State Updates on Cybersecurity Regulations: New York DFS Issues FAQs on Its Cybersecurity Regulations and Colorado Adopts Rules Applicable to Broker-Dealers and Investment Advisors

New York and Colorado have continued to take the lead in cybersecurity requirements for regulated financial institutions.

The New York Department of Financial Services (DFS), which issued the first state cybersecurity regulation directed at its regulated financial institutions, 23 NYCRR Part 500, recently updated its “Frequently Asked Questions Regarding 23 NYCRR Part 500” on July 31, 2017, to assist entities covered by the regulation in their compliance. It has also announced a new online portal for secure transmission of all notifications required under this new regulation.

Meanwhile, Colorado’s Division of Securities adopted the cybersecurity rules it had proposed earlier this year, which apply to broker-dealers purchasing securities in Colorado and to investment advisors who do business in the state.

For background, see our May 3, 2017, article, “Other States Start to Follow New York Lead on Cybersecurity of Regulated Entities,” in which we addressed the recently enacted New York State Department of Financial Services cybersecurity regulation and the then-proposed Colorado regulations targeted at financial advisers.

New York FAQs

The New York DFS regulations that went into effect March 1, 2017 (with transition periods) were designed to “promote the protection of customer information and information technology systems of regulated entities.” The regulated “Covered Entities” are defined as any “Person” operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York.

On July 31, 2017, the DFS issued its updated “Frequently Asked Questions Regarding 23 NYCRR Part 500,” which provides its answers to 18 frequently asked questions concerning the regulations. The FAQs provide insight into how the DFS interprets the regulations and the extent to which it will defer to the “appropriate judgment” of the Covered Entities on certain issues, including the circumstances under which an “unsuccessful attack” constitutes a “Cybersecurity Event” that meets the reporting requirements of the regulations.

It is noteworthy that the FAQs state that the DFS “trusts” that Covered Entities will exercise appropriate judgment in these situations and does not intend to “penalize” Covered Entities for the exercise of honest, good faith judgment. They also address a wide variety of issues, including that an entity can be both a Covered Entity and a Third Party Service Provider, and the impact of a Covered Entity’s relationship with its Affiliates in complying with the regulations. The New York DFS is adamant that the Covered Entity will be responsible for complying with the regulations regardless of its adoption of its Affiliate’s cybersecurity program or utilization of an Affiliate’s CISO. The Covered Entity remains charged with annually certifying its compliance with the regulations.

The following are some of the other issues that are addressed in the FAQs (here is a full list of the FAQs):

The circumstances under which a Covered Entity must submit notice to DFS of a Cybersecurity Event:

The Department recognizes that Covered Entities are subject to many daily attempts to gain unauthorized access to their Information Systems and the information stored on them, and most are unsuccessful and will not be reportable, such as those of a routine nature. However, it also notes some unsuccessful attacks will be reportable if “in the considered judgment of the Covered Entity” it is “sufficiently serious to raise a concern.” Thus, while the DFS states it trusts that Covered Entities will exercise “appropriate judgment” as to “which unsuccessful attacks must be reported” and it “does not intend to penalize Covered Entities for the exercise of honest, good faith judgment,” a Covered Entity cannot automatically consider an unsuccessful attempt to not be reportable. (See FAQ 1.)

A reportable cybersecurity event is one that is described as fitting into at least one of the following categories:

  • The Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
  • The Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

In addition, a Covered Entity is required to give notice to DFS when it is required to give notice to affected consumers under other laws and regulations. In response to an FAQ asking whether notice must be given to the Department when a Cybersecurity Event involves harm to consumers, the DFS stated that if notice is required under New York’s information security breach and notification law (General Business Law Section 899-aa), then that Cybersecurity Event must also be reported to the Department. (FAQ 5.)

A reportable Cybersecurity Event is to be reported as promptly as possible, but in no event later than 72 days “from a determination that a reportable Cybersecurity Event has occurred.” (FAQ 15.)

The circumstances under which a Covered Entity must address the cybersecurity issues of its subsidiaries and affiliates are as follows:

When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies. (FAQ 3.)

