Survey Finds Healthcare Workers Understand Security Measures But Still Share Sensitive Information Through Non-Secure Email

According to reports on a recent survey, the vast majority of healthcare workers share sensitive medical information using non-secure email. The survey, conducted by Kickstand Communications, reportedly found that 87% of healthcare workers surveyed admitted to this practice. These results echo other reports finding that employees and others with access to an organization’s confidential information may pose the greatest risk to data security.

As reported by HealthITSecurity.com, key findings from the survey include:

  • Healthcare workers are 36 percent more likely to share regulated data such as patient information and credit card information via non-secure methods such as email than those working in financial services;
  • 10 percent of healthcare employees admit they do not abide by their employer’s security rules;
  • More than one-quarter of respondents share sensitive data, documents, and information externally using personal sync and share services like Dropbox;
  • Across industries, 29 percent of respondents admit sharing intellectual property via non-secure email externally; and
  • When deciding how to send sensitive documents, 60 percent of respondents across industries said they simply do what is easiest.

The survey reportedly also found that an overwhelming number of healthcare employees understand their employers’ information security policies and how to use the secure communications tools provided to them. Yet, a majority reportedly indicated that they do whatever is easiest when they need to transfer data and 64 percent said when it comes to sharing data, email is the easiest tool.

The survey results suggest that healthcare providers’ data security efforts cannot end at training employees to use their communications tools. Rather, these efforts must include programs to create a culture of information security. This can include elements such as:

  • Reminders of the reasons the security measures have been put in place;
  • Exploring ways to make secure communications systems easier to use;
  • Soliciting employee feedback on ways to make secure communications more efficient; and
  • Auditing the use of non-secure methods of communication.

As scrutiny from regulators increases and plaintiffs’ lawyers bring new claims based on data breaches, healthcare employers and employers across all industries need to be sure they are walking the walk and not just talking the talk on information security.

It is critical that businesses ensure their employees have greater awareness of the sensitivity of the personal information they acquire, handle and transport, and receive training about how to be more cautious handling it. The Jackson Lewis Privacy, e-Communications and Data Security team can help your organization with employee training and implementing appropriate procedures to address these types of risks.

Below are additional Jackson Lewis resources that address employee handling of sensitive personal information in the healthcare industry:

The Supreme Court Will Rule on Data Breach Class Arbitration Suit

The U.S. Supreme Court recently granted a petition for review of a data breach lawsuit addressing the issue of whether parties can pursue a class arbitration when the language in the arbitration agreement does not explicitly allow for such, Lamps Plus, Inc. v. Varela, No. 17-988, certiorari granted April 30, 2018. The Court will have the opportunity to clarify its 2010 decision in Stolt-Nielsen v. AnimalFeeds International Corp., 559 U.S. 662 (2010), in which the Court ruled that parties cannot be forced into class arbitration “unless there is a contractual basis for concluding [they] agreed to do so.”

The petition for a writ of certiorari brought by Lamps Plus, a lighting retailer, presented the issue, “[w]hether the Federal Arbitration Act (FAA) forecloses a state-law interpretation of an arbitration agreement that would authorize class arbitration based solely on general language commonly used in arbitration agreements.” Lamps Plus argues that the 9th Circuit panel erred in ruling that the company must participate in a class arbitration of an employee’s claims when the employment agreement did not state that class arbitration was available. The employee’s claims arise from an incident of identity theft, as the result of a phishing attack, in which a third party impersonating a Lamps Plus employee convinced a fellow Lamps Plus colleague to send copies of W-2 forms for multiple Lamps Plus employees.

The employment agreement between the named plaintiff, Frank Varela, and his employer, Lamps Plus, included an arbitration clause; however, it was silent on whether the clause also allowed for class arbitration. The 9th Circuit majority ruling stated that “perhaps the most reasonable” interpretation of that agreement allows for class arbitration. The circuit court reasoned by analogy that Varela waiving his “right…to file a lawsuit or other civil action or proceeding” and “any right…to resolve employment disputes through trial by judge or jury” clearly also includes waiving his right to class action lawsuits, even though the agreement does not explicitly state such.

