Lenovo-FTC Consent Order Calls For 20-Year Monitoring Period

Laptop-maker Lenovo (United States), Inc. agreed to a no-fault settlement with the Federal Trade Commission and 32 states over allegations that it installed ad software that compromised customers’ web security and invaded users’ privacy.

As part of the Consent Order, Lenovo agreed that it would:

  • Not misrepresent any feature of installed software related to consumer internet browsing-based advertising
  • Obtain affirmative user consent before installing such software on computers
  • Provide instructions for how the consumer may revoke consent to the covered software’s operation, which can include uninstalling the covered software; and
  • Provide a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.

The company also must implement and maintain a comprehensive data security software program that is reasonably designed to (1) address software security risks related to the development and management of new and existing application software, and (2) protect the security, confidentiality, and integrity of covered information. Lenovo is required to report to the FTC regarding biennial assessments for the next 20 years.

Lenovo agreed to pay 32 state attorneys general $3.5 million under a separate state agreement. The FTC may seek civil fines if the company fails to abide by the Consent Order.

According to Acting FTC Chairman Maureen K. Ohlhausen, the settlement “sends a very important message” to companies that “everyone in the chain really needs to pay attention” to data security and collection, use, and promises made regarding the data.

The settlement with Lenovo comes on the heels of two other notable FTC settlements within the past month involving Uber Inc. and TaxSlayer LLC.

A copy of the Lenovo Consent Order can be viewed here.

These recent FTC settlements are an important reminder to all businesses that privacy and security obligations should not be taken lightly.


Data Breach Preparedness: A critical risk management priority for small and mid-sized businesses

After hearing a lot lately about big companies suffering data breaches, it is important to remember that, according to inc.com, half of all cyberattacks target small to mid-sized businesses (SMBs). Based on a 2016 State of SMB Cybersecurity Report, CNBC reported that in the prior 12 months half of all SMBs in the U.S. had been hacked. This makes sense when one considers FBI reporting (pdf) that an average of 4,000 ransomware attacks happen every day in the U.S., and it is consistent with the statements of SEC Commissioner Luis A. Aguilar, who said in October 2015 that:

Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses. The reason is simple: Small and midsize businesses are not just targets of cybercrime; they are its principal target.

Clearly, SMBs need to address this significant risk to their businesses. Strong IT safeguards are part of the solution, but not a silver bullet. Administrative and physical safeguards also are needed, such as access management policies, awareness training, equipment inventory, and vendor assessment and management programs. But even the best safeguards cannot prevent all breaches. Thus, SMBs need to be prepared for responding to the inevitable – that they will experience a data breach of some kind. Below are three key steps SMBs should take to improve their level of breach response preparedness.

Understand your risks and vulnerabilities


  • Not all SMBs are created equal, at least with respect to inherent business risk of a cyber breach. Factors such as the type of business, jurisdictions in which business is conducted, and the amount and nature of the personal information involved in the business (payment card data, health data, SSNs, etc.) drive this risk.
  • Core competencies may be lacking. That is, members of the organization’s IT staff may be very adept at systems management but significantly lacking in knowledge of the latest cybersecurity tools and attack methodologies, and therefore unable to provide competent leadership and execution of a breach response.

Develop and practice an “Incident Response Plan”


  • Identify the internal team (e.g., leadership, IT, in-house counsel, and HR). These are the persons in the business who will direct the response to the incident. They will need to make quick, informed and prudent decisions that likely will be critical to the success of the response process, and possibly the future of the business.
  • Identify the external team (e.g., outside legal counsel, forensic investigator, and public relations). Having external members of the team identified ahead of time can be vital to the success of any preparedness plan. When a breach happens, valuable time can be lost trying to identify, evaluate, and engage third-party service providers necessary for the response.
  • Take into account all legal and contractual obligations that may affect the response process.
  • Clarify the roles and responsibilities of the team members at key points in the response process – discovering the incident, investigation, coordination with law enforcement, remediation, notification, third party inquiries, compliance, and reevaluation. This should include a well-defined decision making process to facilitate good choices and avoid delays.
  • Practice, practice, practice. It is likely that members added to the response team do not have first-hand experience with helping to coordinate a breach response. And, even a well-drafted plan does not give persons charged with implementing the plan a feel for what is involved. Once an SMB creates its plan, it should gather its internal and external breach response team members to simulate a breach in action in order to help members gain valuable experience with navigating the issues in a breach response, as well as working with each other.

Create awareness throughout the organization.


