Cyber-Security Alert: D.C. Area Hospital Chain MedStar Targeted By Hackers

Posted on April 15, 2016 by Dana Petrillo No Comments ↓

MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. The chain’s approximately 35,000 employees did not have access to emails and could not look up digital patient records in the attack’s wake. The FBI is assisting the chain by investigating the incident. It’s unclear at the moment whether or not the hackers are demanding ransom from MedStar in exchange for removing the virus.

The recent cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities as security protections in healthcare often lag behind those in banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bowing to hackers’ demands for ransom.

This latest attack just goes to show the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo, or another member of Cozen O’Connor’s Health Law team.

Tagged with: , , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, HIPAA, Privacy

Insurance Company Must Defend Against Data Breach Class Action, 4th Cir. Says

Posted on April 13, 2016 by Matthew Siegel, Armeen Mistry
No Comments ↓

On Monday, the Fourth Circuit held that Travelers must defend Portal Healthcare in a class action claim arising out of an alleged medical records data breach.

The class action, filed in New York state court in April 2013, alleges that Portal negligently failed to secure its server containing confidential records of patients at a hospital in Glen Falls, New York. This alleged failure made the records publicly available online. When patients noticed their personal information was readily available online, they notified Portal and subsequently filed suit.

After the data breach, Portal sought coverage under two policies it maintained with Travelers, which purported to cover electronic publication of materials from January 2012 to January 2014.  Travelers denied coverage and Portal brought suit in Virginia federal court.

In an unpublished opinion. the Fourth Circuit panel on Monday adopted the reasoning of the trial court’s August 2014 decision. In that decision, U.S. District Judge Gerald Bruce Lee held that by disclosing confidential patient information, Portal had effectively published that information. As such, he concluded that Travelers had a duty to defend Portal, as the breach had triggered the personal and advertising injury coverage provision contained in the Travelers policy. Travelers argued that it had no duty to defend because Portal did not intend to publish the medical information, and because the class members offered no evidence that any third parties had actually viewed the information. Rejecting this argument, Judge Lee noted that “publication occurs when information ‘is placed before the public,’ not when a member of the public reads the information placed before it.”

Travelers appealed, and the Fourth Circuit panel confirmed Judge Lee’s “sound legal analysis.” The Fourth Circuit affirmed Judge Lee’s ruling based on the “eight corners” rule, whereby the court compares the allegations of the complaint to the language of the policy to determine whether the claim could potentially fall within the coverage grant. “We agree with the opinion that Travelers has a duty to defend Portal against the class-action complaint,” the Fourth Circuit wrote. “Given the eight corners of the pertinent documents, Travelers’ efforts to parse alternative dictionary definitions [of publication] do not absolve it of the duty to defend Portal.”

As mentioned above, the decision was unpublished, so it is not considered binding precedent in the Fourth Circuit; nor, of course, is it binding on any other court. Also, the facts are distinguishable from other data breach cases which have found that there is no coverage under a traditional liability policy for alleged “publication” of private information. In this case, the information was allegedly “published” by Portal — the insured under the policy — rather than by a third party, such as a hacker, as was the case with Sony, for example. Moreover, many traditional policies now have specific exclusions that address loss of electronic data. Thus, it is difficult to say whether this case will have any far-reaching implications or if it will be confined to its facts. Either way, it has generated a lot of buzz and it is certain to be – as it should be – a topic of conversation among those in the insurance industry. Whichever way you come down on the decision, it by no means settles the debate on whether a CGL policy covers a data breach claim, though it may provide some fodder for the debate to drag on a little longer.

The case is Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, No. 14-1944, U.S. Court of Appeals for the Fourth Circuit.

Tagged with: , , , , , ,
Posted in Data Breach, Data Security, Insurance, Litigation

OCR Announces Two Significant HIPAA Breach Settlements

Posted on March 24, 2016 by Gregory Fliszar, J. Nicole Martin
No Comments ↓

On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital.  According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

Tagged with: , , , , , , , , , , , , , , , ,
Posted in Data Breach, Data Security, HIPAA

House Subcommittee Examines the Role of Cyber Insurance

Posted on March 23, 2016 by Howard Schweitzer No Comments ↓

On March 22, the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on The Role of Cyber Insurance in Risk Management. The witnesses were Matthew McCabe, a Senior Advisory Specialist for cyber insurance at Marsh FINPRO, Adam Hamm, North Dakota Insurance Commissioner, Daniel Nutkis, CEO at Health Information Trust Alliance, and Tom Finan, CSO at Ark Network Security Solutions. The goal of the hearing was to evaluate the current state of the cyber insurance market and its potential for growth, as well as examining ways to promote the adoption of cyber best practices and the use of cyber insurance to more effectively manage risk.

