RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Equifax and SEC are Latest Victims of Cyber Attacks

Posted on: September 25th, 2017

By: Amy C. Bender

Two more powerhouses have fallen victim to a data breach.

News of the cyber attack on Equifax spread like wildfire, causing fear in the minds of credit holders everywhere as well as an almost immediate wave of individual and class action lawsuits. The breach – dubbed “absolutely the worst data breach in the history of the modern era” by consumer expert Clark Howard – compromised the personal information (name, Social Security number, date of birth, addresses, and, in some cases, driver’s license numbers) of more than 143 million consumers. As if the scope of the attack was not bad enough, Equifax’s response to the attack has come under criticism on several fronts. For example, many critics believe Equifax’s offer of free credit monitoring to affected consumers did not go far enough since the hackers already have access to consumers’ personal information (and potentially can use it for years to come). Also, Equifax’s dedicated breach website was a separate domain that required users to provide their name and a portion of their Social Security number – the very same information that was hacked in the first place – to determine whether they had been impacted by the breach, often without coming away with a clear answer. Further, the company’s official Twitter account, in response to inquiries, directed consumers to a fake phishing website. This apparently was done intentionally to educate consumers on the dangers of phishing sites, but understandably did not go over well, leading Equifax to apologize and remove the website.

The Securities and Exchange Commission also has been the subject of an unauthorized intrusion into its online system for company financial filings, EDGAR. Although the attack occurred and was discovered last year, the SEC only recently discovered that the attack may have resulted in incidents of insider trading. Moreover, word now is out that the U.S. Department of Homeland Security noted “critical” weaknesses in the SEC’s cybersecurity back in January. One silver lining is that the SEC does not believe any personally identifiable information was accessed due to the breach.

There are many lessons to be learned from this latest round of cyber attacks:

  • Even the most sophisticated organizations are not immune from a cyber attack.
  • Planning, implementation, and monitoring of cyber security is essential.
  • How your organization responds to a cyber attack is critical and will be scrutinized closely by government agencies, your clientele, and the public.
  • Be vigilant about checking your personal and financial accounts.

FMG’s Data Security, Privacy & Technology team has served as breach counsel in hundreds of successful incidents and is available to advise organizations on proactive measures to prepare for and protect against a data breach as well as to help respond effectively if and when an incident occurs.

If you have any questions or would like more information, please contact Amy C. Bender at [email protected].



Computer System Fraud and Funds Transfer Fraud Coverages Extended to “Spoofing”

Posted on: September 8th, 2017

By: Richard E. Wirick


Computer theft insurance takes many forms. Under traditional commercial criminal theft products, coverage only applies if there is a “fraudulent (a) entry into…a Computer; [and] (b) a change to Data elements or program logic of a Computer System.”

Let’s take two examples of claims, one covered and one proving problematic. In the first scenario, a third party hacker hacks into an insured’s computer system, causing it to transfer the funds from the insured’s account into the hacker’s bank account. In the second scenario, a hacker “spoofs” the same result. That is, he emails the insured, fraudulently misrepresenting that he is one of the insured’s clients, and urges the insured to make a transfer to an offshore lender. Note that “spoofing” works because it tricks the insured’s email server into recognizing the fraudulent email as one that originated from the insured client or an agent of the insured’s client.

While coverage has often been found for scenario one, recognizing that the hacker had in fact gained access to and hence “used the [insured’s] computer to…fraudulently cause a transfer from inside [the insured’s premises] to an… outside person,” the second scenario has proven more difficult for policyholders to argue for coverage because it is typically not recognized as the “use of a computer” to “cause a transfer” of money from within an insured’s premises to an outside destination. “To interpret the computer -fraud provision as reaching any fraudulent scheme in which [a computer] communication was part of the process would convert [that] provision into one for general fraud.” Apache Corp. v. Great American Ins. Co., 662 F. App’x. 252, 258 (5th Cir. 2016); see also Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017).

Recently, the U.S. District Court for the Southern District of New York issued an opinion that will be argued by policyholders seeking coverage for scenario two. Medidata Sols., Inc. v. Fed. Ins. Co. No. CV-00907, 2017 U.S. Dist. LEXIS 122210 (S.D.N.Y. July 21, 2017). Medidata’s accounting department received a phony email, purportedly from the company’s president, stating that an attorney would be contacting them.  Although the email contained the president’s correct email address on the “from” line (and his picture), it was a “spoof.”  After a phone call and a second email by the hacker to accounting and high level executives, Medidata wired $4.7 million to an offshore bank, and into the hacker’s hands.

The insurer argued no coverage under the Computer Fraud Coverage in the “Crime Coverage Section” of an “Executive Protection” policy because there was no “fraudulent entry of Data into [a] computer system,” because the information instructing the transfer went to an “inbox…open to…any member of the public.” The Medidata court disagreed. It held that the president’s address in the “from” line constituted “data”, entered by the hacker, posing as the company’s president. This satisfied the requirements that the third party “entered the insured’s computer system and “used” it to effectuate a fraudulent transfer.”

