FMG Law Blog Line

Posts Tagged ‘#databreach’

California, Again, Amends its Data Breach Notification Statute

Posted on: October 23rd, 2015

By: Kacie Manisco

On October 6, 2015, Governor Jerry Brown signed into law three separate bills amending California’s Data Breach Notification Statute. Together, the amendments, which take effect on January 1, 2016, expand the definition of “personal information,” provide a new definition for the term “encrypted,” and impose additional formatting and substance requirements for individual data breach notification letters. These amendments apply to all persons and businesses conducting business in California, as well as to all California governmental agencies.

The first amendment, Senate Bill 34, expands the definition of “personal information” to include “information or data collected through the use or operation of an automated license plate recognition (“ALPR”) system.” The Bill imposes specific requirements on ALPR operators, such as police departments, to maintain a specified record of access to ALPR information. It further requires ALPR operators to implement “reasonable safeguards” to protect ALPR data from unauthorized use or disclosure, although it does not specify exactly what safeguards should be implemented in order to be “reasonable.” The amendment also provides a private right of action to individuals harmed by violation of these security requirements.

The second amendment to the Data Breach Notification Statute, Assembly Bill 964, attempts to clarify the meaning of the term “encrypted,” since, under California law, as under other state data breach laws, notification is generally not required for breaches of information that is encrypted. The amendment defines “encrypted” to include data that has been rendered “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The statute does not, however, specify any particular encryption method or key strength, so businesses should be prepared to show that whatever they use meets this “generally accepted” standard; data whose encryption key was also compromised in the breach will not qualify for the safe harbor.

Lastly, upon a security breach, existing law requires California businesses and agencies to issue a security breach notification meeting specific requirements, including that the notification be written in plain language. Senate Bill 570 imposes additional requirements on the formatting and language used for such security breach notifications. The amendment requires the notification to be titled “Notice of Data Breach,” and it must present information under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”

California businesses and agencies must be attentive to the ever-changing notice requirements, as these amendments mark the third time in three years that California has amended its Data Breach Notification Statute. As we have discussed before, these changes highlight the importance of being prepared before a breach occurs, which includes having a data breach response plan in place that will help you comply with notice obligations like these on time. We have created our FMG Cyber Toolkit to help our clients for this very reason. Please contact one of our Cyber, Data Security, and Privacy practice group attorneys for more information about developing a plan for your organization.


Third Circuit Affirms FTC’s Authority Over Data Security: Decision Underscores Need for Cyber Policies and Procedures

Posted on: August 27th, 2015

By: David Cole

This week, the U.S. Court of Appeals for the Third Circuit released its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corporation, unanimously upholding the FTC’s authority to regulate businesses’ data security practices under Section 5 of the Federal Trade Commission Act (FTC Act).  As a result, businesses can expect increased enforcement by the FTC and greater scrutiny of their data security practices.

Section 5 of the FTC Act declares it unlawful for a business to engage in any “unfair or deceptive acts or practices in or affecting commerce,” and it empowers the FTC to enforce this provision through administrative actions and civil actions in federal court. In recent years, the FTC has taken the position that businesses with inadequate data security practices, and businesses that do not adhere to their published data security and privacy policies, engage in unfair and deceptive practices. This has caught by surprise many who had not thought of inadequate data security as a potential unfair or deceptive practice.

The Third Circuit’s decision originated from a lawsuit that the FTC filed in federal court alleging that Wyndham engaged in unfair and deceptive practices surrounding three data breaches that occurred in 2008 and 2009.  It alleged that Wyndham’s data security was insufficient in a number of ways, including that:

  • payment card information was stored in clear readable text (instead of encrypted);
  • simple, easily guessed passwords were used (instead of complex passwords and multi-factor authentication);
  • readily available security measures were not used to limit access between systems (like firewalls);
  • adequate information policies and procedures were not implemented;
  • measures to detect and prevent unauthorized access were not used (like intrusion detection systems); and
  • proper incident response procedures were not followed.

Wyndham moved to dismiss the lawsuit, arguing that the FTC is not empowered to regulate businesses’ data security practices under Section 5 of the FTC Act. Alternatively, it argued that the FTC had not given “fair notice” of the data security standards it would enforce, and which businesses needed to satisfy in order to comply with the FTC Act. The district court denied Wyndham’s motion to dismiss, but certified the question for interlocutory appeal to the Third Circuit. Many had hoped that the Third Circuit would rein in the FTC’s efforts to extend itself into the field of data security, but instead got the opposite result.

The Third Circuit unanimously agreed with the FTC and rejected Wyndham’s arguments, holding that the FTC does have authority under the FTC Act’s “unfairness” prong to bring enforcement actions against businesses for having inadequate data security.  The court cited language in the FTC Act, which authorizes the FTC to declare an act or practice unfair, in violation of section 5, if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  In Wyndham’s case, the court decided that consumers could not have reasonably avoided their injury because Wyndham’s published privacy policy misled them by suggesting that it took steps to safeguard confidential information, when, in fact, it actually did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

The Third Circuit also rejected Wyndham’s fair notice argument, stating that it was not entitled to know with “ascertainable certainty” what cybersecurity standards the FTC would require.  Instead, it held that the requirement of fair notice is met so long as a business can “reasonably foresee that a court could construe [its] conduct as falling within the meaning of the statute.”  Since Wyndham allegedly lacked “any” firewalls, encryption for certain customer files, and password requirements, among other things, the court held that Wyndham should have been on notice of the possibility that a court could find that its data security practices were unreasonable.

It is not yet known whether Wyndham will seek further review of the decision. In the meantime, the Third Circuit’s decision establishes precedent that may be followed by other courts and, unless and until there is further appellate review or a challenge in another circuit that is decided against the FTC, it seems that the question of the FTC’s authority to regulate the data security field is now settled. As a result, businesses can expect more enforcement by the FTC and greater scrutiny of their data security practices.

This underscores the importance that businesses must place on their data security practices. As we have written before, it is critical that businesses implement policies regarding their data security practices and their procedures for responding to a data breach if one occurs. To help our clients accomplish this, FMG has developed a Data Breach Toolkit, which consists of policy and form documents intended to provide your organization with everything it needs, from a document standpoint, to help prevent a data breach from occurring and to respond effectively if one happens. To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team attorneys.

FMG Data Breach Response Team

To best service our clients, you have 24/7 around-the-clock access to our Data Breach Response Team. Our attorneys provide you with a single point of contact for an immediate determination of the appropriate response to the breach and, where warranted, they will dispatch appropriate support service providers to your location to begin any investigation or resolution work that is needed. The lead members of our Data Breach Response Team are:

David Cole – Cyber Team Chair
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]

John Goselin (Atlanta office)
(770) 818-1423 (o)
(678) 478-3570 (c)
[email protected]

Jonathan Romvary (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi (Philadelphia office)
(267) 758-6013 (o)
(949) 294-9230 (c)
[email protected]

Kacie Manisco (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

DOJ Issues Guidance for Best Practices Before, During, and After a Data Breach

Posted on: May 19th, 2015

By: David Cole

In response to the increasing number of data breaches around the country, and the public attention being given to them, the Department of Justice (DOJ) recently issued a guidance document intended to help organizations prepare for and respond to data breaches. The document, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” is based on the DOJ’s experience investigating and prosecuting cybercriminals. The guidelines focus primarily on the proactive and reactive measures an organization should take with respect to data breaches.

Consistent with the NIST Cybersecurity Framework, the DOJ guidance recommends that, before any data breach occurs, organizations conduct a risk assessment to identify and prioritize critical assets, data, and services. In addition, the guidance recommends that organizations develop a data breach response plan that has specific, concrete procedures to follow in the event of a data breach. Once a plan is developed, organizations should test the plan with “tabletop” exercises, and continually update the plan to reflect changes in personnel and structure. Organizations should also ensure that they maintain the technology necessary to detect and respond to data breaches.

In the event of a data breach, the guidance recommends a number of basic steps. It advises organizations not to use compromised systems to communicate once they become aware of a potential data breach, since an intruder who still has access to those systems can read the response team’s plans. After making an initial assessment of the nature and scope of the incident, the guidelines suggest that an organization minimize continuing damage to its systems by taking steps such as rerouting network traffic, blocking a denial of service attack, or isolating all or part of a compromised network. The organization also should record and collect all evidence and information that it can about the unauthorized access that occurred, which may involve imaging the affected computer and retaining all logs and records of the data underlying the incident. Finally, the guidelines suggest that an organization notify its employees, management, law enforcement (including the Department of Homeland Security), and any potential victims.
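The evidence-preservation step above (image the affected computer, retain all logs) is only useful later, whether to law enforcement or in litigation, if the organization can show that what it collected was not altered afterward. The usual way to do that is to hash every collected artifact at collection time and keep that manifest apart from the evidence. The following is an added example, not code from the DOJ document or from this post: it builds such a manifest with SHA-256, produces a digest of the manifest itself that can be stored or signed separately, and re-verifies the artifacts later. The sample log lines and the fake disk image are constructed for the demonstration, and the case identifier and collector name are placeholders.

```python
"""Evidence manifest: hash collected artifacts so later tampering is detectable."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so disk images larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record path, size, SHA-256 and collection time (UTC) for each artifact."""
    items = []
    for p in map(Path, paths):
        st = p.stat()
        items.append({
            "path": str(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return {"case_id": case_id, "collector": collector, "items": items}


def manifest_digest(manifest):
    """SHA-256 of the canonical JSON form; keep or sign this separately from the evidence."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest):
    """Return the paths whose contents no longer match the manifest (missing files included)."""
    mismatched = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if (not p.exists()
                or p.stat().st_size != item["size"]
                or sha256_file(p) != item["sha256"]):
            mismatched.append(item["path"])
    return mismatched


def demo():
    """Build a manifest over constructed sample artifacts, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample artifacts (not real evidence): a small auth log and a fake image.
        log = d / "auth.log"
        log.write_text(
            "Oct 12 03:14:07 host sshd[2112]: Failed password for root from 203.0.113.9\n"
            "Oct 12 03:14:09 host sshd[2112]: Accepted password for root from 203.0.113.9\n"
        )
        image = d / "disk.img"
        image.write_bytes(bytes(range(256)) * 64)

        # Placeholder case id and collector name; a real manifest would carry the
        # analyst's identity, the acquisition tool, and the source host as well.
        manifest = build_manifest([log, image], case_id="CASE-0001", collector="analyst")
        digest_before = manifest_digest(manifest)
        clean = verify_manifest(manifest) == []

        # Simulate a post-collection modification: a line appended to the retained log.
        with open(log, "a") as f:
            f.write("Oct 12 03:20:00 host sshd[2112]: session closed\n")
        changed = [Path(p).name for p in verify_manifest(manifest)]

        return {
            "clean_before": clean,            # True: everything matched at collection
            "changed_after": changed,         # ["auth.log"]: the altered file is flagged
            "digest_stable": manifest_digest(manifest) == digest_before,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing with a streaming read keeps memory flat for multi-gigabyte images, and checking size before re-hashing lets a verifier skip the expensive read when a file has obviously changed. The manifest digest is the value to write into the incident log or hand to counsel, because anyone holding it can later confirm that neither the artifacts nor the manifest were edited.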

The guidelines also warn that, in the event of a cyber-attack, organizations should not “hack back” or intrude upon the suspect’s network. “Hacking back” may violate a number of laws, and since many intrusions are launched from compromised systems, “hacking back” can damage or impair another victim’s system. The guidance also recommends that victim organizations continue monitoring their networks after a cyber-attack for any unusual activity, to make sure that any unauthorized users are really gone. After an incident is over, the DOJ recommends a post-incident review to identify deficiencies in the planning and execution of the incident response plan.

Lastly, the DOJ suggests that before, during, and after a data breach, organizations work closely with legal counsel experienced in handling data breaches. The use of experienced counsel ensures that an organization will receive accurate advice from counsel who is comfortable addressing the unique and varied issues that arise from a data breach. To review your organization’s data breach preparedness and evaluate the best ways to implement these guidelines in your organization, please contact David Cole at (770) 818-1287 or [email protected].