  • Educate employees on how to recognize attacks and other forms of data breach.
  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., whom to notify in IT, how to disconnect from the network).
  • Instruct employees on what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, which can destroy evidence needed for the investigation).

All breach notification laws mandate that notification, if required, must be made without unreasonable delay. In some cases, notification can be required in as few as 15 days or even 72 hours. Thus, in all cases, SMBs have to act fast, sometimes very fast, making decisions that can have significant reputational implications for the business, as well as shape compliance and legal risks. Preparedness can make all the difference in the success of an SMB’s response to a data breach.

Not So Entertaining: Cybercrime in the Entertainment Industry

Although certain industries are known targets for cyber attacks – healthcare, financial, government – cyber attacks pose a threat to all sectors. Organizations in the entertainment industry have increasingly become targets of cybercrime. Over the past several years, a number of large entertainment companies have fallen victim to cybercriminals, resulting in the threatened and actual leaking of sensitive information, including internal emails, passwords, compensation information, and unreleased programming. Unlike a “traditional” cyber attack, which poses a threat to credit card numbers or social security numbers, the biggest risk of an entertainment industry cyber attack is the publicity that can result from compromised communications and other information about high-profile individuals and their associated businesses. For example, in the weeks leading up to the Game of Thrones final episode, HBO was hit with hacks, leaked episodes, and ransomware attacks, all stemming from a breach of online security. Such incidents can harm the financial success and reputation of both the show and the network. In addition, a company’s failure to adequately safeguard the confidential information of individuals or affiliated parties may result in costly legal review, security remediation, forensic investigation, and litigation, all of which can negatively impact public relations.

As cybercriminals become more sophisticated with their attacks, and with the increasing awareness that the entertainment industry has become a prime target for hacking, it is important for companies in the industry to be proactive in making sure proper safeguards are in place before an attack occurs. Entertainment companies should ensure that they have qualified personnel with adequate resources who are capable of implementing necessary preemptive security measures. In addition, employees at all levels should receive training on what to do (and what not to do) to minimize the risk of a security breach. And companies should be prepared to respond quickly and effectively in the event that cybercriminals manage to circumvent preventive security measures.

Cyber attacks spiked 6,000% in 2016, and show no sign of slowing in 2017. Several months ago we reported on the increase of ransomware attacks in higher education, another “less known” target for cybercrime. No industry is immune to cyber attacks, and any organization that holds sensitive information must take steps to plan for and respond to such attacks appropriately in the unfortunate event that they occur. Jackson Lewis’s guide “Ransomware Attacks: Prevention and Preparedness” is a great starting point for any organization.

Jackson Lewis has a 24/7 Data Incident Response Team to assist with a ransomware attack, data incident, or data breach.

Enhanced HHS HIPAA Breach Reporting Tool May Aid Health Care Industry Data Security Efforts

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation helping those looking for information on breaches and ease-of-use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.

The HBRT was originally launched in 2009, as required by the HITECH Act, providing information regarding HIPAA breaches involving 500 or more individuals. HHS announced that the HBRT’s new features include:

  • Enhanced functionality and search capabilities allowing users to learn more about breaches currently under investigation and reported within the last 24 months;
  • New archive that includes all older breaches and information about how breaches were resolved;
  • Improved navigation to additional breach information; and
  • Tips for consumers.

The HBRT provides information such as: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Additional enhancements are expected in the future.

HIPAA covered entities and business associates may find the HBRT helpful for identifying areas in which to focus their information security efforts. In recent months, there have been several high profile data breaches involving the unauthorized disclosure of the protected health information of several hundred thousand individuals. In this environment of increasing security threats and regulator scrutiny, it would be prudent for entities in possession of individually identifiable health information of patients to take active steps to review and, where appropriate, enhance their security measures. The HBRT could be a helpful tool for assisting in those efforts.

Harvey and Irma – Reminders to Adopt/Reevaluate Your Disaster Recovery Plan

The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology assets critical to its success and continuity. Key steps to prepare and respond to a natural disaster can help minimize the blow. There are many aspects to comprehensive disaster recovery planning.