The circumstances under which a Covered Entity that qualifies for a limited exemption must still comply with the regulations are as follows:

The DFS notes that the exemptions are limited in scope (see 23 NYCRR Part 500.19), and even entities that qualify for those exemptions are only exempt from complying with certain provisions of the regulation. They must still comply with the sections listed in the exemptions that apply to covered entities. (FAQ 4.)

DFS has also announced a new online portal to provide a secure route for submitting such notices, as well as the certificates of compliance that Covered Entities must file regarding their other obligations under the new regulation.

It is important for those subject to these New York regulations to monitor the FAQs published by DFS, which provide guidance on the DFS’s interpretation and enforcement of its newly adopted regulation.

New Colorado Regulation

The Colorado Division of Securities has now also adopted new cybersecurity rules, which apply to broker-dealers purchasing securities in Colorado and investment advisors who do business in the state. (See the New Colorado Regulation, page 45; 51-4.8.)

The Colorado rules are less onerous and narrower in application than the New York regulation. They are limited to broker-dealers purchasing securities in the state and investment advisors doing business in Colorado. For those entities, the Colorado rules require cybersecurity procedures to protect “Confidential Personal Information”; publicly available information is not considered Confidential Personal Information. The rules only require that broker-dealers and investment advisors “establish and maintain written procedures ‘reasonably’ designed to ensure cybersecurity.” While the Colorado Division of Securities may consider a variety of factors in determining what is reasonable, the cybersecurity procedures must include: (a) an annual risk assessment, which does not have to be conducted by an independent third party; (b) secure email, including encryption and digital signatures for emails containing Confidential Personal Information; (c) authentication of clients’ email instructions and of employee access to electronic communications; and (d) disclosure to clients of the risks of using electronic communication.

Unlike New York’s regulations, Colorado’s rules impose no requirements regarding third-party vendors. In addition, the final rules adopted in Colorado deleted the breach notification requirement to the Department that was in the initial proposed rules. Thus, overall, the Colorado regulation is less burdensome, and less costly, than the New York regulation. Entities subject to it remain, of course, subject to federal financial regulation and oversight, such as that provided by the SEC.

It remains to be seen whether other states will enact their own cybersecurity regulations, and if so, which entities will be subject to such regulation.

And Now There are Three: Nevada Joins California and Delaware in Privacy Policy Requirements for Website Operators

The latest development with respect to privacy policies involves amendments to existing state statutes governing the security of personal information for website operators and online service providers. (See the June 30, 2017 Alert – FTC Issues Updated Guidance for Compliance with COPPA.) This may be the next wave of statutory amendments in the ongoing battle to balance the collection of personal information with a consumer’s right to privacy. Nevada has now joined California and Delaware with its recent amendment to its Security of Personal Information statute (NRS 603A – Security of Personal Information). California was the first state to require commercial websites and online services to post a privacy policy, in 2004; its law was amended in 2013 to require new privacy disclosures regarding the tracking of online visits. (See the California Online Privacy Protection Act (CalOPPA).) Delaware’s Online Privacy and Protection Act (“DOPPA”) went into effect on January 1, 2016. The Nevada amendments, which become effective on October 1, 2017, are narrower in scope than the laws of California and Delaware. The Legislative Counsel’s Digest indicates that they exclude in-state entities whose revenue is primarily from sources other than online sales and who have fewer than 20,000 unique visitors per year. They also limit application to website operators that “purposefully” direct or conduct activities in Nevada, or consummate a transaction with the state or one of its residents.

For those entities that do not fall within the exclusion, the amendments require a notice that does the following:

  1. Identifies the categories of “covered information” collected through the website and the categories of third parties with whom that information may be shared.

“Covered information” includes (a) a first and last name; (b) a home or other physical address that includes the names of a street and city or town; (c) an electronic mail address; (d) a telephone number; (e) a social security number; (f) an identifier that allows a specific individual to be contacted either physically or online; and (g) any other information concerning an individual collected from that person through the website or online service in combination with any other identifier in a form that makes the information personally identifiable.

  2. Describes the process, if any, by which the user may review and request changes to “covered information” collected through the website.
  3. Discloses whether third parties may collect information about a user’s online activities from the website.
  4. Provides an effective date of the notice.
  5. Describes how the website operator will notify the consumer of any material changes to the notice required under the new law.

Under the amendments, the Nevada Attorney General will have the power to issue temporary or permanent injunctive relief against the website operator and to assess penalties up to $5,000 per violation to enforce compliance.  No private right of action is afforded to the consumer for violations of these new provisions of the Nevada law.

So what does this mean for website operators in Nevada before October 1, 2017?  First, determine whether your website operations are excluded from the amendments.  If not, review all current privacy policies to determine which ones will need to be modified to comply with the law.  Finally, create any new policies that need to be provided under the new legislation and monitor developments on privacy policy legislation in other states to make sure your website operations will be in compliance with any future changes.  Illinois’ proposed “Right to Know” law passed the state Senate but failed to be approved by the House before the legislative session ended on May 31, 2017.  This bill may be reintroduced in a future legislative session.

If you need assistance reviewing your privacy policies, including website operations, please contact Cinthia Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Carol Gerner, 312-849-1959, carol.gerner@sedgwicklaw.com.

New Jersey Bill Limiting Identity Card Scanning Signed Into Law

On July 21, 2017, New Jersey Governor Chris Christie signed into law a bill that places new restrictions on retailers’ collection and use of information collected when a customer’s identification (ID) card is scanned. The Personal Information and Privacy Protection Act (the Act) (we previously analyzed this bill, here) takes effect on October 1, 2017, and permits retailers to scan a person’s ID card for the following limited purposes:

  • To verify authenticity of the ID card or identity of the person (1) if the person is paying for goods or services in a method other than cash, or (2) if the person is returning an item or (3) if the person requests a refund or exchange;
  • To verify the person’s age when providing age-restricted goods or services;
  • To prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
  • To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • To establish or maintain a contractual relationship;
  • To record, retain, or transmit information as required by state or federal law;
  • To transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Fair Debt Collections Practices Act; and
  • To record, retain or transmit information by a covered entity governed by HIPAA.

Significantly, the Act prohibits retailers from selling or disseminating to third parties the information that they obtain from scanning ID cards, for almost any purpose, including marketing, advertising or promotional activities. The one exception to this rule is where a retailer’s automated return fraud system issues a reward coupon to a loyal customer. We note that the Act does not explain what an automated return fraud system is; thus, retailers should assess the extent to which they collect information from scanning ID cards and ensure that such information is excluded from what is shared with third parties.

The Act also prohibits retailers from saving the scanned information, when the scanned information is used solely to (1) verify the authenticity of the ID card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.

If any of the scanned information is saved, it must be “securely stored.” Although the Act does not define “secure” storage, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (N.J. ID Theft Law) provides some guidance. Under that statute, the unauthorized access of personal information is not considered a “breach” where the information is encrypted or rendered unreadable (N.J.S.A. 56:8-161). This suggests that, at a minimum, secure storage might require encrypting or using some other technology to render the scanned information unreadable, or anonymizing it so that it cannot be associated with any person.

The Act also covers data breach reporting requirements. It requires retailers to “promptly” report any breach of the security of the scanned information to the New Jersey State Police and any “affected persons” in accordance with the N.J. ID Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of his or her personal information. While the Act does not define “prompt” reporting, the timing for reporting breaches of scanned information likely mirrors the requirement imposed by the N.J. ID Theft Law — the most expedient time possible without unreasonable delay (N.J.S.A. 56:8-163).

The Act also expands the scope of information subject to breach reporting obligations. The existing N.J. ID Theft Law limits the “personal information” that triggers reporting obligations, if breached, to “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” (N.J.S.A. 56:8-161). The Act similarly includes the person’s name, state issuing the ID card, and ID card number; but also adds her address and date of birth.

The Act provides for $2,500 in penalties for the first violation and $5,000 for any subsequent action, and expressly permits a private right of action. There is no cap on penalties.

