Amidst mounting pressure to pursue cybersecurity more aggressively, the Federal Trade Commission (“FTC”), the federal government’s most active enforcer in the space, has recently imposed increasingly stringent cybersecurity requirements in its consent orders. Given that FTC consent orders typically carry 20-year terms and a potential fine of $42,530 (which the FTC may contend applies to each consumer subject to a breach), it is vital for companies faced with an FTC cybersecurity investigation to take every possible step to narrow the scope of relief requested by the FTC. Several recent FTC cybersecurity settlements illustrate an emerging pattern: a company that litigates may secure a better deal than it would have received in an initial settlement, if not defeat the action entirely. But when considering whether to settle or litigate with the FTC, companies must still balance the various legal, business, and reputational risks at stake.
Privacy & Cybersecurity Litigation partner Michelle Visser, counsel David Cohen and associate Nicole Gelsomini authored this blog post for the Washington Legal Foundation on the unsettled state of the law on constitutional standing in privacy and cybersecurity cases in the wake of two recent Supreme Court developments. Constitutional standing challenges are, and will continue to be, an important potential tool for privacy and cybersecurity defendants seeking to dismiss certain class actions brought in federal court. To establish standing, a private plaintiff must show, among other things, that he or she faces an actual or imminent concrete injury from the defendant’s conduct. As explained in the Washington Legal Foundation post, however, the Supreme Court recently passed on two chances to clarify the test that will govern this standing inquiry, leaving defendants to wade through conflicting and ambiguous lower court precedent. The uncertain and nuanced state of this area of law underscores the importance of retaining experienced cybersecurity and privacy defense counsel when faced with this type of suit.
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues. As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE
Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.
Even today, most companies—even technology companies—do not think they have information that the U.S. Government wants or needs, particularly as it might relate to a national security investigation. The reality is that as terrorists and others who threaten national security use a broader spectrum of technology resources to communicate and to finance and conduct operations, the U.S. Government has significantly increased its collection of data from technology companies and others.
What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.
FBI Public Service Announcement
In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.
Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more. READ MORE