Workplace Privacy, Data Management & Security Report

Courts Restrict Ability of Customers and Employees to Sue Companies Following a Data Breach, But Risks of Other Liabilities Remain

Among the multitude of unpleasant issues facing a company whose network has been breached is potential liability to customers and employees whose personal information has been compromised.  However, recent district court decisions from around the country continue to limit the opportunity of those customers and employees to have their day in court.  Specifically, these cases have held that, in order for a customer or employee whose data has been stolen to gain standing to sue the company that experienced the breach, the customer or employee must show that the stolen data was, in fact, used to the customer or employee’s financial detriment.  And such financial detriment must be “concrete.”  Increased risk of future harm does not suffice, damages are not recoverable for “mitigation” measures – such as the purchase of credit monitoring services – taken to protect against speculative future harm, and an individual’s allegations that he fears such future harm will generally not be enough to establish a claim for emotional distress.

In Green v. eBay Inc., the U.S. District Court for the Eastern District of Louisiana dismissed a putative class action brought on behalf of eBay customers whose data was stolen when eBay user information was hacked.  The suit alleged that, as a result of eBay’s security failure, Plaintiffs suffered (a) actual identity theft, (b) improper disclosure of their personal information, (c) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud, (d) the value of the time they had spent mitigating identity theft and/or identity fraud, and (e) the deprivation of the value of their personal information.  eBay’s failure, Plaintiffs alleged, violated the Federal Stored Communications Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and several state laws.  The Court disagreed.  Noting that the “mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury[,] unless the harm alleged is certainly impending,” the Court dismissed the suit in its entirety.

Similarly, in Strautins v. Trustwave Holdings, Inc., the U.S. District Court for the Northern District of Illinois granted Defendant’s motion to dismiss Plaintiffs’ class action lawsuit seeking damages stemming from the hacking of the South Carolina Department of Revenue.  The data breach had exposed in excess of 3.5 million social security numbers, 380,000 credit and debit card numbers, and the tax records of more than 650,000 businesses.  Plaintiffs alleged that they had not received timely and adequate notification of this breach, and that the breach had resulted in the improper disclosure of their personal information, loss of privacy, the need to incur out-of-pocket mitigation expenses (relating both to dollars spent and time expended), and deprivation of the value of their personal identifying information.  They also alleged that Defendant, by failing to protect their data, had violated their rights under the Fair Credit Reporting Act.  The Court, however, found that Plaintiffs’ “claims of injury . . . [were] too speculative to permit the complaint to go forward.” “Allegations of possible future injury are not sufficient to establish standing,” the Court held. Instead, the “threatened injury must be certainly impending.”  (Emphasis in original.)

Even if a plaintiff can show that a hacker used the data it stole from plaintiff’s employer or merchant, such use may not suffice to confer standing on the plaintiff, unless he can also show that he suffered financial harm as a result.  In Peters v. St. Joseph Services Corp., for example, hackers infiltrated a health care system provider’s network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information.  Even though there was an attempted purchase on Plaintiff’s credit card, which she declined when she received a fraud alert, the U.S. District Court for the Southern District of Texas held that Plaintiff did not have standing to bring suit.  The basis for the Court’s holding was that Plaintiff’s allegation that the breach exposed her to certainly impending or substantial risk of identity fraud/theft was too speculative and attenuated to constitute injury-in-fact.  Notably, she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”

Notwithstanding the above decisions, companies should continue striving to establish legal and technological protections against data breaches and exposure to related liability.  Even where class actions and other litigations fail, federal agencies and state attorneys general may continue to investigate data breaches and take enforcement actions.  (Many have, the Massachusetts Attorney General being one example.)  These actions can include, among other things, significant fines and increased oversight of the company’s data privacy and security compliance.  And, of course, the potential consequences of data breaches do not end there.  Companies that experience a breach may also suffer damage to their brand and to employee morale.

FCC Strengthens Consumer Protections Under TCPA

Yesterday, the Federal Communications Commission (FCC) adopted a package of declaratory rulings meant to provide clarity on the Telephone Consumer Protection Act (TCPA).  This ruling was previously proposed by FCC Chairman Tom Wheeler on May 27, 2015.