Retailers who do business in New Jersey should evaluate their compliance with the Act’s new requirements well in advance of October 1, 2017, when the law takes effect. This includes: (1) evaluating the extent to which they scan customers’ ID cards and whether and to what extent the scanned information is saved, (2) ensuring that they do not share information scanned from customers’ ID cards with third parties, (3) evaluating the security used (including encryption, redaction, anonymization, and other physical, technical and administrative safeguards) to protect such information, if any is stored, and (4) evaluating their incident response programs for expansion of breach reporting obligations, particularly in light of the expanded scope of personal information imposed by the new law. It is unclear whether the Act applies solely to retailers who have brick-and-mortar stores in New Jersey. The Act refers to “retail establishments” but does not define the term. But because the Act addresses scanning ID cards, it is hard to imagine how ID cards could be scanned anywhere other than a physical location.

If you have questions about your incident response plan or how to evaluate your business’ security programs and procedures, please contact Cinthia Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.

ALERT – FTC Issues Updated Guidance for Compliance with COPPA

On June 21, 2017, the Federal Trade Commission (FTC) updated its guidance for compliance with the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates websites and other online services in connection with collection of information from children under 13.  The full version of the FTC’s updated guidance is available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

The FTC guidance instructs businesses to:

  • Determine if a company’s website or online service collects information from children under 13
  • Post a privacy policy that complies with COPPA
  • Directly notify parents before collecting personal information from children
  • Get parents’ verifiable consent before collecting personal information from children
  • Honor parents’ ongoing rights regarding personal information collected from children
  • Implement reasonable security procedures to protect the personal information collected from children

The FTC’s updated guidance addresses new models used to obtain personal data, such as voice activated devices used to collect personal information.  The guidance incorporates reference to new products, like connected toys and other products intended for children that collect information like voice recordings or geolocation data.  It also introduces two new methods for obtaining parental consent: (1) asking knowledge-based authentication questions and (2) using facial recognition to match a verified photo ID.

“Website or online service” under COPPA, according to the updated guidance, includes mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, and connected toys or other Internet of Things devices.  In addition, “[p]ersonal information” includes each of the following:  full name; home or other physical address, including street name and city or town; online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier; screen name or user name where it functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers.  Evident from the foregoing list, personal information is defined broadly under COPPA.

The FTC’s updated guidance also notes that if Company A collects personal information through Company B’s child-directed site or service — through an ad network or plug-in, for example — Company B is responsible for complying with COPPA, even if Company B does not collect the personal information.  Moreover, a company’s privacy policy, to be posted on the homepage and on any page where a company collects personal information from children, must describe the company’s practices, and the practices of any other companies collecting personal information on the company’s site or service.

The FTC’s updated guidance shows that regulators are concerned with adapting to new technologies that collect children’s personal information and with providing clear notice to parents. If you need assistance reviewing your business’s compliance with COPPA in light of the updated guidance provided by the FTC, please contact Cindy Motley, 312-849-1972, cindy.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.com.

New Jersey Senate Passes Bill Limiting Identity-Card Scanning by Retailers for Limited Purposes

On June 22, 2017, the New Jersey Senate passed the Personal Information and Privacy Protection Act (“the Act”), now awaiting Governor Christie’s handling. The Act permits retailers to scan a person’s identity card (“I.D. card”) for specified purposes and limits the type of information that may be collected to the name, address, date of birth, state issuing the I.D. card, and I.D. card number.

Scanning of I.D. cards, such as a driver’s license, by a retailer is permitted only to:

  • Verify authenticity of the I.D. card or identity of the person (1) if the person is paying for goods or services in a method other than cash, or (2) if the person is returning an item or (3) if the person requests a refund or exchange;
  • Verify the person’s age when providing age-restricted goods or services;
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
  • Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • Establish or maintain a contractual relationship;
  • Record, retain, or transmit information as required by State or federal law;
  • Transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, Gramm Leach Bliley Act, or the Fair Debt Collections Practices Act; or
  • Record, retain or transmit information by a covered entity governed by HIPAA.

A retailer may not save any of the scanned information when the scanned information is used solely to (1) verify the authenticity of the I.D. card, (2) verify the identity of a person who is making a non-cash payment, is returning an item, or is seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.

If a retailer saves the scanned information arising from any of the other permitted purposes, the scanned information must be “securely stored.”  Though the Act does not itself define what “secure” storage is, the N.J. Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (“N.J. I.D. Theft Law”) gives us some guidance. Excepted from the N.J. I.D. Theft Law’s definition of breach is personal information that is encrypted or rendered unreadable. (N.J.S.A. 56:8-161).  This suggests that at minimum, secure storage might require encrypting or using some other technology to render the scanned information unreadable, or anonymizing it to be disassociated with any person.

The Act also requires retailers to “promptly” report any breach of the security of the scanned information to the N.J. State Police and any “affected persons” in accordance with the N.J. I.D. Theft Law, which already includes a reporting obligation to the State Police any time a business must notify a New Jersey resident of a breach of its personal information. While the new Act does not define “prompt” reporting, timing for reporting breaches of scanned information under the new Act are probably governed by the same time frames as under the N.J. I.D. Theft Law — the most expedient time possible without unreasonable delay. (N.J.S.A. 56:8-163).

Further, the new Act expands the scope of information subject to breach reporting obligations. The existing N.J. I.D. Theft Law defines the Personal Information which triggers reporting obligations, if breached, as “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” (N.J.S.A. 56:8-161). The new Act maintains some of the same elements of personal information, including name, state issuing the I.D. card, and I.D. card number; however, two new data elements have been added, address and date of birth, provided the source of this data is scanning an I.D. card.

Finally, the Act prohibits the sale or dissemination of information obtained by a retailer from scanning I.D. cards to any third party for any purpose, including marketing, advertising or promotional activities, but with one exception — the Act does not bar an automated return fraud system from issuing a reward coupon to a loyal customer.

We also note the penalties provided by the Act are $2,500 for the first violation and $5,000 for any subsequent action and the Act permits a private right of action.

While the governor’s action with regard to the Act is uncertain, the passing of the Act suggests regulators are trending towards broadening the scope of information subject to breach reporting obligations and expanding the scope of information to which security-related regulations will be imposed. Retailers should (1) check their incident response programs to evaluate them for expansion of breach reporting obligations, particularly in light of the potentially expanded scope of personal information imposed by New Jersey, and (2) evaluate the security used (including encryption, redaction, anonymization, and other physical, technical and administrative safeguards) to protect their customers’ information, if they collect or plan to collect customers’ personal information.

If you have questions about your incident response plan or how to evaluate your business’s security programs and procedures, please contact Cindy Motley, 312-849-1972, cinthia.motley@sedgwicklaw.com or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.

Two New Developments in Website Accessibility Cases: Nation’s First Website Accessibility Trial Verdict Is Far From a Winn for Retailers, and Hobby Lobby Is Dealt a Blow in California Decision

As numerous retailers know firsthand, website accessibility has become a hotbed for litigation in recent years. Despite plaintiffs filing scores of website accessibility claims against retailers each year, very few of these cases make it past the pleadings, and there has been little to no guidance from the courts. This changed on June 13, 2017, in Juan Carlos Gil v. Winn-Dixie Stores, Inc., Case No.: 16-23020-CIV-SCOLA (S.D. Fl.) (available here), when U.S. District Court Judge Robert N. Scola, Jr. issued the very first post-trial web accessibility verdict, finding that grocer Winn-Dixie violated Title III of the Americans with Disabilities Act (ADA) by having a website that was inaccessible to visually impaired consumers. Judge Scola ordered injunctive relief, providing the parties with a draft three-year injunction, and also awarded Gil his attorneys’ fees and costs.

Although this decision carries no precedential authority over other federal courts or judges, including those in the Southern District of Florida, the decision remains significant for businesses trying to defend themselves against web accessibility claims.