Below are some recommended best practices for an effective disaster recovery plan:

  1. Build the Right Team. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks. The IT department, whether internal or through a third-party vendor, must be well versed in disaster response.
  2. Conduct a Risk Assessment. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs, and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the business’s operations would be affected by the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.
  3. Employee Safety. Information and technology assets are critically important, but not at the expense of human life. Employees should be provided with guidelines on how to ensure their safety, and be reminded that their safety comes first.
  4. Develop a Plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. The disaster recovery plan should be in writing and include the following:
    • Keep backups off site, in a safe location. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or the cloud will be essential to business continuity. The same is true for voice and electronic communications systems. Having critical business data replicated and stored off-site is a good “insurance policy” for any organization.
    • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others.
    • Data Encryption. Encryption of sensitive and/or critical business data will prevent unauthorized users from gaining access and limit exposure.
    • Don’t neglect laptops/mobile devices. Recovery plans tend to focus on the data center; however, approximately two-thirds of corporate data exists outside the data center. Moreover, laptops/mobile devices are far less resilient than, for example, data center servers.
    • Employee Training. No one likes fire drills, but they serve a valuable purpose. Make your employees aware of the risks and steps they must take in case of a disaster.
    • Test for recovery. Perform random recovery tests periodically. Audit the test, and confirm that all your data is recovered.
  5. Update the Plan. As your business changes, grows, and adds locations and new people, the disaster recovery plan may need to change to address those developments. A regular review of the plan is critical.

So, as you clean up from Harvey and/or prepare for Irma, assess whether your disaster recovery plan meets your needs. If not, make appropriate changes. If you think your business could have benefited from such a plan, there is no time like the present to develop one.

Timeline for Compliance with New DFS Cybersecurity Regulations

The deadline to comply with the first set of requirements under the new DFS Cybersecurity Regulations (“the Regulations”) is here! By today, August 28, 2017, businesses subject to the Regulations must ensure that they:

  1. Designate a Chief Information Security Officer (“CISO”)
  2. Establish a Cybersecurity Program
  3. Develop a Written Cybersecurity Policy.

We have prepared an article and a webinar to help subject businesses gain a better understanding of this first set of requirements. 

As future compliance deadlines approach, we will prepare similar guidance materials. Below, to assist subject businesses to craft their long-term plans, are the future compliance deadlines that the Regulations impose.

Effective Date – Requirement

8/28/2017
  • Cybersecurity Program
  • Cybersecurity Policy
  • Chief Information Security Officer (CISO)

2/15/2018
  • First Annual Certification by Senior Management or Board of Directors

3/1/2018
  • Penetration Testing and Vulnerability Assessments
  • Multi-Factor Authentication
  • Risk Assessment
  • Training and Monitoring: Cybersecurity awareness training for all personnel

9/3/2018
  • Audit Trail
  • Application Security
  • Cybersecurity Personnel and Intelligence
  • Training and Monitoring: Policies that monitor authorized users / detect unauthorized access or use of nonpublic information
  • Encryption of Nonpublic Information
  • Limitations on Data Retention

3/1/2019
  • Third Party Service Provider Security Policy


NOTE: Certain covered entities are exempt from some of the requirements listed above. Please contact the Jackson Lewis attorney with whom you work to confirm whether your business is exempt.

Delaware: The Latest State to Amend its Data Breach Notification Law

Delaware joins the growing number of states that have recently amended their data breach notification laws. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018).

Delaware maintains the state law trend of requiring businesses to implement reasonable security measures, expanding the definition of personal information, increasing notification requirements, requiring a risk of harm trigger, and requiring mitigation.

Key aspects of Delaware’s amended data breach notification law include:

  • Maintain Reasonable Procedures and Practices to Protect Personal Information – Any “person” subject to the amended law is now required to implement and maintain reasonable security procedures and practices. The definition of “person” has now been expanded to include any business form, governmental entity, “or any other legal entity”.
  • Expanding the Definition of “Personal Information” – The definition of “Personal Information” was expanded to include: passport number; a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or deoxyribonucleic acid profile; health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person; unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and an individual taxpayer identification number.
  • Data Breach Notification/Risk of Harm Trigger – Businesses affected by a data breach are now required to give notice to affected state residents “as soon as possible” following the conclusion of an investigation that “misuse of information about a Delaware resident has occurred or is likely to occur”. In addition, the new amendment requires notification within 60 days unless the investigation “reasonably determines that breach of security is unlikely to result in harm to the individuals whose personal information has been breached” or law enforcement has requested a delay in notification.
  • Attorney General Notice – If the number of affected Delaware residents to be notified exceeds 500, notice must also be provided to the Attorney General.
  • Credit Monitoring – If the breach of security includes a social security number, the business is now required to offer to each resident, whose personal information was breached or is reasonably believed to have been breached, reasonable identity theft prevention services and identity theft mitigation services at no cost to such resident for a period of 1 year. Both California and Connecticut have similar provisions.