In his opening statement, Subcommittee Chairman Rep. John Ratcliffe (R-TX) outlined the goals of the hearing and the importance of cybersecurity in an increasingly interconnected world. The potential for cyber insurance to encourage companies to improve risk management has been an important topic recently, which Mr. Ratcliffe underscored by pointing to a string of high profile breaches including Home Depot, Target, and JPMorgan Chase, which impacted everyday Americans. While noting that the cyber insurance market is still in its infancy, he conveyed optimism for the market’s future potential. Mr. Ratcliffe believes that cyber insurance may be one solution to improving the security of companies that store data online. In a premise that was reiterated throughout the hearing, he noted how the process of considering, applying for, and maintaining a cyber insurance policy forces companies to examine their own cyber security weaknesses and vulnerabilities. He also mentioned the work of the Department of Homeland Security’s Cyber Incident Data and Analysis Working Group, which is facilitating discussions with key stakeholders on mitigating risks, examining the potential value of a cyber incident data repository, developing new cyber risk scenarios and models, and seeking to help organizations to evaluate and improve cyber risk management. Ranking Member Rep. Cedric Richmond (D-LA) echoed these sentiments and raised the question of what a cyber insurance policy would look like in certain scenarios, such as if a company was already hacked, malware was dormant, but it still wanted to mitigate its subsequent risk. This brought up some of the challenges that are unique to cyber insurance compared to other types, such as homeowners insurance.

In the witnesses’ opening statements, they discussed the state of the cyber insurance market from an industry and regulatory perspective, as well as ways that it might grow. Mr. McCabe discussed cyber insurance as a product, how it helps improve resiliency against threats, and the use of data analysis to support and improve the industry. He also discussed Marsh’s role in helping clients assess their own risk exposure and helping them deal with the financial impact of a cyber incident. He argued for the importance of cybersecurity and risk management for the private sector, as well as to protect U.S. critical infrastructure that is increasingly connected to the internet and therefore increasingly vulnerable to cyber attacks. Read more ›

Tagged with: , , , ,
Posted in Data Security, Insurance

Feds Push for Better Cybersecurity

Posted on March 17, 2016 by Rob Freeman No Comments ↓

President Obama has long discussed the importance of improving governmental cybersecurity, but the issue gained significant traction last year after two massive breaches at the Office of Personnel Management (OPM). In February 2016, the President issued an Executive Order to establish a so-called Federal Privacy Council, charged with ensuring that all agencies of the federal government strive “to uphold the highest standards for collecting, maintaining, and using personal data.”

The Federal Privacy Council is an “interagency support structure” that will provide expertise and assistance, improve the management of current agency privacy programs, promote collaboration between agency privacy professionals and ensure effective implementation of privacy policy. Currently, only some federal agencies have mandated privacy officers, and the roles and positions of these officers vary from agency to agency. The Privacy Council is intended to reinforce the work that current agency privacy officials undertake and to coordinate exchange of information and best practices. It will also be in charge of professional development for privacy professionals.

The chair of the Privacy Council will be the OMB Deputy Director for Management, who can designate a Vice Chair, establish working groups and assign responsibilities. Council membership will also include senior privacy officials from 24 key federal agencies, from the Department of State to NASA. The OMB Director will determine the duties of these agency officials.

The establishment of this Council is part of the President’s Cybersecurity National Action Plan, which also includes a fund to modernize and improve the federal government’s IT infrastructure and calls for a Commission on Enhancing National Cybersecurity to bring lawmakers and private sector leaders together to make recommendations regarding government cybersecurity.

Major questions remain concerning the Privacy Council and the president’s larger cybersecurity agenda. The first is whether the proposals will garner the required support and cooperation of Congress. President Obama included $19 billion in his annual budget proposal for cybersecurity, but Republican lawmakers have so far been hostile toward other areas of his budget proposal. Obama met with Speaker Paul Ryan specifically on cybersecurity, an area that generally has bipartisan support, and has indicated that he anticipates success in finding the support he needs in Congress.