According to the FCC, the declaratory ruling is meant to protect consumers against unwanted robocalls and spam texts.  As we have previously discussed, complaints related to unwanted calls are the largest category of complaints received by the FCC.  The declaratory ruling was influenced by those complaints and is focused on addressing 23 petitions and requests for clarity on the FCC’s interpretations of the TCPA.

Key provisions of the ruling for consumers who use either landline or wireless phones include:

  • Green Light for ‘Do Not Disturb’ Technology – Service providers can offer robocall blocking technologies to consumers and implement market-based solutions that consumers can use to stop unwanted robocalls.
  • Empowering Consumers to Say ‘Stop’ – Consumers have the right to revoke their consent to receive robocalls and robotexts in any reasonable way at any time.
  • Reassigned Numbers Are Not Loopholes – If a phone number has been reassigned, companies must stop calling the number after one call.
  • Third-Party Consent – A consumer whose name is in the contacts list of an acquaintance’s phone does not consent to receive robocalls from third-party applications downloaded by the acquaintance.

Additional highlights for wireless consumers include:

  • Affirming the TCPA’s Definition of Autodialer – “Autodialer” is defined in the TCPA as any technology with the capacity to dial random or sequential numbers. This definition ensures that robocallers cannot avoid consumer consent requirements through changes in calling technology design or by calling from a list of numbers.
  • Text Messages as Calls – The FCC reaffirmed that consumers are entitled to the same consent-based protections for texts as they are for voice calls to wireless numbers.
  • Internet-to-Phone Text Messages – Equipment used to send Internet-to-phone text messages is an autodialer, so the caller must have consumer consent before calling.
  • Very Limited/Specific Exemptions for Urgent Circumstances – Free calls or texts to alert consumers to possible fraud on their bank accounts or remind them of important medication refills, among other financial alerts or healthcare messages, are allowed without prior consent, but other types of financial or healthcare calls, such as marketing or debt collection calls, are not allowed under these limited and very specific exemptions. Also, consumers have the right to opt out from these permitted calls and texts at any time.

While the ruling provides clarity as to the FCC’s interpretation of the TCPA, it also makes it clear that the FCC intends to interpret the provisions of the TCPA very broadly in an effort to afford the greatest protections to consumers – often at the expense of legitimate businesses.  The Declaratory Ruling and Order (FCC 15-72) was approved by a 3-2 vote, with Chairman Wheeler and Commissioner Clyburn approving, Commissioners Rosenworcel and O’Rielly approving in part and dissenting in part, and Commissioner Pai dissenting.  The ruling takes effect immediately upon release of the full text.  For additional information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.


Connecticut Enacts SB 949 Requiring One Year of Free Identity Theft Protection Services For Certain Data Breaches

Senate Bill 949 is now law in Connecticut, after being signed by Governor Malloy on June 11. As we reported, this law amends the state’s current breach notification mandate to require that, for breaches of certain personal information, covered businesses provide one year of free identity theft protection for affected persons. So, beginning October 1, 2015, covered companies that experience a data breach affecting a Connecticut resident – one that includes the resident’s name and Social Security number (SSN) – must offer that individual free identity theft prevention services and, if applicable, identity theft mitigation services for at least one year.

Identity Theft Protection Services: Requirements and Implications

As noted, the one-year requirement to provide identity theft protection services applies only when the breach involves a Connecticut resident’s name and SSN. Also, SB 949 requires that if such services have to be provided, the notification to the resident(s) must inform the recipient(s) of how to enroll in the services and how to place a credit freeze on their credit file. The law also tightens the timeframe for providing all breach notifications (not just those involving free identity theft protection services). Breach notifications must continue to be made without unreasonable delay, but effective October 1, 2015, they may not be made later than ninety days after the discovery of the breach, unless a shorter time is required under federal law.

This new mandate has significant implications for companies that have breaches involving SSNs and affecting individuals in many states including Connecticut. In such cases, the companies might feel compelled to offer identity theft protection services to all affected individuals, even though it may only be required for Connecticut residents. Of course, many businesses provide similar services already, but not in all cases.

