Strengthening Data Security Through Human Resources and Information Technology Teamwork

Human Resources (“HR”) and information technology (“IT”) departments play unique and important roles within an organization. With instances of data breaches on the rise, however, companies should be mindful of the importance of regular communication and collaboration between employees in these departments with respect to issues of data security. Addressing such issues should not be tasked only to HR employees or IT departments but, rather, employees from both departments should work in collaboration toward creating and maintaining data protection processes.

Among other things, employees in HR and IT departments should work together with respect to creating data security policies and procedures to help ensure they are aligned and effective. In addition to partnering in the formation of data security policies and practices, HR and IT departments should join forces to provide practical training to employees on issues such as avoidance of data breaches brought about by phishing emails, ransomware attacks, or other scams that place data security at risk. Teamwork among HR and IT departments also is important with respect to identifying and responding to potential and actual data breaches, as well as consistently and appropriately addressing data security policy violations with employees whose conduct has or might put the security of a company’s data at risk.

Collaboration between HR and IT professionals builds a more fortified defense against potential data breaches or other data security issues and makes a company better prepared to respond in the event of a breach. Employees in IT departments can provide valuable insight to HR employees, who have varying degrees of knowledge about IT and its many attendant risks. In turn, HR employees can work with IT employees toward implementation and enforcement of policies geared toward best practices in protecting data.

Working alone, HR and IT departments can make strides in furtherance of data protection. But working together hand-in-hand, they can provide an organization with greater protection from the risk of a data breach and place a company on stronger footing with respect to identifying and responding to the risks and consequences of a potential or actual data breach.

Lyft Drivers Allege Uber Spied on them for Competitive Edge

Co-author: Devin Rauchwerger 

A former Lyft driver filed a class action lawsuit in the Northern District of California against Uber, alleging Uber violated the Electronic Communications Privacy Act (“ECPA”), the California Invasion of Privacy Act (“CIPA”), and other common law invasions of privacy and unfair competition. The plaintiff seeks to represent two classes: 1) all individuals in the U.S. who worked as Lyft drivers while not working for Uber whose private information and whereabouts were obtained by Uber’s unlawful access of Lyft computer systems; and 2) a similar California class. The lawsuit estimates the national class at 126,000 individuals or more.

Plaintiff alleges Uber developed a spyware system named “Hell” which permitted Uber to access Lyft computer systems by posing as Lyft customers.  By posing as a customer, Uber could determine the location of up to eight Lyft drivers and obtain their unique Lyft ID.  Once Uber had the particular driver ID, they were able to indefinitely track that particular driver’s location.

The lawsuit further alleges Uber used the information gathered from Lyft drivers to determine how many drivers Lyft had in particular areas, what the average charge was for rides, and which Lyft drivers were also working for Uber.  Uber then offered incentives to the drivers who were using dual platforms to encourage them to only use Uber.

It is also believed another objective of the Hell program was to generate more rides for Uber drivers who were also using the Lyft platform.  Using this method, if there were several Uber drivers in the area when a pickup was requested, Uber’s program would route the person to the Uber driver who also happened to be a Lyft driver, thus ensuring that the driver worked more frequently for Uber.

Uber was already on rocky terms from a privacy perspective even before information about the Hell program was first released in April 2017.  In March of this year, a report came out about a different program called Greyball which Uber initially created to avoid abusive riders.  The report claimed Uber used the Greyball program to avoid government regulators who were attempting to catch Uber drivers in restricted or banned areas.  The Greyball program issued law enforcement members a fake Uber app which prevented them from successfully obtaining rides in the restricted or banned areas.  Use of the program stopped after it was publicly discovered.

While Uber has not officially admitted to the use of the Hell program, they have failed to publicly deny the program’s existence.

We will continue to monitor the developments of this lawsuit, as well as decisions regarding Uber’s other questionable privacy practices. As this incident exemplifies, this area of the law continues to change, but its pace is behind the changes in technology so it is important to consult with privacy counsel before implementing new technologies.

Retailer Successfully Defends Text Messaging TCPA Claim

Earlier this month, the United States Court of Appeals for the Seventh Circuit in Blow v. Bijora upheld a lower court decision rejecting a plaintiff’s claim that she did not consent to receive text messages from the defendant retailer. Plaintiff brought this class action seeking $1.8 billion in damages by alleging that the company’s practice of sending promotional text messages violated the Telephone Consumer Protection Act (“TCPA”) and related state law.

The case involved a Chicago-based retailer, Akira, that engaged a separate company to offer text message marketing services. The text messages informed customers of promotions, discounts, and in-store events. Akira used a variety of methods to collect customers’ cell phone numbers – customers could opt in by providing their cell numbers in the store, by texting to an opt-in number posted in the store, or by filling out an opt-in card.