The second is whether the Privacy Council and related initiatives are staffed and structured to achieve success. The OMB director has not yet set out a role for the dozens of senior agency privacy officials and the Privacy Council Chair has not yet been appointed. Enforcement processes also remain unspecified, which can present problems for inter-agency programs.

Given the limited time left in Obama’s presidency and other challenges, it appears unlikely that the Council will make a significant impact—at least, not on its own and not in the near term. But the hope is that it can play a meaningful part in the broader, ongoing effort to reform the federal government’s outdated approach to cybersecurity.

Tagged with: , , ,
Posted in Legislation, Privacy, Regulations

iWon’t: Apple’s Face-Off with the DOJ

Posted on March 8, 2016 by Matthew Siegel No Comments ↓

shutterstock_

In what is quickly becoming one of the closest-watched cases in the country, Apple is now at loggerheads with the Department of Justice and FBI over its refusal to unlock the iPhone of one of the San Bernardino shooters.

The government has demanded that Apple provide technical assistance to unlock the phone so that the FBI can search its contents for evidence. Specifically, the government wants Apple to develop software to override the phone’s security feature that wipes data stored on the phone after ten failed attempts to enter the correct password.  Federal prosecutors have said that the software would affect only the seized phone, and that they need access to the phone because, based upon communications already recovered from Apple’s iCloud servers, they believe it may contain communications and data relevant to the shooting that could shed light on whether the shooters were planning other attacks and whether they received any foreign aid.

Apple recently filed a lengthy motion opposing the government’s motion to compel. The company’s central argument is that the operative statute (the All Writs Act of 1789) does not give the Department of Justice the power to compel Apple to create the new software that would be required to bypass the iPhone’s embedded security.

In its recent court filing, Apple argues that the All Writs Act “is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress; it does not grant the courts free-wheeling authority to change the substantive law, resolve policy disputes, or exercise new powers that Congress has not afforded them.”

Apple describes the contemplated software as “a back door to defeat the encryption on the iPhone.” The company notes that Congress already has considered and rejected legislation that would have accomplished what the government now seeks to achieve through judicial decree. And from a practical standpoint, the company decries the effort it would take to develop and administer such technology as approaching herculean proportions.

Further, Apple argues, the order flies in the face of essential protections guaranteed by the U.S. Constitution. In Apple’s view, ordering it to create code is tantamount to compelling speech, in violation of the First Amendment. Additionally, the company argues, “conscripting a private party with an extraordinarily attenuated connection to the crime to do the government’s bidding in a way that is statutorily unauthorized, highly burdensome, and contrary to the party’s core principles, violates Apple’s substantive due process right to be free from ‘arbitrary deprivation of [its] liberty by government.’”

This case highlights a deepening disconnect between technology companies and the law enforcement community, and both sides have called for Congress to take legislative action. Apple CEO Tim Cook has said the company is prepared to take the fight to the U.S. Supreme Court, if necessary. A hearing on the motion is scheduled for March 22 in the United States District Court for the Central District of California.

Tagged with: , , , ,
Posted in Data Security, Litigation, Privacy

SuperValu Latest in Debate over Standing

Posted on February 03, 2016 by Matthew Siegel, Armeen Mistry
No Comments ↓

Last month, a Minnesota federal judge tossed out extensive multidistrict legislation concerning a proposed class action of SuperValu shoppers. Shoppers from Illinois, Minnesota, and Idaho had alleged that the supermarket chain caused them harm when hackers penetrated SuperValu’s systems and installed malicious software on its payment card systems. The complaint listed dozens of state and federal privacy violations.

The problem with their case, according to Judge Ann D. Montgomery of the U.S. District Court for the District of Minnesota, was that between the sixteen named shoppers in the proposed class, the only evidence of harm was a single unauthorized charge. In In re: SuperValu, Inc., Customer Security Breach Litigation, No. 14-MD-2586 ADM/TNL, Judge Montgomery held that this single charge could not reliably be traced back to SuperValu’s hack, given the frequency of credit card fraud. Without any other instances of harm, the judge said it was complete speculation as to whether the hackers were actually successful in using the data they obtained.

In 2014, SuperValu reported two separate breaches. The first occurred in August against the company’s Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save, and Shoppers Food & Pharmacy systems and the second occurred one month later at its Albertson’s stores.

