The Ever Expanding Scope of Cyber Risks: All Policy Lines Beware

What exactly a cyber risk is, and in particular which cyber risks are covered by insurance, is a constantly evolving concept. Insureds, insurers and reinsurers are continually faced with new types of risks and claims that fall within the rubric of “cyber.” A cyber risk is often broadly construed as anything related to the use of a computing device or network. As cyber risks expand, so does their impact on insurance lines, both those designed to apply to them and those that are affected inadvertently in what has become known as “silent cyber” coverage. Thus, insurers in all lines need to become familiar with identifying and addressing cyber risks.

The types of events that can trigger cyber coverage, and the scope of coverage afforded by cyber policies, still vary considerably. In the early 2000s, in the wake of the enactment of data breach notification laws that began in the U.S. in 2003 in California (and are now in place in 48 U.S. states and in jurisdictions worldwide), most cyber policies focused on payment of breach investigation and notification costs for events that involved the loss or theft of protected personal information maintained in electronic formats. That is still a fundamental coverage afforded by almost all cyber policies, and is often a coverage added on to other types of policies. However, in recent years, there has been an expansion of the types of cyber events to which businesses, and their insurers, are subject. Some current cyber events do not even involve an actual breach of computer systems, but merely the threat of one.

Even the basic exposure of businesses to theft and loss of protected personal information has increased in scope. Laws and regulations in the U.S. are expanding the definition of what constitutes protected personal information, for example increasingly including on-line log-in credentials and biometrics. Jurisdictions outside the U.S., many of which already had a broad definition of protected personal information, are adopting notification requirements, such as the EU’s General Data Protection Regulation (“GDPR”) that will go into effect in May 2018. This has increased the exposure to businesses, and to their insurers who provide coverage for the costs of investigating and responding to a data breach. While cyber insurers offering stand-alone cyber coverage are likely aware of these developments, insurers offering breach response add-on coverage to “traditional” lines of coverage such as professional liability and other E&O insurance may not be fully taking into account the impending increase in exposure presented by these developments.

Moreover, there has been expansion of cyber risks well beyond the theft or loss of information. As demonstrated by recent news stories, cyber events now include denial of service attacks and attacks directed at destruction of information and systems. This is in addition to the rapid increase in cyber extortion and ransomware, funds transfer frauds utilizing social engineering and electronic communications to trick business employees into making wire transfers to bank accounts controlled by criminals (often referred to as business email compromise), and similar events that may not include a theft of information or breach of a business’s own computer systems. Often, the resulting damages are well beyond investigation and notification costs, and include economic losses resulting from denial of access to systems, property and data damage, bodily injury (particularly when medical devices are affected) and an array of third party claims by corporate and individual customers, business partners, and others affected by the event.

These days, just the vulnerability to a cyber-attack, even if an attack or breach has not occurred, can generate claims against a business by regulators, customers, and shareholders. Increasingly, there are regulatory and legal proceedings that allege failure by a business to comply with the growing number of laws and regulations that require cybersecurity protection to be in place or require disclosure of data collection and security practices, with resulting fines, injunctive relief and potentially other damages awarded for non-compliance. Recent lawsuits against a law firm and a medical device developer, while so far unsuccessful, generated substantial legal defense costs. Regulatory proceedings investigating businesses’ compliance with security and disclosure requirements for cyber risks can also be expensive to defend. Vulnerabilities in cybersecurity have led to finger-pointing by businesses at their cybersecurity vendors and other business parties. Vulnerabilities in software that increase the risk of cyber-attacks of any kind, be it auto theft, data compromise, or privacy violations, can also generate claims even before a breach or loss occurs.

Businesses faced with such losses and claims often look not only to stand-alone cyber insurance policies to pay, but also to other types of policies they may have in their insurance arsenal. Many “traditional” lines of insurance have expanded to include add-on coverages for breach response or other designated cyber risks: first party property, third party professional liability and other types of E&O lines, and even general liability.

However, other lines often get caught up, less deliberately and sometimes inadvertently, in claims that arise from cyber risks, and are faced with requests to cover claims of economic losses, property damage or bodily injury. Virtually every insurer has been faced with a claim it never anticipated, which arose from what can be described as a cyber event because it involved the use of, or affected, a computer system even tangentially.