On the Funds Transfer Fraud Coverage of the “Crime Coverage Section”  the issue was whether the transfer was “without Medidata’s knowledge or consent.”  The Court held that the fact that the accounts payable employee willingly pressed the “send” icon does not transform the bank wire into a valid transaction. Since the validity of the wire transfer depended upon several high level employees’ knowledge and consent which was only obtained by “larceny by trick.”

The decision can be expected to be appealed by the insurer.   The Medidata decision extension of the concept of “use” or “violation” in computer fraud coverage parts to the ever-increasing practice of “spoofing” is a novel interpretation of the coverage that was at issue and an area that we anticipate will continue to be reviewed by the courts.   

If you have any questions or would like more information, please contact Rick Wirick at [email protected], or John Moura at [email protected].

Delaware Amends Data Breach Notification Law

Posted on: August 29th, 2017

By: Kacie L. Manisco

On August 17, 2017 Delaware Governor John Carney signed into law a bill amending the state’s Date Breach Notification Statute, marking the first significant change to Delaware’s data breach notification law since 2005. The amendments, which will go into effect on April 14, 2018, bring significant changes to how covered entities must prepare for and respond to data breaches.

Reasonable Data Security: Any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business. The definition of “person” has been expanded to include any business form, governmental entity, “or any other legal or commercial entity.”

Definition of Personal Information: The amendment expands the definition of “personal information” to include a Delaware resident’s first name or first initial and last name in combination with any one or more of the following that relate to the individual: (1) Social Security number; (2) driver’s license number or state or federal identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) passport number; (5) a username or email address, in combination with a password or a security question and an answer that would permit access to an online account; (6) medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or DNA profile; (7) health insurance policy number, subscriber identification number or any other unique identifier used by a health insurer to identify the person; (8) unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and (9) an individual taxpayer identification number.

Breach Notification: Delaware’s amended data breach law also now requires that notification be provided to residents affected within 60-days of discovery of the breach, unless a shorter time is required under federal law or a law enforcement agency has made a request that notice be delayed. Prior to this amendment, Delaware’s statute, similar to the data breach statutes of a majority of states, only mandated that disclosure of a data breach be made in the “most expedient time possible” and “without unreasonable delay.”

The amendment further clarifies that covered entities are not required to provide notice if an investigation reveals the breach was unlikely to result in harm to the affected residents. The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.

Attorney General Notification and Enforcement: Additionally, covered entities will now be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The prior version of the law did not require regulator notification.

Credit Monitoring: Delaware now joins California and Connecticut in mandating covered entities offer individuals affected by a breach of security involving Social Security numbers at least one year of free credit monitoring services unless.

As we have discussed before, these changes highlight the importance of being prepared ahead of time before a breach occurs, which includes having data breach response plan in place that will help you timely comply with notice obligations like these. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.

If you have any questions or would like more information, please contact Kacie L. Manisco at [email protected].

Data Privacy-As the Spokeo Turns

Posted on: August 29th, 2017

By: Jonathan M. Romvary

Lock-on-Keyboard[1]As we all know, the data privacy industry has been paying close attention to ongoing saga of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), including this firm’s blog, most recently here, here and here. That spotlight is shining a little brighter on the Ninth Circuit in connection with a ruling earlier this month.

Earlier this month, the Ninth Circuit issued its most recent Spokeo decision, holding, on remand, that the plaintiff, Thomas Robins, satisfied the harm requirement for Article III standing in his FCRA claim against Spokeo. Writing for the Court, Judge Diarmuid F. O’Scannlain set forth a two-step inquiry to determine whether a plaintiff satisfies Article III standing:

(1) Was the statute at issue established to protect the plaintiff’s concrete rights?
(2) Did the specific procedural violations cause or present a material risk of actual harm to plaintiff’s concrete rights?

In regards to the first step, the Court concluded that the FCRA was intended to protect consumers from the dissemination of false information regarding credit ratings, and as such the statute was protecting a concrete right. Judge O’Scannlain reasoned that the information that was allegedly falsely reported by Spokeo is of the type that would be important to those reviewing a consumer report. Next, the Court determined that the alleged FCRA violations presented a legitimate and material risk of actual harm to the Plaintiff. It is important to note that Judge O’Scannlain’s opinion is similar to Justice Ginsburg’s dissent to the Supreme Court’s recent majority opinion, focusing its analysis on the potential harm to the plaintiff’s financial prospects in the workforce as a result of the allegedly false information.

Plaintiffs in data breach litigations are likely rejoicing in the Ninth Circuit’s most recent ruling. Judge O’Scannlain’s opinion effectively dilutes the requirement that concrete harm requirement to standing, and making it easier to maintain their litigation. Relying upon the opinion, an affected individual may argue that, similar to Robins, the potential harm to their financial prospects as a result of a data breach involving credit information is sufficient to satisfy Article III standing. The mere prospect of a harm may now be sufficient to maintain standing, at least before the Ninth Circuit.

However, it is not all bad news for defendants in data breach litigations as it is likely that application of the Ninth Circuit’s ruling will be limited. The fact-intensive analysis by the Ninth Circuit suggests that it will be difficult if not impossible to apply the ruling in a class action context. Further, the Ninth Circuit’s opinion clearly distinguished between threat of harm and threat of the statutory violation itself: while a threatened statutory violation would not satisfy standing requirements, the court concluded that an actual violation accompanied by a threatened harm was sufficient. This likely limits data breach plaintiffs until they can show an actual statutory violation by the defendant company. Finally, this opinion does nothing to bridge the significant circuit split interpreting Spokeo (see In Re: Horizon Healthcare Services Inc. Data breach Litigation, No. 15-2309 (3d Cir. 2017) v. Gubala v. Time Warner Cable, Inc., No. 16-2613 (7th Cir. 2017)).

Unfortunately, we likely wait for the inevitable petition to the U.S. Supreme Court for more guidance.

Remember, the Cyber, Data Security, and Privacy practice group attorneys are here to assist you in responding to data security incidents. Please contact Jonathan Romvary at [email protected] if you have any questions or would like more information on how this developing issue of standing may affect your company. 

SEC Issues Risk Alert on the Cybersecurity Practices of Registered Broker-Dealers, Investment Advisers, and Investment Funds.

Posted on: August 11th, 2017

By: Jennifer Lee


The U.S. Securities and Exchange Commission (“SEC”) is becoming increasingly focused on cybersecurity issues in recent years as data breaches and ransomware attacks become more frequent and wide-spread across all industries. The most recent Risk Alert, issued on August 7, 2016 by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), shows that cybersecurity continues to be a high priority for the SEC in 2017.

The Risk Alert was based on an examination of the cybersecurity policies and practices of 75 broker-dealers, investment advisers, and investment funds over a nine-month period, from September 2015 to June 2016. The examinations focused on firms’ written policies and procedures regarding cybersecurity, including whether such policies were actually implemented and followed.

The 6-page report found that although most firms had cybersecurity policies in place, such policies were often too general and vague, as they did not articulate specific procedures for implementing the policies or examples of how employees can apply the policies in their daily work. In addition, even when firms had specific cybersecurity protocols in place, their actual practices were much more lax and did not reflect their stated policies and procedures. For example, firms often had policies requiring all employees to complete cybersecurity awareness training. However, they did not have a mechanism in place to enforce such requirements. The Risk Alert also pointed out that some firms were using outdated operating systems that were no longer supported by security patches and not taking measures to address the results of any penetrating testing.

In light of the findings, the report listed specific measures firms can take to ensure that their cybersecurity practice are “robust,” including:

  • Creating and maintaining an inventory of data and information, including classification of the risks of the disclosure of each category of data or information and business consequences in the event of such disclosures;
  • Tracking access and requests for access to data and information;
  • Following a regular schedule of system scans and updates, including security patches;
  • Establishing and enforcing controls concerning firm network and equipment, including protocols with respect to personal devices on firm networks; and
  • Requiring mandatory employee training on cybersecurity issues.

Cybersecurity incidents are a growing and costly problem for the financial services industry, and they do not appear to be going away anytime soon. The SEC has picked up on this and has begun to dedicate more resources to cybersecurity enforcement. In fact, last year, the SEC brought charges against Morgan Stanley Smith Barney LLC (“MSSB”) following a data breach involving customer data for failure to adopt written policies and procedures reasonably designed to protect customer records and information. MSSB, a dually registered broker-dealer and investment adviser, settled the matter by agreeing to a censure and a $1 million fine. With the release of the August 7, 2017 Risk Alert, it seems more likely now, more than ever, that firms will be held accountable for cybersecurity incidents, including data breaches and ransomware attacks, if they fail to implement the recommended measures and protocols contained in the Risk Alert.

However, SEC enforcement actions are not the only thing that broker-dealers and investment advisers need to worry about. As the public becomes more aware of cybersecurity issues, data breaches and ransomware incidents will result in the filing of customer claims. This may prove to be problematic as a single incident can affect thousands of customers, so a broker-dealer or an investment adviser may find itself trying to fight off thousands of individual actions or face a handful of actions involving a large number of customers, similar to a class action or a mass tort case.

To reduce the risk of an SEC enforcement action or customer actions based on cybersecurity incidents, broker-dealers and investment advisers should ensure that they are in compliance with SEC regulations and guidelines regarding cybersecurity, including but not limited to Regulation S-P, Exchange Act Rule 13n-6, and Exchange Act Rule 15c3-5—both on paper and in practice. Firms should also proactively implement any recommendations contained in OCIE’s Risk Alerts to the extent that they have not already.

If you have any questions regarding your firm’s compliance with SEC cybersecurity regulations or cybersecurity litigation in general, please contact the writer, Jennifer Lee, at [email protected].