The debate over standing in data breach litigation has been raging as of late and we have reported on several of the more notable opinions (see here, here, and here for a few examples).  In one of those cases, the U.S. District Court for the Eastern District of Pennsylvania found a plaintiff who had suffered identifiable identity attacks after a breach did have standing and the court allowed the plaintiff’s claims for breach of contract and restitution to move forward.  See Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015).

Comparing the case to the Target data breach, Judge Montgomery noted that previous cases included detailed allegations of extensive misuse of customer data information. “Here, the singular incident from one named plaintiff over the course of more than a year following the data breach is not sufficient to ‘nudge’ plaintiffs’ class claims of data misuse or imminent misuse ‘across the line from conceivable to plausible.’” This increased risk of future harm was not enough to demonstrate standing.

Although members of the proposed class argued that they had suffered harm based on the time and money spent monitoring their accounts, Judge Montgomery ruled that this fear of future harm was not enough to establish standing under Article III.

The full text of Judge Montgomery’s opinion is available here. As the plaintiffs’ case in SuperValu was dismissed without prejudice, it remains to be seen whether they will bring an amended complaint.

Tagged with: , , , , ,
Posted in Cyberattack, Data Breach, Litigation

Michaels Crafts Successful Motion to Dismiss in Data Breach Case

Posted on January 28, 2016 by Matthew Siegel No Comments ↓

Plaintiffs continue to battle for standing in data breach cases, and another federal court recently added to a growing body of decisions helpful to companies who find themselves on the receiving end of a lawsuit after falling victim to hackers.  The United States District Court for the Eastern District of New York decided last month in Whalen v. Michaels Stores, Inc. that craft supplies giant Michaels Stores, Inc. (“Michaels”) is not liable to a putative class of plaintiffs whose credit card information was stolen when the company’s computer system was hacked in early 2014.  Finding that the plaintiff alleged no unreimbursed fraudulent charges, and no impending injury, the court granted the company’s motion to dismiss for lack of standing.

Mary Jane Whalen sued Michaels on behalf of a class of individuals similarly situated, alleging that her credit card information was among the data hackers obtained from Michaels and its subsidiary, Aaron Brothers, in a security breach that reached approximately 2.6 million cards.  In an effort to establish Article III standing, the plaintiff alleged that she and the putative class members suffered five types of injury:

  1. actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charges to their accounts;
  2. loss of time and money associated with credit monitoring and obtaining replacement cards;
  3. overpayment for Michaels’ services;
  4. lost value of credit card information; and
  5. violation of New York General Business Law § 349.

The court rejected each of these theories.  As to actual damages, the court noted that the plaintiff had not alleged that she had lost any money.  Rather, she merely alleged that her credit card (which she cancelled) had been “physically presented for payment” to a gym and a concert venue in Ecuador.  She did not allege that the charges were approved or that she suffered any loss because of them.  Even if the charges had been approved, the court noted, the plaintiff “would not have suffered any liability ‘given the zero-fraud-liability policy of every major credit card issuer in the country, including Whalen’s card issuer.’”

The court made short work of the plaintiff’s second alleged injury, relying upon the Supreme Court’s admonition in Clapper v. Amnesty International, USA that plaintiffs “cannot manufacture standing” through credit monitoring.  Moreover, Michaels offered one year of free credit monitoring to those affected by the breach.

The plaintiff’s third theory of harm, overpayment for services, hinged on the idea that she would not have used her credit card at Michaels had she known that her information would not be reasonably safeguarded.  The court found that this argument rang hollow, noting that the plaintiff “failed to allege that Michaels charges a different price for credit card payments and cash payments or that Michaels uses any customer payment for its security services.”

The court seemed to find the plaintiff’s fourth alleged injury — diminished value of her credit card information — nonsensical, simply noting that “without allegations about how her cancelled credit card information lost value, Whalen does not have standing on this ground.”  And an alleged statutory violation is likewise insufficient to gain standing, the court held.

Having rejected each of the plaintiff’s attempts to show actual harm, the court then turned to her argument that she faced an increased risk of future harm sufficient to confer standing.  It is well-established that such harm must be “certainly impending,” or present a “substantial risk,” to constitute an injury-in-fact for Article III purposes.  Fatal to the plaintiff’s argument on this point was her own allegation that “fraudulent use of cards might not be apparent for years,” (emphasis added by the court) and the fact that in the nearly years between the breach and the filing of her complaint, the plaintiff had suffered no harm.

The decision reinforces the idea that a security breach should not expose a company to liability to those whose information was taken, unless plaintiffs are able to demonstrate they suffered some demonstrable loss, or are very likely to in the foreseeable future.

