ALERT – FTC Issues Updated Guidance for Compliance with COPPA

On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for compliance with the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates websites and other online services in connection with collection of information from children under 13.  The full version of the FTC’s updated guidance is available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

The FTC guidance instructs businesses to:

  • Determine if a company’s website or online service collects information from children under 13
  • Post a privacy policy that complies with COPPA
  • Directly notify parents before collecting personal information from children
  • Get parents’ verifiable consent before collecting personal information from children
  • Honor parents’ ongoing rights regarding personal information collected from children
  • Implement reasonable security procedures to protect the personal information collected from children

The FTC’s updated guidance addresses new models used to obtain personal data, such as voice-activated devices used to collect personal information.  The guidance incorporates reference to new products, like connected toys and other products intended for children that collect information like voice recordings or geolocation data.  It also introduces two new methods for obtaining parental consent: (1) asking knowledge-based authentication questions and (2) using facial recognition to match a verified photo ID.

“Website or online service” under COPPA, according to the updated guidance, includes mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, and connected toys or other Internet of Things devices.  In addition, “[p]ersonal information” includes each of the following:  full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers.  Evident from the foregoing list, personal information is defined broadly under COPPA.

The FTC’s updated guidance also notes that if Company A collects personal information through Company B’s child-directed site or service — through an ad network or plug-in, for example — Company B is responsible for complying with COPPA, even if Company B does not collect the personal information.  Moreover, a company’s privacy policy, to be posted on the homepage and on any page where a company collects personal information from children, must describe the company’s practices, and the practices of any other companies collecting personal information on the company’s site or service.

The FTC’s updated guidance shows regulators are concerned with adapting to new technologies that collect children’s personal information and with providing clear notice to parents. If you need assistance reviewing your business’s compliance with COPPA in light of the updated guidance provided by the FTC, please contact Cindy Motley, 312-849-1972, cindy.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.

New Jersey Senate Passes Bill Permitting Identity-Card Scanning by Retailers Only for Limited Purposes

On June 22, 2017, the New Jersey Senate passed the Personal Information and Privacy Protection Act (“the Act”), now awaiting Governor Christie’s handling. The Act permits retailers to scan a person’s identity card (“I.D. card”) for specified purposes and limits the type of information that may be collected to the name, address, date of birth, state issuing the I.D. card, and I.D. card number.

Scanning of I.D. cards, such as a driver’s license, by a retailer is permitted only to:

  • Verify authenticity of the I.D. card or identity of the person (1) if the person is paying for goods or services in a method other than cash, (2) if the person is returning an item, or (3) if the person requests a refund or exchange;
  • Verify the person’s age when providing age-restricted goods or services;
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
  • Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • Establish or maintain a contractual relationship;
  • Record, retain, or transmit information as required by State or federal law;
  • Transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm Leach Bliley Act, or the Fair Debt Collections Practices Act; or
  • Record, retain or transmit information by a covered entity governed by HIPAA.

A retailer may not save any of the scanned information when the scanned information is used solely to (1) verify the authenticity of the I.D. card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.

If a retailer saves the scanned information arising from any of the other permitted purposes, the scanned information must be “securely stored.”  Though the Act does not itself define what “secure” storage is, the N.J. Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (“N.J. I.D. Theft Law”) gives us some guidance. Excepted from the N.J. I.D. Theft Law’s definition of breach is personal information that is encrypted or rendered unreadable. (N.J.S.A. 56:8-161).  This suggests that, at minimum, secure storage might require encrypting or using some other technology to render the scanned information unreadable, or anonymizing it so that it is disassociated from any person.

The Act also requires retailers to “promptly” report any breach of the security of the scanned information to the N.J. State Police and any “affected persons” in accordance with the N.J. I.D. Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of its personal information. While the new Act does not define “prompt” reporting, the timing for reporting breaches of scanned information under the new Act is probably governed by the same time frames as under the N.J. I.D. Theft Law — the most expedient time possible without unreasonable delay. (N.J.S.A. 56:8-163).

Further, the new Act expands the scope of information subject to breach reporting obligations. The existing N.J. I.D. Theft Law defines Personal Information which triggers reporting obligations, if breached, as “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” (N.J.S.A. 56:8-161). The new Act maintains some of the same elements of personal information, including name, state issuing the I.D. card, and I.D. card number; however, two new data elements have been added — address and date of birth — provided the source of this data is scanning an I.D. card.

Finally, the Act prohibits the sale or dissemination of information obtained by a retailer from scanning I.D. cards to any third party for any purpose, including marketing, advertising or promotional activities, but with one exception — the Act does not bar an automated return fraud system from issuing a reward coupon to a loyal customer.

We also note the penalties provided by the Act are $2,500 for the first violation and $5,000 for any subsequent action and the Act permits a private right of action.

While the governor’s action with regard to the Act is uncertain, the passing of the Act suggests regulators are trending towards broadening the scope of information subject to breach reporting obligations and expanding the scope of information on which security-related regulations will be imposed.  Retailers should (1) check their incident response programs to evaluate them for expansion of breach reporting obligations, particularly in light of the potentially expanded scope of personal information imposed by New Jersey, and (2) evaluate the security used (including encryption, redaction, anonymization, and other physical, technical and administrative safeguards) to protect their customers’ information, if retailers collect or plan to collect their customers’ personal information.

If you have questions about your incident response plan or how to evaluate your business’s security programs and procedures, please contact Cindy Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.

Two New Developments in Website Accessibility Cases: Nation’s First Website Accessibility Trial Verdict Is Far From a Winn for Retailers, and Hobby Lobby Is Dealt a Blow in California Decision

As numerous retailers know firsthand, website accessibility has become a hotbed for litigation in recent years. Despite plaintiffs filing scores of website accessibility claims against retailers each year, very few of these cases make it past the pleadings, and there has been little to no guidance from the courts. This changed on June 13, 2017, in Juan Carlos Gil v. Winn-Dixie Stores, Inc., Case No.: 16-23020-CIV-SCOLA (S.D. Fl.), when U.S. District Court Judge Robert N. Scola, Jr. issued the very first post-trial web accessibility verdict, finding that grocer Winn-Dixie violated Title III of the Americans with Disabilities Act (ADA) by having a website that was inaccessible to visually impaired consumers. Judge Scola ordered injunctive relief, providing the parties with a draft three-year injunction, and also awarded Gil his attorneys’ fees and costs.

Although this decision carries no precedential authority over other federal courts or judges, including those in the Southern District of Florida, the decision remains significant for businesses trying to defend themselves against web accessibility claims.

Background

Like most website accessibility claims, the crux of the Gil action is that the plaintiff, a visually impaired consumer, was allegedly unable to use the services on Winn-Dixie’s website (in this case, downloading coupons, refilling prescriptions, and finding store locations) with the assistance of his screen reader software. Based on his experiences, Gil claimed that Winn-Dixie’s website violated Title III of the ADA, because it was inaccessible to the visually impaired. The complaint was filed on July 12, 2016.

Although the Winn-Dixie suit was one of Gil’s first times bringing website accessibility claims, it has been far from his last. Since April 2016, he has filed similar suits against more than 60 other retailers, all in the Southern District of Florida. Scott Dinin, his counsel in each of these actions, is a leading player in the web access arena.

On October 24, 2017, Winn-Dixie filed a motion for judgment on the pleadings, requesting that the court dismiss the case on the grounds that a website is not a place of public accommodation pursuant to Title III of the ADA. Winn-Dixie’s motion prompted the United States Department of Justice (DOJ) to file a Statement of Interest, which noted that Winn-Dixie’s argument could not “be squared with the plain language of the statute, the regulations, or with federal case law addressing this issue.” The DOJ continued:

The United States respectfully submits this Statement of Interest to clarify public accommodations’ longstanding obligation to ensure that individuals with disabilities are not excluded, denied services, or treated differently than other individuals because of the absence of auxiliary aids and services, such as accessible electronic technology. This obligation means that websites of places of public accommodation, such as grocery stores, must be accessible to people who are blind, unless the public accommodation can demonstrate that doing so would result in a fundamental alteration or undue burden.

On March 15, 2017, Judge Scola rejected Winn-Dixie’s Motion, explaining that Gil had alleged sufficient facts that, if proven at trial, would demonstrate a “nexus” between Winn-Dixie’s physical store locations and its website that would place the website within the purview of Title III.

The case went to trial on June 5, 2017. The two-day, non-jury trial included testimony by Gil, Gil’s website accessibility expert, and a corporate representative from Winn-Dixie who had knowledge about its website applications.

The Court’s Order: Websites That Operate as a “Gateway” to Physical Store Locations Are Places of Public Accommodation Covered by the ADA

Judge Scola issued an order in favor of Gil on June 12, 2017. Judge Scola held that Winn-Dixie violated Title III of the ADA by failing to provide an accessible public website and, thus, denying individuals with disabilities the “full and equal enjoyment” of its website.

The ruling expressly avoids deciding whether Winn-Dixie’s website, itself, is a place of public accommodation. Instead, the court reasoned that because Winn-Dixie’s website “is heavily integrated with Winn-Dixie’s physical store locations,” the website is considered a place of public accommodation under Title III as it “operates as a gateway to the physical store location.” The court noted that a customer’s ability to download coupons, locate stores, and refill prescriptions on the website sufficiently demonstrated a nexus between the website and physical store locations.

In finding that Winn-Dixie’s website is inaccessible to visually impaired users, the court adopted the Web Content Accessibility Guidelines (WCAG) 2.0 as the accessibility standard that Winn-Dixie must follow to make its website ADA compliant. Even though the guidelines have not been formally adopted by the DOJ, Judge Scola’s ruling confirms that WCAG 2.0 is the leading industry standard for accessibility. (We have previously recommended, in “Online Retailers Increasingly at Risk of Website Accessibility Lawsuits,” that online retailers endeavor to meet WCAG 2.0 standards.)

The court expressly rejected Winn-Dixie’s argument that the cost of remediating the website, which Winn-Dixie estimated to be $250,000.00, was an undue burden. In response, the court stated that whatever the cost of remediation may be, it “pales in comparison to the $2 million Winn-Dixie spent in 2015 to open the website and the $7 million it spent in 2016 to remake the website for the Plenti [customer rewards] program.”

Notably, and of significant import to retailers facing such claims, the court did not limit the reach of its order to only those portions of Winn-Dixie’s website that it operates internally. The court specifically held Winn-Dixie responsible for the entire website’s lack of accessibility, notwithstanding the fact that portions of the website are operated by third-party vendors such as Google and American Express. The court explained, “[m]any, if not most, of the third party vendors may already be accessible to the disabled and, if not, Winn-Dixie has a legal obligation to require them to be accessible if they choose to operate within the Winn-Dixie website.”

Lastly, the court provided the parties with a draft injunction, ordering Winn-Dixie to do the following, among other things:

  • Adopt and implement a web accessibility policy that ensures that its website conforms with WCAG 2.0 criteria;
  • Require any third party vendors who participate on its website to be fully accessible to the disabled by also conforming with WCAG 2.0 criteria;
  • Display a publicly available Statement of Accessibility on the website;
  • Provide mandatory training, once a year, to all employees who write or develop programs or codes for the website on how to conform all web content and services with WCAG 2.0 criteria; and
  • Conduct web accessibility monitoring of its website once every three months to identify non-compliance with WCAG 2.0 criteria.

Gorecki v. Hobby Lobby Serves Further Blow to Online Retailers

On June 15, 2017, just a week after the Gil decision was issued, Judge John F. Walter of the Central District of California denied a motion to dismiss website accessibility claims in Gorecki v. Hobby Lobby Stores, Inc. (Case No.: 2:17-cv-01131-JFW-SK). Hobby Lobby argued in its motion that because the U.S. Department of Justice had not promulgated final website accessibility regulations under Title III setting forth specific accessibility standards, it would violate due process to grant injunctive relief, since Hobby Lobby did not have sufficient notice of the need to make its website accessible. Hobby Lobby also argued the action should be dismissed under the primary jurisdiction doctrine which, if applied, would hold that the court should not rule on website accessibility issues until DOJ promulgates and adopts regulations. In the past, these arguments have failed in the context of website accessibility, but their potential viability was recently revisited after Judge James S. Otero of the Central District of California dismissed a website accessibility action on these same grounds in Robles v. Dominos Pizza LLC (Case No.: 2:16-cv-06599-SJO-FFM).

The Court in Gorecki rejected each of Hobby Lobby’s arguments. With regard to Hobby Lobby’s claim that it lacked sufficient notice, the court emphasized that DOJ has articulated its position that Title III requires website accessibility for over 20 years — in speeches, congressional hearings, amicus briefs and Statements of Interest, rulemaking efforts, and enforcement actions and related settlement agreements — and that, regardless, Title III has always required “full and equal enjoyment” and the provision of “auxiliary aids and services for ‘effective communication.’” The court also rejected Hobby Lobby’s argument that the primary jurisdiction doctrine should apply, stating that the case could be handled like other Title III matters, and that invoking the doctrine could needlessly delay potentially meritorious claims.

Conclusion

Although the Gil and Gorecki decisions are not binding, both decisions highlight the risks of litigating website accessibility claims, particularly in instances where there is a nexus between the business’s website and its physical store locations.


If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com.

Rallying Cry: Health Care Cybersecurity a Key Public Health Concern

On June 2, 2017, the Health Care Industry Cybersecurity Task Force published its Report on Improving Cybersecurity in the Health Care Industry. The lengthy and comprehensive Report serves as a wake-up call to the medical field, taking seriously the threat of cyber-attacks targeting health care providers, the dangers created by increasing digital interconnectivity in the medical field, and the industry’s shortcomings in its ability to handle the cyber-related challenges it presently faces. The House Energy and Commerce Subcommittee on Oversight and Investigations held a hearing on June 8 on the report and HHS’ greater role in cybersecurity efforts.

The Task Force was established by Congress as part of the Cybersecurity Act of 2015 and created to address cybersecurity issues facing the healthcare industry following an increase in identity theft, ransomware, and hacking. Healthcare leaders across the public and private sectors worked closely together and with the general public over the course of a year, and this Report reflects their findings. It acknowledges that, despite significant cybersecurity risks facing and created by the health care industry’s recent and ongoing transition to wholesale use of interconnected medical devices, most healthcare providers fail to take accountability for the security risks they help create. The Report calls upon healthcare organizations to take responsibility for securing themselves and the data they collect, and identifies six key imperatives for providers to follow in preparing to meet what the Report deems “an urgent challenge.” These imperatives are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

The Report highlights the danger of patient information falling into the wrong hands, noting that healthcare data can be misused for fraud, identity theft, supply-chain disruptions, theft and sale of proprietary information, stock manipulation, and disruption of patient care. It focuses on the nature of the healthcare industry itself, a “large, diverse, and open” conglomerate subject to “a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions”; and emphasizes the industry’s unique, sharing culture, whereby healthcare professionals prioritize the speedy, seamless treatment of patients at the risk of opening themselves up to increased cybersecurity risks.

As discussed in our May 13, 2017 Alert on Ransomware, a proactive approach is often easier and less costly than a reactive one. Cyber risks continue to present a fast-evolving landscape, especially in the healthcare area. Prevention is key to mitigation in this area and a better option than facing a breach unprepared.  A health care entity that knows those risks and controls the data that flows within and outside its walls will be better equipped to protect sensitive data and mitigate possible security incidents.

If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Kimberly Cook (305.671.2159, kimberly.cook@sedgwicklaw.com) or Alexandra Block (305.671.2167, alexandra.block@sedgwicklaw.com).

ALERT – OCR Issues Quick Response Cyber Attack Checklist and Graphic

In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS), discussed in Cinthia Motley’s May 13, 2017 Alert: Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights (“OCR”) issued a Quick Response Cyber Attack checklist and graphic on June 9, 2017. The checklist and the corresponding infographic outline the following steps that HIPAA covered entities and business associates need to consider taking in response to a cyber-related security incident:

  1. Execute its response and mitigation procedures and contingency plans.
  2. Report the crime to law enforcement agencies.
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
  4. Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

While all of these steps may not necessarily apply to all situations, we recommend that HIPAA covered entities and business entities review their current IRP and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal agencies and ISAOs. As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined that no breach occurred.

If you are concerned that your business does not have the proper IRP or needs assistance in developing one, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com, or Carol Gerner (312) 849-1959 or carol.gerner@sedgwicklaw.com.

Executive Order Directs Federal Agencies to Put Their Own Houses in Good Cybersecurity Order

On May 11, 2017, the White House issued an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order mandates that federal department and agency heads take an active role in reviewing, improving, and modernizing cybersecurity risk management, and stands as a major action toward enhancement of cybersecurity in the wake of high-profile federal agency breaches such as those of the Office of Personnel Management and of the IRS in 2015, and an election riddled with headlines of hackers releasing sensitive information taken directly from government agencies.

A hallmark of the Order is that it places cybersecurity responsibility squarely on department and agency leaders, laying out a series of reporting and reviewing deadlines that synthesize and build upon the Cybersecurity Framework and other measures first implemented by previous administrations. The Order seems poised to prioritize modernization in the area by moving away from “antiquated” and “difficult-to-defend” IT systems and exploring the possibility of upgrading to shared IT services and use of the cloud. It also emphasizes the importance of training and educating in the field of cybersecurity, to help prepare for and combat future threats.

Overall, the order is seen by many as a big step towards holding federal agencies responsible for the same cybersecurity assessments and measures that they expect and require of the entities they regulate. Despite government vulnerability to cyberattacks, generally government agencies have not previously been held as accountable for the same vulnerabilities they investigate in the private sector. By not only requiring that federal agencies now utilize the cybersecurity framework promulgated by The National Institute of Standards and Technology (“NIST”) in the prior administration, but also by requiring department and agency heads to take an active role in reviewing and reporting on compliance with the framework, the Order focuses on holding agencies accountable and, as one White House spokesperson put it—asking them to practice what they preach.

Some commentators feel that the order does not go far enough, with one Senator calling it simply a “plan for a plan,” which prioritizes further review and reporting over actual action against real-time threats. What also remains to be seen is whether the short, ninety-day reporting timeframes mandated by the order are workable, and whether the changes that will result from the report and review periods will be financially feasible for the agencies, and also for the private sector companies that do business with them and will likely be subject to increased scrutiny as well. Other concerns voiced center on the provisions directing that the Secretary of Defense, as well as the Directors of National Intelligence and the FBI, will be involved in efforts to support the cybersecurity risk management of owners and operators of the Nation’s critical infrastructure, and the impact that will have on the privacy of personal information maintained by the various agencies.

In the meantime, the Order serves as an important step to hold the federal government responsible for its own cybersecurity and to prioritize cybersecurity in a time that it is clearly needed.

ALERT: Ransomware – a Global Wake-Up Call

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack

On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that:

HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems. We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cyber security best practices – particularly with respect to email. (Emphasis added).

This alert comes on the heels of Friday’s global ransomware attack, which has spread to nearly 100 countries. The attacks are being blamed on malware called WCry, WannaCry or Wana Decryptor.

So what measures can your company take to protect itself in the event of a ransomware attack?

If a company is infected with ransomware, it faces two hard choices: either pay ransom to unknown criminals or try to restore its systems, if possible. With either option a company faces risks.  Thus, prevention and pre-breach planning are key, including taking the following steps:

Update systems and software with current patches: Ransomware spreads easily when it encounters unpatched or outdated software. The HHS has noted that the WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). Microsoft also just released an emergency security patch update for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. In addition, keeping computer and antivirus software up to date adds another layer of defense that could help stop malware.

Refresh, Review, Retrain: To protect your company from a ransomware attack, properly train employees on cybersecurity.  Authorized users can expose a company the most when it comes to cybersecurity risks.  This includes employees who are vulnerable to social engineering and phishing attacks. Thus, train employees to identify phishing attacks and to perform proper authentication of third parties before providing them with data or access to the network.

Data Access Controls: Granting users access to data and systems minimally necessary to do their jobs and closely monitoring access controls can help contain the spread of initial infections.

Implement Data Loss Prevention (DLP) and Intrusion Detection Systems: Quickly identifying potential infections with intrusion detection systems can allow a company to rapidly isolate infected servers and/or endpoints (computers), also preventing the spread of initial infections. Using data loss prevention tools companies can enforce protection policies, and administrators can secure sensitive business data and prevent illegal access to data.

Implement Regular and Offsite Data Backups: In the event of a ransomware attack, decryption keys are not always provided even when ransoms are paid. Backups stored on the same infected server are often encrypted along with the primary data. Thus, regular data backups that are continually tested to ensure they can be restored if needed are important to help a company recover its data, resume operations and avoid paying a ransom demand.  It is equally important that backups be stored offsite.

Implement, practice and update incident response and business continuity plans: Having a tested incident response plan will help an organization quickly respond to a security incident.  While many organizations have information security procedures in place, it is important that those plans and procedures be reviewed to address a potential ransomware attack.  Similarly, perhaps the biggest impact of a ransomware attack is the downtime an organization may face, which can bring business functions to a halt.  Thus, it is critically important that companies update their business continuity plans to specifically address ransomware.

Quickly deploy the incident response team and protect privilege: Quick incident response team deployment is essential when faced with a ransomware attack. This should include having legal, forensic and public relations consultants, as well as law enforcement contacts, identified before a security incident occurs. Top-level awareness is equally important, as crisis management decisions will need to be made quickly, such as: whether the ransom demand will be paid and, if so, who should negotiate the ransom payment; how and when to notify law enforcement; and any internal or external communication necessary. As these decisions may greatly impact a company’s business, financial and legal obligations, it is critically important that in-house or outside legal counsel be involved from the outset to advise and guide the organization, including in the retention of outside consultants. This is the best measure to help protect attorney-client privilege as company executives are forced to navigate quickly through important decisions for the organization.
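The intrusion detection and access control steps above both depend on noticing an infection early enough to isolate the affected endpoint. The following is an added example written for this page; it is not code from the newsletter or from the Sedgwick team. It assumes a file-server audit log in a simple constructed format (timestamp, user, host, action, path) and flags an actor whose burst of file modifications looks like mass encryption: many files rewritten with an extra extension appended (for example `report.docx.locked`) or a ransom-note-style file name appearing. The log lines, field names and thresholds are all assumptions for the example.

```python
"""Flag ransomware-like file activity in file-server audit logs.

Added example, not from the original newsletter. Log format, field names,
extension pattern and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

# One audit record per line: "<ISO timestamp> <user> <host> <ACTION> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (READ|WRITE|DELETE|RENAME) (\S+)$")
MUTATING = {"WRITE", "DELETE", "RENAME"}
# A file name carrying two extensions, e.g. "q2.xlsx.locked": the original
# extension is preserved and a new one appended, a common encryption pattern.
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9_-]{2,12}$")
# Ransom-note-style file names (heuristic; an assumption for this example).
NOTE_RE = re.compile(r"(DECRYPT|RESTORE_FILES|RANSOM|HOW_TO)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "path": path}


def detect(lines, window=timedelta(seconds=60), min_events=20, min_ratio=0.4):
    """Sliding-window detector keyed on (user, host).

    An alert is raised when, within `window`, an actor has at least
    `min_events` mutating operations and either `min_ratio` of them target
    double-extension names or any of them create a ransom-note-like file.
    Returns one alert dict per offending actor.
    """
    events = [e for e in map(parse_line, lines) if e and e["action"] in MUTATING]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)
    alerts = {}
    for e in events:
        key = (e["user"], e["host"])
        q = windows[key]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:  # drop events outside window
            q.popleft()
        double_ext = sum(1 for x in q if DOUBLE_EXT_RE.search(os.path.basename(x["path"])))
        notes = sum(1 for x in q if NOTE_RE.search(os.path.basename(x["path"])))
        if len(q) >= min_events and (double_ext / len(q) >= min_ratio or notes):
            first_seen = alerts[key]["first_seen"] if key in alerts else q[0]["ts"]
            alerts[key] = {"user": e["user"], "host": e["host"],
                           "first_seen": first_seen, "events": len(q),
                           "double_ext": double_ext, "ransom_notes": notes}
    return list(alerts.values())


def constructed_sample_log():
    """Constructed sample data (not real logs): two benign users plus one
    host that rewrites 25 documents as *.docx.locked and drops a note."""
    lines = [
        "2017-06-21T09:00:01 alice WS-17 WRITE /srv/share/finance/q2.xlsx",
        "2017-06-21T09:00:05 bob WS-22 READ /srv/share/hr/handbook.pdf",
        "2017-06-21T09:01:10 alice WS-17 WRITE /srv/share/finance/notes.txt",
    ]
    base = datetime(2017, 6, 21, 9, 2, 0)
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} mallory WS-31 WRITE /srv/share/finance/doc{i}.docx.locked")
        lines.append(f"{t} mallory WS-31 DELETE /srv/share/finance/doc{i}.docx")
    t = (base + timedelta(seconds=26)).isoformat()
    lines.append(f"{t} mallory WS-31 WRITE /srv/share/finance/HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_sample_log()):
        # The host named here is the one to isolate from the network first.
        print(f"ALERT {a['user']}@{a['host']} since {a['first_seen']}: "
              f"{a['events']} modifications, {a['double_ext']} double-extension "
              f"writes, {a['ransom_notes']} ransom-note files")
```

Thresholds like these belong in a tuned IDS rule rather than a script, but the shape of the check is the point: the alert names the user and host, which is exactly what the containment step needs in order to isolate the endpoint and revoke its access before the infection reaches shared data.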

In short, being proactive is often easier and less costly than a reactive approach.  Cyber risks present a fast-evolving landscape. Data loss through cybercrime and internal risks represents an increasing business exposure. Prevention is key to mitigation in this area and a better option than facing a breach unprepared.  An entity that knows those risks and controls the data that flows within and outside its walls can best remain competitive in its marketplace.  Using this knowledge, a company can most efficiently protect sensitive data and quickly respond to security incidents.

If you are concerned that your business needs help with combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you.  Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com.


Sedgwick LLP Cinthia Motley Named Illinois Cybersecurity Litigation Lawyer of the Year

Sedgwick LLP is pleased to announce that Cinthia Granados Motley, partner and co-chair of the firm’s Cybersecurity and Privacy Group, was named the 2017 Corporate International Global Awards Cybersecurity Litigation Lawyer of the Year in Illinois.

In her legal practice, Motley handles data privacy and security matters assisting clients, domestically and internationally, to implement effective information security practices, including information governance and litigation readiness. She represents clients in data security and privacy matters and routinely acts as incident response counsel to large international entities, as well as privacy litigation counsel.

Motley is a sought-after, recognized attorney in the critical cybersecurity and privacy area of law and is honored to be recognized for her work. She was selected as a Super Lawyers Top Women Attorney in Illinois and a Super Lawyers Rising Star in 2012 – 2013, and was named one of The National Law Journal’s Cybersecurity and Data Privacy Trailblazers. She also serves as adjunct professor at Chicago-Kent College of Law, teaching data management, information governance and e-discovery.

Preparing for PIPA — Data Protection and Implications for the Insurance Industry

On 2 December 2016, the administrative provisions of the Personal Information Protection Act 2016 (PIPA; the Act) came into force establishing the office and powers of the Privacy Commissioner and providing for the method of appointment of the Privacy Commissioner. The substantive provisions of the Act will not come into force until 2018.

One objective of Parliament in passing the Personal Information and Protection Bill was to put in train the process by which Bermuda may seek a data protection adequacy determination from the European Commission. An adequacy determination will be of considerable assistance to Bermuda reinsurers, for example, who need to import personal data from Europe for underwriting and claims-related purposes.

The resolution of the European Parliament in May 2016 regarding ongoing negotiations of the EU-US Privacy Shield, an arrangement intended to replace the now defunct ‘safe harbour’ decision, has emphasised the importance to a successful adequacy application by a non-EU country that the holder of the office responsible for the administration and enforcement of domestic personal information protection legislation should be independent from government. This fact was explicitly acknowledged by the Minister for Economic Development in his ministerial statement on 3 February 2017, announcing the commencement of the administrative provisions of the Act on 2 December 2016. The Minister said ‘the creation, staffing and operations of the Commissioner’s office will be done in a manner to ensure full compliance with those requirements’.

Insurers and insurance managers, agents and brokers, in common with all organisations, will need to adopt suitable measures and policies to give effect to their obligations and to the rights of individuals set out in the Act, when the substantive provisions come into force. It will be difficult to craft measures and policies to ensure compliance until the Privacy Commissioner (once appointed) has published guidance or the Minister for Economic Development has issued a code of conduct, but insurers and insurance managers, agents and brokers should be familiarising themselves with the Act’s substantive provisions now.

Overview of PIPA

The Act applies to every organisation that uses personal information in Bermuda where the personal information:

  • is used wholly or partly by automated means, or
  • forms, or is intended to form, part of a structured filing system.

‘Personal information’ is information about an identified or identifiable individual.

When the substantive provisions come into force, organisations must not use personal information unless one or more of the conditions of section 6 of the Act are met.

‘Using’ personal information ‘means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it’.

There are some exclusions from the regulation of the use of ‘personal information’, such as the ‘use of business contact information for the purpose of contacting an individual in his capacity as an employee or official of an organisation’. However, whether all personal information used about an individual is ‘business contact information’ is likely to be hard to determine in some cases.

In practice, organisations are likely to seek to premise their lawful use of personal information predominantly on the satisfaction of condition (1)(a) of Section 6 of the Act, which requires obtaining the knowing consent of the individual. This is because compliance with the condition can be tested objectively.

Other conditions of use may also be of practicable assistance to organisations, for example, where use is necessary for the performance of a contract to which the individual is a party, or is pursuant to a provision of law that authorises it, or is in relation to publicly available information. But assessing compliance with these conditions will involve a greater degree of judgment than testing for consent.

Personal information may also be used (except sensitive personal information) where a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use of his personal information should not begin or cease and the use does not prejudice the rights of the individual.

Since it will be difficult for organisations to anticipate in any given case whether this condition is fulfilled, it is likely to be used more as a last resort in connection with uses that would otherwise have been unlawful, rather than relied on by organisations as a general rule for ensuring their compliance with the Act.

When the substantive provisions of the Act come into force, organisations will be required to:

  • Safeguard personal information.
  • Only use it in a lawful and fair manner.
  • Provide individuals with privacy notices, which the organisation must take reasonably practicable steps to ensure are provided either before or at the time of collection of personal information, about the organisation’s practices and policies with respect of personal information.
  • Except with the consent of the individual, or where necessary to provide a service or product that is required by the individual, or in certain other circumstances, use personal information only for the specific purpose stated in the privacy notice.
  • Ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use and kept no longer than is necessary for that use.
  • Not transfer personal information to an overseas third party unless it reasonably believes the personal information will be subject to a level of protection comparable to that required by the Act.

There are penalties under the Act for certain breaches and for causing financial loss and emotional distress. An offender is liable:

  • On summary conviction, in the case of an individual, to a fine of up to $25,000 or up to two years of imprisonment or to both.
  • On conviction on indictment, in the case of a person other than an individual, to a fine of up to $250,000.

The Privacy Commissioner, when appointed, will have various powers which may be used to assist insurers and insurance managers, agents, and brokers in confirming what they must do to comply, including powers to:

  • Comment on the implications for protection of personal information in relation to an organisation’s existing or proposed programmes.
  • Approve binding corporate rules for transfers of personal information to an overseas third party.
  • Give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under the Act.
  • Permit an organisation to transfer personal information to an overseas third party where the organisation has reasonably demonstrated that it is unable to assess the level of protection provided by the overseas third party for that personal information provided the transfer does not undermine the rights of the individual.
  • Establish certification mechanisms that can demonstrate compliance with the Act.

In addition, as noted at the start of this article, the Minister with responsibility for the Act (currently the Minister for Economic Development) may publish codes of practice.

Consequential amendments to other legislation necessary to implement the Act are expected to be tabled later this year.

Nick Miles
Head of Non-Contentious Insurance
Sedgwick Chudleigh
nick.miles@sedgwicklaw.com 441.278.7164 direct

Mark Chudleigh
Managing Partner
Sedgwick Chudleigh
mark.chudleigh@sedgwicklaw.com 441.278.7160 direct

Alex Potts
Partner
Sedgwick Chudleigh
alex.potts@sedgwicklaw.com 441.278.7165 direct

Privacy and Security — How the 115th Congress’ Repeal of the FCC’s New Privacy Rules Has Made Your Data Less Private and Decreased National Security

Between news reports featuring Russian-gate scandals, Syrian missile attacks and challenges to North Korea, one important news item went oddly underreported. That is the story about a loss of our privacy and security by the new Congress.

FCC’s new privacy rules

In October 2016, the Federal Communications Commission passed new rules that would have required Internet Service Providers (ISPs) to obtain your permission to effectively invade your privacy rights. The rules would have kept providers such as Comcast and Time Warner Cable from monetizing personal information based upon browser history. This history may include activity such as your searches, shopping habits and even secret obsessions. ISPs can insert adware that is undetectable and tracks your traffic and records your browsing history. This generates valuable data for the ISP, maximizing its profits and leaving you vulnerable.

On October 27, 2016, in a 3-2 vote, the FCC approved new rules regarding how ISPs handle their customers’ browsing history, mobile location data and other sensitive information generated by virtue of their customers’ use of the internet.

The purpose of the new rules was to restrict ISPs’ ability to share with advertisers and other third parties information collected from users. This was viewed by many as a big victory for privacy rights advocates. However, these rules are one of the more immediate victims of the November 8, 2016 election, which brought Republican control to both Congress and the White House.

The FCC’s new rules effectively created some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have had significant impact on ISPs’ ability to make a profit.

The new rules required an opt-in standard for third-party data uses. This is significant because historically in the U.S., privacy guidelines require only that users opt-out of data uses such as ad targeting based on behavioral data.

Also, not all internet entities were covered by the new FCC rules. The rules affected only companies that connect users to the internet, including Comcast, Verizon and Sprint. The rules did not apply to internet companies that have huge advertising businesses based on customer data, such as Facebook or Google. Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules would have been a shift of revenue and power away from ISPs toward the existing internet giants.

The 115th Congress

In March of this year, the House and the Senate voted to overturn the not-yet-implemented FCC privacy rules. This was considered a victory for ISPs, which had argued against the regulation because it disadvantaged them compared to non-ISPs.

Congress’ action not only upsets privacy rights advocates and impacts the privacy rights of individuals, but it also impacts cybersecurity for the entire nation. Although this didn’t make a big splash in the news, it is important that the American public understand that not only is individual privacy compromised, but cybersecurity is weakened, because privacy and security are linked together. Privacy is characterized by control over access to information, and so is security; by blocking the FCC’s more stringent privacy rules, Congress has weakened cybersecurity for all Americans.

Security: ISPs have a bad track record on security

Your ISP continually collects huge amounts of data such as search results, places you visit on the internet (dates and times), how often you visit and how long you are on a particular site. This is your web browsing history. ISPs also record financial and personal information or data via your transactions on the web through your browser.

ISPs do not have a great track record of keeping information safe. In fact, there have been a number of high-profile breaches, such as the AOL breach involving the data of more than 500 million users. Recently, Comcast suffered a large breach of information involving the data of almost 600,000 users. The new rules would have required ISPs to obtain opt-in consent before providing your information to third parties. This would have reduced the treasure trove of data now held by the ISPs, thereby reducing the exposure to a breach of personal data.

In addition to obtaining credit card and other financial data, hackers can pinpoint the browsing history of each individual, which may be used to blackmail that individual.

Insertion of adware and spyware weakens security

A number of ISPs insert adware and spyware into their browsers, which generates targeted advertising. For purposes of this article, we will refer to adware and spyware, which are not very different in terms of invasiveness or functionality, as just adware. ISPs insert adware into browsers that analyze browsing history in order to customize ads specifically for you.

The insertion of adware into a browser is a major threat to cybersecurity because inserting new code into a webpage could break the security of that page. The new FCC privacy rules would have ended this practice. In basic terms of security, hackers take advantage of this security weakness in the insertion process to break into sites and applications that you use. It gives hackers an easy way in.

A related security issue comes from ISPs installing adware on devices, such as a mobile phone, which most of us purchase directly from the service provider as part of a service agreement. In the past, ISPs have justified the installation of adware on the basis that it was to improve wireless network service and performance. After a lot of blowback, ISPs backed down on pushing the adware application. ISPs will likely revert to placing adware on mobile devices, since the Congressional repeal of the FCC privacy rules effectively removes the FCC as a privacy watchdog. And adware can record virtually all of your phone functions, including system logs, app usage and other communications. Any adept hacker can intercept the adware’s traffic and obtain sensitive information such as usernames and passwords without much in the way of sophisticated hacking. A hacker can hijack your phone entirely and access almost anything, including your contacts, phone numbers and call history logs.

Conclusion

The Congressional repeal of the FCC privacy rules will have security implications far beyond what was ever envisioned or intended. Without these privacy rules, ISPs will continue with impunity to sell user browser data and will likely resume dangerous practices such as inserting adware into mobile devices. Since there is no opt-in requirement, many consumers are unaware of these issues. Most users simply ignore or click through agreements without being aware of what is happening behind the scenes. The negative security implications of the repeal of the FCC rules are far reaching and have long-lasting implications for personal privacy and national security. The end result is simple: repealing the FCC’s privacy rules will not just be a disaster for Americans’ privacy, it will be a disaster for America’s cybersecurity, too.

Originally published on Law360, April 26, 2017 (subscription required). Posted with permission.