FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Latest Study in Cybersecurity Awareness and End User Behaviors

Posted on: September 5th, 2019

By: Michael Kouskoutis

Cybersecurity awareness company Proofpoint recently published its fourth annual Beyond the Phish report, which analyzes end-user behavior and employee knowledge of cybersecurity. Drawing on over 130 million data points across 14 categories, 16 industries and over 20 departments, the report is regarded as one of the most useful cybersecurity studies published each year.

Notable findings include:

  • Participants incorrectly answered about 1 in 4 questions regarding identification of phishing threats.
  • Participants showed poor awareness surrounding risky communication channels (like connecting to public WiFi networks), and struggled to identify distinctions between public and private data.
  • Participants treat mobile devices differently, often taking greater risks than with stationary computers.
  • In comparison with prior reports, users have a greater understanding of ransomware and are becoming better at recognizing malicious pop-ups.
  • End users are also increasingly using physical security practices, such as locking devices before leaving them unattended.
  • End users in the finance industry performed the best, while those in education and transportation were the worst performing users across all industries.
  • End users in hospitality performed the worst in the “Physical Security Risks” category.
  • Workers in the insurance industry performed particularly well in the “Avoiding Ransomware Attacks” category.
  • Communications was the best performing department among all industries, while customer service, facilities and security departments performed the worst.
  • 83% of global organizations experienced phishing attacks in 2018.

The study also reported a significant increase in safe behaviors in organizations that offer continuous training across all cyber topics. With human error being the leading cause of cybersecurity breaches, businesses should make cyber awareness a core component of employee training and offer continual training programs that are kept up to date with the latest threats. For more information on cyber data security or breach response, contact Michael Kouskoutis at [email protected].

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, unfortunately, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that gave the hacker access to their personal information stored in the clinic’s computer database, such as their Social Security number, date of birth, and medical history. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she did not actually allege those charges were the result of the clinic’s data breach.

Instead of claiming a violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, violation of the Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding that measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.

Breaking – Eleventh Circuit Holds No TCPA Standing For Receipt of Single Unsolicited Text Message

Posted on: August 29th, 2019

By: Matthew Foree

In Salcedo v. Alex Hanna, the U.S. Court of Appeals for the Eleventh Circuit has just issued a major decision holding that receipt of a single unsolicited text message does not establish standing under the Telephone Consumer Protection Act (“TCPA”). A copy of the opinion is available here.

In this case, the plaintiff, who was a former client of the defendant law firm, received a multimedia text message from the defendant offering a 10% discount on his services. Plaintiff filed suit as a representative of a putative class of former clients who received unsolicited text messages from the defendant in the past four years alleging violations of the TCPA.

In reaching its decision, the court considered Eleventh Circuit precedent in Palm Beach Golf Center-Boca, Inc. v. John G. Sarris, D.D.S., P.A., in which it found standing for a plaintiff who alleged that receiving a junk fax in violation of the TCPA harmed him because, during the time it took to process the fax message, his fax machine was unavailable for legitimate business. The court distinguished that case based on differences between faxes and text messages. Among other things, it found that a fax message consumes the fax machine entirely, while a text does not consume a cellular phone. It noted that, unlike a cellular phone, a fax machine is unable to receive another message while processing.

The court also looked to the judgment of Congress as to whether plaintiff’s allegations were treated as a concrete injury-in-fact. Among other things, the court recognized that “Congress’s legislative findings about telemarketing suggest that the receipt of a single text message is qualitatively different from the kinds of things Congress was concerned about when it enacted the TCPA. In particular, the findings in the TCPA show a concern for privacy within the sanctity of the home that do not necessarily apply to text messaging.” The court determined that Congress’s “privacy and nuisance concerns about residential telemarketing are less clearly applicable to text messaging.” Significantly, it noted that a single unwelcome text message will not always involve intrusion into the privacy of the home in the same way that a voice call to a residential line necessarily does. As part of its analysis, the court also found the Ninth Circuit decision in Van Patten v. Vertical Fitness Group, LLC, which dealt with the same issue, unpersuasive. It distinguished that case by noting that it stopped short of examining whether isolated text messages not received at home come within the judgment of Congress.

The Eleventh Circuit also found that history and the judgment of Congress do not support finding concrete injury in plaintiff’s allegations. It noted that the plaintiff did not allege “anything like enjoying dinner at home with his family and having the domestic peace shattered by the ringing of the telephone.” The court summed up its position by stating that the “chirp, buzz, or blink of a cell phone receiving a single text message is more akin to walking down a busy sidewalk and having a flyer briefly waved in one’s face. Annoying, perhaps, but not a basis for invoking the jurisdiction of the federal courts.”

Judge Pryor concurred in the judgment only and noted that the majority opinion appropriately, in her view, leaves unaddressed whether a plaintiff who alleges that he received multiple unwanted and unsolicited text messages may have standing to sue under the TCPA. With this understanding, she concurred in the majority’s judgment.

It remains to be seen how this case will be used to defeat standing in future cases, including how it is applied to cases involving multiple text messages and calls to cellular telephones. This is a major decision that will have a drastic effect on standing in TCPA class action cases. If you have any questions about this decision, please do not hesitate to contact Matt Foree at [email protected].

Connecticut and Delaware Enact New Data Security Laws for the Insurance Industry

Posted on: August 8th, 2019

By: Ben N. Dunlap

Connecticut and Delaware have enacted new laws imposing data security obligations on the insurance industry, joining New York, South Carolina, Ohio, Michigan, and Mississippi.

Connecticut’s Insurance Data Security Law, signed by the Governor on July 26, 2019, creates new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department. Following the model of the New York Department of Financial Services’ 2017 Cybersecurity Regulations, the Connecticut law requires licensees to maintain an information security program corresponding to the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program. The law requires oversight by the licensee’s board of directors and annual certification of compliance to the Insurance Department. The law also imposes a new reporting requirement: licensees will have to report cybersecurity incidents to the Insurance Department within three business days. The law becomes effective October 1, 2019, but licensees have until October 1, 2020 to prepare and implement programs compliant with the new requirements.

The Delaware Insurance Data Security Act, signed by the Governor on July 31, 2019, establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security program. Following the 2018 Model Act published by the National Association of Insurance Commissioners, the Delaware law requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it authorizes the Department of Insurance to investigate violations of and impose penalties against insurance carriers.

The Delaware law requires licensees to (1) implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ nonpublic information and personal data; (2) conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised; (3) notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred; (4) notify all impacted consumers within 60 days of the determination that their data has or may have been compromised; and (5) offer free credit monitoring services for one year to consumers impacted by breaches.

If you have any questions or would like more information, please contact Ben Dunlap at [email protected].

Malware Incident in Philly Court that Downed Online Filing Highlights Concerns for Court Systems and Legal Community in the Future

Posted on: July 11th, 2019

By: Justin Boron

It’s back to normal for tech-dependent legal professionals in the Philadelphia legal community. After a month with no access to online filing due to a malware incident in the Philadelphia Court of Common Pleas, attorneys like me—who never knew a time when online filing didn’t exist—are again just a few keystrokes away from filing pleadings, motions, and briefs on time.

That means we can go back to filing mere minutes before the deadline, and it means an end to the anxiety of an uneasy dependence on staff and attorneys who still knew how to file the ‘old-fashioned way’ — finalizing a paper brief far enough in advance that it can be mailed or walked through by a courier before the deadline. (It could have been worse: no one had to pull out the typewriter and white-out.)

But beyond the whiplash felt by tech-dependent professionals having their roles reversed with other, more tech-wary legal professionals, the malware incident announced May 21 illustrates how much online filing technology has changed the legal profession’s approach to deadlines, the need for local counsel or a reliable courier, and access to the hard-copy record for court notices and pleading dockets—and how quickly that approach can regress if the system goes down.

It also exemplifies the increasing threat to public administration dependent on digital infrastructure. The Emotet/Trickbot malware has evolved from mainly targeting banks to exposing flaws in the security of critical public infrastructure like courts, utilities, and local government facilities.[1] In the last year, the City of Atlanta, the City of Baltimore, and other court systems have sustained similar incidents.

These security incidents can have serious consequences. Access to the courts is a right that, if deprived, can have dire consequences for criminal defendants. An incident can also lead to paying expensive ransoms and could result in legal exposure if the threat actors are able to access and abscond with Personally Identifiable Information.

Fortunately, Philadelphia court officials believe no data was removed from the system. No ransom demand was reported, and court officials are shoring up the court’s digital security to avoid a similar incident in the future.[2]

For other court and public administration systems tied to digital infrastructure, planning in advance of an incident will be key to how severely a security incident affects them.

As FMG has previously written on its Cyber, Privacy, and Security blog, the security incident within the City of Atlanta highlighted the importance of having adequate cyber insurance to cover the potentially high costs of breach response.[3] Routine and pre-incident assessments, as well as staying informed on the ever-changing landscape of threats, are also important. Likewise, it is advisable to retain breach counsel before an incident so they are familiar with the client’s systems and can move quickly to advise—within the protections of the attorney-client privilege—on steps to mitigate the harm from a security incident and to avoid legal exposure.

If you have questions or would like more information, please contact Justin Boron at [email protected].

[1] https://blog.malwarebytes.com/cybercrime/2019/03/emotet-revisited-this-pervasive-persistent-threat-is-still-a-danger-to-businesses/

[2] https://www.inquirer.com/news/philadelphia-courts-virus-hackers-russia-20190621.html?outputType=amp

[3] https://www.fmglaw.com/FMGBlogLine/insurance/city-hacks-atlantas-2018-cyberattack-and-the-growing-need-for-cyber-liability-insurance/