While not all states currently require reasonable safeguards or credit monitoring, there appears to be a growing trend (which we expect will continue) to include these requirements when breach notification laws are amended. As such, it is imperative for organizations facing a breach to ensure they are applying the most current law.

2-Year Statute of Limitations Applies to HIV Patient’s Privacy Suit

A New Jersey appeals court recently ruled that a two-year statute of limitations applies to a claim by an HIV-positive patient asserting that one of his doctors improperly disclosed his medical status to a third party without consent. The three-judge Appellate Division panel rejected arguments by the doctor that the suit should be dismissed as time-barred by the one-year statute of limitations typical of defamation claims.

The dispute arose out of a single incident on July 25, 2013, when the patient, given the fictitious name John Smith, was being treated for acute kidney failure by the defendant, who owns a kidney treatment center. Over the course of treatment, the defendant allegedly disclosed Smith’s HIV status to a third party, described as a longtime friend of Smith, who was unaware that Smith was HIV-positive.

Nearly two years after the incident, Smith filed suit in Mercer County Superior Court in New Jersey, on July 1, 2015, alleging violations of his common law right to privacy, medical malpractice and wrongful disclosure of his medical status under the state’s AIDS Assistance Act.

The defendant, in his motion to dismiss, argued that the one-year statute of limitations, typical of defamation claims, should apply in this case. Conversely, Smith argued that his claim was more akin to a personal injury or discrimination claim, as opposed to defamation, and thus a two-year statute of limitations should apply.

Superior Court Judge Douglas Hurd agreed with Smith that the defamation statute of limitations was not applicable and that the two-year statute of limitations should apply. The defendant appealed the decision.

On appeal, affirming the Superior Court’s ruling, Appellate Division Judge Richard Geiger stated, “Unlike a typical defamation claim, the confidential information allegedly disclosed by [defendant] to the third person was true, not false…The disclosed medical information did not place plaintiff in a false light.” Geiger went on to say, “Patients have a privacy right in their medical records and medical information…We find that the claims for unauthorized disclosure of a person’s HIV-positive status align more closely with discrimination claims.”

The AIDS Assistance Act was passed because the “effective identification, diagnosis, care and treatment of persons” with AIDS was declared by the New Jersey Legislature to be of “paramount public importance.”

Judge Geiger echoed the sentiments of the legislature in his decision stating that it was “strong public policy”, and an “important social goal” to maintain the privacy rights of individuals who are HIV-positive.

Artificial Intelligence Enabled Cybersecurity Systems

The use of artificial intelligence (AI) enabled cybersecurity systems is increasing dramatically. By 2018, sixty-two percent of all companies are projected to use AI technologies.

The use of AI cybersecurity systems provides greater efficiency through automation, the ability to evaluate larger data sets and, in many cases, a faster way to identify the “cyberattack needle in the big data haystack.” For example, some credit card companies use AI systems to scan large data banks for abnormal transactions and evaluate the gravity of a potential large scale cyber threat.

However, companies should not believe that AI systems alone provide a cybersecurity panacea. Cybersecurity solutions always require a human touch, such as risk analysis and case specific strategies for individual cyberattack responses. AI systems can identify potential risk situations, but the question of individual case evaluation and the proper individualized response still can only occur through the use of human analysis and participation.

AI cybersecurity systems should be used to act as a “safety net” in assessing potential large scale risks. In addition, AI systems can be adjusted through human intervention to distinguish malicious attacks from normal, low-risk behavior. Also, it is undisputed that cybersecurity experts expect that criminals will inevitably utilize AI to automate their attacks as well. Because of this anticipated criminal use of AI, fully audited cybersecurity will never, by definition, be possible. AI systems can be well-equipped to increase detection rates, but will always need to be tuned by human testers who find holes in the programs and subsequently fortify AI defenses moving forward.

Bottom line, the use of AI enabled cybersecurity systems should be explored and evaluated, but always used in conjunction with individual human training and response strategies.

Maryland Amends Personal Information Protection Act

The Maryland General Assembly has recently amended its Maryland Personal Information Protection Act, House Bill 974, effective January 1, 2018. Notable amendments expand the definition of personal information, modify the definition of breach of the security of the system, provide a 45-day timeframe for notification, allow alternative notice for breaches that enable an individual’s email to be accessed, and expand the class of information subject to Maryland’s destruction of records laws.

The coming years likely will bring a variety of amendments to state data breach notification laws. Review our comprehensive discussion of Maryland’s new law, and trends in other state data breach notification laws.
