FMG Law Blog Line

Posts Tagged ‘cybersecurity’

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016 in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach from the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that might result from future breaches were merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K item 303 requires companies to include trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents have the potential to and often do, in fact, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].


Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill.  Issued in the wake of the massive data breach of Atlanta-based Equifax, among other data breaches across the country, the cybersecurity bill would have made logging into a computer without permission illegal, even if no information was stolen.  The recent ransomware attack on the City of Atlanta serves as a reminder of the potential significant costs of not having computer systems protected adequately.

However, the bill included multiple exemptions, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access.  In the industry, this is often referred to as “hacking back.”  The defensive actions could have included techniques such as using beaconing technology to determine the location of a hacker or leaving one’s network to track down stolen data.  The legality of these cyber defense measures is murky.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and potentially lead to anticompetitive behavior.  According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].

Cybersecurity Deadlines Approaching for Banking, Insurance, and Financial Services Companies

Posted on: February 8th, 2018

By: David A. Cole

Businesses that are subject to the New York Department of Financial Services (“DFS”) cybersecurity regulations should be aware of upcoming compliance deadlines. Don’t be fooled—these regulations may apply to your business even if you’re not located in New York. The DFS cybersecurity regulations broadly apply to any business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financial Services Law.” A full description of the entities covered is listed on the DFS website.

Earlier this summer, covered entities had to meet an initial deadline requiring them to: (1) designate a Chief Information Security Officer; (2) establish a cybersecurity program; and (3) develop a written cybersecurity policy. Now, DFS has issued a press release to remind covered entities of another upcoming deadline under the cybersecurity regulations. By February 15, 2018, covered entities must submit a statement to DFS certifying their compliance with the regulations.  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

In addition, by March 1, 2018 (the one-year anniversary of the cybersecurity regulations), covered entities must submit their first annual written report to their boards, governing bodies, or other appropriate individual/committee. Also by this deadline, covered entities are required to have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please talk to one of our Data Security, Privacy & Technology attorneys. We are here to help!

Enhanced Privacy and Data Security Law on Tap for North Carolina

Posted on: February 8th, 2018

By: Paul H. Derrick

A bi-partisan privacy and data security bill will soon be rolled out in North Carolina, and its impact will be significant. North Carolina Attorney General Josh Stein and State Representative Jason Saine are co-authoring “The Act to Strengthen Identity Theft Protections.”  According to a recent press release and fact sheet, they plan to seek its introduction in the State’s General Assembly during the coming months.

The bill will bring dramatic changes to North Carolina’s existing Identity Theft Protection Act, particularly in two areas: (1) the imposition of an affirmative duty to implement and maintain data security procedures and practices; and (2) a 15-day breach notification window.  Companies that experience a data breach and have failed to maintain reasonable security practices will be deemed to have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act, and each person affected by the breach would constitute a separate and distinct violation of the law.  With provisions for treble damages and attorney’s fees, even for nominal violations, data breach litigation would quickly become much more lucrative for plaintiffs’ attorneys.

The proposed bill also would require companies to notify affected individuals and the Attorney General within 15 days following discovery or notification of a breach.  That is a substantial change from the current law’s requirement that notification be made “without unreasonable delay.”  Businesses will need to have a response plan already in place in the event a breach occurs, rather than waiting until the time arrives to develop a course of action.

Other provisions in the legislation update the definition of security breach to include ransomware attacks, broaden the definition of “personally identifiable information” to include medical information and insurance account numbers, allow consumers to freeze and unfreeze their credit without charge, and provide individuals with greater access to and control over their personal data.

Because it already has strong bi-partisan support, some version of the bill will almost surely be passed into law. North Carolina employers must not wait until that happens to begin preparing for it, however.  Businesses should audit their existing internal privacy and data security programs now and immediately develop meaningful and legally-compliant safeguards in any areas that are lacking.

Please contact Paul Derrick at [email protected] or anyone in FMG’s Data Security, Privacy, & Technology practice group if you would like more information on developing and implementing privacy and data security programs. We also have extensive experience in guiding organizations through data breaches and representing clients in data breach litigation.