On December 19, 2014, the FCC published Chairman Thomas Wheeler’s response to Senator Bill Nelson’s (D-FL) letter regarding the FCC’s recent proposed $10 million fine against two telecom companies.

In the response, Chairman Wheeler reiterated the need for FCC action in this area and explained that consumers regularly entrust their most personal, confidential, and sensitive information to communication networks and service providers.  The Chairman went on to state that the FCC has a responsibility to ensure that service providers and network operators are taking reasonable steps to “honor the public trust, and to protect consumers from harm caused by violations of the Communications Act.”

With some of the strongest language to date concerning the FCC’s role in this area, the Chairman said:

As the nation’s expert agency on communications networks, the Commission cannot – and will not – stand idly by when a service provider’s lax security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.  I assure you that the Commission will exercise its full authority against companies that fail to meet their statutory requirements of safeguarding the personal information of consumers.

In light of the prior FCC action and the Chairman’s most recent statements, service providers and network operators must ensure that their data security practices are up to date and that they are appropriately safeguarding the personal information of consumers with which they are entrusted.

As we reported, there are a number of signs pointing to a significant tightening of regulation and increased enforcement of data security mandates. Following efforts in New Jersey, New York and Oregon, Indiana Attorney General Greg Zoeller announced his office is seeking legislation that would better protect the online personal and financial information of Indiana residents. Indiana State Sen. Jim Merritt plans to sponsor the legislation during the 2015 session of the Indiana General Assembly.

The Attorney General proposes a three-pronged approach to increasing security – (i) stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies. In proposing stricter requirements for storing sensitive data, Attorney General Zoeller’s approach would include a requirement to delete and not retain the data beyond what is necessary for business purposes. Effective and efficient record retention and destruction policies and procedures present significant challenges for businesses, but as new laws like this emerge, companies will need to get better about keeping only what they need, and making sure what is deleted is really deleted.  The proposal also includes requirements for businesses to share or sell information only when authorized by law or when consumers are informed in advance, and to inform consumers by conspicuous notice when data must be collected and how long it will be stored.

The Hoosier state already has a data breach notification law; however, the Attorney General wants to make notice under the law more timely and informative. Additionally, his proposal would extend the notification mandate to breaches of paper and handwritten records. Like the breach notification laws in many other states, the Indiana law currently applies only to electronically generated or computerized records.

If the third item in the proposal becomes law, Indiana would join California in requiring website operators and online entities that collect personal or financial information from state residents to conspicuously post their privacy policies online. The policies would need to identify what personal information the site collects from site visitors and whether the operator of the site shares or sells any of that information, and with whom.

We will be following this and other developments of this kind in the year ahead. However, we recommend businesses be more proactive in taking steps to safeguard and manage personal information. These steps should go beyond the IT department and include administrative and physical safeguards to protect data in all forms, including paper documents. Additionally, data security is only one of a number of important reasons for a rigorous record retention and destruction policy. These include the development of more efficient data management practices, keeping data storage costs down, and controlling e-discovery costs.

The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identity theft.  Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.

Per the Identity Theft Resource Center, between 2005 and 2014 there have been 4,695 breaches exposing 633 million records, with the cost of a breach to an organization averaging an estimated $3.5 million.

Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account.  Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.

Notably, the New York assembly earlier introduced Bill A10190, which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa).  The proposed amendment would require entities which conduct business in New York State, and which own or license computerized data which includes private information, to develop, implement, and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information.  The New York amendment would impose requirements nearly identical to those required under Massachusetts law.

Each of these developments should be closely monitored so that companies can ensure compliance.

On December 9, Oregon’s Attorney General, Ellen Rosenblum, announced to the Oregon House and Senate Judiciary Committee that she would be introducing legislation to expand existing personal data protections for Oregon consumers while implementing additional enforcement measures to combat non-compliance.

According to Ms. Rosenblum, Oregon’s laws have not kept up with the rapid increase in the use and maintenance of consumer data.  As stated to reporters:  “We essentially need a consumer bill of rights so that people know what their rights are online . . . There’s great things about technology, but we have to inform the people, we have to inform parents and the kids so we can be protected better online as well as offline.”

Ms. Rosenblum’s proposal would allow the state Department of Justice to more broadly enforce civil penalties against non-compliance with enhanced data privacy standards.  Oregon’s present identity theft statutes, ORS 646A.600-628, vest the Director of the Department of Consumer and Business Services with enforcement authority.

Oregon’s push towards additional privacy protections follows a large data breach at the Oregon Employment Department and Secretary of State’s Office, which compromised the personal information of more than a million people.

According to the Oregon AG, retail data breaches have also compromised the personal information of 70 million customers worldwide, including 800,000 in Oregon.


Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted from malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers and syndicates announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company, which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.”  The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.


These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.

We reported earlier that the National Labor Relations Board had been considering changing its previous position that  “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”  The NLRB’s position in this regard was established in 2007, under the NLRB’s ruling in Register Guard.  Today, in Purple Communications Inc. and Communications Workers of America, AFL-CIO, the NLRB overruled the Register Guard decision as “clearly incorrect” and held that employees have a right to use their employers’ email systems for nonbusiness purposes, including communicating about union organizing.  Specifically, the NLRB held “employee use of email for statutorily protected communications on nonworking time must presumptively be permitted by employers who have chosen to give employees access to their email systems.  [The NLRB] therefore overrule[s] the Board’s divided 2007 decision in Register Guard to the extent it holds that employees can have no statutory right to use their employer’s email systems for Section 7 purposes.” It is important to remember that this ruling applies to employers whether or not they have union employees.

At issue in Purple Communications and Communications Workers of America, AFL-CIO, was the right of employees under Section 7 of the National Labor Relations Act to effectively communicate with one another at work regarding self-organization and other terms and conditions of employment.  In deciding the case, the NLRB said the workplace is “uniquely appropriate” and “the natural gathering place” for such communications, and the use of email as a common form of workplace communication has expanded dramatically in recent years.

The NLRB was careful to limit its holding as follows:

  • Only applies to employees who have already been granted access to the employer’s email system in the course of their work and does not require an employer to provide such access;
  • An employer may justify a total ban on nonwork use of email by demonstrating that special circumstances make the ban necessary to maintain production or discipline;
  • Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline;
  • The ruling does not address email access by nonemployees;
  • The ruling does not address any other type of electronic communications systems.

Our Labor Group plans a more thorough analysis of the NLRA issues, as employers must now take certain steps or risk potential Board action.

In light of this decision, employers must reexamine their existing electronic communication, bring your own device (BYOD), and social media policies which may have been adopted post-2007.  This is especially true if any of those policies do not permit, or prohibit, an employee’s use of company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act.  Similarly, employers will now need to exercise caution in monitoring company email and in what actions are taken in connection with employee use of the company’s email systems.


In what may be considered a blow to class action defense, this week the U.S. Court of Appeals for the Eleventh Circuit ruled that an offer of judgment to the named plaintiffs did not moot a proposed class action.  This was a case of first impression before the Eleventh Circuit.

The putative class action, Stein v. Buccaneers LP, alleges that owners of the Tampa Bay Buccaneers sent unsolicited faxes advertising ticket sales to the plaintiff and more than 100,000 others nationwide in violation of the Telephone Consumer Protection Act (TCPA).  After removing the matter to federal court, the defendant, Buccaneers LP, made offers of judgment under Fed. R. Civ. P. 68 to each of the six named plaintiffs based on the alleged number of faxes each received.  In what courts have sometimes called a “pick-off,” two days after making the offers of judgment, Buccaneers LP moved to dismiss the case for lack of jurisdiction.  Specifically, Buccaneers LP argued that the unaccepted offers of judgment, which provided each named plaintiff with the full relief they were entitled to under the TCPA, rendered the case moot.  Thereafter, the plaintiffs filed a motion for class certification.  The district court denied the motion for class certification and, after the plaintiffs failed to accept the offers of judgment within the 14-day deadline, the district court held that the action was moot and dismissed the case.

In reversing the district court’s dismissal of the case, the Eleventh Circuit held that a defendant can’t moot a class action through an unaccepted offer of judgment made to the named plaintiffs before the plaintiffs have moved to certify the class.  While the Seventh Circuit has held otherwise, the Eleventh Circuit stated that the Third, Fifth, Ninth and Tenth Circuits have reached the same conclusion: “a Rule 68 offer of full relief to the named plaintiff does not moot a class action, even if the offer precedes a class-certification motion, so long as the named plaintiff has not failed to diligently pursue class certification.”

As we’ve discussed previously, medical identity information is worth more than ten (10) times that of financial information on the black market. This gives hackers a financial incentive to obtain such information that is maintained not only by medical providers and pharmacies but also by employers who provide medical insurance coverage to their employees. Employers may hold, in their human resources or other networking systems, not only the medical records of their employees obtained from managing workers compensation claims and other matters, but also, and more importantly, employers may maintain medical insurance registration forms and health insurance billing information on their employees. This is exactly the type of information that is at risk and which increasingly is breached.

Why is medical identity information so valuable on the black market?  As Fortune reports, medical identity theft is in demand on the black market, and employer data systems are a goldmine for would-be hackers. Within medical records hackers can find Social Security numbers, dates of birth, health insurance policy numbers, and other billing information that can be used not only for financial fraud but also for medical identity theft, where the billing information is used to obtain medical services and prescriptions in the name of the individual whose identity has been compromised.

How can employers protect the medical identity information they hold?  The starting point is doing a risk and vulnerability assessment to gain an understanding of the business’ data privacy and security risks. There are a number of resources available to assist in designing and carrying out an assessment. If the medical information is subject to HIPAA, such as in the case of information maintained with respect to the company’s group health plan for employees, HHS has released a security assessment tool. Of course, much of an employee’s medical information maintained by an employer is NOT subject to HIPAA, such as leave of absence records and workers compensation records.

Another source is the National Institute of Standards and Technology (NIST), which recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data. For many employers, these tools may be too extensive and simply not practical. This is where a qualified data privacy counselor can add value in helping you to appropriately assess your administrative, physical and technical risks. Either way, a necessary and appropriate risk assessment will then lead to the development and implementation of a written information security program.

Of course, getting management (C-suite) support is essential. Data privacy and security is an enterprise-wide risk which requires an enterprise-wide solution. This is not something that should be left up to the IT Department to handle solo. Rather, the buy-in for the need for adequate safeguards and training has to come from the top, and key stakeholders have to be brought into the planning and assessment early in the process in order to obtain adequate support for building a data safety program and a culture of data privacy and security.  Accordingly, the protection of all personally identifiable information, including medical information, takes buy-in and leadership from senior management, a careful understanding of the organization’s risks and vulnerabilities, knowing what the law requires, coordination with key persons inside the organization and certain third parties outside the organization, frequent and regular security awareness and training, and regular re-evaluation of the organization’s approach for changed circumstances.

Data security is too often synonymous with the loss of consumer financial information. A recent report by a cybersecurity research firm reminds us, however, that a data breach can have an impact far beyond consumer privacy concerns.  On December 1, 2014, FireEye Inc. announced that a group called “FIN4” was duping executives, lawyers, and financial consultants into providing access to confidential and proprietary information at publicly traded companies, and that FIN4 was using that information to gain an advantage in the stock market.  In other words, FIN4 was using data breaches to commit securities fraud on a massive scale.

This scheme reminds us that data breaches can be a vehicle to commit analog crimes. The FireEye report describes hackers using authentic Securities and Exchange Commission documents to deceive (presumably seasoned) finance sector workers into revealing their authentication information (username/password) to the fraudsters. Schemes like this one, that do not rely on hacking but, instead, trick users into disclosing passwords, are known as “spearphishing.” The term intentionally invokes images of a sportsman patiently waiting to catch a specific fish and stabbing it with a long spear, rather than casting a wide net and catching any fish that unwittingly swims into it.

FireEye believes that there may have been spearphishing attacks at as many as 100 publicly traded U.S. companies. This means that for the affected companies, there may be fraudsters with prying eyes still inside their networks—operating on authentic credentials—following inside communications about revenues, costs, potential mergers and acquisitions—all things that move markets.

There are several lessons still to be learned from the FIN4 scheme, as the researchers continue to uncover its breadth. That said, a few morals to this story are apparent. First, there are scarier fish in the sea than just malware and zombie bots. Companies simply must train employees how to recognize and respond to spearphishing and social engineering attacks—hackers use psychology as often as they use malicious code. There should almost never be an occasion that an employee must provide anyone else at his or her company with a password. Most business software provides an automatic password reset function using shared secret technology that sends an email to the user allowing him or her to reset forgotten passwords.
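The reset-by-email mechanism the paragraph refers to is worth seeing in miniature, because it is the control that makes "nobody at the company ever needs your password" a workable policy rather than a slogan. The following is an added example written for this page, not code from the original post or from any product it mentions; the class and function names, the in-memory user store, the injected fake mailer and the `example.invalid` link are all assumptions for the demonstration. It shows the properties a defender should check for in a real implementation: the reset secret is random and short-lived, only its hash is stored, it is compared in constant time, it is consumed on first use, and the request endpoint behaves the same whether or not the address exists.

```python
"""Self-service password reset with an emailed, single-use token (added example).

Assumed names: PasswordResetService, hash_password, verify_password, run_demo.
The user store is an in-memory dict and the mailer is a callable so the
flow runs offline; a real deployment would use a database and an SMTP client.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short-lived links limit the window for abuse
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns 'salt$digest' so the salt travels with the hash."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
    return f"{salt}${digest.hex()}"


def verify_password(password, stored):
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


class PasswordResetService:
    def __init__(self, users, send_email, now=time.time):
        self.users = users            # user_id -> {"email": ..., "password_hash": ...}
        self.send_email = send_email  # callable(to, body); injected so tests can capture mail
        self.now = now                # injectable clock so expiry can be exercised
        self._pending = {}            # user_id -> (sha256(token), expires_at)

    def request_reset(self, email):
        """Issue a reset link to the address on file. Returns True either way so
        the endpoint does not reveal whether an address has an account."""
        user_id = next((uid for uid, u in self.users.items() if u["email"] == email), None)
        if user_id is None:
            return True
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked table must not hand out live reset links.
        self._pending[user_id] = (hashlib.sha256(token.encode()).hexdigest(),
                                  self.now() + TOKEN_TTL_SECONDS)
        self.send_email(email, f"Reset link: https://example.invalid/reset?uid={user_id}&t={token}")
        return True

    def complete_reset(self, user_id, token, new_password):
        """Accept the token once, within its lifetime, then set the new password."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.now() > expires_at:
            del self._pending[user_id]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        del self._pending[user_id]  # single use: consume before changing the credential
        self.users[user_id]["password_hash"] = hash_password(new_password)
        return True


def run_demo():
    """Walk the flow with a constructed user, a fake mailer and a fake clock."""
    clock = {"t": 1_000_000.0}
    outbox = []
    users = {"u1": {"email": "alice@example.invalid",
                    "password_hash": hash_password("old-password")}}
    svc = PasswordResetService(users, lambda to, body: outbox.append((to, body)),
                               now=lambda: clock["t"])
    results = {}
    svc.request_reset("nobody@example.invalid")
    results["unknown_address_sends_nothing"] = len(outbox) == 0
    svc.request_reset("alice@example.invalid")
    token = outbox[-1][1].rsplit("&t=", 1)[1]
    results["wrong_token_rejected"] = not svc.complete_reset("u1", "x" * 43, "new-password")
    results["reset_succeeds"] = svc.complete_reset("u1", token, "new-password")
    results["new_password_works"] = verify_password("new-password", users["u1"]["password_hash"])
    results["token_single_use"] = not svc.complete_reset("u1", token, "another")
    svc.request_reset("alice@example.invalid")
    token2 = outbox[-1][1].rsplit("&t=", 1)[1]
    clock["t"] += TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = not svc.complete_reset("u1", token2, "another")
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The design choice to note is that a help desk or manager is never in the loop: proof of control of the mailbox on file is the only factor, so the social-engineering pretext "I need your password to fix your account" has nothing legitimate to imitate. An audit of a real system should confirm the same five properties the demo exercises, and additionally that reset e-mails are sent only to the address already on file, never to one supplied in the request.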

Second, this is the type of attack that a good cybersecurity and data privacy risk assessment can often spot and prevent. If your company doesn’t have technical systems in place that prevent employees from ever needing to share passwords with IT or management, then your company could fall prey to an attack like this. A good cybersecurity and data privacy risk assessment can spot this and other types of spearphishing and social engineering risks and help your company eliminate them before they are exploited.

Finally, company business information must be protected as thoroughly as customer data.  This requires, among other things, a good data classification system. If your data is properly classified as confidential then your information technologists can segregate and protect it much better from attacks.

Hackers know their targets. Does your business know your hackers?

After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. When the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, it was not long after that the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board. The Union alleges that the Postal Service should have bargained with the union over the impact of the security breach. (Regarding impact, the Postal Service reportedly is offering employees one year of free credit monitoring through Equifax, but the union believes the Postal Service did not have the legal right to decide to offer the Equifax subscription without first offering to bargain with the union.)

While none of the data breach notification statutes include an employee’s labor union as one of the parties entitled to notice of a breach, the APWU is making the argument that the National Labor Relations Act required the Postal Service to let it be involved in the discussions on how to address the breach and the negative consequences on employees. APWU President Mark Dimondstein acknowledged receiving a call from Postmaster General Patrick Donahoe concerning the breach, but apparently wanted to be more involved.

A primary purpose of most if not all data breach notification laws is to provide the required notice to individuals affected by the breach so they can take appropriate steps to protect their information and identity. All of the state data breach notification laws and HIPAA generally require notification be provided without unreasonable delay. Some laws provide an outside date by which notice must be provided – e.g., not more than 30, 45 or 60 days following discovery. But the rule is to provide notice as soon as possible, without unreasonable delay.

When a breach is discovered there are many steps companies must go through to be in a position to respond without unreasonable delay, a time frame that is not clearly defined and is influenced by a variety of circumstances. For instance, among many other steps, companies must immediately investigate the nature and scope of the incident, which can involve a significant amount of forensics and research; stop the breach if it is continuing; determine who was affected; understand the applicable legal and compliance requirements; coordinate with law enforcement and state Attorneys General, as applicable; gather up-to-date contact information to the extent available; and coordinate with vendors regarding mailing letters, credit monitoring and other services for affected persons. Entering into negotiations with one or more representative unions about responding to such an incident before the notifications go out likely would be an involved process that would further delay the notice to affected persons.

However, depending on how the NLRB charge turns out, employers may have to interact more closely with their employees’ union representatives when employee personal information may have been breached. Of course, employers should expect that, as here, the union may make further inquiry into the company’s data privacy and security practices in an effort to protect its members and seek additional leverage in negotiations. For these reasons, companies need to revisit (or develop, if they have not already) their data breach response plans and consider additional steps they might want to take, if any, to involve the union. Additionally, companies should take steps to ensure that employee personal data is safeguarded in accordance with applicable law and best practices.