As we’ve noted previously, President-elect Trump’s campaign was light on details about his plans to address cybersecurity. However, his announcement yesterday that Thomas P. Bossert will serve as his assistant for homeland security and counterterrorism, a position equal in status to national security advisor according to the transition team, may offer greater insight into the President-elect’s intentions and plans for cybersecurity and related issues.

Mr. Bossert, who served as a top homeland security advisor to the second President Bush, and who is currently the president of a risk management consulting firm that provides services to companies and governments, noted in the statement announcing his appointment:

We must work toward cyberdoctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.

Mr. Bossert’s statement – in particular the portion regarding the “limited role of government” – suggests that the Trump Administration may be slow to pursue new federal cybersecurity statutes and regulations, and that it may give federal agencies, such as the FTC, FBI, and DHS, shorter leashes to enforce existing cybersecurity laws. This statement is consistent with Mr. Bossert’s past advocacy of utilizing a free market approach to cyber insurance, instead of a government-backed program.

That said, given the prominent role cybersecurity issues have played in the lead-up to and wake of the presidential election, and the increased incidence in recent years of cyberattacks against high-profile businesses and government entities, the Trump Administration could face enormous political pressure to take action on the cybersecurity front. One way Mr. Trump may respond to that pressure is by investing heavily in measures designed to protect public and private organizations in the U.S., including private businesses, from cyber conduct perpetrated by foreign actors. Mr. Bossert, who has warned that businesses “don’t have enough money to compete with a motivated Chinese intelligence community data collection apparatus that can spend billions when [businesses] can only spend millions,” would likely agree with such an approach. The business community should bear in mind, though, that an effective plan for disrupting international interference with U.S. business affairs will likely require some degree of domestic regulation.

Additionally, it is worth noting that state and local governments have not waited for the federal government to act, and have legislated in a number of areas concerning cybersecurity. Examples include stringent regulations in California and Massachusetts designed to safeguard information systems and personal data. More recently, New York State is poised to finalize new, stringent cybersecurity regulations, potentially prompting other states to do the same. Indeed, other states and cities have already signaled their intent to pursue activist immigration and climate change agendas in response to what they believe the Trump Administration’s agenda will be.

We will keep you posted as Mr. Trump’s cybersecurity policies, and state and local responses thereto, come into clearer view.

The New York State Assembly Committee on Banks held a public hearing on December 19, 2016, receiving testimony about both the benefits and challenges of a recently proposed regulation to address the growing threat posed by cyber-attacks on banks, insurance companies and most other entities which are regulated by the Department of Financial Services (DFS). The proposed regulation was initially published by DFS on September 28, 2016 and since that time has been subject to a public comment period before final issuance.

The proposed regulation, if adopted, is likely to require most DFS-regulated organizations to establish a cybersecurity program, including the adoption of policies and procedures, the reporting to DFS of all successful and unsuccessful cybersecurity attacks, the appointment of a chief information security officer to oversee cybersecurity plans, and the inclusion of certain required provisions in third-party service provider agreements. We have outlined the proposed regulation in more detail here.

Representatives from community banking and other relatively small DFS-regulated entities testified during the hearing that the proposed regulation is a “one size fits all” solution that is too onerous for small to mid-sized entities, fails to coordinate with existing federal cyber requirements, and seeks to focus on a national security threat that should be addressed exclusively at the federal level. They also noted that the reporting requirements under the proposed regulation are particularly onerous in that reporting would be required for both successful and unsuccessful cybersecurity attacks, which will further contribute to additional regulatory compliance costs that will be passed on to the consumer, resulting in higher consumer prices and possibly reduced consumer choice in some markets. Other witnesses claimed the proposed regulation does not go far enough, calling for more comprehensive and prescriptive requirements. DFS did not testify at the hearing.

Meanwhile, DFS has indicated informally that it intends to publish a revised regulation in the coming weeks, and that, in so proceeding, it will among other things extend the proposed regulation’s January 1, 2017 effective date. DFS has not signaled – either informally or formally – what other changes it intends to make in the revised regulation. It is possible the testimony from today’s public hearing could influence some of the changes.

We will report on this blog once DFS publishes its revised regulation. We continue to urge DFS-regulated companies to carefully review their current programs, policies, and procedures to understand their current cyber footing and evaluate what action, if any, they will need to take once the revised regulation is adopted.

We know that data analytics is being used to influence a wide range of things such as the pair of shoes one might want to buy or what news is “trending” on Facebook. Similar tools are being applied to employer-sponsored group health plans. According to a recent HealthcareITnews article, vendors such as Advanced Plan for Health (APH) are using predictive modeling functionality to support population health management. The ability to better anticipate and manage plan costs while shaping plan design to meet the needs of plan participants likely will be very appealing to plan sponsors, but employers should think through implementation carefully.

According to the article, these products (APH calls its product “Poindexter”) can make predictions about when certain health events are likely to occur (such as an ER visit), or forecast the nature of the services to be provided (such as the length of the participant’s hospital stay). We will leave to the data scientists to describe how this sausage is actually made, but here is how it is summarized in the article:

Currently, the Poindexter engine calculates care gaps and predicts the likelihood of hospital admissions, as well as readmissions, 6 to 12 months in advance for any given patient population — typically covered lives in a self-insured employer’s health plan. The tool also examines data from claims, pharmacy and clinical sources, benchmarking against real-world health data adjusted for comparable demographics, geography and industry of the employer.

Poindexter assigns risk scores to individuals within that population – identifying people whose health profile suggests elevated risk. With this information, case managers can improve outcomes and lower costs when they help patients avoid catastrophic events by improving their health through timely interventions.

One thing seems clear about this process – there’s a lot of data, a lot of very sensitive data, involved that is coming from a number of different sources. Certainly, data privacy and security compliance (yes, this means HIPAA) must be taken into account by employers when considering whether and how to apply these analytical tools to their group health plans. Employer-sponsored wellness programs have raised similar issues, as participants often must tender personal health information about themselves to take advantage of incentives under those programs.

Speaking of wellness programs, if analytics can predict and help employers better design their health plans, couldn’t the technology also be used to help prevent or put off more adverse and expensive health events? That is, in the course of “population health management,” would it be unreasonable to expect that a health plan that can reasonably anticipate or predict a significant health event would take some steps to try to prevent it from happening? Coupling analytics with traditional wellness programs, incentives perhaps could be more targeted to better steer participants toward healthier behaviors or to get care sooner and less expensively.

In the course of administering benefit plans with features like these, keeping protected health information anonymous may be easier said than done. Additionally, providing inducements can raise issues under HIPAA, the ACA, and the Equal Employment Opportunity Commission’s ADA and GINA regulations, which also have confidentiality protections. So, as technologies like analytics emerge to power employee benefit plans, particularly health plans, they need to be run through the array of law and regulations that apply to those plans.

A motion to dismiss has been filed in a California case brought by a New York woman who claims that the National Basketball Association’s Golden State Warriors violated the Electronic Communications Privacy Act (the “Wiretap Act”), 18 U.S.C. § 2510, et seq., by distributing a mobile content app that invades users’ privacy by turning on a device’s microphone and eavesdropping on the audio it picks up. Satchell v. Sonic Notify Inc., et al., 16-cv-04961 (N.D. Cal.)

The app uses the phone’s microphone to track the user’s location by picking up on sonic beacons, but fails to warn users that it is doing so and that it is picking up nearby conversations in the process. The beacons then trigger the delivery of custom-tailored content, promotions, and advertisements directly to users’ smartphones.

The motion, filed by the Warriors and the company that operates the beacons, claims that Plaintiff has not alleged an injury in fact, as required by the Supreme Court’s recent decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016). According to defendants, Plaintiff’s sole allegation of injury is that there was wear and tear on her phone and that her phone lost battery power.

Defendants also assert that Plaintiff misunderstands how the app operates, stating that the beacon technology does not “record” or “intercept” anyone’s communications in that any such recordings remain on the user’s phone and are never transmitted beyond the device to any Defendant. Thus, Defendants could not have committed an illegal “intercept[ion]” within the meaning of the Wiretap Act, which requires an “acquisition of the contents” of an “oral communication.”

Plaintiff responded to the motion by arguing that Defendants misapply Spokeo. Plaintiff contends that she alleges a substantive (rather than merely procedural) violation of the Wiretap Act, stating that the Wiretap Act guards against intangible harms that are firmly rooted in common-law privacy torts and protects substantive privacy interests that Congress explicitly sought to protect in enacting the Wiretap Act. Thus, taking the position that history and the judgment of Congress establish that the invasion of privacy Plaintiff suffered is a concrete injury sufficient to confer Article III standing, Plaintiff argues the Defendants’ motion should be denied.

We will continue to keep our eye on the ball in this case and report back once the court rules on Defendants’ motion.

A recent study at the University of Arkansas suggests that organizations should avoid doing too much for individuals affected by a data breach. That is, when organizations provide compensation to breach victims that exceeds the victims’ expectations it could backfire. Those victims may become suspicious, thinking the organization has something to hide, which could have an adverse impact on the victims’ willingness to continue doing business with the organization.

If you have gone through a data breach, then you know the anxiety organizations experience throughout the process. Among other things, they have to quickly secure their information systems, investigate how the incident happened, and coordinate with law enforcement and other agencies. But perhaps the biggest concern is what to do for the individuals affected by the breach beyond providing breach notification.

Except for California and Connecticut, which require that credit monitoring and related services be provided following breaches involving certain personal information, most state data breach notification statutes only require that affected persons be given notice of the breach. Yet, when considering their breach response, many organizations think about what to do for affected persons regardless of state law requirements. In many cases, companies wind up offering credit monitoring and related remediation services, but some companies also will provide compensation of some kind.

The study found, however, that when compensation (e.g., gifts, discounts, free memberships, etc.) exceeds what the affected persons expected would be provided, those persons are more likely to become suspicious, rather than appreciative. If affected persons are suspicious they may not only be less likely to associate with the organization or continue to buy its products or services, they may be more likely to inquire more deeply about the incident or take legal action.

When considering breach response strategies, therefore, organizations should think more carefully about the kinds of benefits or compensation to offer to persons affected by the breach. We have emphasized here many times the importance of developing a breach response plan and practicing that plan. That process should include thinking through different remediation strategies, including what, if any, credit monitoring services or compensation the organization would be prepared to offer in the event of a breach. A rash decision to provide robust compensation to affected persons, made in the heat of an actual breach, could be the wrong one, according to the study.

Earlier this month, the Federal Trade Commission (FTC) blogged about How to defend against ransomware, and published Ransomware – A Closer Look in the “Tips and Advice” section of its website. This follows warnings from other federal agencies and law enforcement concerning this serious online threat to organizations, such as Dept. of Health and Human Services and the Federal Bureau of Investigation. The FTC’s guidance also follows a ransomware attack on a union pension plan and came at the same time as recommendations to the Department of Labor concerning cybersecurity. Organizations in all industries are exposed to this threat, particularly organizations that need data all the time to function, such as healthcare providers, professional service providers (e.g., legal and accounting services), financial service providers and others. From an FTC perspective, failing to take appropriate steps to prevent and address ransomware attacks could violate Section 5 of the FTC Act.

What is “ransomware” and how can we be attacked?

Ransomware is a type of malware that denies the affected organization access to its data, typically by encrypting it. Once the data is encrypted, the hacker who launched the ransomware attack notifies the organization that, in order to obtain a key to decrypt the data, it must pay a ransom, often in a cryptocurrency, such as Bitcoin.

According to the FTC’s article, most ransomware arrives through email phishing attacks that are carried out when someone at the organization clicks on a link or downloads a malicious attachment, allowing the malware to infect the system or device. Ransomware also can get on to an organization’s computer if a user visits a malicious or compromised website.

How can a ransomware attack affect our business?

Some of the effects will be obvious and others not so much. Ransomware locks your data while bad actors look to extract money from you in order to regain access. Such an attack can disrupt services to your customers and be costly to remediate. However, the attack also may have resulted in a breach of the security of your system triggering notification obligations to individuals whose personal information was accessed or acquired, or to your business partners for whom you maintain confidential information. If the malware is not competently and completely remediated, it can spread to other systems and equipment causing future attacks.

What should we be doing?

Prepare. Prepare. Prepare.

Confirm you have the right team. A key component of your team will be either your internal IT department or a third party vendor that provides IT services. However, these professionals are not always well versed in data security or the latest techniques used by the bad guys to access your systems. The IT department/third party may be saying “We got this.” But, while it is OK to trust, you should verify. And, if you are not sure, get help.

Secure your systems. With the right team in place, there are a number of steps that should be taken to stop an attack before it happens:

  • Conduct a risk assessment and penetration test to understand your potential for exposure to malware. This includes understanding the websites visited by users on your systems and their other activities online.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, email authentication, regular updates to virus and malware protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.

Make your workforce aware of the risks and the steps they need to take in case of an attack. In many cases, users of an organization’s systems are unaware of these kinds of attacks and how they can occur. Education can be a critical prevention tool:

  • Help users recognize phishing attacks and dangerous sites – don’t just say it, show them and do it regularly. It may help if you also explain that they can be victims too.
  • Instruct them on what to do immediately if they believe there may be an attack. This might include notifying the IT department, disconnecting their computer from the organization’s network, and other measures.
  • Also instruct them on what not to do. For example, deleting system files may make it more difficult if not impossible later on to forensically determine the source of the problem and what happened.

Maintain backups. The FTC advises backing up your data early and often, and keeping backup files disconnected from your network. Organizations that can rely on backups to be up and running quickly, without being forced to cooperate with (or pay) the ransomware attacker, are in a much better position to remediate the attack.
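A backup is only useful in a ransomware recovery if the copy itself is intact, so a restore team needs a way to confirm that before relying on it. The following is an added example, not code from the FTC guidance or from this blog: it records a SHA-256 manifest of a backup tree at backup time and later compares the tree against that manifest, reporting files that are missing, altered, or unexpectedly present (a sign the media was connected and written to). The manifest is assumed to be stored separately from the tree it describes (for example on the same offline media but outside the copied folder); the sample files and the simulated damage in `demo()` are constructed for illustration.

```python
"""Backup integrity manifest (added example; not from the FTC guidance or the blog).

Assumption (not in the original post): backups are plain file trees copied to
offline media, and a SHA-256 manifest kept alongside (but outside) the copied
tree lets the restore team confirm the copy is intact before relying on it.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree against the manifest taken when it was made.

    Returns {"missing": [...], "modified": [...], "unexpected": [...]}.
    All three lists empty means the copy is intact.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, record its manifest, then simulate
    one file overwritten with garbage, one file deleted, and a stray file
    appearing (a stand-in for a dropped ransom note), and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll").mkdir()
        (root / "payroll" / "q4.csv").write_text("emp,amount\n1,100\n")  # constructed
        (root / "notes.txt").write_text("keep this\n")                   # constructed
        manifest = build_manifest(root)
        intact = verify_backup(root, manifest)

        (root / "payroll" / "q4.csv").write_bytes(b"\x00garbage")       # simulated damage
        (root / "notes.txt").unlink()                                    # simulated loss
        (root / "README_RESTORE.txt").write_text("constructed stand-in\n")  # stray file
        damaged = verify_backup(root, manifest)
    return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In practice the manifest is generated at backup time and verified on a clean, isolated host before any restore, so a backup that was silently altered while the media was attached is caught before it is trusted.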

Develop and practice a “Ransomware Game Plan.” Organizations should already have incident response plans that address a number of issues, including breaches of personal information. Some of the key components in such a plan may include the following:

  • Identify the internal team (e.g., CIO/CISO, General Counsel, CFO) and the allocation of responsibilities.
  • Identify the external team (e.g., insurance carrier, outside counsel, forensic investigator, public relations) and involve them in your planning processes before an attack happens.
  • Outline steps for business continuity during the attack, including use of backup files and new equipment, safeguarding systems, and communication to customers, employees and business partners, as necessary.
  • Strategy for involvement of law enforcement and other agencies as applicable, such as the FBI, Internal Revenue Service, or Office for Civil Rights. This includes making contacts before an attack, which may help expedite access to assistance in the event of an attack.
  • Assessment of and compliance with legal and contractual obligations, including notification obligations based on the nature and extent of the access to information.
  • Process for (i) practicing the plan with internal and external teams, and (ii) reviewing and updating the game plan, including after an incident to improve performance.

Ransomware and similar forms of attacks on information systems are not going away. Organizations need to be prepared.

It has been reported that infamous bank robber, Slick Willie Sutton, once said, “I rob banks because that’s where the money is.” Data thieves, understandably, have a similar strategy – go where the data is. The retail industry knows this, as it has been a popular target for payment card data. The healthcare and certain other industries do as well, considering ransomware attacks have increased four-fold since 2015. But the retirement plan industry must also see that it too is a significant target – that’s where a lot of data is!

PR Newswire reported yesterday that the UFCW Local 655 Food Employers Joint Pension Plan is notifying participants that it suffered a ransomware attack. In general, a “ransomware” attack occurs when a hacker takes control of the victim’s information systems and encrypts its data, preventing the owner from accessing it unless the victim pays a sum of money, usually in the form of bitcoins. The data at risk in the UFCW Local 655 case included individuals’ names, dates of birth, Social Security numbers, and bank account information. Every retirement plan, including pension and 401(k) plans, maintains this and other data about current and former participating employees, and their surviving spouses and designated beneficiaries, as applicable.

The question is whether plan sponsors and third party service providers are doing enough to safeguard the treasure troves of data they maintain.

On November 10, the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The Council noted that it is not seeking to be prescriptive, nor is it providing an opinion on fiduciary duties concerning protection of data. However, it is hoping its considerations will be publicized and “provide information to the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing those risks.”

According to the Council, there are four major areas for effective practices and policies:

  • Data management.
  • Technology management.
  • Service provider management.
  • People issues.

This is a good list to work from. Consider, for example, the wide range of service providers that perform various services for retirement plans – record keepers, auditors, law firms, accountants, actuaries, investment managers, brokers, etc. These organizations access, use, maintain, and disclose vast amounts of personal information in the course of servicing their retirement plan customers. Do these organizations have sufficient safeguards in place? Do you know if they do? What does the services agreement say?

Obviously, service providers are not the only source of risk to retirement plan data. As the Council points out, there are other considerations for plans concerning cybersecurity, such as:

  • Know your data and assess your risk (how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
  • Think of how you could and should protect it (e.g., applicable federal and state laws, NIST, HITRUST, SAFETY Act, and industry-based initiatives).
  • Protect it with appropriate policies and procedures and an overall strategy taking into account available resources, cost, size, complexity, risk tolerance, insurance, etc.

In most discussions about data security and employee benefit plans, HIPAA tends to loom large. While important, with respect to employee benefit plans, the HIPAA privacy and security regulations only reach health plans, not retirement plans. But, as noted above, data thieves want to go where the data is, and that includes retirement plans.

Under the most recent change to California’s breach notification laws (California Civil Code sections 1798.29 and 1798.82), made by Assembly Bill 2828 (AB 2828) and taking effect January 1, 2017, businesses and agencies subject to the laws can no longer assume that notification is not required when the personal information involved in the breach is encrypted.

Under current California law, notification of a breach is required when a California resident’s personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and that personal information was unencrypted. Thus, before the change made by AB 2828, if an unauthorized person acquires encrypted personal information of California residents, notification is not required.

Beginning in 2017, notification will be required for breaches of encrypted personal information of California residents under the following conditions:

  • encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,
  • the encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and
  • there is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

You should also remember there was a change to these laws that became effective in 2016 which addressed encryption. On October 6, 2015, California Governor Jerry Brown signed three laws which substantially altered and expanded the state’s security breach notification requirements. Among those changes, Assembly Bill 964 added a definition for encryption:

rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.

This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology. For more information on encryption technologies, click here. But, with the more recent change, a breach involving personal information protected under a standard meeting the definition above still may trigger the statute’s notification requirements if the encryption key or security credentials also are involved and there is a reasonable belief that as a result the personal information will be readable or useable.

Following a brutal campaign – one laced with Wikileaks’ email dumps, confidential Clinton emails left unprotected, flurries of Twitter and other social media activity – it will be interesting to see how a Trump Administration will address the serious issues of privacy, cybersecurity and electronic communications, including in social media.

Mr. Trump was not very specific about many of his positions while campaigning, so it is difficult to have a sense of where his administration might focus. But one place to look is his campaign website, where the now President-elect outlined a vision, summarized as follows:

  • Order an immediate review of all U.S. cyber defenses and vulnerabilities by individuals from the military, law enforcement, and the private sector, the “Cyber Review Team.”
  • The Cyber Review Team will provide specific recommendations for safeguarding with the best defense technologies tailored to the likely threats.
  • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees.
  • Instruct the U.S. Department of Justice to coordinate responses to cyber threats.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.

There is nothing new here as these positions appear generally to continue the work of prior administrations in the area of cybersecurity. Perhaps insight into President-elect Trump’s direction in these areas will be influenced by his campaign experiences.

Should we expect a tightening of cybersecurity requirements through new statutes and regulations?

Mr. Trump has expressed a desire to reduce regulation, not increase it. However, political party hackings and unfavorable email dumps from Wikileaks, coupled with continued data breaches affecting private and public sector entities, may prompt his administration and Congress to do more. Politics aside, cybersecurity clearly is a top national security threat, and it is having a significant impact on private sector risk management strategies and individual security. Some additional regulation may be coming.

An important question for many, especially for organizations that have suffered a multi-state data breach, is whether we will see a federal data breach notification standard, one that would “trump” the current patchwork of state laws. With Republicans in control of the executive and legislative branches, at least for the next two years, and considering the past legislative activity in this area, a federal law on data breach notification that supersedes state law does not seem likely.

Should we expect an expansion of privacy rights or other protections for electronic communication such as email or social media communication?

Again, much has been made of the disclosure of private email during the campaign, and President-elect Trump is famous (or infamous) for his use of social media, particularly his Twitter account. For some time, however, many have expressed concern that federal laws such as the Electronic Communications Privacy Act and the Stored Communications Act are in need of significant updates to address new technologies and usage, while others continue to have questions about the application of the Communications Decency Act. We also have seen an increase in scrutiny over the content of electronic communications by the National Labor Relations Board, and more than twenty states have passed laws concerning the privacy of social media and online personal accounts. Meanwhile, the emergence of Big Data, artificial intelligence, IoT, cognitive computing and other technologies continue to spur significant privacy questions about the collection and use of data.

While there may be a tightening of the rules concerning how certain federal employees handle work emails, based on what we have seen, it does not appear at this point that a Trump Administration will make these issues a priority for the private sector.

We’ll just have to wait and see.

Late last month, the Federal Communications Commission adopted new privacy rules for broadband Internet service providers (ISPs). We first discussed this topic in March when the proposal was introduced by the FCC Chairman. The rules are intended to protect the privacy of consumers and to provide customers with meaningful choice, greater transparency, and strong security protections for personal information collected by ISPs.