Plaintiff alleged that Akira violated the TCPA’s prohibition against using an automatic telephone dialing system to make calls without the express consent of the recipient. The court noted that it was undisputed that text messages to a cell phone constitute “calls” within the meaning of the TCPA. The lower court concluded that the system used did not involve an autodialer to send the promotional text messages. Following a detailed analysis of the TCPA and related regulations, the appellate court concluded there were unresolved issues as to whether the system used was in fact a prohibited autodialer. As such, the court concluded that it was premature to grant summary judgment to Akira on the issue of the autodialer.

Nevertheless, the Seventh Circuit granted summary judgment to Akira finding that Plaintiff had in fact consented to receive the text messages. The record demonstrated that she gave her cell phone number to Akira on several different occasions in addition to signing up for a “frequent buyer card” that included her phone number. In addition, upon receipt of her first text message, Plaintiff admitted that she had to confirm agreement by texting “AKIRA” to a short code number and that she received a message instructing that she could end her participation by texting “STOP.” Based on this evidence, the appeals court concluded that Plaintiff had provided express consent to receipt of the text messages.

Although the company prevailed, it is important for companies using this technology to be mindful of the significant regulations that are applicable. Text message (or SMS) promotional marketing is gaining steam as many consumers have migrated to mobile platforms. Any entity that seeks to avail itself of this service must be mindful of the legal and regulatory guidelines that govern text message communications. Similarly, if contracting out these services, companies should ensure that their vendors are compliant with all regulatory requirements.

For further information on the TCPA, click here.

Update: Case Involving Sharing of Passwords May Be Headed to the Supreme Court

Last August, we reported on a Ninth Circuit case in which a former employee was convicted of a crime under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from his former company’s database “without authorization.” The former employee has now asked that the U.S. Supreme Court review the Ninth Circuit’s decision.

The question presented to the high Court is, “Whether a person who obtains an account holder’s permission to access a computer nevertheless ‘accesses a computer without authorization’ in violation of the CFAA when he acts without permission from the computer’s owner.”

According to the petition, the Ninth Circuit decision is at odds with other circuit court opinions that look to the computer owner’s “intentions, expectations, and contractual or agency relationships to determine whether access to a computer is authorized.”

The petition argues that the appellate court’s ruling “exposes a broad range of innocuous, day-to-day activity to criminal prosecution” such as an assistant who logs into an executive’s email account or a spouse who logs on to her husband’s email account. However, as the Ninth Circuit majority stated, “[t]his case is not about password sharing” and noted that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.” The key issue according to the appellate court is whether the access is without authorization. It would seem that an argument comparing a secretary’s access to access by a former employee is hardly compelling. Still, as noted in our earlier post, companies should at a minimum include in their policies and agreements prohibitions on current employees providing their passwords to former employees or even unauthorized current employees.

A full copy of the former employee’s petition can be found here.

We will continue to monitor this case as it develops.

Global Cyberattack Exploits Known Vulnerabilities

As you likely know by now, international cybercriminals launched a worldwide ransomware attack last Friday with the European law enforcement agency Europol reporting over 100,000 affected organizations in 150 countries, including the U.S. Reports indicate that health care providers, universities, and other large companies were all targeted. The Department of Health and Human Services also confirmed evidence of the attack occurring within the U.S. The attack exploited a known vulnerability in the Microsoft operating system, for which a patch is available. The Department of Homeland Security is encouraging all Americans to update their security systems and back up data to prevent possible loss, and is also reminding users not to click on unfamiliar links or open unfamiliar documents in emails.

We echo DHS, and urge all organizations to take steps to help protect against an attack from occurring, while strengthening response preparedness should an attack occur. For regulated entities, this means at a minimum heeding compliance with applicable cybersecurity regulations, including training and creating awareness among all workforce members who can access the organization’s IT systems. For assistance with prevention or preparedness, or if you think you were the victim of a security incident as the result of these recent attacks, or otherwise have had your IT systems compromised, do not hesitate to contact Jackson Lewis’ 24/7 Data Incident Response Team to assist you with the next steps. We are available 24/7 at 844-544-5296 or breach@jacksonlewis.com.

Falling on the heels of President Trump’s Executive Order on cybersecurity, this global attack is sure to increase pressure on implementation of the directives outlined in this order and elevate our nation’s public and private cybersecurity readiness to the fore of political discussion. And with the impending selection of a new FBI director, look for cybersecurity to be a topic of questioning for whoever faces the gauntlet of Senate confirmation for this position. The apparent paralyzing effect of this attack across sectors of critical infrastructure such as telecom, rail, finance and health and human services highlights the need for law enforcement at all levels to be well versed in cyber competency. But it also serves as a reminder that human error, from lax cybersecurity practices to errant email handling, remains one of the top vulnerabilities facing organizations and enterprises today.

Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intending to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned.  In at least one instance – and likely more to follow – client concerns resulted in litigation between firm and client over the adequacy of the firm’s cybersecurity safeguards.

We updated that primer (download here). We also prepared a two-part webinar series to help firms think through their cybersecurity risks. Part One provides an overview of the legal, contractual and ethical risks firms face. Part Two discusses some best practices for navigating client service agreements, breach response and assessments.

The recent global ransomware attack should spur all organizations to think about what they are doing to safeguard their systems and data. Of course, doing something now and leaving those efforts on the shelf is not the right approach. The process of evaluating risks and implementing steps to address those risks is ongoing.

President Trump’s Executive Order on Cybersecurity…

On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.  There could not be better timing with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order is a virtually complete re-cast of the draft Executive Order, with everything but the General Provisions in new format, structure and language.  The core concepts that were included in the prior draft, however, appear to be consistent in the final EO (with the promised tweaks).

The EO is intended to modernize, improve and maintain the infrastructure of federal agency information technology and coordinate the efforts of these agencies, and thereby provide for increased risk management. The heads of federal agencies will

be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.

These measures must be taken in accordance with the NIST cybersecurity standards (or any successor thereto). Risk management reports detailing measures taken to date and action plans for implementing the NIST cybersecurity standards must be provided to the Office of Management and Budget and the Secretary of Homeland Security within 90 days of the EO (or, at light speed for government). Within 60 days of these reports, the Director of OMB and his designated posse must report to the President on whether the agency reports are appropriate and sufficient, together with a plan to implement through policies and additional measures that may be needed (aligned with the NIST cybersecurity standards), as well as budgetary needs.

The EO also covers cybersecurity of critical infrastructure, building upon Executive Order 13636, ordered by President Obama in 2013. Headed by the Secretary of Homeland Security, a designated group of agencies will collaborate to tag measures that could be taken by federal agencies to support the cybersecurity of critical infrastructure in collaboration with identified critical infrastructure entities.  This group must provide a report to the President within 180 days of the EO.  Additionally, an “open and transparent” process will be used to foster collaboration among agencies and other stakeholders to reduce botnet threats.  A cast of agencies is designated to lead this effort, work with the stakeholders, and provide a report which would be publicly available in preliminary format within 240 days after the EO and final within one year of the EO.  (The term “appropriate stakeholders” is defined as “any non-executive branch person or entity that elects to participate in an open and transparent process” as established by the Secretaries of Homeland Security and Commerce.)

The third and final topic covered by the EO addresses cybersecurity for the nation, to address “strategic options for deterring adversaries and better protecting the American people from cyber threats,” a means to address international cybersecurity priorities, and workforce development in the cybersecurity field.   Assigned groups of agencies will submit reports to the President on these matters in 90 days, 90 days and 120 days, respectively.

We will look forward to more on the reports under the EO, as they inform the direction ahead.

Company Awarded Damages After Former Employee Hacks Its Systems and Hijacks Its Website

A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443-MWF (JPRx) (C.D. Cal. May 2, 2017).

The Defendant worked as a patrol officer for a security company. The company noticed that its payroll system indicated that the Defendant was working substantial overtime hours that were inconsistent with his scheduled hours. Upon further investigation, the company learned that the Defendant had accessed the payroll system without authorization from the laptop in his patrol car. When the company confronted him, the Defendant claimed a competitor had hacked the payroll system as a means to pay him to keep quiet about his discovery that the competitor had taken confidential information from the company. A few months later, shortly after the Defendant left the company, the company’s computer system was hacked and its website was hijacked. The company later filed suit against the Defendant alleging he was responsible for the hack and the hijacking.

Following a bench trial, the court concluded the Defendant had used an administrative password the company had not given him to inflate his hours in its payroll system. The court also found the Defendant hijacked the company’s website and posted an unflattering image of the company’s owner on the website. In addition, the court found the Defendant engaged in a conspiracy to steal confidential files from the company’s computer system by accessing it remotely without authorization and destroyed some of the company’s computer files and servers.

The court concluded that the aim of the conspiracy in which the Defendant was engaged was twofold: first, to damage his former employer in an effort to reduce its competitive advantage; and second, to obtain access to those files that gave his former employer its business advantage, and use them to solicit its clients on behalf of a company he started. The court also found that by accessing the company’s protected network to artificially inflate his hours and by participating in the conspiracy to hack the company’s systems, the Defendant was liable for violations of the Computer Fraud and Abuse Act, the Stored Communications Act, the California Computer Data Access and Fraud Act, and the California Uniform Trade Secrets Act.