Tagged with: , , , , ,
Posted in Data Breach, Data Security, Litigation, Privacy

Chris Correa Isn’t Billy Beane and This Isn’t Moneyball

Posted on January 23, 2016 by Jason B. Bonk No Comments ↓

The lights going on and off within the head of former St. Louis Cardinals scouting director Chris Correa were once probably flickering more actively than the lights inside of The Staples Center just before the Los Angeles Lakers take to the hardwood floors behind the sounds of The Who’s “Baba O’Riley.” That song, the chorus of which is, “It’s only teenage wasteland,” has been echoed by many music fans over the last four decades. It’s also something Mr. Correa ought to have learned a bit more about before hacking into the Houston Astros’ data systems during the last several years, a crime to which Mr. Correa has now pleaded guilty. In case Correa forgot, his actions are not at the sophistication level, nor does he have the creative liberties, of the Golden Globe winning show, “Mr. Robot,” which detailed the exploits of a group of disillusioned hackers with Robin Hood-like motivations.

Instead, Mr. Correa lives like the rest of society, and what he did was illegal. He has now formally copped a plea to the illegal systems and e-mail hacking of managerial level members of the Cardinals’ rival franchise, the Houston Astros, including the Astros’ General Manager, Jeff Lunhow. Correa faces at least five criminal counts, each punishable by a hefty fine and prison term.

Oddly, Correa denied any wrongdoing whatsoever when first terminated by the Cardinals organization, which makes the story even murkier. The recent plea agreement confirms his involvement in some kind of scheme to steal scouting and draft information that might give the Cardinals a competitive edge against their rivals down in southeast Texas. Was Correa acting as a rogue employee? Hard to say. Were his actions illegal? Absolutely.

Does Correa deserve maximum punishment? Probably not, especially in light of the sports scandals regarding doping, domestic abuse and deflated footballs that have plagued American sports of late. Does he deserve punishment sufficient to remind him that he’s not living in a “Teenage Wasteland,” the term so appropriately coined by the band The Who? Certainly.

Correa may have wished he were just like Peter Brand, the General Manager working under Billy Beane in the Oakland Athletics organization. Brand facilitated the statistical analysis for Billy Beane and the A’s in what has now become known as “Moneyball” thanks to a well-written book by Michael Lewis, and a movie made famous by Brad Pitt and Jonah Hill. Correa’s behavior, however, does not resemble the creative analytic accomplishments by the Athletics during those years when they revamped the techniques of MLB scouting through the use of statistics. What Correa did rises to trade secret theft and possibly corporate espionage. Correa worked his way up the ranks by stealing information that belonged to another MLB franchise, not through careful analysis of scouting information that was widely (and legally) available. Read more ›

Tagged with: , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Privacy, Standards

Wyndham Settles with FTC

Posted on January 21, 2016 by Katie M. Sluss No Comments ↓

Last month, Wyndham Worldwide Corp. settled its lengthy civil case with the Federal Trade Commission.  The suit began in 2012, when the FTC sued Wyndham and three of its subsidiaries, alleging three data breaches between 2008 and 2010 were a result of Wyndham’s data security failures.  Despite Wyndham’s attempts to dismiss the suit by arguing the FTC had no authority over Wyndham’s conduct, the Third Circuit Court of Appeals upheld the FTC’s authority under Section 5 of the FTC Act.

The settlement that resulted from this suit requires Wyndham to establish and maintain, for the next 20 years, a comprehensive security program that is designed to protect cardholder data.  Among other things, this comprehensive security program requires Wyndham to identify material internal and external risks to cardholder data, design and implement reasonable safeguards to control the risks identified through the risk assessment and conduct regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems and procedures.

Additionally, Wyndham is required to obtain annual information security assessments by a qualified, objective, independent third-party professional and, following discovery of a breach involving more than 10,000 unique payments card numbers, Wyndham must obtain an assessment that meets the requirements by the PCI Security Standards Council.  The settlement did not include an admission of wrongdoing by Wyndham nor a monetary sanction.

As the courts continue to determine the scope of the FTC’s authority under Section 5 of the FTC Act, companies must continue to ensure adequate security safeguards are in place, because even without monetary sanctions, the additional audits and government oversight that can be required as a result of data security failures may be lengthy and costly.

Posted in FTC, Litigation, Regulations, Standards
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs