information that the U.S. Government wants or needs, particularly as it might relate to a national security investigation. The reality is that as terrorists and others who threaten national security use a broader spectrum of technology resources to communicate and to finance and conduct operations, the U.S. Government has significantly increased its collection of data from technology companies and others.
In this Corporate Counsel article, Orrick attorneys Renee Phillips and Shea Leitch discuss the emerging issue of cybersecurity whistleblowing. The authors discuss scenarios in which cybersecurity whistleblowers may step forward and how a company can best address complaints internally and mitigate the potential of regulatory scrutiny. Click here to read the full article.
What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.
FBI Public Service Announcement
In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.
Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more. READ MORE
The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company. In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts: a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.
Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.
Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.
On September 12, 2016, the Data Protection Authority of the German Federal State of North Rhine-Westphalia (“DPA NRW”) became one of the first EU data protection authorities to issue guidance on the implementation of the Privacy Shield. Although the guidance is primarily directed at German companies that engage U.S. providers (any third party service providers), U.S. providers should understand the guidance to better understand what German and EU customers may ask of them in addition to EU/U.S. Privacy Shield certification.
The DPA NRW raised the following issues that U.S. companies should consider:
1. Privacy Shield Alone May Not Be Sufficient For Transfers of Personal Data
Pursuant to the guidance, European companies considering transfers of personal data abroad must make a two-step assessment of data privacy compliance.
First, there must be a statutory basis for the transfer that is consistent with the local law of the concerned EU Member State, and as of May 2018, also with the EU General Data Protection Regulation. Second, the personal data held by EU companies should only be transferred to countries with an adequately high level of data protection comparable to the protection in the EU.
Privacy Shield, however, only addresses the latter. More specifically, the EU Commission’s adequacy decision of July 12, 2016 held that U.S. companies certified under the Privacy Shield provide an adequate level of protection.
Practically, what does this mean? In addition to the Privacy Shield certification, U.S. companies may need to enter into a data processing agreement with their EU partner that satisfies the relevant EU Member State statutory provisions that apply to data processing agreements. One example of such statutory provisions is Section 11 of the German Federal Data Protection Act, which contains fairly detailed requirements on the content of data processing agreements. In particular, it requires both parties to agree on rather specific technical and organizational measures that the processor has implemented to protect the security of the data to be processed.
2. Data Controllers Transferring Personal Data under the Privacy Shield Have Additional Duties
Under the guidance, even if a U.S. company is Privacy Shield certified, data controllers are still responsible for independently verifying that data privacy protections are upheld. That means that before transferring personal data to a Privacy Shield certified U.S. company the data controllers must confirm that:
- the Privacy Shield certification actually exists;
- the Privacy Shield certification is up to date (the certification has to be renewed annually); and
- the personal data the data controller intends to transfer is covered by the certification.
Thus, U.S. companies should expect that data controllers will ask the U.S. company questions regarding these points, and likely require the U.S. company to attest that it complies with its privacy obligations with respect to the concerned data subjects. For verification of the status of a Privacy Shield certification, the U.S. Department of Commerce keeps and updates a list of certified companies https://www.privacyshield.gov/list.
For U.S. companies that are using the nine month grace period for compliance with the onward transfer principle of the Privacy Shield, the guidance indicates that the EU data controller should have the U.S. company confirm when it has completed compliance with the onward transfer principle. For U.S. companies, this will underscore the importance of reviewing, and where necessary updating, vendor and service provider contracts to ensure compliance with the Privacy Shield’s onward transfer principle by, among other things, contractually restricting the vendor or service provider’s data processing activities and requiring protection consistent with the Privacy Shield Principles.
3. Employee Data is Special
The Privacy Shield contains special provisions regarding transfers of employee data. If the Privacy Shield certification covers employee data, the company must agree to cooperate and comply with the EU DPAs with respect to such data. This means that the use of such data will still remain subject to EU law, and complaints from data subjects about the use of the data will be adjudicated by the EU DPAs. In addition, the following principles must also be followed by the EU companies transferring employee data to the United States:
- The Privacy Shield Principle of choice may be impacted by generally applicable regulations from EU Member States that do not allow for the continued processing of employee data for purposes other than the purpose for which they were collected. EU data controllers (e.g. in general, the employing entities) may further restrict U.S. companies from such uses and require contractual restrictions.
- U.S. companies and/or the data transferring EU entity (employer) need to respect an employee’s exercise of his/her right of choice against processing their personal data and must not disadvantage the employee in any way.
- If specific protection for employee data is needed, appropriate measures have to be taken, e.g. pseudonymization or anonymization of data should be considered.
4. Privacy Shield May Not Be a Long Term Solution.
Despite raising various concerns about the EU/U.S. Privacy Shield, the DPA NRW agreed to give the program one year to address those concerns. After this initial year, the Article 29 Working Party plans to review whether its concerns have been addressed, and if the Privacy Shield is effective and functioning. Depending on the outcome of this annual assessment, the DPA NRW reserves the right to reevaluate and potentially stop data transfers under the Privacy Shield. Accordingly, U.S. companies relying on the Privacy Shield should carefully weigh the uncertainty it offers as a long term solution.
At the same time, the DPA NRW guidance points out that the outcome of this assessment will also have an impact on other methods of transatlantic data flows such as binding corporate rules and EU model contractual clauses which are currently likewise under scrutiny.
For more details on the Privacy Shield, or for help exploring whether it is appropriate for your company, please contact any member of Orrick’s Cybersecurity and Privacy team.