In addition, businesses should consider evaluating potential providers of these services ahead of time so they will be ready to move quickly in the event of a breach that triggers this new mandate. Although it is not as clear as the Connecticut requirement, some have read the California breach notification law to impose a similar mandate to extend one year of free identity theft protection services.

Another issue for businesses is determining the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged. Like with most service offerings, some companies provide more extensive and thorough services than others, at varying costs. While SB 949 contains no minimum requirements for the identity theft prevention or mitigation services it requires, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.

As a reminder, during the legislative process for SB 949, Connecticut’s Attorney General, George Jepsen acknowledged that the law would only set “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection.” In particular, in cases where the breach involves more sensitive personal information, the AG stated he would continue this practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.

Connecticut May Require Businesses to Offer One Year of Identity Theft Protection Services Following a Data Breach, Joining Other States in Strengthening Notification Laws

Following a string of states across the country that have strengthened their data breach notification laws in recent months, Connecticut is about to amend its law to require, among other things, that businesses provide one year of identity theft protection for persons affected by a breach. Many businesses already extend such services to breach victims, but, if enacted, Senate Bill 949 would mandate that covered businesses incur this expense. According to Connecticut’s Attorney General, George Jepsen, this change would only set “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection,” reports the Hartford Courant.

Specifically, the bill would require businesses that conduct business in the state and who own or license certain personal information of a Connecticut resident that is breached to

offer to each resident…appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident’s credit file.

Anticipated to become effective October 1, 2015, the bill also would require notice be provided not later than ninety days from discovering the breach, even though the current law already requires notification without unreasonable delay. Other provisions of the bill would add data security requirements applicable to state agencies and companies that contract with the state.

If signed into law by Governor Malloy, this bill would add to the matrix of state laws that businesses contend with when they experience multi-state data breaches. This frequently changing matrix, as illustrated by this possible change and those summarized below, underscores the need for companies to have a plan for responding to data breaches. According to InfoSecurity Magazine, about 86% of IT executives “feel prepared” for a data breach, but only 40% have a response plan. A company’s IT Director may feel she is prepared from an information security perspective, but may not have considered all of the steps the company would have to take in the event of a breach – these include, without limitation: investigation, notification, legal compliance, media relations, coordination with law enforcement, arranging for identity theft protection services, setting up a call center, etc.

So what has been going on in other states?

As discussed below, a number of states have strengthened their generally applicable breach notification laws. Some states added provisions specifically for state agencies, while others revised data security mandates concerning student data. For example, Virginia’s Governor signed H.B. 2350 into law, which directs the state’s Department of Education to develop a model data security plan that may be used by school divisions to implement policies and procedures related to the protection of student data and data systems.

Montana: Beginning in October, the definition of personal information that could trigger a data breach was expanded from first name or initial and last name together with social security number, driver license number, or certain financial account numbers, to include certain medical information. The law change also requires notification to the state Attorney General’s office, as well as to the affected individuals.

Nevada: Effective July 1, 2015, the personal information that will trigger a notification requirement if breached now includes (i) a medical identification number or a health insurance identification number, and (ii) a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

North Dakota: According to the amendment to this state’s law, businesses no longer have to be doing business in the state to be subject to the law; they simply have to own or license personal information that belongs to a resident of the state. The law also adds a notification requirement to the state’s Attorney General if more than 250 residents are affected by the breach. These and other changes made by the amendment become effective on and after August 1, 2015.

Washington: On April 23, 2015, Washington made a number of changes to its breach notification law. These include: (i) a 45-day deadline for providing notification; (ii) adding a state Attorney General notification requirement; (iii) the addition of specific notice content requirements, such as the name and contact information of the business reporting the breach; and (iv) expanding the application of the law to personal information in paper format. The law becomes effective July 24, 2015.

Wyoming: In Wyoming, two bills were passed to change the law in that state – S.F. 35 and S.F. 36. The changes that become effective July 1, 2015, include expanding the elements of personal information that would trigger a breach, and the information that must be included in the notification letters. Under the law as amended, personal information now also includes personal data such as (i) Federal- or state-government issued identification card; (ii) shared login secrets or security tokens known to be used for data based authentication; (iii) username or email address, in combination with a required password or security question and answer; (iv) a birth or marriage certificate; and (v) certain medical and health insurance information.

Also, notifications must provide breach victims specific information such as: (i) the types of personal identifying information believed to have been the subject of the breach; (ii) a general description of the breach and approximate date of the breach, if reasonably possible to determine at the time of the notice; (iii) actions taken to protect the system from further breaches; and (iv) advice directing affected persons to remain vigilant by reviewing account statements and monitoring credit reports.

FCC Chairman Circulates Proposal to Address TCPA Violations

Last week, Federal Communications Commission (FCC) Chairman Tom Wheeler circulated proposed declaratory rulings to provide clarity for consumers and businesses regarding the Telephone Consumer Protection Act (TCPA).  The proposal addresses two dozen petitions that sought clarity on how the FCC enforced the TCPA.  In addition to circulating his proposal to the other FCC commissioners for their consideration, Chairman Wheeler also issued a fact sheet to the public concerning the proposal.

As highlighted by Chairman Wheeler, unwanted calls and texts are the number one consumer complaint to the FCC, including 215,000 TCPA complaints in 2014.

The proposed rulings would include:

  • Giving consumers the right to revoke their consent to receive robocalls and robotexts in any way at any time.
  • Allowing carriers to implement market-based solutions to block robocalls.
  • Making clear that a reassigned number would not permit a barrage of robocalls to which the previous subscriber consented, and instead requiring calls to stop after one call.
  • Defining an “autodialer” as any technology with the capacity to dial random or sequential numbers.
  • Allowing very limited and specific exceptions to urgent circumstances which would be exempt from TCPA liability and permitting consumers to opt out of these calls and texts as well.

In addition, the proposal would leave in place many existing protections which exist under the TCPA including, but not limited to, the Do-Not-Call List, limits on Telemarketing Robocalls, and no exception for Political Calls.  Notably, the proposal would also stress the FCC’s strong enforcement of the TCPA.

The proposal will be voted on at the FCC’s Open Meeting on June 18, 2015 and if approved, would be considered in effect immediately upon release.

For more information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.


States Continue to Protect the Personal Social Media Accounts of Employees, with Oregon Likely to Add an Interesting Twist

Over the past few years, states around the country have enacted laws limiting an employer’s ability to access the personal social media accounts of applicants and employees. Earlier this year, Montana’s Governor Steve Bullock signed HB 342 into law. Before that, Virginia enacted a similar measure. On May 19, Connecticut’s Governor added the Nutmeg State to the list, signing S.B. 426 into law; it becomes effective October 1, 2015. Taking the protection of employee social media accounts a step further, a measure in Oregon, S.B. 185 A, would amend its existing law to prohibit employers from requiring employees or applicants (i) to establish or maintain personal social media accounts or (ii) to authorize the employer to advertise on their personal social media accounts. That bill, unanimously passed by the State’s legislature, awaits consideration by the Governor.

Similar to the social media privacy laws passed in other states, Connecticut’s law prohibits employers from requesting or requiring an employee or applicant to provide a user name and password, password or any other authentication means for accessing a personal online account. Under the law, employers also cannot require employees or applicants to authenticate or access a personal online account in front of the employer, nor can employers require employees or applicants to invite the employer or accept an invitation from the employer to join a group affiliated with the employee’s or applicant’s account. Like some of the laws in other states, a personal online account is one that is used by the employee or applicant “exclusively for personal purposes and unrelated to any business purpose of such employee’s or applicant’s employer or prospective employer, including, but not limited to, electronic mail, social media and retail-based Internet web sites.”

However, the Connecticut law does not prohibit employers from conducting certain investigations, such as to ensure compliance with state or federal laws, regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about activity on an employee or applicant’s personal online account. Employers also may monitor, review, access or block electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network. The law also does not “prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.”

