Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

Posted on November 06, 2017 by Matthew Siegel, Ethan Price-Livingston

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.
Tagged with: , , , , , , ,
Posted in Data Breach, Data Security

Financial Services Committee Rounds Out Equifax Hearings

Posted on October 5, 2017 by Rob Freeman

The House Financial Services Committee this morning rounded out a full week of congressional hearings for former Equifax CEO Richard Smith. Chairman Jeb Hensarling (R-TX) reiterated his earlier calls for national standards for data security and breach notifications.

Ranking Member Maxine Waters (D-CA) blasted the “stranglehold” that credit reporting agencies have on the American consumer and touted her newly introduced bill, H.R. 3755, the Comprehensive Consumer Credit Reporting Reform Act. H.R. 3755 would shift the burden of fixing credit mistakes towards the agencies and away from consumers. It would additionally limit the use of credit reports in the employment background check process.

Ranking Member Waters questioned the relevance of Smith’s presence before the committee, arguing that since he is no longer a permanent member of Equifax he cannot adequately inform Congress of the steps the company is taking to address the breach. Smith defended the relevancy of his testimony, stating that he is still an advisor to company leadership.

With five panel hearings completed, both the House and Senate have had extensive opportunity to both criticize Equifax for its shortcomings and gather information on the breach itself. Whether Congress will use this information and come to a consensus on how to ensure consumers’ rights are protected in the future remains to be seen.

 

Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy

Equifax Hearings – Round Three

Posted on October 4, 2017 by Rob Freeman

Richard Smith, former Chairman and CEO of Equifax, faced his third congressional hearing in two days, appearing this afternoon before the Senate Judiciary Committee’s Privacy, Technology, and the Law Subcommittee to discuss the recently revealed Equifax data breach and efforts to monitor data broker cybersecurity.

In a departure from the previous Equifax hearings, members of the committee were more reserved in their criticism of the consumer credit agency, adopting a stern but not aggressive tone on both sides of the aisle. Ranking Member Al Franken (D-MN) also broke from the pattern of previous hearings by addressing not only the consumer protection implications of the breach but national security concerns as well.

Another dissimilarity with previous Equifax hearings was the subcommittee’s decision to feature a second panel of expert witnesses instead of focusing its attention solely on Smith. In the second witness panel, subcommittee members heard from Jamie Winteron, the Director of Strategic Research Initiatives at Arizona State University’s Global Security Initiative, and Tyler Moore, an assistant professor of cybersecurity and information assurance at the University of Tulsa’s Tandy School of Computer Science.

The Judiciary subcommittee’s relatively subdued tone and focus on industry experts likely reflects the members’ desire to use the hearing to arrive at a substantive solution rather than to pile on the chorus of voices criticizing Equifax. Nevertheless, Smith will appear one more time before Congress this week at a hearing before the House Financial Services Committee on Thursday morning.

 

Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy

Equifax Hearings Continue on the Hill

Posted on October 4, 2017 by Rob Freeman

Former Equifax chief Richard Smith returned to Capitol Hill for a second day of congressional hearings into his company’s data breach, this time appearing before the Senate Banking, Housing, and Urban Affairs Committee.

Committee Chairman Mike Crapo (R-ID) characterized the Equifax breach as “shocking and concerning,” sentiments that were shared by both Republicans and Democrats alike. Ranking Member Sherrod Brown (D-OH) went further and said that “a goldmine for hackers” such as the trove of personal information stored by Equifax “should be a digital Fort Knox.” Brown continued to criticize Smith and Equifax for their handling of the breach, saying that the American public has grown accustomed to large companies getting off the hook for perpetrating similar large scale scandals.

During the hearing Smith unveiled Equifax’s plan to allow consumers to control access to their credit data by allowing them to lock and unlock their data at any time and at no cost. His proposal drew interest from the Banking committee members, who inquired about the details and logistics of the plan. According to Smith, this tool will roll out to consumers in early 2018.

The tool’s objectives mirror those of a bill touted by Representative Ben Ray Lujan (D-NM) in the previous day’s House Energy and Commerce Committee hearing on the Equifax breach. The Free Credit Freeze Act, H.R. 3878, would allow consumers to freeze and unfreeze their credit data at any time at no charge.

Smith is slated to appear before the Senate Judiciary Committee later this afternoon and before the House Financial Services Committee tomorrow morning. Whether after five high profile hearings Congress is able to come together with legislative solutions to both prevent such breaches from occurring in the future and mitigate the damage from the still-unfolding Equifax breach remains to be seen.

