An Illinois nursing home is facing a putative class action lawsuit filed by a worker who argues that the facility’s required fingerprint scan for timekeeping poses a threat to their privacy, and violates Illinois’s Biometric Information Privacy Act (“BIPA”). From July 2017 to October 2017, at least 26 employment class actions based on the BIPA have been filed in Illinois state court and show no sign of slowing.

Although some consider Illinois the leader in biometric data protection, other states have enacted laws similar to the BIPA, and still others are considering such legislation. Companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared. For more information on the nursing home case and advice on how to prepare when collecting biometric information, our comprehensive article is available here.

Below are additional resources to help navigate biometric information protection laws:

The European Commission recently issued an overall positive review in its first annual report on the E.U. – U.S. Privacy Shield (“Privacy Shield”),  after evaluating the Privacy Shield in its joint review with the US last month.

The Privacy Shield took effect in August 2016, replacing the EU – US Safe Harbor framework that had been invalidated by the Court of Justice of the European Union. Over 2,500 companies are self-certified under the Privacy Shield, and tens of thousands of EU companies rely on it to transfer data between the EU and US.

First Joint Review

In September, E.U. Justice Commissioner Věra Jourová and U.S. Secretary of Commerce Wilbur Ross launched the first annual joint review of the E.U. – U.S. Privacy Shield, a built-in requirement of the agreement. Commissioner Jourová anticipated “some proposals for improvement” but did not expect that the review “will reopen negotiations again.” On the U.S. side, White House press secretary Sarah Sanders stated that the White House firmly believed the review would “demonstrate the strength of the American promise to protect the personal data on citizens of both sides of the Atlantic.”

The review examined all aspects of the Privacy Shield administration and enforcement, including commercial and national security related matters, broader US legal developments and communication between E.U. and U.S. authorities.

EU Commission Report

After evaluating the results of the joint review, the EU Commission published its first annual report on the functioning of the EU-US Privacy Shield (“the Report”), confirming that the Privacy Shield framework provides an adequate level of protection for personal data transferred from the EU to the US. The Report gives a green light to companies that rely on the Privacy Shield for their transatlantic data flows. Nonetheless, the Report raised concerns about US surveillance practices and about oversight of the Privacy Shield.

The EU Commission provided ten recommendations in the Report to help improve Privacy Shield framework implementation. Key recommendations include:

  • Greater cooperation between all enforcement entities – U.S. Department of Commerce, Federal Trade Commission and EU Data Protection Authorities.
  • More proactive and regular monitoring of corporate compliance by the US Department of Commerce (“DoC”), including requiring self-certified companies to respond to compliance review questionnaires or to file annual compliance reports with the DoC.
  • Reform/Review of US surveillance practices – in particular those associated with the Foreign Intelligence Surveillance Act and privacy protections for non-US citizens.
  • Immediate appointment of the Privacy Shield Ombudsperson, and filling key positions in the Privacy and Civil Liberties Oversight Board.

Commenting on the Review, EU Justice Commissioner Jourová stated that, “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”

For more information on the Privacy Shield compliance requirements and assessing whether the Privacy Shield is the proper mechanism for your company to use when transferring data outside of the EU to the US, we have prepared a Comprehensive EU – US Privacy Shield Q & A.

A coalition of the Information Technology Industry Council, the Semiconductor Industry Association, the U.S. Chamber of Commerce Technology Engagement Center, Intel, and Samsung, recently released a report that puts out a call for the creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of the Internet of Things (“IoT”). The report recognizes that IoT is an extremely valuable part of our nation’s fabric, as it will facilitate a fundamental transformation in society through safety improvement, greater private and public sector efficiency, and significant economic growth in all sectors.

According to the report, the launch of the coalition’s IoT initiative was fueled by a “call of a chorus of technology leaders seeking a forum to proactively coordinate and drive industry’s trusted advisor role in helping the United States to fully realize the vast benefits of IoT for economic and societal good.” Through a series of analytical recommendations, the report, among other things, sets forth a definition for the IoT, the importance of having the federal government involved as a leader in the development of a national IoT strategy, and steps for approaching security within the IoT.

Starting with the basics, the report recommends an adoption of a “broad-based” definition for future IoT strategy and policy. To allow for all forms of IoT to be recognized, the report’s definition simply states, “[t]he IoT consists of ‘things’ (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities).” This definition captures billions of existing devices and importantly leaves room for the inclusion of technologies and devices that might be invented one day in the future.

On developing a workable national IoT strategy, the report stressed the need to enact the Developing Innovation and Growing the Internet of Things Act, legislation which would, according to the report, ensure that a “national IoT strategy” becomes a priority and provide a clear “national IoT vision.” IoT industry experts have found that a “[n]ational IoT Strategy is a much-needed first step to drive U.S. IoT leadership, and some of the most important elements of a national strategy will require affirmative action from Congress and the administration.” Going a step further, the report makes “strategic recommendations for the U.S. government to work with the industry to drive American IoT leadership” by creating “a policy and regulatory environment that will attract unparalleled private sector investment and innovation in the IoT, thereby modernizing the nation’s infrastructure, improving American manufacturing, and growing [gross domestic product].”

Security is another important area addressed by the report. According to the report, “government-industry” collaboration is critical to improving the security of devices, data, networks and systems. IoT and security must be viewed in a “comprehensive manner,” the report notes, because security is an endless and evolving challenge to technology and “[t]here is no single ‘silver bullet’ in risk management and mitigation.” The “best” security policy would focus on outcomes rather than on specific technologies or techniques, because a specific requirement can “quickly become obsolete,” the report points out. Implementing this kind of security policy would be a “win-win proposition for makers, providers, and purchasers.” Therefore, the report concludes that future federal policies should be “flexible” so as to encourage “ongoing innovation and best practices” for security.

On a related note, increasingly common security breaches raise the issue of liability. In fact, class action data breach litigation has increased significantly in recent years. In these actions, plaintiffs seek damages from the businesses that “failed” to provide sufficient data security. But, with the IoT, who should really be held liable? Many plaintiffs’ attorneys argue that all IoT businesses within the IoT “supply chain” should be held liable for damages arising from a data breach and lack of security. Yet identifying and understanding exactly who is in the “supply chain” can be extremely challenging.

All in all, a nationally recognized, flexible and multi-stakeholder IoT policy can provide a “smart” solution to cybersecurity issues because “IoT risk mitigation is a constantly evolving, shared responsibility between government and the private sector.” The threat of IoT cyber attacks is not speculative: we have already seen a major wave of cyber attacks carried out through “vulnerable” devices that did not have sufficient security.

The coalition’s report is a critical framework for advancing the development of IoT in the United States. It is now incumbent on private industry as well as the federal government to implement many – if not all – of the report’s recommendations.

We are proud to once again announce that the Workplace Privacy Report has been nominated for The Expert Institute’s Best Legal Blog Competition.

From a field of thousands of nominees, the Workplace Privacy Report has received enough nominations to join one of the largest competitions for legal blog writing online today.  If you enjoy the Workplace Privacy Report, it is up to you, our readers, to follow the link below and vote!

To vote, simply click here!

We appreciate your readership and will continue to provide new and exciting content for you in the future.

New York State Governor Andrew Cuomo and the New York State Department of Financial Services (“DFS”) have been busy on the cybersecurity front. In a press release on September 18, 2017, building upon the state’s pride in its “first-in-the-nation” cybersecurity regulations passed earlier this year (which we previously discussed on our blog and in our articles Getting Prepared for the New York Department of Financial Services’ Proposed Cybersecurity Regulations and New York Releases Revised Proposed Cybersecurity Regulations), the Governor directed that new regulations be put in place requiring consumer credit reporting agencies to register with DFS, thereby making them entities subject to the DFS cybersecurity regulations. The Governor’s press release stated that “[o]versight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.”

The proposed regulations are entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies” and would be codified in a new Part 201 to Title 23 of the New York Code of Rules and Regulations (the “NYCRR” as it is commonly known). As noted in the introduction to proposed Part 201, the regulations would address not only safeguarding data, but also failures to maintain accurate data and to investigate a complaint made by a consumer about allegedly incorrect information in a credit report.

Under the proposed regulations, consumer credit reporting agencies (those entities that regularly provide information pertaining to a consumer’s credit, or public record information and credit account information, defined as “consumer credit reports”) must register with DFS no later than February 1, 2018 (and earlier if they will provide consumer credit reports before February 1, 2018), and then renew on an annual basis by each February 1st. Unregistered entities are not authorized to assemble or maintain a consumer credit report, and other entities regulated by DFS (such as banks or insurance companies) may neither provide information to unregistered entities nor pay them any fees.

The proposed regulations have fairly broad information reporting requirements, requiring the consumer credit reporting agency to provide a sworn report with “the information requested by the Superintendent” and to allow DFS to make “any inquiry in relation to the assembly, evaluation, or maintenance of any consumer credit report on any consumers located in New York.” If a consumer credit reporting agency violates any insurance, financial services or banking laws, DFS regulations (or those of other states), provides materially incorrect information or commits similar nefarious acts, the agency’s registration may be revoked or suspended. Finally, the proposed regulations deem consumer credit reporting agencies “Covered Entities” and expressly subject to the DFS cybersecurity regulations.

The principal consumer credit bureaus are not based in New York – so it will be interesting to see if they oppose the proposed regulations.

In its press release on the same day, DFS announced guidance to its regulated institutions with respect to cybersecurity measures. DFS recommended that entities implement several steps, including installing all IT and information security patches and following up on ID theft and fraud prevention measures. The Department also provided a reminder about the provisions in the DFS cybersecurity regulations which apply to third-party service providers.

Are you worried about the impact of these proposed regulations on you? Jackson Lewis’ Privacy, e-Communications and Data Security Practice Group and New York-based Government Relations Practice Group can help with that!

And always remember: The Jackson Lewis 24/7 Data Incident Response Team is ready to assist with your cybersecurity planning and available to help if (when?) a breach occurs. Our data breach hotline is: 844-544-5296.

Laptop-maker Lenovo (United States), Inc. agreed to a no-fault settlement with the Federal Trade Commission and 32 states over allegations that it installed ad software that compromised customers’ web security and invaded users’ privacy.

As part of the Consent Order, Lenovo agreed that it would:

  • Not misrepresent any feature of installed software related to consumer internet browsing-based advertising;
  • Obtain affirmative user consent before installing such software on computers;
  • Provide instructions for how the consumer may revoke consent to the covered software’s operation, which can include uninstalling the covered software; and
  • Provide a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.

The company also must implement and maintain a comprehensive software security program that is reasonably designed to (1) address software security risks related to the development and management of new and existing application software, and (2) protect the security, confidentiality, and integrity of covered information. Lenovo is required to obtain biennial third-party assessments of that program, and to report on them to the FTC, for the next 20 years.

Lenovo agreed to pay 32 state attorneys general $3.5 million under a separate state agreement. The FTC may seek civil fines if the company fails to abide by the Consent Order.

According to Acting FTC Chairman Maureen K. Ohlhausen, the settlement “sends a very important message” to companies that “everyone in the chain really needs to pay attention” to data security and collection, use, and promises made regarding the data.

The settlement with Lenovo comes on the heels of two other notable FTC settlements within the past month involving Uber Inc. and TaxSlayer LLC.

A copy of the Lenovo Consent Order can be viewed here.

These recent FTC settlements are an important reminder to all businesses that privacy and security obligations should not be taken lightly.

After hearing a lot lately about big companies suffering data breaches, it is important to remember that, according to inc.com, half of all cyberattacks target small to mid-sized businesses (SMBs). Based on a 2016 State of SMB Cybersecurity Report, CNBC reported that in the prior 12 months half of all SMBs in the U.S. had been hacked. This is consistent with FBI reporting (pdf) that an average of 4,000 ransomware attacks happen every day in the U.S., and with the observation of SEC Commissioner Luis A. Aguilar, who in October 2015 said that:

Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses. The reason is simple: Small and midsize businesses are not just targets of cybercrime; they are its principal target.

Clearly, SMBs need to address this significant risk to their businesses. Strong IT safeguards are part of the solution, but not a silver bullet. Administrative and physical safeguards also are needed, such as access management policies, awareness training, equipment inventory, and vendor assessment and management programs. But even the best safeguards cannot prevent all breaches. Thus, SMBs need to be prepared for responding to the inevitable – that they will experience a data breach of some kind. Below are three key steps SMBs should take to improve their level of breach response preparedness.

Understand your risks and vulnerabilities

  • Not all SMBs are created equal, at least with respect to inherent business risk of a cyber breach. Factors such as the type of business, jurisdictions in which business is conducted, and the amount and nature of the personal information involved in the business (payment card data, health data, SSNs, etc.) drive this risk.
  • Core competencies may be lacking. That is, members of the organization’s IT staff may be very adept at systems management, but significantly lacking when it comes to the latest cybersecurity tools and attack methodologies to provide competent leadership and execution.

Develop and practice an “Incident Response Plan”

  • Identify the internal team (e.g., leadership, IT, in-house counsel, and HR). These are the persons in the business who will direct the response to the incident. They will need to make quick, informed and prudent decisions that likely will be critical to the success of the response process, and possibly the future of the business.
  • Identify the external team (e.g., outside legal counsel, forensic investigator, and public relations). Having external members of the team identified ahead of time can be vital to the success of any preparedness plan. When a breach happens, valuable time can be lost trying to identify, evaluate, and engage third-party service providers necessary for the response.
  • Take into account all legal and contractual obligations that may affect the response process.
  • Clarify the roles and responsibilities of the team members at key points in the response process – discovering the incident, investigation, coordination with law enforcement, remediation, notification, third party inquiries, compliance, and reevaluation. This should include a well-defined decision making process to facilitate good choices and avoid delays.
  • Practice, practice, practice. It is likely that members added to the response team do not have first-hand experience with helping to coordinate a breach response. And, even a well-drafted plan does not give persons charged with implementing the plan a feel for what is involved. Once an SMB creates its plan, it should gather its internal and external breach response team members to simulate a breach in action in order to help members gain valuable experience with navigating the issues in a breach response, as well as working with each other.

Create awareness throughout the organization.

  • Educate employees on how to recognize attacks and other forms of data breach.
  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., whom to notify in IT, how to disconnect from the network).
  • Instruct employees on what not to do (e.g., deleting system files, attempting to restore the system to an earlier date).

All breach notification laws mandate that notification, if required, must be made without unreasonable delay. In some cases, notification can be required in as few as 15 days or even 72 hours. Thus, in all cases, SMBs have to act fast, sometimes very fast, making decisions that can have significant reputational implications for the business, as well as shape compliance and legal risks. Preparedness can make all the difference in the success of an SMB’s response to a data breach.

Although certain industries are known targets for cyber attacks – healthcare, financial, government – cyber attacks pose a threat to all sectors. Organizations in the entertainment industry have increasingly become targets of cybercrime. Over the past several years, a number of large entertainment companies have fallen victim to cybercriminals, resulting in the threatened and actual leaking of sensitive information including internal emails, passwords, compensation information, and unreleased programming. Unlike a “traditional” cyber attack, which threatens credit card numbers or social security numbers, the biggest risk of an entertainment industry cyber attack is the publicity that can result from compromising communications and other information about high-profile individuals and their associated businesses. For example, in the weeks leading up to the Game of Thrones season finale, HBO was hit with hacks, leaked episodes, and ransomware attacks, all stemming from a breach of its online security. Such incidents can harm the financial success and reputation of both the show and the network. In addition, a company’s failure to adequately safeguard the confidential information of individuals or affiliated parties may result in costly legal review, security remediation, forensic investigation, and litigation, all of which can negatively impact public relations.

As cybercriminals become more sophisticated with their attacks, and with the increasing awareness that the entertainment industry has become a prime target for hacking, it is important for companies in the industry to be proactive in making sure proper safeguards are in place before an attack occurs. Entertainment companies should ensure that they have qualified personnel with adequate resources who are capable of implementing necessary preemptive security measures. In addition, employees at all levels should receive training on what to do (and what not to do) to minimize the risk of a security breach. And companies should be prepared to respond quickly and effectively in the event that cybercriminals manage to circumvent preventive security measures.

Cyber attacks spiked 6,000% in 2016, and show no sign of slowing in 2017. Several months ago we reported on the increase of ransomware attacks in higher education, another “less known” target for cybercrime. No industry is immune to cyber attacks, and any organization that holds sensitive information must take steps to plan for and respond to such attacks appropriately in the unfortunate event that they occur. Jackson Lewis’s guide “Ransomware Attacks: Prevention and Preparedness” is a great starting point for any organization.

Jackson Lewis has a 24/7 Data Incident Response Team to assist with a ransomware attack, data incident, or data breach.

Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced that his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’s Office for Civil Rights (OCR) has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation for those looking for information on breaches and easier use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.

The HBRT was originally launched in 2009, as required by the HITECH Act, to provide information about HIPAA breaches affecting 500 or more individuals. HHS announced that the HBRT’s new features include:

  • Enhanced functionality and search capabilities allowing users to learn more about breaches currently under investigation and reported within the last 24 months;
  • New archive that includes all older breaches and information about how breaches were resolved;
  • Improved navigation to additional breach information; and
  • Tips for consumers.

The HBRT provides information such as: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Additional enhancements are expected in the future.

HIPAA covered entities and business associates may find the HBRT helpful for identifying areas in which to focus their information security efforts. In recent months, there have been several high profile data breaches involving the unauthorized disclosure of the protected health information of several hundred thousand individuals. In this environment of increasing security threats and regulator scrutiny, it would be prudent for entities in possession of individually identifiable health information of patients to take active steps to review and, where appropriate, enhance their security measures. The HBRT could be a helpful tool for assisting in those efforts.

The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology assets critical to its success and continuity. Key steps to prepare for and respond to a natural disaster can help soften the blow. There are many aspects to comprehensive disaster recovery planning.

Below are some recommended best practices for an effective disaster recovery plan:

  1. Build the Right Team. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks. The IT department, whether internal or through a third-party vendor, must be well versed in disaster response.
  2. Conduct a Risk Assessment. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the business’s operations would be affected by the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.
  3. Employee Safety. Information and technology assets are critically important, but not at the expense of human life. Employees should be provided with guidelines on how to ensure their safety, and be reminded that their safety comes first.
  4. Develop a Plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. The disaster recovery plan should be in writing and include the following:
    • Keep backups off site, in a safe location. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or the cloud will be essential to business continuity. The same is true for voice and electronic communications systems. Having critical business data replicated and stored off-site is a good “insurance policy” for any organization.
    • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others.
    • Data Encryption. Encryption of sensitive and/or critical business data will prevent unauthorized users from gaining access and limit exposure.
    • Don’t neglect laptops/mobile devices. Recovery plans tend to focus on the data center; however, approximately two-thirds of corporate data exists outside the data center. Moreover, laptops/mobile devices are far less resilient than, for example, data center servers.
    • Employee Training. No one likes fire drills, but they serve a valuable purpose. Make your employees aware of the risks and steps they must take in case of a disaster.
    • Test for recovery. Periodically perform recovery tests from randomly chosen backups. Audit each test, and confirm that all of your data was actually recovered, not merely that the restore job reported success.
  5. Update the Plan. As your business changes, grows, and adds locations and new people, the disaster recovery plan also may need to change to address those changes. A regular review of the plan is critical.
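
As an added example (not from the original post, and not code from any vendor mentioned in it), the following Python script shows one way to carry out the “regular backups” and “test for recovery” items above with evidence rather than a green checkmark: it records a SHA-256 manifest of every file at backup time, restores the archive while refusing any archive entry that would escape the restore directory, and then reports every file that came back missing, corrupted or unexpected. The directory layout, file names and contents are constructed for the demonstration; the `data_filter` hook is only used where the installed Python provides it.

```python
"""Backup manifest and restore verification (added example, not from the original post).

At backup time, record a SHA-256 digest of every file and keep that manifest both
inside the archive and with the off-site copy. After restoring, re-hash the restored
tree and report files that came back missing, corrupted or unexpected.
All paths, file names and contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files need not fit in memory


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, archive: Path) -> dict[str, str]:
    """Write root into a gzip tarball under 'data/' and embed the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="data")
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest  # keep a copy of this with the off-site backup as well


def safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield archive members, rejecting links and any path that escapes dest."""
    dest_r = dest.resolve()
    for m in tar.getmembers():
        target = (dest_r / m.name).resolve()
        if target != dest_r and dest_r not in target.parents:
            raise ValueError(f"unsafe path in archive: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"unsupported member type: {m.name}")
        yield m


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest and return the restored data root."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and security backports)
            tar.extraction_filter = tarfile.data_filter
        tar.extractall(dest, members=list(safe_members(tar, dest)))
    return dest / "data"


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict:
    """Compare the restored tree with the manifest; 'ok' is True only if everything matches."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(k for k in manifest.keys() & actual.keys()
                       if manifest[k] != actual[k])
    return {"missing": missing, "extra": extra, "corrupted": corrupted,
            "ok": not (missing or extra or corrupted)}


def run_demo() -> dict:
    """Constructed scenario: a clean restore, a bad restore, and a hostile archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ada,100000\n")
        (src / "notes.txt").write_text("disaster recovery runbook v3\n")
        archive = tmp / "backup.tgz"
        manifest = create_backup(src, archive)

        good = verify_restore(restore_backup(archive, tmp / "restore_good"), manifest)

        restored = restore_backup(archive, tmp / "restore_bad")
        (restored / "hr" / "payroll.csv").write_text("id,name,salary\n")  # silently truncated
        (restored / "notes.txt").unlink()  # never came back
        bad = verify_restore(restored, manifest)

        # A crafted archive whose entry would land outside the restore directory
        evil = tmp / "evil.tgz"
        with tarfile.open(evil, "w:gz") as tar:
            info = tarfile.TarInfo("../../escape.txt")
            info.size = 5
            tar.addfile(info, io.BytesIO(b"owned"))
        try:
            restore_backup(evil, tmp / "restore_evil")
            blocked = False
        except ValueError:
            blocked = True
    return {"good": good, "bad": bad, "traversal_blocked": blocked}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points worth keeping even if the rest is adapted: store the manifest with the off-site copy and not only inside the archive, so a corrupted or tampered archive cannot also corrupt the evidence used to check it; and keep the path check in `safe_members`, because a restore from a tampered backup is exactly the moment an entry such as `data/../../etc/passwd` does damage.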

So, as you clean up from Harvey and/or prepare for Irma, assess whether your disaster recovery plan meets your needs. If not, make appropriate changes. If you think your business could have benefited from such a plan, there is no time like the present to develop one.