This last point may be helpful for those employers that may have a duty to monitor certain employee communications. For example, in expressing concerns over the effects of these state laws, the Financial Industry Regulatory Authority (FINRA) noted that its Regulatory Notices 10-06 and 11-39 provide that securities firms must establish procedures to review registered representatives’ written and electronic business correspondence, including interactive electronic communications that the firm or its personnel send through social media sites. In addition, firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are reasonably supervised to ensure that their communications are fair and balanced. Of course, employers in these regulated businesses, and employers generally, will have to carefully review not only what is prohibited under these state laws but also the exceptions, in order to shape a strategy for compliance.

As a way of enhancing their exposure and reach in social media, some employers are looking to leverage their employees’ social media presence to more broadly promote the companies’ products and services. Putting aside potential labor, wage and hour, and other employment issues, the bill in Oregon would address potential privacy issues resulting from the practice of compelling employees to allow employers to use employees’ personal social media accounts to advertise. One effect of the law may be that employees will not allow their personal accounts to be used for business purposes. That, of course, may address some of the concerns FINRA and others raise about being able to monitor business communications by employees in their personal social media accounts. Another effect of the law may be the difficulty created in determining whether the employer required, or the employee permitted, the personal online account to be used for advertising the company’s products or services. For certain categories of employment, increased exposure and sales of the company’s products and services result in direct benefits to the employee, as well as the employer.

If the bill passes, employers subject to the Oregon law will have to exercise caution in their approach to employees about using their personal accounts for business purposes. Also, given the popularity of the social media account protection laws themselves (21 states have now enacted these in one form or another), this twist in Oregon may be followed elsewhere.

Supreme Court Will Address Impact of Offer of Judgment in TCPA Class Actions

On May 18, 2015, the United States Supreme Court granted a petition for a writ of certiorari to address (1) whether a case becomes moot when the plaintiff receives an offer of complete relief on his claim and (2) whether the answer to the first question is any different when the plaintiff has asserted a class claim under Federal Rule of Civil Procedure 23, but receives an offer of complete relief before any class is certified.   The Court will also address the applicability of the doctrine of derivative sovereign immunity.

The case, Campbell-Ewald Co. v. Gomez, No. 14-857, comes before the Court on the petition of Campbell-Ewald after the Ninth Circuit ruled on September 9, 2014, that Campbell-Ewald could be held liable under the Telephone Consumer Protection Act (TCPA) for text messages it sent to approximately 100,000 individuals in connection with Navy recruitment.

In the underlying case, Campbell-Ewald offered the plaintiff, Jose Gomez, $1503 per violation of the TCPA.  The TCPA permits statutory damages ranging from $500 to $1500 per violation.  Accordingly, Campbell-Ewald’s offer would have afforded Gomez his full measure of damages available.  Gomez subsequently rejected the offer by allowing it to lapse in accordance with its terms.  Campbell-Ewald then moved to dismiss the case under Rule 12(b)(1), arguing that Gomez’s rejection of the offer mooted the personal and putative class claims.  In denying Campbell-Ewald’s motion, the Ninth Circuit held that the plaintiff’s individual claim was not mooted by the plaintiff’s refusal to accept a settlement offer under Federal Rule of Civil Procedure 68 – commonly known as the Offer of Judgment Rule.  Additionally, the Ninth Circuit held the putative class claims are not moot because an unaccepted offer of judgment – for the full amount of the named plaintiff’s individual claim and made before the named plaintiff files a motion for class certification – does not moot a class action.  In support of its motion, Campbell-Ewald argued that the Supreme Court’s holding in Genesis Healthcare Corp. v. Symczyk was controlling.  The Ninth Circuit rejected Campbell-Ewald’s assertion finding that the Genesis holding, which involved a collection action brought pursuant to the Fair Labor Standards Act, does not apply to class actions brought under Rule 23 – such as claims for violations of the TCPA.

