FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Bold New Changes to Massachusetts’ Data Breach Notification Law

Posted on: March 15th, 2019

By: Michael Kouskoutis

Effective April 11, 2019, Massachusetts’ data breach notification law will compel notifying entities to follow several additional and unprecedented requirements when responding to a data breach.

First, the notifying entity must report to the state’s Attorney General whether it has implemented a written information security program (WISP). If the entity has no WISP in place, follow-up inquiries and perhaps even penalties may result.

If applicable, notifying entities will also have to inform affected individuals of the name of their parent corporation or affiliated companies, which could generate negative publicity for companies whose subsidiaries suffer a data breach. Notably, the statute provides no threshold level of ownership before triggering this provision.

Further, the entity will not be permitted to delay notifications on the ground that the total number of residents has not yet been determined. In effect, the entity may have to issue breach notifications on a rolling basis instead of waiting for the investigation to conclude.

Lastly, Massachusetts’ Office of Consumer Affairs and Business Regulation will publish on its website the entity’s individual notification letter in addition to other details about the breach. It will also assist Massachusetts residents in filing public records requests to the Attorney General to obtain state agency notification letters.

These changes are not the type we have seen other states make in recent years; Massachusetts is taking a very bold step towards a more involved notification procedure. We will be monitoring changes to other data breach notification laws to see whether other states follow Massachusetts’ lead. If you have any questions or would like more information, please contact Michael Kouskoutis at [email protected].

What Constitutes a Reasonable and Defensible Process?

Posted on: February 27th, 2019

By: John Goselin

Society has coalesced around the general principle that businesses, governments or individuals in possession of personal confidential information (whether medical or financial) or personally identifiable information have a duty to protect that information from cyber bad guys stealing it. The reputational damage and financial costs associated with a cyber incident cannot be ignored.

But how much protection is enough? How many safeguards is it realistic to expect those in possession of information to put in place to protect that information? In other words, is there a recognized standard of care where the possessor of confidential information can feel comfortable that the protections/safeguards they have put in place are consistent with what the rest of the world is doing? Can you feel comfortable as a business owner, officer, director or IT specialist that what you are doing is reasonable and defensible in front of regulators, judges and potentially a jury?

Five years ago, the U.S. Department of Commerce’s National Institute of Standards and Technology rolled out the “Framework for Improving Critical Infrastructure Cybersecurity.” NIST’s Cyber Security Framework was last updated on April 18, 2018, and is a 48-page process outline that businesses should consider adopting as they assess the appropriate cyber security safeguards for their specific circumstances. According to NIST, the Framework has been downloaded more than 500,000 times. The NIST Framework is not a definitive list of precisely what steps you should undertake, but it outlines a process for addressing this extremely complex issue. With a vetted, federally endorsed process, you and your business can credibly state that you took reasonable steps to address a known problem and that the security measures you implemented were the result of a reasonable and defensible process. You will have something to say in your defense! That is a lot better than simply having your head in the sand.

In November 2018, the state of Ohio passed legislation that included a “safe harbor” against cyber liability for covered businesses that have adopted one of fourteen (14) recognized cyber-security process frameworks. In layman’s terms, if a business can show that they followed one of the approved “frameworks,” the business can avoid liability after the bad guys steal the data. The NIST Cyber Security Framework is one of the recognized industry frameworks. More states are likely to follow Ohio’s lead.

There is plenty of information available to help businesses develop a legally defensible process for handling cyber threats. Buckle down, adopt a process, get some help and put your business in a more defensible position vis-à-vis an unfortunate cyber incident.

If you have any questions or would like more information, please contact John Goselin at [email protected].

Ninth Circuit Tightens FCRA Disclosure Requirements

Posted on: February 12th, 2019

By: Matthew Foree

Ninth Circuit Holds Combining State and Federal Disclosures Violates FCRA’s Standalone and Clarity Requirements

The Court of Appeals for the Ninth Circuit recently issued a decision regarding the disclosure requirements under the Fair Credit Reporting Act (“FCRA”). The FCRA includes certain requirements for employers prior to obtaining a consumer report on a job applicant. For example, employers must provide the applicant a “clear and conspicuous disclosure” that they may obtain such a report “in a document that consists solely of the disclosure.”

