New York State Proposes Cybersecurity Regulation Impacting Banks, Insurance Companies & Other Financial Services Institutions

New York Governor Andrew M. Cuomo announced yesterday a new proposed regulation to address the growing threat posed by cyber-attacks. According to the State’s press release, the proposed regulation, which is subject to a 45-day notice and public comment period before final issuance, “aims to protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” In the past 18 months, several other states – including Connecticut, Nevada, and Washington – have also taken legislative action to promote greater protection against cyber-threats.

Once in place, New York’s regulation will require regulated organizations – specifically banks, insurance companies, and other financial services institutions regulated by the State’s Department of Financial Services – to: (1) establish a cybersecurity program; (2) adopt a written cybersecurity policy; (3) designate a Chief Information Security Officer; and (4) implement policies and procedures designed to ensure the security of information systems. The Department of Financial Services has published guidance fleshing out each of the foregoing requirements.

In the wake of Gov. Cuomo’s announcement, banks, insurance companies, and subject financial services institutions that do business in New York should carefully review their current programs, policies, and procedures to evaluate what action, if any, they will need to take to comply with the new obligations contemplated by the State’s proposed regulation.


3 Essential Steps For Responding To Ransomware Attacks

Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services (“HHS”) in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of 1,000 attacks per day last year.

What Is Ransomware?

Ransomware is a type of malware that denies the affected user access to his or her data, typically by encrypting it. Once the user’s data is encrypted, the hacker who launched the ransomware attack notifies him or her that, in order to obtain a key to decrypt the data, he or she must pay a ransom, often in a cryptocurrency such as Bitcoin.  Hackers sometimes impersonate government entities – like the IRS or FBI – in their ransom notes.


Can I Just Pay The Ransom And Move On?

While it may be tempting to do so, there are serious risks to this approach. Even if the ransom demanded by a ransomware hacker is not prohibitively expensive, an organization victimized by an attack must bear in mind that simply paying off the hacker is unlikely to make its problems go away.

As an initial matter, there is no guarantee that, upon receipt of the ransom payment, the hacker will provide a fully functional key that enables your organization to regain access to its data. Moreover, your organization must evaluate whether the ransomware attack triggered legal obligations under federal or state privacy laws, or other regulatory or contractual requirements.

What Are My Legal Obligations In The Event Of A Ransomware Attack?

Determining your organization’s legal obligations in responding to a ransomware attack requires a fact-specific inquiry. For organizations subject to HIPAA, for example, HHS’s guidance indicates that a ransomware attack is presumed to be a breach triggering HIPAA obligations unless the affected organization can demonstrate that there is a low probability that protected health information (“PHI”) has been compromised. This low-probability analysis, HHS instructs, should include consideration of the following four factors, among others: (1) the nature of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.


Organizations that are not subject to HIPAA must also assess their legal obligations in the wake of a ransomware attack, such as those imposed by the Gramm-Leach-Bliley Act or under state law. Under the data breach laws of certain states – such as New Jersey, Connecticut, Florida, Kansas, and Louisiana – unauthorized access to personal information constitutes a breach, even absent evidence that the personal information accessed was actually acquired.  Organizations whose affected employees or consumers work or reside in these states thus face increased risk that a ransomware incident will trigger breach notification obligations.

Additionally, during some ransomware attacks, hackers do not simply block the user’s access to its data, but also exfiltrate that data to external locations, and/or destroy or alter it. Accordingly, organizations subject to the data breach laws of any state may be required to take certain actions in the event of a ransomware incident.

What Should I Do After I Discover A Ransomware Attack?

If you believe your organization has been victimized by a ransomware attack, you should proceed as follows, carefully documenting each of the steps laid out below:

ONE: Notify your cyber liability insurer. This step is essential not only to ensure applicable coverage, but also because your insurance contact will likely be able to provide valuable early-stage guidance, such as on retention of qualified data security professionals to investigate the ransomware incident, and implementation of appropriate measures to mitigate existing and future risk.