It is expected that the Supreme Court’s decision in this case will clarify a split among the Circuit Courts as to whether a full offer of relief to the named plaintiff ends the case or not.  As we previously discussed, the Eleventh Circuit, similar to the Ninth Circuit, has held that an unaccepted offer of judgment to a named plaintiff did not moot the named plaintiff’s claims.  In contrast, the Seventh Circuit, has held that an offer of judgment to the named plaintiff, made prior to the filing of a motion for class certification, can moot the class action.  As a plaintiff’s damages under the TCPA are specified by the statute and thus easily ascertainable, this split has likely affected the defense and prosecution of TCPA claims.  In particular, the plaintiffs’ bar may prefer to bring TCPA claims in a Circuit where an offer of judgment cannot render a class action moot; while the defense bar may seek to utilize the offer of judgment to eliminate potential class claims where a limited number of plaintiffs are actually named in the suit.

The Supreme Court’s decision in this case will likely have a significant impact on TCPA claims, as well as class actions brought pursuant to Rule 23.  Should the Court agree with Campbell-Ewald, a TCPA defendant will be permitted to address a specific plaintiff’s damages without concern for a theoretical class of plaintiffs.  By contrast, should the Court disagree with Campbell-Ewald, defendants will need to reconsider how they defend, and seek to resolve, class action complaints brought under the TCPA.

For additional insight, please see the related post from our Class and Collective Action group.

Will Your Cyber/Breach Insurance Be There When You Need It?

The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance that is intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part to the many widely reported data breaches affecting large, well-known companies. Now that more claims are coming in, carriers are looking with more scrutiny at the representations made by their policyholders when they applied for the coverage, as well as their actions during the period of coverage. Carriers consider these representations and anticipated security practices to be critical to the underwriting process and conditions on which the coverage is based. In short, inaccurate representations and failing to make good on carrying out the data security practices promised, could leave a policyholder without coverage.

Business Insurance reported last week that a cyber insurance carrier is asking a California court whether it has to pay out on a $4.1 million data breach settlement under a policy issued to one of its policyholders. The carrier’s reasoning: an exclusion in the policy states that it does not have to pay if the insured failed to meet the “minimum required practices” that the insured claimed it would follow when it completed its insurance application.

According to Business Insurance, the breach allegedly occurred when the insured (or one of its third party vendors) had “stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect” the data. The class action lawsuit against the insured that followed the incident settled for $4.1 million, which the insured likely believed would be covered in whole or in part under the policy. However, the carrier is claiming the insured failed to take the measures it promised to take in its insurance application, such as not implementing data security controls, failing to check and maintain security patches, not regularly assessing risks and not having systems in place to identify and address security incidents.

This certainly is not the first case involving a carrier’s challenge to the amount it has to pay under a data breach policy, and it will not be the last. But for companies that have purchased a policy, it is an important reminder that insurance policies are essentially contracts, and if the company seeking the coverage does not meet its end of the bargain (beyond just paying the premiums) the insurer may not have to meet its obligations, leaving the policyholder with an unexpected exposure.

Companies that purchase data breach coverage often have to complete lengthy applications and questionnaires that delve into their data security practices and procedures. These applications and questionnaires need to be answered carefully because, as seen in the case above, they can be used by the carrier to deny coverage, which is not an uncommon practice regardless of the type of coverage. Additionally, these applications and questionnaires often reflect not only a snapshot of a company’s data security risk and practices, but also policies and procedures that carriers expect will continue to be in place as a condition of the coverage.

So the message is clear: companies that purchase data breach insurance and expect to benefit under the policy should a breach occur need to carefully review and abide by the conditions for coverage under the policy. In particular, the applications and questionnaires that must be completed as part of the underwriting process should be reviewed and considered by the various departments throughout the company whose work they describe, so that the responses accurately reflect the data security practices in place at the time of underwriting. Additionally, steps need to be taken to ensure that these practices are actually carried out during the policy period. The underlying message is that insurance cannot be the only thing that addresses an organization’s information risk. And, of course, this is important from a compliance perspective, since many of the data security practices referenced in these questionnaires and applications are practices that are required, to one degree or another, by various federal or state laws.