Background

Like most website accessibility claims, the crux of the Gil action is that the plaintiff, a visually impaired consumer, was allegedly unable to use the services on Winn-Dixie’s website (in this case, downloading coupons, refilling prescriptions, and finding store locations) with the assistance of his screen reader software. Based on his experiences, Gil claimed that Winn-Dixie’s website violated Title III of the ADA, because it was inaccessible to the visually impaired. The complaint was filed on July 12, 2016.

Although the Winn-Dixie suit was one of Gil’s first website accessibility claims, it has been far from his last. Since April 2016, he has filed similar suits against more than 60 other retailers, all in the Southern District of Florida. Scott Dinin, his counsel in each of these actions, is a leading player in the web access arena.

On October 24, 2017, Winn-Dixie filed a motion for judgment on the pleadings, requesting that the court dismiss the case on the grounds that a website is not a place of public accommodation pursuant to Title III of the ADA. Winn-Dixie’s motion prompted the United States Department of Justice (DOJ) to file a Statement of Interest, which noted that Winn-Dixie’s argument could not “be squared with the plain language of the statute, the regulations, or with federal case law addressing this issue.” The DOJ continued:

Because the United States respectfully submits this Statement of Interest to clarify public accommodations’ longstanding obligation to ensure that individuals with disabilities are not excluded, denied services, or treated differently than other individuals because of the absence of auxiliary aids and services, such as accessible electronic technology. This obligation means that websites of places of public accommodation, such as grocery stores, must be accessible to people who are blind, unless the public accommodation can demonstrate that doing so would result in a fundamental alteration or undue burden.

On March 15, 2017, Judge Scola rejected Winn-Dixie’s Motion, explaining that Gil had alleged sufficient facts that, if proven at trial, would demonstrate a “nexus” between Winn-Dixie’s physical store locations and its website that would place the website within the purview of Title III.

The case went to trial on June 5, 2017. The two-day, non-jury trial included testimony by Gil, Gil’s website accessibility expert, and a corporate representative from Winn-Dixie who had knowledge about its website applications.

The Court’s Order: Websites That Operate as a “Gateway” to Physical Store Locations Are Places of Public Accommodation Covered by the ADA

Judge Scola issued an order in favor of Gil on June 12, 2017. Judge Scola held that Winn-Dixie violated Title III of the ADA by failing to provide an accessible public website and, thus, denying individuals with disabilities the “full and equal enjoyment” of its website.

The ruling expressly avoids deciding whether Winn-Dixie’s website, itself, is a place of public accommodation. Instead, the court reasoned that because Winn-Dixie’s website “is heavily integrated with Winn-Dixie’s physical store locations,” the website is considered a place of public accommodation under Title III as it “operates as a gateway to the physical store location.” The court noted that a customer’s ability to download coupons, locate stores, and refill prescriptions on the website sufficiently demonstrated a nexus between the website and physical store locations.

In finding that Winn-Dixie’s website is inaccessible to visually impaired users, the court adopted the Web Content Accessibility Guidelines (WCAG) 2.0 as the accessibility standard that Winn-Dixie must follow to make its website ADA compliant. Even though the guidelines have not been formally adopted by the DOJ, Judge Scola’s ruling confirms that WCAG 2.0 is the leading industry standard for accessibility. (We have previously recommended, in “Online Retailers Increasingly at Risk of Website Accessibility Lawsuits,” that online retailers endeavor to meet WCAG 2.0 standards.)

The court expressly rejected Winn-Dixie’s argument that the cost of remediating the website, which Winn-Dixie estimated to be $250,000.00, was an undue burden. In response, the court stated that whatever the cost of remediation may be, it “pales in comparison to the $2 million Winn-Dixie spent in 2015 to open the website and the $7 million it spent in 2016 to remake the website for the Plenti [customer rewards] program.”

Notably, and of significant import to retailers facing such claims, the court did not limit the reach of its order to only those portions of Winn-Dixie’s website that it operates internally. The court specifically held Winn-Dixie responsible for the entire website’s lack of accessibility, notwithstanding the fact that portions of the website are operated by third-party vendors such as Google and American Express. The court explained, “[m]any, if not most, of the third party vendors may already be accessible to the disabled and, if not, Winn-Dixie has a legal obligation to require them to be accessible if they choose to operate within the Winn-Dixie website.”