The Ninth Circuit took the FCRA’s language literally, prohibiting the employer from including any superfluous information in the disclosure document. The case at issue, Gilberg v. California Check Cashing Stores, LLC, involved a class action filed by Desiree Gilberg, a former employee of CheckSmart Financial, LLC (“CheckSmart”). Before she began working with CheckSmart, Gilberg signed a disclosure regarding background information, which provided that CheckSmart could obtain her background report and that she had the right to request a copy of the report. The form also included information regarding her right to obtain a copy of the report under various state laws. Gilberg alleged that the disclosure violated the FCRA and California’s state law disclosure statute. The Ninth Circuit agreed and reversed the District Court’s grant of summary judgment to CheckSmart.

The Ninth Circuit interpreted the statute literally by holding that providing other state disclosure information in the disclosure form violated the FCRA’s stand-alone document requirement. The Court held that such “extraneous information is as likely to confuse as it is to inform” and, therefore, does not further the FCRA’s purpose.

The court also held that the disclosure, although conspicuous, was not clear. The court focused on the following language of the disclosure at issue:

The scope of this notice and authorization is all-encompassing; however, allowing CheckSmart financial, LLC to obtain from any outside organization all manner of consumer reports and investigative consumer reports now and, if you are hired, throughout the course of your employment to the extent permitted by law.

Among other things, the court recognized the lack of clarity in the first part of the sentence and the typographical error in the second part of the sentence, which lacked a subject and was incomplete. Therefore, it determined that this provision contained “language that a reasonable person would not understand.” The court also held that the disclosure would confuse a reasonable reader because it combined federal and state disclosures.

According to the Gilberg decision, employers in the Ninth Circuit cannot include disclosures required by other state laws in the same document that contains the FCRA disclosure. The obvious result of the decision will be the increase in documentation driven by separate disclosure statements. Although it is unclear whether other courts will adopt the Ninth Circuit’s holdings, employers would do well to revisit their forms to ensure compliance. Given the court’s position that language that would confuse a “reasonable person” would violate the clear and conspicuous requirement, employers should also ensure that their disclosures are clear.

If you have any questions or would like more information, please contact Matthew Foree at (770) 818-4245 or [email protected].

City Hacks – Atlanta’s 2018 Cyberattack and the Growing Need for Cyber Liability Insurance

Posted on: February 12th, 2019

By: Matthew Weiss

Already a growing area of liability insurance for businesses, the importance of cyber insurance for local governments came to the forefront last March when the City of Atlanta suffered a malware attack in which its computer networks were hijacked by hackers seeking a ransom equal to $51,000 in bitcoin. The cyberattack left the City unable to perform basic services, including processing tickets in municipal court and providing Wi-Fi service at Hartsfield-Jackson International Airport. At one point, city employees were advised not to even turn on their computers.

While Atlanta’s cyberattack made national headlines, the role that cyber insurance played in its response has been largely undocumented. The City holds a cyber insurance policy with AIG, and the total cost associated with the cyberattack is believed to have approached $5 million.

Although Atlanta redacted key details of its cyber insurance policy, including its coverage limits, in response to press inquiries, the State of Georgia has acknowledged that it holds a $100 million cyber insurance policy, the largest of any state, covering more than 100 state agencies including every branch of state government except higher education. The policy was put to use when the Georgia Department of Agriculture’s computer system was infected by malware in December 2017, compromising the department’s computer system, including employee email and internal operation servers. The cost of the state’s response to the malware attack exceeded its self-insured retention of $250,000.

The recent experiences of the City of Atlanta and the Georgia Department of Agriculture exemplify the growing importance of cyber insurance for state and local governments. Governments are frequently considered prime targets for cyberattacks due to a lack of synchronization of government systems, the lack of harmonization among third-party vendors rendering services to those governments, and a dearth of qualified professionals employed by governments due to the fact that more lucrative careers are available in the private sector. Indeed, governments frequently assign cybersecurity to their IT departments, which are already overburdened and under-resourced. At the same time, as local governments become more digital, the impact of a cyberattack can become highly disruptive to the city’s operations, as the City of Atlanta’s experience showed. In fact, Forbes has reported that Lloyd’s City Risk Index estimates that the risk of cyberattack is the third most consequential threat to Atlanta and other North American cities, with a collective potential impact of more than $93 billion. Given these substantial risks, Lloyd’s concludes that cities and states should better utilize cyber insurance, with a 1% increase in insurance penetration resulting in a corresponding 22% decrease in the risk to taxpayers.

The growing need for cyber insurance among cities, counties, and states melds both the areas of local government law and insurance coverage and is certain to be a major growth area in the near future. Hopefully, Atlanta’s painful learning experience will better prepare other local governments in the months and years to come.

If you have any questions or would like more information, please contact Matthew Weiss at (678) 399-6356 or [email protected].

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.