TWO: Investigate the incident. Your internal or outside data security professionals should immediately launch (and document) an investigation of the incident. This investigation should include, at minimum, analysis of:

  • When the incident occurred.
  • The methods the hackers used to carry out the attack.
  • Which of your systems were affected.
  • The nature of the data affected – e.g., was PHI or personal information accessed or acquired. (Most state breach notification laws define personal information as the affected individual’s full name, or first initial and last name, in combination with any of the following data elements: (i) social security number; (ii) government identification card number; or (iii) account number or credit / debit card number with any required security code, access code, or password.)
  • The states in which the individuals whose data was affected work or reside.
  • Whether there is evidence that the affected data was exfiltrated to the attacker’s servers, or elsewhere.
  • Whether the attack is completed or ongoing; and, if the latter, whether additional systems have been compromised.
  • What mitigation measures were and are in place. For example:
    • Were the affected files encrypted and, if so, is there evidence that the hackers successfully decrypted those files?
    • What data backup, disaster recovery, and/or data restoration plans did you have in place?
    • What post-discovery steps did you take to prevent continued or future acquisition, access, use, or disclosure of the compromised data?

THREE: Consult legal counsel. As discussed above, ransomware attacks may trigger obligations under federal and state privacy laws, such as HIPAA, the Gramm-Leach-Bliley Act, and state breach notification laws. They may also require an affected organization to comply with other regulatory and contractual requirements, and to communicate with government agencies like the FBI, U.S. Secret Service, or state attorneys general offices. Consulting an experienced attorney upon discovery of a ransomware attack will ensure that your organization complies with applicable legal requirements, thereby controlling the costs inflicted by the attack to the fullest extent possible.

No Harm, No Foul (And No Class Action Lawsuit): TCPA Class Action Dismissed For Failure to Allege Harm

Earlier this month, United States District Court Judge Peter Sheridan dismissed a class action brought against Work Out World (“WOW”) under the Telephone Consumer Protection Act (TCPA).  In doing so, Judge Sheridan relied on the recent decision by the United States Supreme Court in Spokeo, Inc. v. Robins.

The named plaintiff, Norreen Susinno, filed a class action complaint against WOW alleging WOW negligently, knowingly and/or willfully contacted the plaintiffs on their cellular telephones in violation of the TCPA and thereby invaded their privacy.  Ms. Susinno sought to certify a nationwide class of all persons who, in the preceding four years, had received telephone calls from WOW which were made with the use of an automatic telephone dialing system and/or used an artificial or prerecorded voice.

On June 10, 2016, WOW filed a motion to dismiss the complaint. Following a hearing on the motion to dismiss, Judge Sheridan granted WOW’s motion and dismissed the matter with prejudice.

Although Ms. Susinno filed an appeal of the district court’s decision, the decision may be very helpful to companies that are looking for various arguments to dispose of and otherwise defend against class claims, particularly where the alleged harm at issue is negligible, to the extent there is any harm at all.

For additional insight regarding this case, please see our related post on our Employment Class and Collective Action Update.

Sharing of Passwords Under Certain Circumstances Unlawful

Many companies have experienced the departure of an employee and the elimination of that former employee’s access to the company’s computers and networks. In the recent case of USA v. Nosal, D.C. No. 3:08-cr-00237-EMC-1 (July 5, 2016), the Ninth Circuit Court of Appeals was presented with the following facts: Nosal, a former employee of Korn/Ferry, departed and launched a competing entity. When Nosal left the company, the company revoked his computer access credentials. After his departure, Nosal was nevertheless able to continue accessing the company’s confidential and proprietary information when his former secretary provided Nosal with her database access credentials. In Nosal, the question for the court was whether the jury properly convicted David Nosal of the crime of conspiracy under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from the company’s database “without authorization.” The Court, in a 2-1 decision, held that Nosal did indeed violate the criminal provisions of the CFAA even though he did not himself access and download the information.

