In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE
Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.
Even today, most companies—even technology companies—do not think they have information that the U.S. Government wants or needs, particularly as it might relate to a national security investigation. The reality is that as terrorists and others who threaten national security use a broader spectrum of technology resources to communicate and to finance and conduct operations, the U.S. Government has significantly increased its collection of data from technology companies and others.
What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.
FBI Public Service Announcement
In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.
Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more. READ MORE
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme. According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information. In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action. The SEC’s enforcement action may be a harbinger of events to come. As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.
Data breach here, date breach there, data breach everywhere? Every day we are learning about the importance of and risks associated with cybersecurity. Those risks are not limited to big corporations or even the private sector. Schools, of all levels, are increasingly faced with cybersecurity-related questions and potential for liability, and they are beginning to seek coverage for those risks. But educational institutions as policyholders have issues in addition to those affecting large, company-wide databases that are usually considered when procuring cyberinsurance policies. Educational institutions as policyholders must ensure that any coverage they procure covers these risks. READ MORE