In its petition to the Supreme Court, Lamps Plus emphasized that, “This court could not have been clearer that, in light of the fundamental differences between class and individual arbitration, the FAA prohibits exactly what the panel below did here: inferring ‘[a]n implicit agreement to authorize class action arbitration from the fact of the parties’ agreement to arbitrate.’”

Varela, on the other hand, relying on the 9th Circuit analysis, argued that the circuit court decision is consistent with the high court’s decision in Stolt-Nielsen, the FAA, and California contract law principles. “The decision creates no inter-circuit conflict and does not threaten to impose class arbitration wholesale on parties who did not agree to it. It offers only a reasonable interpretation of a single contract to determine the parties’ intent in light of background principles of state contract law,” Varela stated.

The Supreme Court will now clarify its decision in Stolt-Nielsen, and will settle an ongoing circuit split over whether, irrespective of state contract law, an agreement that does not explicitly include class arbitration can nonetheless authorize it. The Court’s decision will have major implications for employers, well beyond the data breach context. Regardless of how the Court ultimately rules, companies are advised to include unambiguous language in their employment agreements on whether class arbitration is available. For additional insight regarding class actions, including class arbitration and waivers, please visit the Class and Collective Action Update.

Colorado Strengthens its Consumer Data Protection Law

Back in January, Colorado lawmakers on both sides of the aisle introduced a groundbreaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules, HB 1128. Now, Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.

HB 1128 was sponsored by Rep. Cole Wist (R), Rep. Jeff Bridges (D), Senator Kent Lambert (R) and Senator Lois Court (D), and was passed unanimously by the Legislature, signifying the bipartisan understanding that, in today’s climate, data security is a key issue that must be addressed. Nonetheless, the bill was initially met with opposition by large businesses that argued that certain heightened requirements were already obligatory under federal law, and that notification to the Attorney General within 7 days was too short a timeframe to determine if misuse of data had occurred, which could result in fear of identity theft even where none had taken place. The bill was then given an overhaul, taking into consideration the businesses’ concerns.

Key updates to Colorado’s new law include:

  • Expansion of breach notification requirements.

The bill expands the definition of information that, if breached, would require notification to affected Colorado residents. Under the new law, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred. Currently, this is the shortest time frame of any U.S. state (Florida also has a 30-day notification period, but allows an additional 15 days under certain circumstances). Specific content requirements also were added to the state’s existing data breach notification law. Of note, the law does not create exemptions for entities subject to reporting requirements under HIPAA or the Gramm-Leach-Bliley Act, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.

  • Requirements for reasonable security procedures and data disposal.

The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.

More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must develop and maintain a written policy for the destruction and proper disposal of those documents. Additionally, covered entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations. Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity “shall require” the third party service provider to implement and maintain reasonable security procedures and practices as appropriate. Thus, as is already required in other states such as Massachusetts and California, businesses need to be reviewing services agreements with their third party vendors to ensure they include appropriate language to meet these requirements.

Note that with respect to the reasonable safeguard and data disposal requirements, PII is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” with respect to the law’s breach notification requirement.

The Attorney General’s office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.

This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data. Covered entities are advised to develop and implement practices and procedures appropriate for the PII and PI they own, license, or maintain including administrative, technical and physical safeguards.

For more information on data breach notification law developments, see our recent articles:

Arizona Updates Its Data Breach Notification Law

Last month, South Dakota and Alabama became the final two states to enact a data breach notification law. In addition, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. Arizona is the latest state to update its data breach notification law to reflect recent trends.

Introduced in January and signed into law recently by Arizona Governor Doug Ducey, the new law has several key updates, including:

  • Expands the definition of personal information to encompass:
    • information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
    • a private key that is unique to an individual and is used to authenticate or sign an electronic record;
    • an individual health insurance identification number;
    • a passport number;
    • a taxpayer identification number or an identity protection personal identification number issued by the IRS;
    • unique biometric data used for online authentication purposes; or
    • an individual’s username or email address, in combination with password or security question and answer, that allows access to an online account.
  • Sets a 45-day notification requirement for consumers affected by the breach.
  • Risk of harm analysis: notification not required if a third-party forensic investigator or law enforcement agency determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
  • Types of notice: notice may be accomplished via email if the entity providing notice has email addresses for individuals subject to notification.
  • Notification content requirement: notice must contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies, and the Federal Trade Commission.
  • If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
  • The Attorney General can impose civil penalties on violators of $10,000 per affected individual or the total economic loss sustained by affected individuals up to a max of $500,000.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. Our recently published State Data Breach Notification Laws: Overview of the Patchwork is a great resource for understanding common provisions, and trends in state statutory amendments. Please contact your Jackson Lewis attorney to discuss these developments and specific state breach notification laws and reasonable safeguard requirements.

Are You Covered?

The New Jersey State Bar Association recently met to discuss, among other things, our favorite topic: Cybersecurity. (Perhaps our esteemed Privacy, e-Communication and Data Security Practice Group chair was there….) We wanted to briefly mention two critical points discussed:

  • Critical Point #1: The biggest risk out there is employees. We employees click on all sorts of attractive nuisances (we love those W-2 phishing scams), share our passwords with our colleagues, lose thumb drives, and leave our laptops in our cars, ripe for theft. We (generally) mean well – we just need training! Training is a critical element of an information security plan, so be sure to train your employees. But don’t just train them once – as is evident from the fact that employees are consistently at the top of the list of cybersecurity risk factors, we need to have security details reinforced (perhaps repeatedly). Therefore, it is important to periodically refresh that training. (Yes, we can help you with that – here is information on the resources our practice group offers.)
  • Critical Point #2: As noted in a blog post from earlier this year, employers can have vicarious liability for data breaches by employees. When that breach occurs, companies should be sure to have appropriate insurance in place to cover the resulting expenses. Talk to your insurance agent and be sure your company has insurance to cover the potential incidents that may arise in connection with your operations, and which provides the company with assistance with the different costs it may incur, such as investigation, mitigation, public relations, breach reporting and compliance, and possible business interruption.

Oh, one more thing… Rapid7 issued its Quarterly Threat Report earlier this week. While health care has always been among the top threat sectors, this Quarterly Threat Report indicates that health care is now bumping up to the top spot, eclipsing the financial industry as a cybersecurity target. This is due to both the rich nature of the data that health care entities maintain, and to the vulnerable nature of their systems. The Report notes that “healthcare organizations often have a complex, distributed IT infrastructure with difficult-to-patch legacy systems and proprietary medical devices, making them challenging to secure quickly. They also rely on system availability to keep operations running when lives are on the line, and adversaries have frequently targeted that availability using tactics such as ransomware or telephonic denial of service attacks (TDoS) to overwhelm critical phone lines.”

The Jackson Lewis Privacy, e-Communication and Data Security team can help your organization with a Data Breach Readiness Assessment. More information about our Data Incident Response Team is available here.

The FTC Announces a National Cybersecurity Education Campaign for Small Businesses

The Federal Trade Commission (FTC) recently announced that it will launch a national education campaign to aid the small business sector in strengthening its cybersecurity and protecting its sensitive and personal data.

The national education campaign builds on the FTC’s 2017 Small Business Initiative which included the creation of a new website: FTC.gov/SmallBusiness aimed at helping small businesses protect their networks and data and avoid scams, and the Small Business and Cybersecurity Roundtables that included five roundtable discussions with small businesses to learn from the challenges they face dealing with cyber threats and cybersecurity and hear ideas on how the government can help them. The FTC developed the national cybersecurity education campaign based on lessons learned from the roundtables.

In the FTC’s announcement of the national education campaign, Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection highlighted that, “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face… Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.”

An FTC staff report released together with the announcement, Engage, Connect, Protect: The FTC’s Projects and Plans to Foster Small Business Cybersecurity – The Federal Trade Commission Staff Perspective, includes an outline of the reader-friendly materials the national education campaign will provide for small businesses looking to better protect themselves from cyber incidents, including:

  • Creating a suite of training materials for small businesses and their employees – 10 – 12 modules that will each include a cybersecurity challenge and advice for dealing with it accompanied by short videos, presentations, and other materials. These materials will be appropriate for small business owners and managers to share with employees.
  • Developing consistent messages from the federal government – this includes working together with the government’s Cybersecurity Forum, the National Cybersecurity Alliance’s (NCSA) federal partners working group, and other working groups FTC staff belong to, to create consistent messages regarding cybersecurity across other key federal agencies that interact regularly with small businesses.
  • Partner with the private sector – The FTC will continue to work together with private sector partners including the NCSA, the Better Business Bureau, and the U.S. Chamber of Commerce to ensure small businesses across all industries are aware of and have access to campaign materials. Materials will also be available online.

Although the media’s attention of late has been on large companies suffering data breaches, it is important to remember that, according to a recent study, half of all cyberattacks target small and mid-sized businesses. Small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

For more information on small businesses and cybersecurity, below are several of our helpful materials:

Health Apps: Convenience vs. Security Risks

The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected technology that offers better communication, access and diagnostic capabilities. Many healthcare professionals use mobile apps for immediate communication with their patients and more responsive healthcare management. In a nutshell, there is a “mad dash” to address the demand of providing more “real time” health data. In response to this innovation, the question then becomes whether healthcare providers can tap into the available technology of “connectivity” and still protect health and personally identifiable information.

The U.S. government has acknowledged the dilemma associated with medical apps and devices when attempting to balance innovation with privacy and security. The Food and Drug Administration (FDA) over the past several years has instituted various initiatives to protect the public health from cybersecurity vulnerabilities of medical apps and devices. In particular, in late 2016 the FDA released final guidance, “Postmarket Management of Cybersecurity in Medical Devices”, which has been followed up with webinars and workshops to assist the public in guideline implementation. The FDA has also recently released its Medical Device Safety Action Plan, which outlines the FDA’s plan to balance the security concerns associated with medical devices while still promoting innovation in this important field. In addition, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 164.302 – 318, requires covered entities to conduct a Security Risk Assessment (SRA) on medical devices and apps that contain electronic protected health information to determine cybersecurity vulnerabilities and address them as appropriate.

A recent study conducted by the University of Piraeus, published in the Institute of Electrical and Electronics Engineers (IEEE) Access journal (29 January 2018), indicates that many popular mobile health apps fall down when it comes to adequate privacy and cyber security protections. Many of these apps do not follow standard practices or do not comply with the impending General Data Protection Regulation (GDPR). Consequently, the privacy risk to millions of healthcare consumers and related healthcare institutions is significant.

The comprehensive study analyzed 20 mobile health apps from the top 1,080 of the medical and health and fitness sections of the Google Play Store. To qualify for the study each had to be in English, have at least 100,000 downloads, and be free.

Researchers identified a large number of potential security flaws, including insecure programming practices, lack of protection for sensitive data in transit, and lack of adequate encryption for protection of this data. Oftentimes, the apps were not in compliance with GDPR requirements, including the requirement to obtain data subject consent and to honor the right to withdraw consent. The study indicated that a significant percentage of available health apps do not adequately protect confidential information. Consequently, it is recommended that health care providers establish a detailed compliance protocol requiring strict self-assessment before integrating with any mobile apps. All healthcare providers considering using apps need to carefully evaluate security protections prior to allowing mobile health apps to access medical information. The cost of evaluating security risks and identifying proactive solutions may be significant. Consequently, the cost to ensure privacy protection could significantly limit the type and number of mobile apps that should be “connected.” The bottom line takeaway for market competitive healthcare providers is clearly to be proactive and engage in a “deep dive” audit practice before allowing protected medical information to be put at risk through the use of unvetted apps.

What’s Been Going on in New York Cyber Regulation since New York’s “first-of-their-kind” DFS regulations?

Co-Author: Thomas Buchan

As reported in our blog post from November 6, 2017, the New York State Attorney General announced the release of the proposed Shield Act in early November, 2017. This new legislation (we have some links for you below) would make significant changes to New York’s cybersecurity provisions (primarily under General Business Law §899-aa and its sequential provisions), including the following:

  • Expanding the coverage of New York’s data security protections to include any business that holds sensitive data of New York residents.
  • Imposing obligations on all such businesses to have “reasonable” safeguards in place to protect that sensitive data (though small businesses would have more flexible standards).
  • Changing the notification obligations under the law so that they would apply not only to the acquisition of sensitive information, but also to access to that sensitive information.
  • Increasing civil penalties in actions brought by the Attorney General’s office.