The CFAA prohibits access to a computer or computer system by persons who either exceed their authorized access or are not authorized users at all. 18 U.S.C. § 1030. The applicable section of the CFAA addressed in the Nosal case provides that:

Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished . . . .

The prosecution successfully argued that after Nosal left the company, he lacked any rights to use the company’s network.  Because he lacked rights to access the network, the use of the secretary’s login credentials violated the CFAA’s ban on access “without authorization.” The court found that Nosal violated the CFAA because he “knowingly and with intent to defraud blatantly circumvented the affirmative revocation of his computer access.  This access falls squarely within the CFAA’s prohibition on access ‘without authorization’ and thus we affirm Nosal’s conviction for violations of . . . the CFAA.”

But, what about the fact that a person who did have authorization – Nosal’s secretary – granted Nosal permission to access the database?  On this point, the court stated that access:

‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

The court further stated that an “employee could willy nilly give out passwords to anyone outside the company – former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”

As a result of this decision, some privacy groups have expressed concern that the court’s ruling could make it easier to prosecute people for ordinary password sharing, such as when a husband logs into his wife’s Facebook account with her credentials and permission, or to print a boarding pass.

However, the majority addressed this concern head on, stating that “hypotheticals about the dire consequences of criminalizing password sharing. . . miss the mark in this case. This case is not about password sharing,” and noted that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.”

While this decision involved a criminal prosecution, with which most companies would not be involved, it is still worthy of consideration for employers. Many employers have some form of agreement in place that would make accessing the company’s database after termination a violation. In light of Nosal, it would be prudent for a company to also include in its policies and agreements what is seemingly obvious: a prohibition on current employees providing their passwords to former employees. At least with this statement in writing, the company will have (1) a basis upon which to take appropriate disciplinary action – including termination – against the current employee who provided their password to a former employee, and (2) the ability to commence a civil legal action against the former employee under the CFAA.

Smaller HIPAA Breaches To Get More Attention by Office for Civil Rights

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office for Civil Rights’ (OCR) focus has been on the 500-and-over bucket. But no more. The agency announced yesterday that, beginning this month, it will more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.

OCR investigates all reported breaches involving the PHI of 500 or more individuals. However, it has not ignored smaller breaches. For example, following an investigation concerning a breach affecting 441 individuals in 2013, OCR reached a settlement with the covered entity for $50,000. The plan to look at more of the smaller breaches makes some sense from an enforcement perspective, as the extent of an entity’s noncompliance does not necessarily correlate with the number of individuals affected by a breach. For example, it would seem more likely that a covered entity that suffered five breaches during a year, each affecting 200 individuals, would have more significant gaps in its HIPAA compliance than an organization with one breach during the year affecting 1,000 individuals.

OCR is not saying it will be investigating all smaller breaches. As noted above, Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, and it will apply that discretion considering the following factors:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

This is just one more reason covered entities and business associates need to achieve and maintain compliance with the HIPAA privacy and security rules. Now small breaches are more likely to lead to an OCR investigation that could find substantial and systemic compliance violations. In a year when millions of dollars in penalties and settlements have been paid to OCR, it is clear that HIPAA enforcement is on the rise.

EU-U.S. Privacy Shield Q&A

Last month, the European Union and U.S. officials announced final approval of the EU-U.S. Privacy Shield (Privacy Shield), replacing the Safe Harbor, which was invalidated by the Court of Justice of the European Union in October 2015. Like its predecessor, the Privacy Shield will allow organizations based in the United States to self-certify compliance with the Privacy Shield’s requirements, thereby permitting personal data of EU data subjects to be transferred to the U.S., but with an enhanced enforcement regime, among other things.

In conjunction with our International Employment Practice Group, we have prepared a comprehensive EU-U.S. Privacy Shield Q&A.  Our EU-U.S. Privacy Shield Q&A will provide you with key features about the Privacy Shield to assist you in determining if this is the proper mechanism to use when transferring data outside of the EU to the U.S., as well as information to help you comply with the Privacy Shield’s requirements.