Tagged with: , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Litigation, Privacy

House Holds Hearings on Equifax Breach

Posted on October 3, 2017 by Rob Freeman

The House Committee on Energy and Commerce’s Subcommittee on Digital and Consumer Protection held the first in what will be a series of Congressional hearings on the recently revealed data breach at major credit agency Equifax. Former CEO of Equifax Richard Smith testified before the committee on the hack and took the opportunity to apologize to Congress and the impacted public for the damage.

The chairmen and ranking members of both the full committee and the subcommittee criticized Smith for the company’s cyber practices as well as its post-breach response. Committee Chairman Greg Walden (R-OR) accused Equifax of failing to put consumers first, while subcommittee Ranking Member Jan Schakowsky (D-IL) said that the company “deserves to be shamed.”

While Republicans on the panel lodged complaints with the former CEO over the breach during the hearing, Democratic members took a more aggressive stance. Led by Ranking Member Schakowsky and Representative Ben Ray Lujan (D-NM), the Democratic members pushed for specific legislative solutions. Schakowsky noted she had reintroduced the Secure and Protect Americans’ Data Act (SPADA) in advance of the hearing. SPADA would enhance companies’ data security requirements and require timely notification and assistance to consumers in the event of a data breach.

Representative Lujan similarly touted his Free Credit Freeze Act, which would allow consumers to freeze and unfreeze their credit at no cost in order to prevent hackers from creating new financial accounts with their stolen information.

The subcommittee’s hearing kicks off a week of congressional scrutiny on data protection and the Equifax breach. The House Oversight and Governmental Reform Committee is slated to hold a hearing on the cybersecurity of the Internet of Things just hours after the Equifax panel concludes. On Wednesday, the Senate Banking and Judiciary committees will also hold hearings on the Equifax data breach at 10:00am and 2:30pm, respectively.

Tagged with: , , , , , ,
Posted in Cyberattack, Data Breach, Data Security, Legislation, Privacy, Regulations

Latest Spokeo Decision Adds to the Growing Body of Law Supporting Article III Standing for Cybersecurity Plaintiffs

Posted on August 30, 2017 by Matthew Siegel

We recently wrote about a decision in Attias v. CareFirst, Inc., holding that a class of plaintiffs whose information was compromised in a cyberattack had sufficiently demonstrated standing to survive a motion to dismiss. The U.S. Court of Appeals for the Ninth Circuit now has added to the toolbox for plaintiffs in cyber cases whose standing is challenged.

In Robins v. Spokeo, which the Ninth Circuit heard on remand from the U.S. Supreme Court, the issue was whether the plaintiff —who alleged that an inaccurate report about him on Spokeo’s consumer reporting web site constituted willful violations of the Fair Credit Reporting Act — had alleged a sufficiently “real” injury to meet the elements necessary for Article III standing.

The district court dismissed the complaint, holding that the plaintiff’s allegation of a bare violation of the statute did not show that he had suffered an injury-in-fact. The Ninth Circuit reversed in Spokeo I, holding that by alleging a violation of his statutory rights, the plaintiff had alleged a concrete and particularized injury. The U.S. Supreme Court granted certiorari and vacated that opinion, holding that the Ninth Circuit’s analysis had been incomplete, and remanded for further consideration of whether the injury was sufficiently concrete to support standing.

Specifically, the court considered “the extent to which violation of a statutory right can itself establish an injury sufficiently concrete for the purposes of Article III standing.” While the FCRA provides an individual right to sue for violations of the statute, the Supreme Court made clear that such a right does not satisfy the injury-in-fact requirement for Article III standing per se.

Rather, “even when a statute has allegedly been violated, Article III requires such violation to have caused some real — as opposed to purely legal — harm to the plaintiff.” Congress’s decision to provide a right of action is instructive, however, in cases in which the harm alleged is intangible, the Supreme Court noted in kicking the case back to the Ninth Circuit. And some statutory violations are enough on their face to demonstrate concrete harm. Thus, the Ninth Circuit faced two questions: “(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete rights (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually had, or present a material risk to, such interests.”

The court had “little difficulty” concluding that consumers have a concrete interest in accurate credit reporting about themselves, noting that “given the ubiquity and importance of consumer reports in modern life … the real-world implications of material inaccuracies in those reports seem patent on their face.” Further, “the interests that FCRA protects also resemble other reputational and privacy interests that have long been protected by the law.”

Turning to the second question, the court distinguished between a violation of the statute that did not result in the creation or dissemination of an inaccurate consumer report and a violation like the one at hand, which did result in dissemination of inaccurate information about the plaintiff. The latter category can support standing, if the nature of the inaccurate disclosure is such that it creates a real risk of harm. The Ninth Circuit determined that the inaccuracies at issue — which related to the plaintiff’s age, marital status, educational background, and employment history — are “the type that may be important to employers or others making use of the consumer report” and do not constitute insignificant technical statutory violations. Further, the court held, the injury was not speculative, because it had already occurred. “It is of no consequence how likely Robins is to suffer additional concrete harm” (emphasis in original).