Crime insurers are now facing the increasing number of funds transfer frauds that involve usage of computers, resulting in a series of conflicting court decisions as to coverage. D&O insurers have been faced with claims by shareholders against boards of companies that sustained data breaches for their role in alleged inadequate cyber security or breach response. Employer’s liability insurers may see claims from employees disciplined or terminated because of cyber events and perceived fault. Media liability insurers (and cyber insurers offering media coverage as part of stand-alone cyber policies) are faced with claims arising from the content of statements on business websites and social media. Products liability and product recall insurers are likely to see claims arising from allegedly defective cyber security in devices connected to networks, which these days include a broad range of consumer and health-related products. Property insurers have long dealt with claims arising from events ranging from stolen computers to network outages, resulting in property damage and business interruption claims both direct and contingent. Some insurers on these lines have embraced extensions of coverage that knowingly encompass such cyber risks. Others have relied on cyber exclusions that can be difficult to fashion to exclude all possible exposures from all possible cyber related events. Personal lines insurers, such as homeowner insurers, are not immune, as individuals as well as businesses are at times faced with claims, as demonstrated by those against families who have a member accused of cyberbullying.

Thus, it is increasingly important for insurers to train both underwriters and claims handlers working on lines of insurance other than stand-alone cyber policies to recognize the risk of cyber exposures when drafting coverage forms and exclusions, underwriting prospective insureds, and receiving notice of a claim. Often, identifying a potential cyber-related claim and consulting with internal talent experienced in addressing such risks can be key to controlling the risk and exposure, both on an individual and an aggregate basis, for the insured, the insurer, and the reinsurer.

*This article was originally published in the TransRe Global Cyber Newsletter

Sedgwick LLP Teams Up With Non-Profit To Assist Hurricane Maria Victims in Puerto Rico

Sedgwick LLP appreciates all of our Puerto Rico clients, and in an effort to help the communities in which they serve, we invite you to support the people of Puerto Rico by donating to Asesores Financieros Comunitarios, a charity and non-profit providing assistance to those impacted by Hurricane Maria. Asesores Financieros Comunitarios is a United Way affiliate, and your donation will provide economic assistance for employees laid off and on reduced-leave as a result of Hurricane Maria. Donations do qualify as a Federal Exemption 501c3. For more information, and to donate now, please click here.

State Updates on Cybersecurity Regulations: New York DFS Issues FAQs on Its Cybersecurity Regulations and Colorado Adopts Rules Applicable to Broker-Dealers and Investment Advisors

New York and Colorado have continued to take the lead in cybersecurity requirements for regulated financial institutions.

The New York Department of Financial Services (DFS), which issued the first state cybersecurity regulation directed at its regulated financial institutions, 23 NYCRR Part 500, recently updated its “Frequently Asked Questions Regarding 23 NYCRR Part 500” on July 31, 2017, to assist entities covered by the regulation in their compliance. It has also announced a new online portal for secure transmission of all notifications required under this new regulation.

Meanwhile Colorado’s Division of Securities adopted the new cybersecurity rules it had proposed earlier this year applicable to broker-dealers purchasing securities in Colorado and investment advisors who do business in the state.

For background, see our May 3, 2017, article, “Other States Start to Follow New York Lead on Cybersecurity of Regulated Entities,” in which we addressed the recently enacted New York State Department of Financial Services cybersecurity regulation and the then-proposed Colorado regulations targeted at financial advisers.

New York FAQs

The New York DFS Regulations that went into effect March 1, 2017 (with transition periods) were designed to “promote the protection of customer information and information technology systems of regulated entities.” The regulated “Covered Entities” were defined to mean any “Person” operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York.

On July 31, 2017, the DFS issued its updated “Frequently Asked Questions Regarding 23 NYCRR Part 500,” which provides its answers to 18 frequently asked questions concerning the regulations. The FAQs provide insight into how the DFS interprets the regulations and the extent to which it will defer to the “appropriate judgment” of the Covered Entities on certain issues, including the circumstances under which an “unsuccessful attack” constitutes a “Cybersecurity Event” that meets the reporting requirements of the regulations.

It is noteworthy that the FAQs state that the DFS “trusts” that Covered Entities will exercise appropriate judgment in these situations and does not intend to “penalize” Covered Entities for the exercise of honest, good faith judgment. They also address a wide variety of issues, including that an entity can be both a Covered Entity and a Third Party Service Provider, and the impact of a Covered Entity’s relationship with its Affiliates in complying with the regulations. The New York DFS is adamant that the Covered Entity will be responsible for complying with the regulations regardless of its adoption of its Affiliate’s cybersecurity program or utilization of an Affiliate’s CISO. The Covered Entity remains charged with annually certifying its compliance with the regulations.