Pokémon GO – Next Stop: Regulation & Litigation

As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6.  Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded app ever in its first week of availability.

When the game was first offered, users were required to grant permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google account – including email, calendars, photos, stored documents and any other data associated with the login. The game’s creator, Niantic, responded to a public outcry – including a letter from Minnesota Senator Al Franken – stating that the expansive permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information. The company has since issued a fix that limits its access to users’ basic Google account profile information only.

As is often the case, remarkable success naturally attracts critics who take aim. In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the Federal Trade Commission (FTC) requesting government oversight on Niantic’s data collection practices. EPIC is a non-profit public interest research center in Washington, D.C., focusing public attention on privacy and civil liberties issues.

Niantic’s Privacy Policy

EPIC’s letter highlighted a number of alleged issues with Niantic’s privacy policy:

  1. Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.
  2. Niantic collects users’ precise location information through “cell/mobile tower triangulation, wifi triangulation, and/or GPS.” The Company’s Privacy Policy states Niantic will “store” location information and “some of that location information, along with your … user name, may be shared through the App.” The Privacy Policy does not indicate any limitations on how long Niantic will retain location data or explain how indefinite retention of location data is necessary to the functionality of the Pokémon GO app.
  3. With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.
  4. The Pokémon GO Privacy Policy grants Niantic wide latitude to disclose user data to “third-party service providers,” “third parties,” and “to government or law enforcement officials or private parties as [Niantic], in [its] sole discretion, believe necessary or appropriate.” Niantic also deems user data, including personally identifiable information, to be a “business asset” that it can transfer to a third party in the event the company is sold. This issue has been identified as a particular concern to another non-profit organization – Common Sense Media, an independent non-profit organization focusing on children and technology. According to Common Sense Media, location information and history of children should not be considered a “business asset.”

EPIC’s Request to the FTC

Based on the issues highlighted above, EPIC requested that the FTC use its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar apps that fail to conform to the FTC’s Fair Information Practices and the principles set forth in the White House’s 2012 report, “Consumer Data Privacy In A Networked World.”

According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data violate 15 U.S.C. § 45(n) because they are “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

EPIC also contends that the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.

Private Lawsuit Filed Against Niantic

Subsequently, a Pokémon GO user filed suit in Florida state court alleging that the terms of service and privacy policy are deceptive and unfair, in violation of the Florida Deceptive and Unfair Trade Practices Act. Beckman v. Niantic Inc., case number 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.

Practice Pointer

The issue of consumer privacy continues to garner significant attention. Whether you are an app developer or any other company that collects and retains personal information, it is time to review your applicable policies and take appropriate steps to ensure that your company is not the subject of government agency inquiry, litigation, or a data breach.

For employers whose employees may be bumping into each other in the hallway while playing the game, consideration should be given to banning or otherwise regulating employee involvement. Certainly a drop in productivity is a concern. However, even if accessing the game during work time is barred, employers should be concerned about the potential compromise of proprietary and confidential information that could occur as the result of data breaches or through counterfeit games that are designed to allow hackers access to your protected information.

HIPAA and $15 Million in 2016

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but only after a period of “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months of 2016, OCR has announced nearly $15,000,000 in settlement payments to the agency relating to a wide range of compliance failures alleged against covered entities and business associates. At the same time, OCR is conducting audits of covered entities around the country, and plans similar audits of business associates later this year. If you have been waiting to tackle HIPAA compliance, it is probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements and civil monetary penalties:

  • Stolen laptop, vulnerable wireless access. Following notification to OCR of a breach involving a stolen laptop (not an uncommon occurrence!), OCR investigated and reported discovering that electronic protected health information (ePHI) on the covered entity’s network drive was vulnerable to unauthorized access via its wireless network – users could access 67,000 files after entering a generic username and password. OCR also cited, among other things, failures to implement policies and procedures to prevent, detect, contain, and correct security violations, and to implement certain physical safeguards. Settlement $2.75M.
  • Vulnerabilities identified must be timely addressed. In another case, a covered entity had conducted a number of risk analyses since 2003, but OCR claimed these analyses did not cover all ePHI at the entity. OCR also reported that the covered entity did not act in a timely manner to implement measures to address documented risks and vulnerabilities, nor did it implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure, despite having identified this lack of encryption as a risk. Settlement $2.7M.
  • Not-for-profits serving underserved communities not immune. A data breach affecting just over 400 persons, caused by the theft of a company-issued iPhone, triggered an OCR investigation. The iPhone was unencrypted and not password protected, and contained extensive ePHI including SSNs, medical diagnoses, and names of family members and legal guardians. According to OCR, among other things, the covered entity had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. In its public announcement, OCR acknowledged that the $650,000 settlement was reached after considering that the covered entity provides unique and much-needed services to elderly and developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
  • No business associate agreement. When a covered entity’s business associate experienced a breach affecting over 17,000 patients, OCR again investigated. It claimed no business associate agreement was in place, leaving PHI without safeguards and vulnerable to misuse or improper disclosure. Settlement $750,000.
  • Civil monetary penalties against home care provider. In only the second time OCR has sought civil penalties under HIPAA, a judge awarded $239,800 in penalties due to privacy and security compliance failures. In this case, a patient complaint led to an OCR investigation – the patient complained that an employee of the covered entity left PHI in places where unauthorized persons had access and in some cases abandoned the information altogether. Other compliance issues included the covered entity’s maintaining inadequate policies and procedures to safeguard PHI taken offsite, and storing PHI in employee vehicles for extended periods of time.

It is true that these are only a handful of cases with large settlement amounts. But the agency does seem to be sending a message – that is, it wants to see compliance and it is not afraid to seek significant settlement amounts from covered entities or business associates, large or small. In some cases, relatively simple steps, such as making sure to have business associate agreements in place, can help avoid these kinds of enforcement actions.

The Privacy Shield Is Finally Here

Earlier today the European Union and U.S. officials announced the final approval of the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”).  Beginning August 1, 2016, organizations based in the U.S. will be able to self-certify their compliance with the Privacy Shield.

The Privacy Shield is meant to replace the EU-U.S. Safe Harbor agreement, which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. Post-Schrems, U.S. companies have been unclear about how to transfer data out of the EU in a compliant manner. The final approval of the Privacy Shield should provide some measure of comfort to the 4,400 U.S. companies that previously relied on the Safe Harbor agreement.

Today’s announcement was not unexpected as the EU and U.S. had previously agreed on changes to address many of the concerns expressed with the original draft of the Privacy Shield.  Following the announcement, the European Commission also made public the final amended text of the agreement, as well as annexes and a fact sheet on the Privacy Shield.

The European Commission’s decision takes immediate effect, but companies will be given until August 1 to review the Privacy Shield to enable a “smooth transition” according to the U.S. Secretary of Commerce, Penny Pritzker.

Colorado Law Grants Employees Right to Access Personnel Files

Beginning January 1, 2017, employees in Colorado will have a right to inspect and copy their personnel files. Prior to this law, Colorado had no law granting private-sector employees access to their personnel records.

Under the new law, upon a current employee’s request, an employer must allow that employee to inspect and obtain a copy of any part of the employee’s personnel file at least once annually. A former employee, however, may make only one inspection of his or her personnel file after termination of employment. The new law also permits an employer to restrict an employee’s review of his or her personnel file to review in the presence of an individual designated by the employer, and the employer may require the employee or former employee to pay the reasonable cost of duplicating documents.

The new law does not require employers to create, maintain, or retain a personnel file on an employee or former employee nor does it require an employer to retain for a specific period of time documents that are or were contained in an employee’s personnel file.  Importantly, the law also does not create a private right of action for employees alleging violations of the law.

For additional details regarding this new law, please see the related article authored by our colleagues in Denver.