As a result of Defendant’s misconduct, the court awarded the company $318,661.70 in actual damages, including damages for the inflated wages the company paid the Defendant, the cost of consultant services to repair the damage from the hack, increased payroll costs for time spent by employees rebuilding records and databases destroyed in the hack, the resale value of the company’s proprietary files, and lost profits caused by the hack. The court declined to award punitive damages under the California Uniform Trade Secrets Act, but left open the possibility that the Plaintiff may recover its attorneys’ fees at a later date.

Take Away

Companies are reminded that malicious insiders, in particular disgruntled former employees, have access to areas of the system that external hackers generally cannot easily reach, and their misconduct often results in the most costly data breaches.

Steps should be taken to mitigate insider threats including:

  • Limiting remote access to company systems
  • Increased monitoring of company systems following a negative workplace event such as the departure of a disgruntled employee
  • Changing passwords and deactivating accounts during the termination process

BTI Names Jackson Lewis one of the Top Cybersecurity Firms

The BTI Law Firms Best at Cybersecurity 2017, a report issued by the BTI Consulting Group (pdf), lists Jackson Lewis as one of the country’s top law firms for cybersecurity and data privacy. The report was compiled “based solely on in-depth telephone interviews with leading legal decision makers,” representing more than 15 different industry segments in organizations with $1 billion or more in annual revenues. Our cybersecurity team is grateful for the recognition from our clients.

Cybersecurity and privacy issues are among the most challenging for virtually all of our clients. Today, organizations contend with vast amounts of data, an expanding, multi-layered regulatory environment, technology that evolves at a blistering pace, and sophisticated cybercriminals who can wreak havoc from thousands of miles away. Our Privacy, e-Communication and Data Security Group is committed to helping our clients navigate these cybersecurity challenges through a variety of services, such as:

  • workthruIT™. Our online applications provide helpful resources including a data breach readiness assessment, a data security assessment and a comprehensive survey of the country’s data breach notification laws. And, there are more cybersecurity and privacy apps coming. Learn more about workthruIT™ here.
  • Data Incident Response Team. A tidal wave of ransomware attacks, spearphishing scams and other forms of data breach have victimized thousands of organizations. Having handled more than 500 data incidents, and as part of our commitment to client service, we announced recently a 24/7 Data Incident Response Team to be available on a moment’s notice in the event of a security incident. Learn more about our Data Incident Response Team here.
  • Prevention and Compliance: Assessments, Policies and Training. Of course it is better to avoid a breach than to experience one. So, our team works with clients to assist them with conducting risk assessments, developing policies and procedures, and training their workforce. We strive to understand our clients’ industries because not only are there likely to be different legal requirements, the customary practices and expectations in each industry also differ.
  • Vendor Selection and Management. A cybersecurity program is only as strong as its weakest link and that link could be an organization’s third party service provider. We help organizations assess their vendors’ cybersecurity capabilities, as well as negotiate and draft cybersecurity agreements including business associate agreements to help our clients minimize the risks their vendors present.
  • Government Inquiries and Litigation. We represent our clients before federal and state agencies as well as in litigation to respond to claims, inquiries, investigations and compliance reviews involving cybersecurity and privacy.

Cybersecurity and privacy are necessary considerations for doing business today, and we are excited to partner with our clients to help them safely and efficiently maximize the opportunities that information and technology present. Artificial intelligence, internet of things, and “Big Data” present even greater opportunities ahead, with an even greater need to supply adequate time, resources and effort toward cybersecurity and privacy.

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.” According to the resolution agreement, OCR apparently learned of the missing BAA while investigating CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI. Responsible for enforcing the privacy and security rules under HIPAA, OCR then commenced a compliance review of CCDH. It reported finding that neither CCDH nor FileFax could produce a signed BAA applicable to periods that CCDH had shared PHI with FileFax.  Without an admission of liability, CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes to HIPAA, including to the rules concerning “business associates.” Among those changes were updates to BAAs that the HIPAA rules require covered entities to maintain with their business associates. A covered entity’s business associates include third-party service providers, such as: claims administrators, accounting firms, law firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are directly subject to many of the HIPAA privacy and security requirements, BAAs remain necessary for compliance. A starting point for BAA compliance is the set of sample provisions posted by the OCR. However, there are other issues that parties to a BAA will want to address, such as: specificity concerning the safeguards that should be in place, data breach coordination and response, indemnity, cybersecurity insurance, and agency status. More information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not the only rules that require written assurances from third-party service providers concerning security of personal information. A number of state laws (e.g., California, Massachusetts, Maryland, New Mexico, New York, Oregon) require businesses to have contracts with third-party service providers to safeguard personal information. Of course, even in the absence of a federal or state law, taking steps to ensure vendors secure the confidential information they are provided, such as through a detailed data security agreement, is a prudent practice.