The following are some of the other issues that are addressed in the FAQs:

The circumstances under which a Covered Entity must submit notice to DFS of a Cybersecurity Event:

The Department recognizes that Covered Entities are subject to many daily attempts to gain unauthorized access to their Information Systems and the information stored on them, and most are unsuccessful and will not be reportable, such as those of a routine nature. However, it also notes some unsuccessful attacks will be reportable if “in the considered judgment of the Covered Entity” it is “sufficiently serious to raise a concern.” Thus, while the DFS states it trusts that Covered Entities will exercise “appropriate judgment” as to “which unsuccessful attacks must be reported” and it “does not intend to penalize Covered Entities for the exercise of honest, good faith judgment,” a Covered Entity cannot automatically consider an unsuccessful attempt to not be reportable. (See FAQ 1.)

A reportable cybersecurity event is one that is described as fitting into at least one of the following categories:

  • The Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
  • The Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

In addition, a Covered Entity is required to give notice to DFS when the Covered Entity is required to give notice to affected consumers under other laws and regulations. The DFS noted in response to an FAQ regarding whether notice must be given to the Department when a Cybersecurity Event involved harm to consumers, that if a notice is required under New York’s information security breach and notification law (General Business Law Section 899-aa), then that Cybersecurity Event must also be reported to the Department. (FAQ 5.)

A reportable Cybersecurity Event is to be reported as promptly as possible, but in no event later than 72 days “from a determination that a reportable Cybersecurity Event has occurred.” (FAQ 15.)

The circumstances under which a Covered Entity must address the cybersecurity issues of its subsidiaries and affiliates are as follows:

When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies. (FAQ 3.)

The circumstances under which a Covered Entity that qualifies for a limited exemption must still comply with the regulations are as follows:

The DFS notes that the exemptions are limited in scope (see 23 NYCRR Part 500.19), and even entities that qualify for those exemptions are only exempt from complying with certain provisions of the regulation. They must still comply with the sections listed in the exemptions that apply to covered entities. (FAQ 4.)

To provide a secure route for submission of such notices to DFS, as well as for submission of the certificates of compliance that Covered Entities must file for their other obligations under the new Regulation, DFS has also announced a new online portal.

It is important for those subject to these New York regulations to monitor the FAQs published by DFS. The FAQs provide guidance on the DFS’s interpretation and enforcement of its newly adopted regulation.

New Colorado Regulation

The Colorado Division of Securities has now also adopted new cybersecurity rules, which are applicable to broker-dealers purchasing securities in Colorado and investment advisors who do business in the state (see the new Colorado regulation at page 45, Rule 51-4.8).

The Colorado regulations are less onerous and narrower in application than the New York Regulation. They are limited to broker-dealers purchasing securities in the state and investment advisors doing business in Colorado. For those entities, the Colorado rules require cybersecurity procedures to protect “Confidential Personal Information.” Publicly available information is not considered Confidential Personal Information. They only require that broker-dealers and investment advisors “establish and maintain written procedures ‘reasonably’ designed to ensure cybersecurity.” While the Colorado Division of Securities may consider a variety of factors in determining what is reasonable, the cybersecurity procedures must include: (a) an annual risk assessment, which does not have to be conducted by an independent third party; (b) secure email, including encryption and digital signatures for emails containing Confidential Personal Information; (c) authentication of clients’ email instructions and of employee access to electronic communication; and (d) disclosure to clients of the risks of using electronic communication.

Unlike New York’s regulations, Colorado’s rules do not have requirements for third party vendors. In addition, the final rules adopted in Colorado deleted the breach notification requirement to the Division that was in the initial proposed rules. Thus, overall they are less burdensome, and less costly, than the New York regulation. Entities subject to them are still, of course, subject to federal financial regulation and oversight, such as that provided by the SEC.

It remains to be seen whether other states will enact their own cybersecurity regulations, and if so, which entities will be subject to such regulation.

And Now There are Three: Nevada Joins California and Delaware in Privacy Policy Requirements for Website Operators

The latest development with respect to privacy policies involves amendments to existing state statutes governing the security of personal information for website operators and online service providers. (See June 30, 2017 Alert – FTC Issues Updated Guidance for Compliance with COPPA.) This may be the next wave of statutory amendments in the ongoing battle to balance the collection of personal information with a consumer’s right to privacy. Nevada has now joined California and Delaware with its recent amendment to its Security of Personal Information statute (NRS 603A – Security of Personal Information). California was the first state to require commercial websites and online services to post a privacy policy, in 2004; its law was amended in 2013 to require new privacy disclosures regarding tracking of online visits. (See the California Online Privacy Protection Act (CalOPPA).) Delaware’s Online Privacy and Protection Act (“DOPPA”) went into effect on January 1, 2016. The Nevada amendments, which become effective on October 1, 2017, are narrower in scope than the laws of California and Delaware. The Legislative Counsel’s Digest indicates that they exclude in-state entities whose revenue is primarily from sources other than online sales and who have fewer than 20,000 unique visitors per year. They also limit their application to website operators that “purposefully” direct or conduct activities in Nevada, or consummate a transaction with the state or one of its residents.

For those entities that do not fall within the parameters of the exclusion, the amendments require a notice that does the following:

  1. Identifies the categories of “covered information” collected through the website and the categories of third parties with whom that information may be shared.

     “Covered information” includes (a) a first and last name; (b) a home or other physical address that includes the names of a street and city or town; (c) an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier that allows a specific individual to be contacted either physically or online; and (g) any other information concerning an individual collected from that person through the website or online service in combination with any other identifier in a form that makes the information personally identifiable.

  2. Describes the process, if any, by which the user may review and request changes to “covered information” collected through the website.
  3. Discloses whether third parties may collect information about a user’s online activities from the website.
  4. Provides an effective date of the notice.
  5. Describes how the website operator will notify the consumer of any material changes to the notices required to be made under the new law.

Under the amendments, the Nevada Attorney General will have the power to issue temporary or permanent injunctive relief against the website operator and to assess penalties up to $5,000 per violation to enforce compliance.  No private right of action is afforded to the consumer for violations of these new provisions of the Nevada law.

So what does this mean for website operators in Nevada before October 1, 2017?  First, determine whether your website operations are excluded from the amendments.  If not, review all current privacy policies to determine which ones will need to be modified to comply with the law.  Finally, create any new policies that need to be provided under the new legislation and monitor developments on privacy policy legislation in other states to make sure your website operations will be in compliance with any future changes.  Illinois’ proposed “Right to Know” law passed the state Senate but failed to be approved by the House before the legislative session ended on May 31, 2017.  This bill may be reintroduced in a future legislative session.

If you need assistance reviewing your privacy policies, including website operations, please contact Cinthia Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Carol Gerner, 312-849-1959, carol.gerner@sedgwicklaw.com.

New Jersey Bill Limiting Identity Card Scanning Signed Into Law

On July 21, 2017, New Jersey Governor Chris Christie signed into law a bill that places new restrictions on retailers’ collection and use of information collected when a customer’s identification (ID) card is scanned. The Personal Information and Privacy Protection Act (the Act) (which we previously analyzed) takes effect on October 1, 2017, and permits retailers to scan a person’s ID card for the following limited purposes:

  • To verify authenticity of the ID card or identity of the person (1) if the person is paying for goods or services in a method other than cash, or (2) if the person is returning an item or (3) if the person requests a refund or exchange;
  • To verify the person’s age when providing age-restricted goods or services;
  • To prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
  • To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • To establish or maintain a contractual relationship;
  • To record, retain, or transmit information as required by state or federal law;
  • To transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Fair Debt Collections Practices Act; and
  • To record, retain or transmit information by a covered entity governed by HIPAA.

Significantly, the Act prohibits retailers from selling or disseminating to third parties the information that they obtain from scanning ID cards, for almost any purpose, including marketing, advertising or promotional activities. The one exception to this rule is where a retailer’s automated return fraud system issues a reward coupon to a loyal customer. We note the Act does not explain what an automated return fraud system is; thus, retailers should assess the extent to which they collect information from scanning ID cards and ensure that such information is excluded from what is shared with third parties.

The Act also prohibits retailers from saving the scanned information, when the scanned information is used solely to (1) verify the authenticity of the ID card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.

If any of the scanned information is saved, it must be “securely stored.” Although the Act does not define “secure” storage, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (N.J. ID Theft Law) provides some guidance. Under that statute, the unauthorized access of personal information is not considered a “breach” where the information is encrypted or rendered unreadable (N.J.S.A. 56:8-161).  This suggests that at minimum, secure storage might require encrypting or using some other technology to render the scanned information unreadable, or anonymizing it to be disassociated with any person.

The Act also covers data breach reporting requirements. It requires retailers to “promptly” report any breach of the security of the scanned information to the New Jersey State Police and any “affected persons” in accordance with the N.J. ID Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of his or her personal information. While the Act does not define “prompt” reporting, the timing for reporting breaches of scanned information likely mirrors the requirement imposed by the N.J. ID Theft Law — the most expedient time possible without unreasonable delay (N.J.S.A. 56:8-163).

The Act also expands the scope of information subject to breach reporting obligations. The existing N.J. ID Theft Law limits the “personal information” that triggers reporting obligations, if breached, to “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” (N.J.S.A. 56:8-161). The Act similarly includes the person’s name, state issuing the ID card, and ID card number; but also adds her address and date of birth.

The Act provides for $2,500 in penalties for the first violation and $5,000 for any subsequent action, and expressly permits a private right of action. There is no cap on penalties.

Retailers who do business in New Jersey should evaluate their compliance with the Act’s new requirements well in advance of October 1, 2017, when the law takes effect. This includes: (1) evaluating the extent to which they scan customers’ ID cards and whether and to what extent the scanned information is saved, (2) ensuring that they do not share information scanned from customers’ ID cards with third parties, (3) evaluating the security used (including encryption, redaction, anonymization, and other physical, technical and administrative safeguards) to protect such information, if any is stored, and (4) evaluating their incident response programs for expansion of breach reporting obligations, particularly in light of the expanded scope of personal information imposed by the new law.

It is unclear if the Act applies solely to retailers who have brick and mortar stores in New Jersey. The Act refers to “retail establishments” but does not define what a retail establishment is. But, because the Act addresses scanning ID cards, it is hard to imagine how ID cards could be scanned anywhere else but a physical location.

If you have questions about your incident response plan or how to evaluate your business’ security programs and procedures, please contact Cinthia Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.

ALERT – FTC Issues Updated Guidance for Compliance with COPPA

On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for compliance with the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates websites and other online services in connection with collection of information from children under 13.  The full version of the FTC’s updated guidance is available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

The FTC guidance instructs businesses to:

  • Determine if a company’s website or online service collects information from children under 13
  • Post a privacy policy that complies with COPPA
  • Directly notify parents before collecting personal information from children
  • Get parents’ verifiable consent before collecting personal information from children
  • Honor parents’ ongoing rights regarding personal information collected from children
  • Implement reasonable security procedures to protect the personal information collected from children

The FTC’s updated guidance addresses new models used to obtain personal data, such as voice activated devices used to collect personal information.  The guidance incorporates reference to new products, like connected toys and other products intended for children that collect information like voice recordings or geolocation data.  It also introduces two new methods for obtaining parental consent: (1) asking knowledge-based authentication questions and (2) using facial recognition to match a verified photo ID.

“Website or online service” under COPPA, according to the updated guidance, includes mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, and connected toys or other Internet of Things devices.  In addition, “[p]ersonal information” includes each of the following:  full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers.  Evident from the foregoing list, personal information is defined broadly under COPPA.

The FTC’s updated guidance also notes that if Company A collects personal information through Company B’s child-directed site or service — through an ad network or plug-in, for example — Company B is responsible for complying with COPPA, even if Company B does not collect the personal information.  Moreover, a company’s privacy policy, to be posted on the homepage and on any page where a company collects personal information from children, must describe the company’s practices, and the practices of any other companies collecting personal information on the company’s site or service.

The FTC’s updated guidance shows regulators are concerned with adapting to new technologies that collect children’s personal information and with providing clear notice to parents. If you need assistance reviewing your business’s compliance with COPPA in light of the updated guidance provided by the FTC, please contact Cindy Motley, 312-849-1972, cindy.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.

New Jersey Senate Passes Bill Limiting Identity-Card Scanning by Retailers for Limited Purposes

On June 22, 2017, the New Jersey Senate passed the Personal Information and Privacy Protection Act (“the Act”), which now awaits action by Governor Christie. The Act permits retailers to scan a person’s identity card (“I.D. card”) only for specified purposes and limits the information that may be collected to the name, address, date of birth, state issuing the I.D. card, and I.D. card number.

Scanning of I.D. cards, such as a driver’s license, by a retailer is permitted only to:

  • Verify the authenticity of the I.D. card or the identity of the person (1) if the person is paying for goods or services by a method other than cash, (2) if the person is returning an item, or (3) if the person requests a refund or exchange;
  • Verify the person’s age when providing age-restricted goods or services;
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
  • Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • Establish or maintain a contractual relationship;
  • Record, retain, or transmit information as required by State or federal law;
  • Transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm Leach Bliley Act, or the Fair Debt Collections Practices Act; or
  • Record, retain or transmit information by a covered entity governed by HIPAA.

A retailer may not save any of the scanned information when the scanned information is used solely to (1) verify the authenticity of the I.D. card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.

If a retailer saves the scanned information arising from any of the other permitted purposes, the scanned information must be “securely stored.” Though the Act does not itself define what “secure” storage is, the N.J. Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (“N.J. I.D. Theft Law”) gives us some guidance. Excepted from the N.J. I.D. Theft Law’s definition of breach is personal information that is encrypted or rendered unreadable. (N.J.S.A. 56:8-161). This suggests that, at a minimum, secure storage might require encrypting the scanned information or using some other technology to render it unreadable, or anonymizing it so that it cannot be associated with any person.

The Act also requires retailers to “promptly” report any breach of the security of the scanned information to the N.J. State Police and any “affected persons” in accordance with the N.J. I.D. Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of its personal information. While the new Act does not define “prompt” reporting, the timing for reporting breaches of scanned information under the new Act is probably governed by the same time frame as under the N.J. I.D. Theft Law — the most expedient time possible without unreasonable delay. (N.J.S.A. 56:8-163).

Further, the new Act expands the scope of information subject to breach reporting obligations. The existing N.J. I.D. Theft Law defines Personal Information which triggers reporting obligations, if breached, as “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” (N.J.S.A. 56:8-161). The new Act retains some of the same elements of personal information, including name, state issuing the I.D. card, and I.D. card number; however, two new data elements have been added — address and date of birth — provided the source of this data is the scanning of an I.D. card.

Finally, the Act prohibits the sale or dissemination of information obtained by a retailer from scanning I.D. cards to any third party for any purpose, including marketing, advertising or promotional activities, but with one exception — the Act does not bar an automated return fraud system from issuing a reward coupon to a loyal customer.

We also note that the penalties provided by the Act are $2,500 for the first violation and $5,000 for any subsequent violation, and that the Act permits a private right of action.

While the governor’s action with regard to the Act is uncertain, the passage of the Act suggests that regulators are trending towards broadening the scope of information subject to breach reporting obligations and expanding the scope of information on which security-related regulations will be imposed. Retailers that collect or plan to collect their customers’ personal information should (1) review their incident response programs for the expansion of breach reporting obligations, particularly in light of the potentially expanded scope of personal information under the New Jersey Act, and (2) evaluate the security used to protect their customers’ information, including encryption, redaction, anonymization, and other physical, technical and administrative safeguards.

If you have questions about your incident response plan or how to evaluate your business’s security programs and procedures, please contact Cindy Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.

Two New Developments in Website Accessibility Cases: Nation’s First Website Accessibility Trial Verdict Is Far From a Winn for Retailers, and Hobby Lobby Is Dealt a Blow in California Decision

As numerous retailers know firsthand, website accessibility has become a hotbed for litigation in recent years. Despite plaintiffs filing scores of website accessibility claims against retailers each year, very few of these cases make it past the pleadings, and there has been little to no guidance from the courts. This changed on June 13, 2017, in Juan Carlos Gil v. Winn-Dixie Stores, Inc., Case No.: 16-23020-CIV-SCOLA (S.D. Fl.), when U.S. District Court Judge Robert N. Scola, Jr. issued the very first post-trial web accessibility verdict, finding that grocer Winn-Dixie violated Title III of the Americans with Disabilities Act (ADA) by maintaining a website that was inaccessible to visually impaired consumers. Judge Scola ordered injunctive relief, providing the parties with a draft three-year injunction, and also awarded Gil his attorneys’ fees and costs.

Although this decision carries no precedential authority over other federal courts or judges, including those in the Southern District of Florida, the decision remains significant for businesses trying to defend themselves against web accessibility claims.

Background

Like most website accessibility claims, the crux of the Gil action is that the plaintiff, a visually impaired consumer, was allegedly unable to use the services on Winn-Dixie’s website (in this case, downloading coupons, refilling prescriptions, and finding store locations) with the assistance of his screen reader software. Based on his experiences, Gil claimed that Winn-Dixie’s website violated Title III of the ADA, because it was inaccessible to the visually impaired. The complaint was filed on July 12, 2016.

Although the Winn-Dixie suit was one of Gil’s first times bringing website accessibility claims, it has been far from his last. Since April 2016, he has filed similar suits against more than 60 other retailers, all in the Southern District of Florida. Scott Dinin, his counsel in each of these actions, is a leading player in the web access arena.

On October 24, 2017, Winn-Dixie filed a motion for judgment on the pleadings, requesting that the court dismiss the case on the grounds that a website is not a place of public accommodation pursuant to Title III of the ADA. Winn-Dixie’s motion prompted the United States Department of Justice (DOJ) to file a Statement of Interest, which noted that Winn-Dixie’s argument could not “be squared with the plain language of the statute, the regulations, or with federal case law addressing this issue.” The DOJ continued:

The United States respectfully submits this Statement of Interest to clarify public accommodations’ longstanding obligation to ensure that individuals with disabilities are not excluded, denied services, or treated differently than other individuals because of the absence of auxiliary aids and services, such as accessible electronic technology. This obligation means that websites of places of public accommodation, such as grocery stores, must be accessible to people who are blind, unless the public accommodation can demonstrate that doing so would result in a fundamental alteration or undue burden.

On March 15, 2017, Judge Scola rejected Winn-Dixie’s Motion, explaining that Gil had alleged sufficient facts that, if proven at trial, would demonstrate a “nexus” between Winn-Dixie’s physical store locations and its website that would place the website within the purview of Title III.

The case went to trial on June 5, 2017. The two-day, non-jury trial included testimony by Gil, Gil’s website accessibility expert, and a corporate representative from Winn-Dixie who had knowledge about its website applications.

The Court’s Order: Websites That Operate as a “Gateway” to Physical Store Locations Are Places of Public Accommodation Covered by the ADA

Judge Scola issued an order in favor of Gil on June 12, 2017. Judge Scola held that Winn-Dixie violated Title III of the ADA by failing to provide an accessible public website and, thus, denying individuals with disabilities the “full and equal enjoyment” of its website.

The ruling expressly avoids deciding whether Winn-Dixie’s website, itself, is a place of public accommodation. Instead, the court reasoned that because Winn-Dixie’s website “is heavily integrated with Winn-Dixie’s physical store locations,” the website is considered a place of public accommodation under Title III as it “operates as a gateway to the physical store location.” The court noted that a customer’s ability to download coupons, locate stores, and refill prescriptions on the website sufficiently demonstrated a nexus between the website and physical store locations.

In finding that Winn-Dixie’s website is inaccessible to visually impaired users, the court adopted the Web Content Accessibility Guidelines (WCAG) 2.0 as the accessibility standard that Winn-Dixie must follow to make its website ADA compliant. Even though the guidelines have not been formally adopted by the DOJ, Judge Scola’s ruling confirms that WCAG 2.0 is the leading industry standard for accessibility. (We have previously recommended in “Online Retailers Increasingly at Risk of Website Accessibility Lawsuits,” that online retailers endeavor to meet WCAG 2.0 standards.)

The court expressly rejected Winn-Dixie’s argument that the cost of remediating the website, which Winn-Dixie estimated to be $250,000.00, was an undue burden. In response, the court stated that whatever the cost of remediation may be, it “pales in comparison to the $2 million Winn-Dixie spent in 2015 to open the website and the $7 million it spent in 2016 to remake the website for the Plenti [customer rewards] program.”

Notably, and of significant import to retailers facing such claims, the court did not limit the reach of its order to only those portions of Winn-Dixie’s website that it operates internally. The court specifically held Winn-Dixie responsible for the entire website’s lack of accessibility, notwithstanding the fact that portions of the website are operated by third party vendors such as Google and American Express. The court explained, “[m]any, if not most, of the third party vendors may already be accessible to the disabled and, if not, Winn-Dixie has a legal obligation to require them to be accessible if they choose to operate within the Winn-Dixie website.”

Lastly, the court provided the parties with a draft injunction, ordering Winn-Dixie to do the following, among other things:

  • Adopt and implement a web accessibility policy that ensures that its website conforms with WCAG 2.0 criteria;
  • Require any third party vendors who participate on its website to be fully accessible to the disabled by also conforming with WCAG 2.0 criteria;
  • Display a publicly available Statement of Accessibility on the website;
  • Provide mandatory training, once a year, to all employees who write or develop programs or codes for the website on how to conform all web content and services with WCAG 2.0 criteria; and
  • Conduct web accessibility monitoring of its website once every three months to identify non-compliance with WCAG 2.0 criteria.

Gorecki v. Hobby Lobby Serves Further Blow to Online Retailers

On June 15, 2017, just a week after the Gil decision was issued, Judge John F. Walter of the Central District of California denied a motion to dismiss website accessibility claims in Gorecki v. Hobby Lobby Stores, Inc. (Case No.: 2:17-cv-01131-JFW-SK). Hobby Lobby argued in its motion that because the U.S. Department of Justice had not promulgated final website accessibility regulations under Title III setting forth specific accessibility standards, it would violate due process to grant injunctive relief, since Hobby Lobby did not have sufficient notice of the need to make its website accessible. Hobby Lobby also argued the action should be dismissed under the primary jurisdiction doctrine which, if applied, would hold that the court should not rule on website accessibility issues until DOJ promulgates and adopts regulations. In the past, these arguments have failed in the context of website accessibility, but their potential viability was recently revisited after Judge James S. Otero of the Central District of California dismissed a website accessibility action on these same grounds in Robles v. Dominos Pizza LLC (Case No.: 2:16-cv-06599-SJO-FFM).