SEC’s Division of Investment Management Issues Cybersecurity Guidance

In Guidance Update No. 2015-02, the Division of Investment Management (Division) of the Securities and Exchange Commission (SEC) issued some high-level suggestions concerning the importance of cybersecurity for registered investment companies and registered investment advisers. The guidance outlines a number of measures these entities should consider for addressing cybersecurity risks. Of course, while some of these and other measures may have specific application to certain sectors of the financial services industry, many of these measures can and should be applied in most organizations, regardless of industry.

Increasingly, companies are realizing the need to tighten their policies and practices concerning information risk, but are not sure where to start or what framework to follow. There are, for sure, industry-specific rules and regulations, such as the HIPAA privacy and security regulations that apply to healthcare providers, healthcare clearinghouses, health plans and their respective business associates, as well as state law mandates, such as the data security regulations in Massachusetts. The endnotes in this Guidance discuss and provide helpful links to more specific SEC rules concerning the safeguarding of personal information, such as the Red Flag rules. But among these standards are a number of common threads, many of which are contained in the Division’s guidance referred to above. These include:

  • Conduct a risk assessment designed to help the company understand the “nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses” as well as the effectiveness of its governance structure to ensure appropriate controls are in place. This should be done regularly, perhaps annually. It also should be done when there are material changes in the business that are reasonably likely to alter the risks to sensitive data.
  • Develop access management policies. Not everyone in an organization should have access to all of its data. The first step is finding out who has access to what (see the first bullet above); you might be surprised by what you find. Scale back from there.
  • Prepare a written information security program that addresses necessary and appropriate administrative, physical and technical safeguards that you have implemented.
  • Strengthen perimeter defenses – maintain up-to-date firewalls and anti-malware and antivirus protections. The federal Office for Civil Rights claimed a healthcare provider failed to do this, and it cost the company $150,000.
  • Get control of mobile storage devices and consider whether a more formal “Bring Your Own Device” program is needed.
  • Address whether and under what circumstances encryption is warranted. Some applications may slow down operations, but that level of protection may help the company avoid a significant exposure.
  • Develop and practice an incident response plan. Writing down a plan for responding to a data breach is a good start, but for the members of your team that would be called upon to carry out the plan, a few dry runs would be beneficial.
  • Don’t leave your staff in the dark about what you have done – train your employees and create security awareness throughout the organization.
  • Make sure the third party service providers that the company relies upon are taking similar steps to safeguard data on your behalf.

Will following just these points mean you are 100% compliant with all of the company’s regulatory and contractual obligations pertaining to privacy and data security? Probably not. But they certainly will get you a lot closer and eliminate a substantial amount of risk.

Supreme Court to Examine Standing Under FCRA

The U.S. Supreme Court recently decided to hear a case brought under the Fair Credit Reporting Act (“FCRA”) to determine whether individual consumers have standing to sue a consumer reporting agency for statutory violations of the FCRA when no “actual damages” were suffered by the consumer.

The FCRA, like other privacy laws, imposes monetary damages on consumer reporting agencies for statutory violations. When Congress enacted the FCRA, it also created a private cause of action for “consumers” against “consumer reporting agencies” for statutory violations, but it did not require a consumer to allege that the violation caused any harm.

The Supreme Court will likely approach the issue within the context of analyzing Congressional authority to confer Article III standing. The resolution of this separation of powers argument could have significant consequences for companies and employers covered by the FCRA and other privacy laws.

In Spokeo, Inc. v. Robins, the plaintiff consumer alleged that Spokeo, a website that aggregates personal data from public records and other online sources, failed to maintain procedures to assure the “maximum possible accuracy” of any consumer report it creates. According to the complaint, the consumer report for the plaintiff that was produced by Spokeo was not accurate and interfered with the plaintiff’s ability to obtain employment. The Ninth Circuit determined that while there may not be any consequential damages resulting from the inaccurate information, the harm to the plaintiff is inferred by the FCRA’s creation of a private cause of action for such violation.

This case could have a significant impact on class action lawsuits because those plaintiffs who may have otherwise been excluded for failing to allege actual damages would be included as class members.