This much heralded, proposed legislation was in response to several large data breaches and ransomware attacks impacting New York residents and was often referenced by Attorney General Schneiderman as a critical measure to increase the data security of New York residents.

So, what’s the status of the SHIELD Act? First, we note that New York has been working on changing GBL §899-aa and its sequential provisions for a while. Legislation amending the law (but with different provisions) was proposed by the New York State Department of Law in the 2015 legislative session, but not passed (its last status was in Assembly and Senate committees). The SHIELD Act legislation was proposed by the Attorney General in late October, 2017, with the Assembly version sponsored by then-Assemblyman Kavanagh. Subsequently, he became Senator Kavanagh, and so the Assembly version of the legislation needed a new sponsor, and the bill was picked up by Assemblyman Titone (with nearly identical provisions, save for an amendment to provide for a “rolling” effective date based on when the legislation was passed). The (slightly) amended Assembly bill remains in the Assembly Consumer Protection Committee. The Senate version of the bill, sponsored by Senator Carlucci, was introduced to the Senate Consumer Protection Committee, and was subsequently sent to the Senate Finance Committee. As of this writing, the Assembly and Senate SHIELD Act bills have yet to move out of committee to the floor for a vote, and, therefore, the SHIELD Act is not yet a law. Jackson Lewis’ Government Relations team continues to monitor this legislation.

New York continues to focus on cyber security, however. Some examples of other laws and regulations in process are:

  • The Department of Financial Services proposed regulations impacting credit reporting agencies: These proposed regulations would impose registration requirements and detail prohibited practices for credit reporting agencies – and would require credit reporting agencies to comply with DFS’ (first-of-their-kind) cybersecurity regulations for financial institutions.
  • The New York Department of State emergency regulations on identity theft prevention and mitigation: These regulations were also implemented on an emergency basis, and would place requirements on consumer credit reporting agencies with respect to marketing identity theft prevention products. They would also empower the Division of Consumer Protection to obtain information from consumer credit reporting agencies, and inform and educate consumers with respect to protecting personal information, preventing identity theft and addressing identity theft when it does occur. These emergency regulations are still active, and expire on May 5, 2018.
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a New York State Cyber Security Action Plan and Periodic Cyber Security Reports: The first bill would establish a cyber security advisory board to be operated within the New York State Department of Homeland Security and Emergency Services (DHSES), to advise the Governor and Legislature on cyber security development, and recommend protective measures. The second bill would have several agencies working together to develop a cyber security action plan for New York. The final bill would have DHSES work with the Office of Information Technology Services, the New York State Police and the President of the Center for Internet Security (which is a private, not-for-profit organization) to do a comprehensive report of all cyber security services in New York State, every five years. These bills are in committee, in committee and in committee, respectively.

In case you would like some more information, below are links to some of our previous blog posts dealing with cyber regulation in New York, and a link to our archived webinar on DFS regulation compliance (helpful to keep up with the continuing obligations under the regulations):

Our thanks to our Government Relations Practice Group colleagues for their assistance in preparing this blog post, and for keeping us up-to-date on these legislative and regulatory initiatives.

If you need help meeting privacy requirements, are looking for assistance with compliance, policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.

NIST Releases Updated Version of Its Cybersecurity Framework

On April 17th, the National Institute of Standards and Technology (“NIST”), a component of the U.S. Commerce Department, released Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework Version 1.1”), which incorporates feedback from NIST-led workshops, public comments, and questions received by NIST team members over the last two years.

The Cybersecurity Framework development process was initiated by President Barack Obama’s Executive Order 13636, released on February 12, 2013. In the Executive Order, NIST was tasked with developing a framework that would introduce efforts for sharing cybersecurity threat information and create a set of current and successful approaches that would reduce cybersecurity risks to critical infrastructure. The original Cybersecurity Framework Version 1.0 was released on February 12, 2014, providing a systematic methodology for managing cybersecurity risk. It was intended to complement, not replace, an organization’s cybersecurity and risk management program, and was aimed at industries vital to national and economic security, including energy, communications, banking and defense. Nonetheless, it has since proven adaptable for both small and large businesses across all industries.

Cybersecurity Framework Version 1.1 has evolved with the changes in cyber threats, technologies, and industries since the release of Version 1.0 in 2014. “The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. Moreover, Matt Barrett, Program Manager for the Cybersecurity Framework, emphasized that in the updated version “We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework”.

A fact sheet for the Cybersecurity Framework Version 1.1 provided by NIST indicates several key points:

  • Refined for clarity, it’s fully compatible with Cybersecurity Framework Version 1.0 and remains flexible, voluntary, and cost-effective;
  • Declares applicability for “technology,” which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
  • Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
  • Enhances guidance for applying the Cybersecurity Framework Version 1.1 to supply chain risk management;
  • Summarizes the relevance and utility of Cybersecurity Framework Version 1.1’s measurement for organizational self-assessment;
  • Better accounts for authorization, authentication, and identity proofing.

“This update refines, clarifies and enhances Version 1.0,” said Barrett. “It is still flexible [enough] to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

In the coming months, NIST anticipates release of the Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, a companion document to the Cybersecurity Framework Version 1.1, which will identify key areas of development, alignment and collaboration. In addition, NIST will host a public webcast on April 27, 2018 at 1 p.m. EST to discuss updates to the Cybersecurity Framework, and plans to hold a Cybersecurity Risk Management Conference in November 2018. This set of NIST cybersecurity resources is flexible and user-friendly, and can benefit small and large businesses across a broad range of industries in their approach to cybersecurity and risk management policies and procedures.

Banks Cannot Skirt Contract Remedies in Data Breach Suit Against Retail Merchant

Attempting to advance a novel theory of law, several banks filed a class action in Illinois federal court against a grocery store chain arising out of a data breach that resulted in the theft of 2.4 million credit and debit cards. Community Bank of Trenton v. Schnuck Markets, Inc. After the breach, and based on the terms of their credit card user agreements, the banks were required to issue new cards and to reimburse their customers, as required by federal law, for financial losses due to unauthorized purchases. In the suit, the financial institutions sought to recover some of their costs from the grocery store chain that was allegedly responsible for the loss of the data. The Plaintiffs estimated the losses to be in the tens of millions of dollars. As discussed below, the banks were not successful.

The core question in the case was whether any applicable law provided the cardholders’ banks with a remedy under tort law against a retail merchant who was the subject of a data breach.

Generally speaking, the credit card issuing bank, here the Community Bank of Trenton, has contractual relationships with the consumers to whom the cards are issued and with the credit card network, e.g., Visa or Mastercard. The issuing bank does not have a direct relationship with the retail merchant, here Schnuck Markets. From the perspective of a bank such as Community Bank of Trenton, its remedies arise from (a) the contract between it and the consumer, (b) the contract between it and the credit card network, or (c) the operation of federal law that provides limited reimbursement.

Seeking an end run around these relationships, the class of banks invoked common law tort theories to go directly against the retail merchant, because there was no contractual remedy that would make them whole for their losses.

The banks claimed in part that the merchant was negligent – not in permitting the breach to occur – but in not recognizing that it had occurred for months thereafter. And, once the chain did learn of the breach, it was another two weeks before it was announced publicly. The Plaintiffs alleged that numerous security steps could have prevented the breach and that those steps were required by the credit card network rules (e.g., installing antivirus software, maintaining firewalls, encrypting sensitive data, and implementing two-factor authentication).

Despite seemingly compelling arguments, the Seventh Circuit ultimately upheld the lower court’s dismissal of the banks’ claims, finding that the banks were bound by the contractual provisions of their agreements. Essentially, the court ruled that, by joining the credit card system, the banks accepted some risk of not being fully reimbursed for the costs of another party’s mistakes.

With the increasing number of data breaches occurring in every sector of the economy, we can anticipate more and more litigation, including attempts to assert novel theories to recover significant losses resulting from the breaches.

Below are additional resources on data breach litigation:
