FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Connecticut and Delaware Enact New Data Security Laws for the Insurance Industry

Posted on: August 8th, 2019

By: Ben N. Dunlap

Connecticut and Delaware have enacted new laws imposing data security obligations on the insurance industry, joining New York, South Carolina, Ohio, Michigan, and Mississippi.

Connecticut’s Insurance Data Security Law, signed by the Governor on July 26, 2019, creates new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department. Following the model of the New York Department of Financial Services’ 2017 Cybersecurity Regulations, the Connecticut law requires licensees to maintain an information security program corresponding to the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program. The law requires oversight by the licensee’s board of directors and annual certification of compliance to the Insurance Department. The law also imposes a new reporting requirement: licensees will have to report cybersecurity incidents to the Insurance Department within three business days. The law becomes effective October 1, 2019, but licensees have until October 1, 2020 to prepare and implement programs compliant with the new requirements.

The Delaware Insurance Data Security Act, signed by the Governor on July 31, 2019, establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security program. Following the 2018 Model Act published by the National Association of Insurance Commissioners, the Delaware law requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it authorizes the Department of Insurance to investigate violations of and impose penalties against insurance carriers.

The Delaware law requires licensees to (1) implement information security programs and conduct risk assessments to prevent data breaches and the compromise of consumers’ nonpublic information and personal data; (2) conduct thorough investigations to determine whether a cybersecurity event or data breach may have occurred and whose data may have been compromised; (3) notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred; (4) notify all impacted consumers within 60 days of the determination that their data has or may have been compromised; and (5) offer free credit monitoring services for one year to consumers impacted by breaches.

If you have any questions or would like more information, please contact Ben Dunlap at [email protected].

Malware Incident in Philly Court that Downed Online Filing Highlights Concerns for Court Systems and Legal Community in the Future

Posted on: July 11th, 2019

By: Justin Boron

It’s back to normal for tech-dependent legal professionals in the Philadelphia legal community. After a month with no access to online filing due to a malware incident in the Philadelphia Court of Common Pleas, attorneys like me—who never knew a time when online filing didn’t exist—are again just a few keystrokes away from filing pleadings, motions, and briefs on time.

That means we can go back to filing mere minutes before the deadline, and it means an end to the anxiety from an uneasy dependence on staff and attorneys who still knew how to file it the ‘old-fashioned way’ — finalizing a paper brief far enough in advance that it can be mailed or walked through by a courier before the deadline. (It could have been worse: no one had to pull out the typewriter and white-out.)

But beyond the whiplash felt by tech-dependent professionals having their roles reversed with other, more tech-wary legal professionals, the malware incident announced May 21 illustrates how much online filing technology has changed the legal profession’s approach to deadlines, the need for local counsel or a reliable courier, and access to the hard-copy record for court notices and pleading dockets—and how quickly that approach can regress if the system goes down.

It also exemplifies the increasing threat to public administration dependent on digital infrastructure.  The Emotet/Trickbot malware has evolved from mainly targeting banks to exposing flaws in the security of critical public infrastructure like courts, utilities, and local government facilities.[1]  In the last year, the City of Atlanta, the City of Baltimore, and other court systems have sustained similar incidents.

These security incidents can have serious consequences. Access to the courts is a right that, if deprived, can have dire consequences for criminal defendants. An incident can also lead to paying expensive ransoms and could result in legal exposure if the threat actors are able to access and abscond with Personally Identifiable Information.

Fortunately, Philadelphia court officials believe there was no data removed from the system.  There was no reported ransom demanded, and court officials are shoring up the court’s digital security system to avoid a similar incident in the future.[2]

For other court and public administration systems tied to digital infrastructure, planning in advance of an incident will be key to how severely a security incident affects them.

As FMG has previously written on its Cyber, Privacy, and Security blog, the security incident within the City of Atlanta highlighted the importance of having adequate cyber insurance to cover the potentially high costs of breach response.[3] Routine, pre-incident assessments and staying informed on the ever-changing landscape of threats are also important. Likewise, it is advisable to retain breach counsel before an incident so they are familiar with the client’s systems and can move quickly to advise—within the protections of the attorney-client privilege—on steps to mitigate the harm from a security incident and to avoid legal exposure.

If you have questions or would like more information, please contact Justin Boron at [email protected].

[1] https://blog.malwarebytes.com/cybercrime/2019/03/emotet-revisited-this-pervasive-persistent-threat-is-still-a-danger-to-businesses/

[2] https://www.inquirer.com/news/philadelphia-courts-virus-hackers-russia-20190621.html?outputType=amp

[3] https://www.fmglaw.com/FMGBlogLine/insurance/city-hacks-atlantas-2018-cyberattack-and-the-growing-need-for-cyber-liability-insurance/


The Standing Requirement Remains an Open Question But Still a Valid Defense to Cyber Claims

Posted on: June 26th, 2019

By: Jeff Alitz

In litigation in the federal courts, a successful plaintiff has always had to establish in some manner that the harm sought to be remedied by a federal lawsuit falls within the authority of the courts to hear and decide. Put another way, Article III of the Constitution limits the authority of federal courts to deciding only those cases in which the claimant has “standing”: a cognizable interest in the dispute. That interest must be demonstrated by showing (1) a concrete injury, (2) that the injury is attributable to the defendant’s actions, and (3) that the injury can in some way be addressed by a favorable decision in the case. In many cases claimants have demonstrated that a cyber breach occurred for which the target defendant is responsible, only to be denied standing, and hence denied recovery, because no actual “harm” or loss was established; just what constitutes that harm is therefore an often-litigated issue and, in many lawsuits, a powerful defense for parties alleged to have committed some type of cyber misstep. Several recent Supreme Court actions have done little to clarify that issue, namely what type of “harm” must be demonstrated for standing to be proven, but they have simultaneously preserved standing as a significant hurdle for cyber claim plaintiffs to clear in most states.

Specifically, on March 20, 2019, in reviewing the Ninth Circuit’s decision in Frank v. Gaos, which had approved the class action settlement between Google and a group (class) of Google users, the Supreme Court ordered the Ninth Circuit to determine whether the plaintiffs in that case had suffered a concrete injury before any settlement could be approved. But in reaching that result, the Court gave no guidance on how a court should decide whether an injury-in-fact had occurred. Less than a week later, in denying certiorari to the parties in Zappos v. Stevens, the Court similarly declined to clarify the injury-in-fact standard. The circuit courts are split: some (the Sixth, Seventh, Ninth and D.C. Circuits) have determined that simply identifying theft of information or cyber fraud and the THREAT of future misuse is sufficient to confer standing, while others (the First, Second, Third, Fourth and Eighth Circuits) have held that merely alleging the threat of future harm is not enough to establish an actual harm sufficient for standing purposes. By refusing to resolve that split, the Court has in effect left the issue to the lower courts to continue to resolve on a piecemeal basis.

The Supreme Court’s inaction comes at a time when state legislatures are focusing on the injury-in-fact issue by enacting statutes that attempt to eliminate any requirement that a claimant establish actual harm to succeed in a cyber-liability lawsuit. California’s Privacy Act of 2018, Massachusetts Senate Bill 120 and the Illinois Biometric Privacy Act each either clearly state or (in the case of the Illinois act) merely suggest that no injury apart from being subject to a theft or disclosure is needed to establish standing. Nevertheless, in those states that have NOT passed such legislation, and in those states outside the jurisdictions of the Circuit Courts that have watered down the Article III requirement that a concrete injury be established to confer standing, defendants in cyber lawsuits, and their insurers and attorneys, can continue to focus on the lack of provable harm to defeat such claims.

If you have questions or would like more information, please contact Jeff Alitz at [email protected].

Currently pending in the Massachusetts legislature is Bill S.120 entitled “An Act Relative to Consumer Data Privacy”

Posted on: April 25th, 2019

By: Eric Martignetti

The proposed bill defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” “Personal information” includes “biometric information.” “Biometric information” is “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under the proposed bill, a business that collects a consumer’s personal information shall, at or before the point of collection, notify a consumer of: (1) the categories of personal information it will collect; (2) the business purpose for which their personal information will be used; (3) the categories of third parties to whom the business discloses their personal information; (4) the business purpose for the third-party disclosure; and (5) the consumer’s right to request a copy of their personal information, the deletion of their personal information, and the right to opt out of the disclosure of their personal information to third parties. Also, a business must include these five items either in its online privacy policy or on its website.

Under the proposed bill, a business shall also make reasonably available to consumers two or more methods, including a link on the home page of its website, for submitting a consumer verified request. Through a consumer verified request, a consumer can request: (1) the specific pieces of personal information the business has collected about them; (2) the sources from which their personal information was collected; (3) the names of third parties to whom the business disclosed their personal information; and (4) the business purpose for third-party disclosure.

The proposed bill applies to a “business” that: (1) “is organized or operated for the profit or financial benefit of its shareholders or other owners”; (2) “collects Massachusetts consumers’ personal information”; and (3) “has annual gross revenues in excess of $10,000,000” or “derives 50 percent or more of its annual revenues from third party disclosure of consumers’ personal information.”

The proposed bill carves out an exception for “a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This exception would, in most cases, protect employers from lawsuits brought by employees under the Act.

The proposed bill creates a private right of action for consumers. In a private right of action, a consumer need not suffer a loss of money or property, and they may recover $750 in statutory damages or their actual damages, whichever is greater. A consumer may also recover costs and attorneys’ fees.

If you have any questions or would like more information, please contact Eric Martignetti at [email protected].

Massachusetts’ Will-o’-the-WISP

Posted on: April 24th, 2019

By: Zach Moura

Massachusetts revised its data breach notification law, effective April 10, 2019, to change the minimum standards for what companies should include in a Written Information Security Plan, or WISP. Companies that experience a data breach incident must now confirm in their breach notice to the Massachusetts Attorney General whether the company maintains a WISP and identify any steps taken or planned relating to the incident, including updating the WISP. The requirements apply to companies that handle personal information belonging to Massachusetts residents no matter where the company itself is located.

The revisions also reshape the requirements for notifications to impacted individuals. In data breach incidents in which Massachusetts residents’ Social Security numbers are exposed, Massachusetts now requires companies to offer 18 months of free credit monitoring services to impacted individuals. Entities must also now certify to the state’s Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services comply with the statute, and provide the name of the person responsible for the breach of security, if known. The revisions also obligate the OCABR to publicly post the sample notice on its website within one business day.

The new statute calls for rolling and continuous notifications to all impacted individuals as they are identified, rather than allowing a business to first determine the total number of impacted individuals before notifying them all at the same time. And if an investigation reveals more information on the data breach that, if known, would have been provided to the impacted individuals in the original notice, additional notices must be sent. Entities must also now identify any parent or affiliated corporation in the notification letter.

For any questions about the above, or whether a WISP complies with Massachusetts law, please contact Zach Moura at [email protected].