Thus, the Ninth Circuit sent the case back to the district court for trial, paving the way for future FCRA plaintiffs whose standing to sue is called into question.

Tagged with: , , ,
Posted in Litigation, Privacy

CareFirst Data Breach Appeal Holds Three Key Lessons for Cyberattack Litigants

Posted on August 17, 2017 by Matthew Siegel

A recent federal appellate decision suggests that it might be getting easier for cyberattack plaintiffs to establish standing in a manner sufficient to survive a motion to dismiss. According to the U.S. Court of Appeals for the District of Columbia Circuit, people whose personal information was compromised in a cyberattack have standing to sue so long as they allege that a data breach traceable to the target company’s negligence exposed them to a substantial risk of identity theft, and they reasonably spent money to protect themselves in the wake of the attack. The case is Attias v. CareFirst, Inc., decided on August 1, 2017.

In so holding, the Court of Appeals reversed the district court’s dismissal of the action, admonishing the lower court for giving “the complaint an unduly narrow reading.” Both decisions turned on whether the plaintiffs had alleged that their social security or credit card numbers had been stolen. The lower court concluded that the plaintiffs did not demonstrate a sufficiently substantial risk of harm, and therefore lacked standing, because they had “not suggested, let alone demonstrated how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.”

The Court of Appeals took issue with this approach, because it presumed that the plaintiffs did not allege that this information had been stolen. However, the court noted, the complaint alleged that “PII/PHI/Sensitive Information” had been taken, and included in the definition of that term “patient credit card … and social security numbers.” Further, the complaint alleged that identity thieves could use the information accessed in the attack to “open new financial account[s] [and] incur charges in another person’s name.” At the motion dismiss stage, this combination of allegations is sufficient to establish a substantial risk of future harm, the court held.

A distinguishing feature of cyberattack cases, the court noted, is that an unauthorized party has already accessed another person’s information. In this circumstance, “it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill,” the court reasoned.

Having found that the plaintiffs had sufficiently alleged an “injury in fact” to establish standing, the Court of Appeals then addressed the second prong in the standing analysis: whether the injury could be fairly traceable to the alleged conduct of the defendant. CareFirst argued that this prong was not met, because there was no allegation that the attacker was affiliated with the company. But such a direct connection is not required, the Court of Appeals concluded. Rather, the plaintiffs’ allegations that CareFirst’s failure to properly secure their data creates enough of a link to the injury to satisfy the “fairly traceable” standard.

Finally, the court made short work of finding that the plaintiffs had satisfied the final requirement for standing – that the harm they suffered was “likely to be redressed by a favorable judicial decision” – by alleging that they had reasonably spent money to protect themselves against the potential for identity theft. This money could be recovered through an award of money damages, thereby meeting the third prong of the standing analysis.

In conclusion, Attias v. CareFirst carries three main takeaways for cyberattack litigants on the question of standing: (1) some courts will take a broad reading of complaint allegations at the motion to dismiss stage, and may infer from the cyberattack itself an intent harm to the victims; (2) the hacker need not be affiliated with the target company for the plaintiffs’ alleged harm to be traced back to that company; and (3) if the plaintiffs reasonably incurred costs to protect themselves from identity theft in the wake of the attack, they will, at least in some jurisdictions, satisfy prong three of the standing analysis.

Tagged with: , , , , ,
Posted in Cyberattack, Data Breach, Litigation

Will the New General Data Protection Regulations (“GDPR”) Be a Block in the Chain?

Posted on April 27, 2017 by Natalie Cooksammy

Yes, I know that I ooze wit, but seriously, on the 25 May 2018, the new GDPR will come into force, which replaces the current data protection regulations (irrespective of Brexit). The principle at the heart of the GDPR is that personal data can only be gathered under strict conditions for legitimate purposes. More importantly however, among other things, it gives people the “right to be forgotten.” With this in mind, how will the GDPR fit in with the blockchain? After all, isn’t the whole purpose of the blockchain to record the ownership of just about anything, by using a fully trustworthy peer-to-peer payment system, that provides a neutral, permanent, irrefutable, and more importantly, transparent, record of all transactions?  How can a data controller erase personal information on the blockchain?

It seems to me as organisations are forging ahead to be compliant by 2018, this new wide-ranging and challenging obligation needs a practical and universally agreed solution. Otherwise we are going to embark on a era of satellite litigation of what constitutes “reasonable steps” – against a backdrop of ever changing advancements in technology.

