FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

City Hacks – Atlanta’s 2018 Cyberattack and the Growing Need for Cyber Liability Insurance

Posted on: February 12th, 2019

By: Matthew Weiss

Already a growing area of liability insurance for businesses, the importance of cyber insurance for local governments came to the forefront last March when the City of Atlanta suffered a malware attack in which its computer networks were hijacked by hackers seeking a ransom equal to $51,000 in bitcoin. The cyberattack left the City unable to perform basic services, including processing tickets in municipal court and providing Wi-Fi service at Hartsfield-Jackson International Airport. At one point, city employees were advised not to even turn on their computers.

While Atlanta’s cyberattack made national headlines, the role that cyber insurance played in its response has been largely undocumented. The City holds a cyber insurance policy with AIG, and the total cost associated with the cyberattack is believed to have approached $5 million.

Although Atlanta redacted key details of its cyber insurance policy, including its coverage limits, in response to press inquiries, the State of Georgia has acknowledged that it holds a $100 million cyber insurance policy, the largest of any state, covering more than 100 state agencies including every branch of state government except higher education. The policy was put to use when the Georgia Department of Agriculture’s computer system was infected by malware in December 2017, compromising the department’s computer system, including employee email and internal operation servers. The cost of the state’s response to the malware attack exceeded its self-insured retention of $250,000.

The recent experiences of the City of Atlanta and the Georgia Department of Agriculture exemplify the growing importance of cyber insurance for state and local governments. Governments are frequently considered prime targets for cyberattacks because of a lack of synchronization among government systems, a lack of harmonization among the third-party vendors rendering services to those governments, and a dearth of qualified professionals employed by governments, since more lucrative careers are available in the private sector. Indeed, governments frequently assign cybersecurity to their IT departments, which are already overburdened and under-resourced. At the same time, as local governments become more digital, the impact of a cyberattack can become highly disruptive to a city’s operations, as the City of Atlanta’s experience showed. In fact, Forbes has reported that Lloyd’s City Risk Index estimates that the risk of cyberattack is the third most consequential threat to Atlanta and other North American cities, with a collective potential impact of more than $93 billion. Given these substantial risks, Lloyd’s concludes that cities and states should make better use of cyber insurance, with a 1% increase in insurance penetration resulting in a corresponding 22% decrease in the risk to taxpayers.

The growing need for cyber insurance among cities, counties, and states melds both the areas of local government law and insurance coverage and is certain to be a major growth area in the near future. Hopefully, Atlanta’s painful learning experience will better prepare other local governments in the months and years to come.

If you have any questions or would like more information, please contact Matthew Weiss at (678) 399-6356 or [email protected].

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises of their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them (HIPAA and the Gramm-Leach-Bliley Act, respectively), there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.

The Sixth Circuit Finds Coverage For Fraudulent Wire Transfer Under Crime Policy

Posted on: September 12th, 2018

By: Allen Sattler

Business email compromise (“BEC”) claims consist of incidents where cyber criminals access or use a company’s email system to commit a crime, usually for financial gain and often including the use of trickery to convince an employee to wire corporate funds to the criminal’s account. According to statistics reported by the FBI, BEC claims are on the rise, especially in the last three years. In 2016, there was a 2,370% increase in email account compromise attacks, involving losses of nearly $346 million, and the frequency of BEC claims continues to rise.

Several insurers offer coverage for BEC claims, including for losses sustained as the result of a fraudulent wire transfer. In American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of Am., 5:16-cv-12108 (6th Cir. 2018), the Sixth Circuit became the latest federal appeals court to interpret an insurance policy that included coverage for fraudulent wire transfers. In a decision dated July 13, 2018, the Sixth Circuit ruled that the crime policy provides coverage for the loss incurred by the insured.

American Tooling Center (“ATC”), a Michigan manufacturer in the automobile industry, hired a Chinese company to manufacture stamp dies. To receive payment for its work, the Chinese company would send invoices to ATC, and ATC would route payment to its vendor via wire transfer. In 2015, a person outside the company intercepted an email from ATC to its vendor. That person impersonated an employee of the vendor and told ATC that, because of an audit, ATC should wire payment on its outstanding invoices to a different bank account. ATC complied with the instructions and wired over $800,000 to the thief’s bank account. The thief was never identified, and the money was not recovered.

ATC made a claim to its insurer under a “Computer Fraud” provision of its crime policy to recover the money lost. The insurer denied coverage, arguing that ATC did not suffer a loss until it eventually paid the outstanding invoices to the Chinese vendor, and that ATC therefore did not suffer a “direct loss” as required by the policy wording. The insurer also argued that ATC’s act of changing the bank account information without verification constituted an intervening act that broke the chain of causation. The Sixth Circuit disagreed, holding that ATC immediately lost the money when it wired the money to the thief, and that the thief’s instructions to ATC directly caused the loss. The Court also rejected the insurer’s argument that the policy required the thief to first gain access to ATC’s computer systems before coverage was triggered, and that here the thief did not hack into the email system to commit the fraud. The Court ruled that the policy language was not so limited.

The insurer sought reconsideration of the ruling, which the Sixth Circuit recently denied.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].

Smart Cities Face Hacking Threat

Posted on: August 15th, 2018

By: Ze’eva Kushner

As you sit in traffic, frustrated and wondering why the city or municipality cannot do something to ease congestion, know that a city’s use of internet-connected technology to make your commute better may also invite hackers to wreak havoc on your city.

Traffic is just one of many problems that “smart cities” use internet-connected technology to address. A smart city can set up an array of sensors and integrate their data to monitor things like air quality, water levels, radiation, and the electrical grid. That data can then be used to automatically inform fundamental services like traffic and street lights and emergency alerts.

Smart city technology provides many benefits to city management, including connectivity and ease of management. However, these very same features make the technology an attractive target for hackers. In a recently released white paper, IBM revealed 17 vulnerabilities in smart city systems around the world. Some of these risks were as simple as failing to change default passwords that could be guessed easily; others were bugs that could allow an attacker to inject malicious software commands, or that would allow an attacker to sidestep authentication checks. Additionally, using the open internet rather than an internal city network to connect sensors or relay data to the cloud presents an opportunity for hackers.

Atlanta is an example of a smart city that is attempting to improve its efficiency by employing smart city technology, with its focus being mobility, public safety, environment, city operations efficiency, and public and business engagement. Atlanta knows all too well how crippling a hack can be, as it suffered from the ransomware attack in the spring that kept residents from services such as paying their water bills or traffic tickets online. The hacking threat to smart cities is real and significant.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

Posted on: July 30th, 2018

By: Jonathan Romvary

As we recently posted, California has passed the landmark California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020 and grants California residents expansive new privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated, but the current draft contains a number of errors that will need to be addressed before its effective date of January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive about compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it is arguable whether this will provide greater protections to consumers, it will undoubtedly come as a burden on those businesses covered by the CCPA. At this time these specific AG regulations are unknown, and with an upcoming election there is no guarantee we will know what these regulations will be until late next year, shortly before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, data mapping, and regulatory compliance work in order to come into compliance before the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the technology those companies need in order to comply.

Unfortunately for all of those companies that spent the last 12 to 18 months working through GDPR compliance, you will not automatically be in compliance with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR, and in many cases the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold, or transferred by the business. While the CCPA contains numerous exemptions for particular data uses and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].