The Court in Gorecki rejected each of Hobby Lobby’s arguments. With regard to Hobby Lobby’s claim that it lacked sufficient notice, the court emphasized that DOJ has articulated its position that Title III requires website accessibility for over 20 years — in speeches, congressional hearings, amicus briefs and Statements of Interest, rulemaking efforts, and enforcement actions and related settlement agreements — and that, regardless, Title III has always required “full and equal enjoyment” and the provision of “auxiliary aids and services for ‘effective communication.’” The court also rejected Hobby Lobby’s argument that the primary jurisdiction doctrine should apply, stating that the case could be handled like other Title III matters, and that invoking the doctrine could needlessly delay potentially meritorious claims.

Conclusion

Although the Gil and Gorecki decisions are not binding, both decisions highlight the risks of litigating website accessibility claims, particularly in instances where there is a nexus between the business’ website and its physical store location.


If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com.

Rallying Cry: Health Care Cybersecurity a Key Public Health Concern

On June 2, 2017, the Health Care Industry Cybersecurity Task Force published its Report on Improving Cybersecurity in the Health Care Industry. The lengthy and comprehensive Report serves as a wake-up call to the medical field, taking seriously the threat of cyber-attacks targeting health care providers, the dangers created by increasing digital interconnectivity in the medical field, and the industry’s shortcomings in its ability to handle the cyber-related challenges it presently faces. The House Energy and Commerce Subcommittee on Oversight and Investigations held a hearing on June 8 on the report and HHS’ greater role in cybersecurity efforts.

The Task Force was established by Congress as part of the Cybersecurity Act of 2015 and created to address cybersecurity issues facing the healthcare industry following an increase in identity theft, ransomware, and hacking. Healthcare leaders across the public and private sectors worked closely together and with the general public over the course of a year, and this Report reflects their findings. It acknowledges that, despite the significant cybersecurity risks facing and created by the health care industry’s recent and ongoing transition to wholesale use of interconnected medical devices, most healthcare providers fail to take accountability for the security risks they help create. The Report calls upon healthcare organizations to take responsibility for securing themselves and the data they collect, and identifies six key imperatives for providers to follow in preparing to meet what the Report deems “an urgent challenge.” These imperatives are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

The Report highlights the danger of patient information falling into the wrong hands, noting that healthcare data can be misused for fraud, identity theft, supply-chain disruptions, theft and sale of proprietary information, stock manipulation, and disruption of patient care. It focuses on the nature of the healthcare industry itself, a “large, diverse, and open” conglomerate subject to “a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions”; and emphasizes the industry’s unique, sharing culture, whereby healthcare professionals prioritize the speedy, seamless treatment of patients at the risk of opening themselves up to increased cybersecurity risks.

As discussed in our May 13, 2017 Alert on Ransomware, a proactive approach is often easier and less costly than a reactive one. Cyber risks continue to present a fast-evolving landscape, especially in the healthcare area. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. A health care entity that knows those risks and controls the data that flows within and outside its walls will be better equipped to protect sensitive data and mitigate possible security incidents.

If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Kimberly Cook (305.671.2159) or kimberly.cook@sedgwicklaw.com or Alexandra Block (305.671.2167) or alexandra.block@sedgwicklaw.com.

ALERT – OCR Issues Quick Response Cyber Attack Checklist and Graphic

In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS), discussed in Cinthia Motley’s May 13, 2017 Alert: Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights (“OCR”) issued a Quick Response Cyber Attack checklist and graphic on June 9, 2017. The checklist and the corresponding infographic outline the following steps that HIPAA covered entities and business associates need to consider taking in response to a cyber-related security incident:

  1. Execute its response and mitigation procedures and contingency plans.
  2. Report the crime to law enforcement agencies.
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
  4. Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

While not all of these steps will necessarily apply to every situation, we recommend that HIPAA covered entities and business associates review their current IRP and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal agencies and ISAOs. As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined that no breach occurred.

If you are concerned that your business does not have the proper IRP or needs assistance in developing one, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com, or Carol Gerner (312) 849-1959 or carol.gerner@sedgwicklaw.com.