The solution may not rest with the lawyers alone (boo) – but a combination of legal drafting and a Blockchain platform which allows transactions/smart contracts to be created off-chain in stake channels, which protects people’s privacy.

We are in a strange new world. Who would have ever envisaged 20 years ago that lawyers (who are renowned technophobes – hence the reason why they became lawyers) and computer scientists (who love having to consider every analytical possibility when designing a code) would become ideal business partners …

Tagged with: , , , ,
Posted in Data Security, Privacy, Regulations

Coca-Cola Dodges Privacy Class Action

Posted on April 12, 2017 by Matthew Siegel, Leigh Ann Benson

Coca-Cola won big last month when it secured summary judgment in a privacy class action brought by a former bottling plant employee concerning compromised personal information. Hon. Joseph Leeson of the Eastern District of Pennsylvania found that Coca-Cola was not under any contractual obligation to protect its employees’ personal information.

The issues arose when an ill-motived former IT employee disposed of old Coca-Cola laptops that were still storing employee information, including addresses, phone numbers and SSNs. The proposed class action was brought on behalf of the 74,000 employees whose information was compromised.

The court rejected plaintiff’s arguments that a handful of company policies, when woven together, impose a contractual duty on Coca-Cola to safeguard information for the benefit of employees. Coca-Cola argued that its detailed security policies create obligations to safeguard Company information to support business operations, but not to shield employees personally. The judge agreed, ruling the relevant policy provisions serve to protect the company, not the employees.

Cited provisions came from Code of Conduct, the Protection Policy and the Acceptable Use Policy, and read, in part: “Computer hardware, software, and data must be safeguarded from damage, theft, fraudulent manipulation, and unauthorized access to and disclosure of Company information.” Another provision stated that “[w]e all have an obligation to safeguard Company assets including exercising care in using Company equipment, vehicles, and bringing to the attention of high management any waste, misuse, destruction, or theft of Company property or illegal activity.”

It is also noteworthy that, despite not being contractually obligated to protect employee information, Coca-Cola was responsible and proactive in response to the incident. Coca-Cola informed employees of the lost laptops and provided one year of free credit monitoring and fraud restoration services. Ironically, plaintiff claimed that Coca-Cola should compensate him for wages lost because of the time required to submit the necessary information to obtain the protection services. The court explicitly rejected this as well.

The case is Enslin v. The Coca-Cola Co., No. 2:14-cv-06476, in the U.S. District Court for the Eastern District of Pennsylvania.

Tagged with: , , , , , ,
Posted in Data Breach, Data Security, Litigation, Privacy

Win for Insurance Industry in Computer Fraud Coverage Ruling

Posted on March 31, 2017 by Matthew Siegel, Leigh Ann Benson

Computers are involved at some point in almost every business transaction—that is the reality of life in the digital age. The implications of that fact are still being worked out with respect to the interpretation of insurance contract computer fraud provisions. This month, a judge in the Northern District of Georgia issued a narrow reading, handing the insurance company an important victory.

InComm is a debit card processing company that allows consumers to purchase credits, referred to as “chits,” which can be loaded onto a debit card. From November 2013 through May 2014, a system vulnerability allowed consumers to redeem a single chit multiple times, thereby receiving more than the value they had purchased. In total, InComm processed more than 25,000 unauthorized redemptions, mistakenly transmitting more than $11 million to various debit card issuers.

Once InComm discovered the losses, it sought coverage from its insurer, Great American Insurance Company (“GAIC”). Citing to the policy’s computer fraud provision, GAIC denied and InComm responded by filing suit for breach of contract and bad faith and seeking a declaration of coverage.

The relevant computer fraud provision stated: “[GAIC] will pay for loss of, and loss from damage to, money, securities, and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.”

In the case of InComm, the company’s redemption program allowed cardholders to conduct debit card activity by dialing in by phone and using either voice or touchtone commands to claim chits. Therefore, the unauthorized transactions at issue (conducted by sophisticated identity theft perpetrators) were accomplished using a phone, not a computer.

In granting summary judgment to GAIC, the court found that the computer fraud provision did not apply because the actual fraud was committed using a phone. The court explained that simply because “a computer was somehow involved in a loss does not establish that the wrongdoer ‘used’ a computer to cause the loss.” Finding to the contrary would “unreasonably expand the scope” of the computer fraud provision, which was intended to limit coverage to computer fraud. Finally, the judge concluded, to accept “lawyerly arguments” that coverage should be expanded to include losses “involving a computer engaged at any point in the causal chain” would “strain the ordinary understanding of computer fraud.”

The case is InComm Holdings Inc. v. Great American Insurance Co., No. 1:15-cv-2671 (N.D. Ga. Mar. 16, 2017).

Tagged with: , ,
Posted in Legislation, Litigation
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs