Study Finds Companies May Do Too Much For Data Breach Victims

A recent study at the University of Arkansas suggests that organizations should avoid doing too much for individuals affected by a data breach. That is, when organizations provide compensation to breach victims that exceeds the victims’ expectations it could backfire. Those victims may become suspicious, thinking the organization has something to hide, which could have an adverse impact on the victims’ willingness to continue doing business with the organization.

If you have gone through a data breach, then you know the anxiety organizations experience throughout the process. Among other things, they have to quickly secure their information systems, investigate how the incident happened, and coordinate with law enforcement and other agencies. But perhaps the biggest concern is what to do for the individuals affected by the breach beyond providing breach notification.

Except for California and Connecticut which require credit monitoring and related services be provided following breaches involving certain personal information, most state data breach notification statutes only require that affected persons be given notice of the breach. Yet, when considering their breach response, many organizations think about what to do for affected persons regardless of state law requirements. In many cases, companies wind up offering credit monitoring and related remediation services, but some companies also will provide compensation of some kind.

The study found, however, that when compensation (e.g., gifts, discounts, free memberships, etc.) exceeds what the affected persons expected would be provided, those persons are more likely to become suspicious, rather than appreciative. If affected persons are suspicious they may not only be less likely to associate with the organization or continue to buy its products or services, they may be more likely to inquire more deeply about the incident or take legal action.

When considering breach response strategies, therefore, organizations should think more carefully about the kinds of benefits or compensation to offer to persons affected by the breach. We have emphasized here many times the importance of developing a breach response plan and practicing that plan. That process should include thinking through different remediation strategies, including what, if any, credit monitoring services or compensation the organization would be prepared to offer in the event of a breach. A rash decision to provide robust compensation to affected persons, made in the heat of an actual breach, could be the wrong one, according to the study.

FTC Joins Other Agencies In Warning Organizations About Ransomware

Earlier this month, the Federal Trade Commission (FTC) blogged about How to defend against ransomware, and published Ransomware – A Closer Look in the “Tips and Advice” section of its website. This follows warnings from other federal agencies and law enforcement concerning this serious online threat to organizations, such as Dept. of Health and Human Services and the Federal Bureau of Investigation. The FTC’s guidance also follows a ransomware attack on a union pension plan and came at the same time as recommendations to the Department of Labor concerning cybersecurity. Organizations in all industries are exposed to this threat, particularly organizations that need data all the time to function, such as healthcare providers, professional service providers (e.g., legal and accounting services), financial service providers and others. From an FTC perspective, failing to take appropriate steps to prevent and address ransomware attacks could violate Section 5 of the FTC Act.

What is “ransomware” and how can we be attacked?

Ransomware is a type of malware that denies the affected organization access to its data, typically by encrypting it. Once the data is encrypted, the hacker who launched the ransomware attack notifies the organization that, in order to obtain a key to decrypt the data, it must pay a ransom, often in a cryptocurrency, such as Bitcoin.

According to the FTC’s article, most ransomware arrives through email phishing attacks that are carried out when someone at the organization clicks on a link or downloads a malicious attachment, allowing the malware to infect the system or device. Ransomware also can get on to an organization’s computer if a user visits a malicious or compromised website.

How can a ransomware attack affect our business?

Some of the effects will be obvious and others not so much. Ransomware locks your data while bad actors look to extract money from you in order to regain access. Such an attack can disrupt services to your customers and be costly to remediate. However, the attack also may have resulted in a breach of the security of your system triggering notification obligations to individuals whose personal information was accessed or acquired, or to your business partners for whom you maintain confidential information. If the malware is not competently and completely remediated, it can spread to other systems and equipment causing future attacks.

What should we be doing?

Prepare. Prepare. Prepare.

Confirm you have the right team. A key component of your team will be either your internal IT department or a third party vendor that provides IT services. However, these professionals are not always well versed in data security or the latest techniques used by the bad guys to access your systems. The IT department/third party may be saying “We got this.” But, while it is OK to trust, you should verify. And, if you are not sure, get help.

Secure your systems.  With the right team in place, there are a number of steps that should be taken to stop an attack before it happens:

  • Conduct a risk assessment and penetration test to understand your potential for exposure to malware. This includes understanding the websites visited by users on your systems and their other activities online.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, email authentication, regular updates to virus and malware protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.

Make your workforce aware of the risks and steps they need to take in case of an attack. In many cases, users of an organization’s systems are unaware of these kinds of attacks and how they can occur. Education can be critical prevention tool:

  • Help users recognize phishing attacks and dangerous sits – don’t just say it, show them and do it regularly. It may help if you also explain that they can be victims too.
  • Instruct them on what to do immediately if they believe there may be an attack. This might include notifying the IT department, disconnecting their computer from the organization’s network, and other measures.
  • Also instruct them on what not to do. For example, deleting system files may make it more difficult if not impossible later on to forensically determine the source of the problem and what happened.

Maintain backups. The FTC advises, back up your data early and often, and keep backup files disconnected from your network. Organizations that can rely on backups to be up and running quickly without being forced to cooperate with (or pay) the ransomware attacker, are in a much better position to remediate the attack.

Develop and practice a “Ransomware Game Plan.”  Organizations should already have incident response plans that address a number of issues, including breaches of personal information. Some of the key components in such a plan may include the following:

  • Identify the internal team (e.g., CIO/CISO, General Counsel, CFO) and the allocation of responsibilities.
  • Identify the external team (e.g., insurance carrier, outside counsel, forensic investigator, public relations) and involve them in your planning processes before an attack happens.
  • Outline steps for business continuity during the attack, including use of backup files and new equipment, safeguarding systems, and communication to customers, employees and business partners, as necessary.
  • Strategy for involvement of law enforcement and other agencies as applicable, such as the FBI, Internal Revenue Service, or Office for Civil Rights. This includes making contacts before an attack, which may help expedite access to assistance in the event of an attack.
  • Assessment of and compliance with legal and contractual obligations, including notification obligations based on the nature and extent of the access to information.
  • Process for (i) practicing the plan with internal and external teams, and (ii) reviewing and updating the game plan, including after an incident to improve performance

Ransomware and similar forms of attacks on information systems are not going away. Organizations need to be prepared.

Pension Plan Suffers Cybersecurity Attack, ERISA Advisory Council Offers Cybersecurity Recommendations to DOL

Image resultIt has been reported that infamous bank robber, Slick Willie Sutton, once said, “I rob banks because that’s where the money is.” Data thieves, understandably, have a similar strategy – go where the data is. The retail industry knows this as it has been a popular target for payment card data. The healthcare and certain other industries do as well considering ransomware attacks have increased four-fold since 2015. But the retirement plan industry must also see that it too is a significant target – that’s where a lot of data is!

PR Newswire reported yesterday that the UFCW Local 655 Food Employers Joint Pension Plan is notifying participants that it suffered a ransomware attack. In general, a “ransomware” attack occurs when a hacker takes control of the victim’s information systems and encrypts its data, preventing the owner from accessing it unless the victim pays a sum of money, usually in the form of bitcoins. The data at risk in the UFCW Local 655 case included individuals’ names, dates of birth, Social Security numbers, and bank account information. Every retirement plan, including pension and 401(k) plans, maintains this and other data about current and former participating employees, and their surviving spouses and designated beneficiaries, as applicable.

The question is whether plan sponsors and third party service providers are doing enough to safeguard the treasure troves of data they maintain.

On November 10, the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The Council noted that it is not seeking to be prescriptive, nor is it providing an opinion on fiduciary duties concerning protection of data. However, it is hoping its considerations will be publicized and “provide information to the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing those risks.”

According to the Council, there are four major areas for effective practices and policies:

  • Data management.
  • Technology management.
  • Service provider management.
  • People issues.

This is a good list to work from. Consider, for example, the wide range of service providers that perform various services to retirement plans – record keepers, auditors, law firms, accountants, actuaries, investment managers, brokers, etc. These organizations access, use, maintain, and disclose vast amounts of personal information in the course of servicing their retirement plan customers. Do these organizations have sufficient safeguards in place? Do you know if they do? What does the services agreement say?

Obviously, services providers are not the only source of risk to retirement plan data. As the Council points out, there are other considerations for plans concerning cybersecurity, such as:

  • Know your data and assess your risk (how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
  • Think of how you could and should protect it (e.g., applicable federal and state laws, NIST, HITRUST, SAFETY Act, and industry-based initiatives).
  • Protect it with appropriate policies and procedures and an overall strategy taking into account available resources, cost, size, complexity, risk tolerance, insurance, etc.

In most discussions about data security and employee benefit plans, HIPAA tends to loom large. While important, with respect to employee benefit plans, the HIPAA privacy and security regulations only reach health plans, not retirement plans. But, as noted above, data thieves want to go where the data is, and that includes retirement plans.

California Amends Its Data Breach Notification Law…Again

Under this most recent change to California’s breach notification laws (California Civil Code sections 1798.29 and 1798.82), which takes effect January 1, 2017, businesses and agencies subject to the laws can no longer assume that notification is not required when the personal information involved in the breach is encrypted.

Under current California law, notification of a breach is required when a California resident’s personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and that personal information was unencrypted. Thus, before the change made by AB 2828, if an unauthorized person acquires encrypted personal information of California residents, notification is not required.

Beginning in 2017, notification will be required for breaches of encrypted personal information of California residents under the following conditions:

  • encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,
  • the encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and
  • there is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

You should also remember there was a change to these laws that became effective in 2016 which addressed encryption. On October 6, 2015, California Governor Jerry Brown signed three laws which substantially altered and expanded the state’s security breach notification requirements. Among those changes, Assembly Bill 964 added a definition for encryption:

rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.

This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology. For more information on encryption technologies, click here. But, with the more recent change, a breach involving personal information protected under a standard meeting the definition above still may trigger the statute’s notification requirements if the encryption key or security credentials also are involved and there is a reasonable belief that as a result the personal information will be readable or useable.

President Donald J. Trump – What Lies Ahead for Privacy, Cybersecurity, e-Communication?

Following a brutal campaign – one laced with Wikileaks’ email dumps, confidential Clinton emails left unprotected, flurries of Twitter and other social media activity – it will be interesting to see how a Trump Administration will address the serious issues of privacy, cybersecurity and electronic communications, including in social media.

Mr. Trump had not been too specific with many of his positions while campaigning, so it is difficult to have a sense of where his administration might focus. But, one place to look is his campaign website where the now President-elect outlined a vision, summarized as follows:

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities by individuals from the military, law enforcement, and the private sector, the “Cyber Review Team.”
  • The Cyber Review Team will provide specific recommendations for safeguarding with the best defense technologies tailored to the likely threats.
  • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees.
  • Instruct the U.S. Department of Justice to coordinate responses to cyber threats.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

There is nothing new here as these positions appear generally to continue the work of prior administrations in the area of cybersecurity. Perhaps insight into President-elect Trump’s direction in these areas will be influenced by his campaign experiences.

Should we expect a tightening of cybersecurity requirements through new statutes and regulations?

Mr. Trump has expressed a desire to reduce regulation, not increase it. However, political party hackings and unfavorable email dumps from Wikileaks, coupled with continued data breaches affecting private and public sector entities, may prompt his administration and Congress to do more. Politics aside, cybersecurity clearly is a top national security threat, and it is having a significant impact on private sector risk management strategies and individual security. Some additional regulation may be coming.

An important question for many, especially for organizations that have suffered a multi-state data breach, is whether we will see a federal data breach notification standard, one that would “trump” the current patchwork of state laws. With Republicans in control of the executive and legislative branches, at least for the next two years, and considering the past legislative activity in this area, a federal law on data breach notification that supersedes state law does not seem likely.

Should we expect an expansion of privacy rights or other protections for electronic communication such as email or social media communication?

Again, much has been made of the disclosure of private email during the campaign, and President-elect Trump is famous (or infamous) for his use of social media, particularly his Twitter account. For some time, however, many have expressed concern that federal laws such as the Electronic Communications Privacy Act and the Stored Communications Act are in need of significant updates to address new technologies and usage, while others continue to have questions about the application of the Communications Decency Act. We also have seen an increase in scrutiny over the content of electronic communications by the National Labor Relations Board, and more than twenty states have passed laws concerning the privacy of social media and online personal accounts. Meanwhile, the emergence of Big Data, artificial intelligence, IoT, cognitive computing and other technologies continue to spur significant privacy questions about the collection and use of data.

While there may be a tightening of the rules concerning how certain federal employees handle work emails, based on what we have seen, it does not appear at this point that a Trump Administration will make these issues a priority for the private sector.

We’ll just have to wait and see.

FCC Adopts New Privacy Rules

Late last month, the Federal Communications Commission adopted new privacy rules for broadband Internet service providers (ISPs).  We first discussed this topic in March when the proposal was introduced by the FCC Chairman.  The rules are intended to protect the privacy of consumers and to provide customers with meaningful choice, greater transparency, and strong security protections for personal information collected by ISPs.


Cyber Security Awareness Needs To Last Beyond October

The U.S. Department of Homeland Security (DHS) has designed October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just from information system hacking, but also from employee error and other threats. Setting up a comprehensive training and awareness program is critical – and this outline can help you continue keeping your organization aware of cyber security throughout the year.

DHS’ purpose is to engage and educate public and private sectors through events and initiatives that raise awareness about cybersecurity, make certain tools and resources available, and increase our resiliency in the event of a cyber incident. This is a great effort and DHS collects helpful information and a number of resources for visitors to its site. But by selecting October to draw attention to cyber security, surely DHS did not intend that October be the only month that we think about this important area.

Earlier this year, the FBI reported a significant increase in ransomware attacks. Late last year, the Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. Training and creating awareness to deal with these continued and growing risks is critical. In fact, for many organizations, doing so will help satisfy legal requirements for securing data. And, it is a mistake to believe that only organizations in certain industries like healthcare, financial services, retail, education and other regulated sectors have obligations to train employees about data security. A growing body of law coupled with the vast amounts of data most organizations maintain should prompt all organizations to assess their data privacy and security risks, and implement appropriate awareness and training programs.

Here are some questions to ask when setting up your own program, which are briefly discussed in the report at the link above:

  • Who should design and implement the program?
  • Who should be trained?
  • Who should conduct the training?
  • What should the training cover?
  • How often should training be provided to build awareness?
  • How should training be delivered?
  • Do we need to document the training?

No system is perfect, however, and even a good training and awareness program will not prevent data incidents from occurring. But in the absence of such a program, the question you will have to answer for your organizations likely will not be why didn’t the organization have a system in place to prevent all breaches. Instead, the question will be whether the organization had safeguards that were compliant and reasonable under the circumstances.

EU Top Court Rules IP Addresses Maybe Protected Personal Data

In a decision that could have significant impact for online companies that have European operations, the European Union’s (EU) top court ruled that Internet Protocol addresses (IP addresses) could, under certain circumstances, constitute protected data under EU data protection law (Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16).  As most of us know, the IP address is a series of numbers that is allocated to a specific device (i.e., computer or smart phone) by an Internet service provider. A device is identified through the IP address and allows it access to the Internet.  IP addresses can either be static or dynamic.  Dynamic IP addresses change every time an electronic device connects to the Internet, and are the more common of the two.

Directive 95/46/EC, commonly known as the “Directive,” sets out certain standards EU members must legally adopt as law in order to protect personal data. Consequently, if IP addresses are considered “personal data” online companies (Facebook and Google, for example) would have to treat them in accordance with potentially restrictive data handling requirements.  Under the Directive, the processing of personal data (e.g., marketing or profiling) is only lawful if it is necessary “to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedom of the data subject does not override the objective.”

This specific case involves websites operated by the Federal Republic of Germany (“BRD”) which, like most website operators, records the IP addresses of visitors of its websites. Patrick Breyer sued the BRD claiming that if the IP addresses qualify as personal data under EU data protection law, then the BRD would be mandated to require consent before processing such data.  Breyer alleged the retention of IP addresses by the Republic of Germany could enable profiling of website users and other non-legitimate objectives.

The EU’s top court, the Court of Justice of the European Union (the “CJEU”), held that dynamic IP addresses could be considered personal data provided the website “has the legal means to identify the visitor with the help of additional information that the visitors’ internet service provider has. Since this is generally the case with most providers, the Court held dynamic addresses could potentially be considered protected personal data. While this case was decided under the Directive, it is important to note that the decision is consistent with the expanding concept of personal data under the General Data Protection Regulations which will take effect in May 2018.

However, in a material caveat, the high court here stated that the federal German institutions running the websites in question “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites” when protecting their sites against online attack. The case now will be returned to the German Federal Court of Justice, which will decide the case based on the CJEU’s holding.


Defining IP addresses as personal data could, in certain circumstances, impose significant limitations on the storage and use of that information. Companies that seek to identify users through their IP addresses for marketing or other purposes should closely monitor continuing developments in this area and be prepared to address not only how they safeguard this data, but also what legitimate business reason they have for its collection.


Yelling at Your Smartphone Could Get You Fired!

Michael Schrage at Harvard Business Review warns his readers, “Stop swearing at Siri. Quit cursing Cortana,” arguing such behavior could soon be seen just as destructive to an organization as ridiculing a subordinate. In the 1993 film, Demolition Man, Sylvester Stallone’s character, John Spartan, received multiple tickets from a wall box that overheard him violate the “Verbal Morality Statute” during a conversation with a colleague. [mature ears only please!] Spartan, who had been awoken from his cryogenic sleep, was not aware of the dramatic changes in technology that had taken place while he had been asleep. We see technological change every day, but we may not be ready for the far-reaching implications machine learning and artificial intelligence (AI) will have on society and the workplace.

Schrage describes how adaptive bots enable devices to learn from each encounter they have with humans, including negative ones, such as cursing at Siri or slamming a smartphone down when it reports about one restaurant, though the user was searching for a different eating place. Faced with repeated interactions like this, the bot is likely to be adversely affected by the bad behavior, and will fail to perform as intended. As companies leverage more of this technology to enhance worker productivity and customer interactions, employee abuse of bots will frustrate the company’s efforts and investment. That can lead to reduced profits and employee discipline.

Employees are seeing some of this already with the use of telematics in company vehicles. Telematics and related technologies provide employers with a much more detailed view of their employees’ use of company vehicles including location, movement, status and behavior of the vehicle and the employees. That detailed view results from the extensive and real time reports employers receive concerning employees’ use of company vehicles. Employers can see, for example, when their employees are speeding, braking too abruptly, or swerving to strongly. With some applications, employers also can continually record the activity and conversations inside the vehicle, including when vehicle sensors indicate there has been an accident. It is not hard to see that increased use of these technologies can result in more employee discipline, but also make employees drive more carefully.

Just as employers can generate records of nearly all aspects of the use of their vehicles by employees, there surely are records being maintained about the manner in which individuals interact with Siri and similar applications. While those records likely are currently being held and examined by the providers of the technology, that may soon change as organizations want to collect this data for their own purposes. Employers having such information could be significant.

As Mr. Schrage argues, making the most of new AI and machine learning technologies requires that the users of those technologies be good actors. In short, workers will need to be “good” people when interacting with machines that learn, otherwise, it will be more difficult for the machines to perform as intended. Perhaps this will have a positive impact on the bottom line as well as human interactions generally. But it also will raise interesting challenges for human resource professionals as they likely will need to develop and enforce policies designed to improve interactions between human employees and company machines.

We’ll have to see. But in the meantime, be nice to Siri!

How Much Do You Spend on Cybersecurity…and on What? reported that according to an International Data Corporation (IDC) forecast, by 2020, spending on security-related hardware, software, and services will eclipse $100 billion. However, consulting company NTT Com Security recently surveyed 1,000 executives and found only about half of them reported having a formal plan to respond to a data breach. Franklin wisely noted that “an ounce of prevention is worth a pound of cure,” but he also reminded us that “by failing to prepare, you are preparing to fail.”

According to the IDC report, the banking industry is forecast to make the largest investment in security for 2016. This makes some sense – that is where the money is. But there is significant value and opportunity in other data that companies should consider when evaluating their data security spend.

For some, value is in access to data, not necessarily the data itself. According to a recent post by my colleague, Damon Silver, ransomware attacks have increased four-fold from just a year ago – now estimated to be 4,000 attacks reported per day. These criminals often do not want the business’ data, but prefer to extract significant dollars from companies by preventing the businesses from accessing their own data.

Of course, there are steps companies can take to help prevent these incidents. But if reports about the number of these attacks are true, it seems few businesses have taken those steps and those that have are not having much success.

For those that have been attacked, there are a range of things they have to address, and quickly – what should be done first, how can the business continue to operate, what vendors and who in law enforcement can help, is there insurance coverage, do the criminals possess the company’s information and how much, what are the legal obligations, including notification.

Data is power and can be used to influence. It is neither identity theft nor the desire to extract a few Bitcoins that is behind the hacking and release of emails about Hillary Clinton. Obviously these bad actors want to harm the presidential candidate, and have been somewhat successful influencing the election. If there is one thing we can learn from the current presidential election, it is that data breach prevention and preparedness is not just about credit cards and Social Security numbers.

Though on a different scale, breaches exposing insensitive email or other communications such as high-level strategy discussions among C-suite members, or that suggest systemic discriminatory practices, or that outline detailed labor management strategies can have significant implications for a company’s market position and profitability. Consider that the Ashley Madison breach did not just result in exposing potential cheaters. The hackers also disclosed company emails (at least 12.7 gigabytes of emails) which included sensitive computer code and worker salary data, furthering the efforts to bring the company down.

Increased investment and vigilance in preventing attacks and releases of sensitive data are coming. But, a steady drumbeat of security professionals and others continue to warn businesses that cyber attacks are not a matter of if, but when. Recognizing that no system of security is perfect, and as spending on data security continues to rise, a significant item of that spending ought to include breach preparedness and response planning.