Lastly, the court provided the parties with a draft injunction, ordering Winn-Dixie to do the following, among other things:

  • Adopt and implement a web accessibility policy that ensures that its website conforms with WCAG 2.0 criteria;
  • Require any third party vendors who participate on its website to be fully accessible to the disabled by also conforming with WCAG 2.0 criteria;
  • Display a publicly available Statement of Accessibility on the website;
  • Provide mandatory training, once a year, to all employees who write or develop programs or codes for the website on how to conform all web content and services with WCAG 2.0 criteria; and
  • Conduct web accessibility monitoring of its website once every three months to identify non-compliance with WCAG 2.0 criteria.

Gorecki v. Hobby Lobby Serves Further Blow to Online Retailers

On June 15, 2017, just a week after the Gil decision was issued, Judge John F. Walter of the Central District of California denied a motion to dismiss website accessibility claims in Gorecki v. Hobby Lobby Stores, Inc. (Case No.: 2:17-cv-01131-JFW-SK). Hobby Lobby argued in its motion that because the U.S. Department of Justice had not promulgated final website accessibility regulations under Title III setting forth specific accessibility standards, it would violate due process to grant injunctive relief, since Hobby Lobby did not have sufficient notice of the need to make its website accessible. Hobby Lobby also argued the action should be dismissed under the primary jurisdiction doctrine which, if applied, would hold that the court should not rule on website accessibility issues until DOJ promulgates and adopts regulations. In the past, these arguments have failed in the context of website accessibility, but their potential viability was recently revisited after Judge James S. Otero of the Central District of California dismissed a website accessibility action on these same grounds in Robles v. Dominos Pizza LLC (Case No.: 2:16-cv-06599-SJO-FFM).

The Court in Gorecki rejected each of Hobby Lobby’s arguments. With regards to Hobby Lobby’s claim that it lacked sufficient notice, the court emphasized that DOJ has articulated its position that Title III requires website accessibility for over 20 years — in speeches, congressional hearings, amicus briefs and Statements of Interest, rulemaking efforts, and enforcement actions and related settlement agreements — and that regardless, Title III has always required “full and equal enjoyment” and the provision of “auxiliary aids and services for ‘effective communication.’” The court also rejected Hobby Lobby’s argument that the primary jurisdiction doctrine should apply, stating that the case could be handled like other Title III matters, and that invoking the doctrine could needlessly delay potentially meritorious claims.

Conclusion

Although the Gil and Gorecki decisions are not binding, both decisions highlight the risks of litigating website accessibility claims, particularly in instances where there is a nexus between the business’ website and its physical store location.

If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com.

Rallying Cry: Health Care Cybersecurity a Key Public Health Concern

On June 2, 2017, the Health Care Industry Cybersecurity Task Force published its Report on Improving Cybersecurity in the Health Care Industry. The lengthy and comprehensive Report serves as a wake-up call to the medical field, taking seriously the threat of cyber-attacks targeting health care providers, the dangers created by increasing digital interconnectivity in the medical field, and the industry’s shortcomings in its ability to handle the cyber-related challenges it presently faces. The House Energy and Commerce Subcommittee on Oversight and Investigations held a hearing on June 8 on the report and HHS’ greater role in cybersecurity efforts.

The Task Force was established by Congress as part of the Cybersecurity Act of 2015 and created to address cybersecurity issues facing the healthcare industry following an increase in identity theft, ransomware, and hacking. Healthcare leaders across the public and private sector worked closely together and with the general public over the course of a year, and this Report reflects their findings. It acknowledges that despite significant cybersecurity risks facing and created by the health care industry’s recent and ongoing transition to wholesale use of interconnected medical devices, most healthcare providers fail to take accountability for the security risks they help create. The Report calls upon healthcare organizations to take responsibility for securing themselves and the data they collect, and identifies six key imperatives for providers to follow in preparing to meet what the Report deems “an urgent challenge.” These imperatives are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

The Report highlights the danger of patient information falling into the wrong hands, noting that healthcare data can be misused for fraud, identity theft, supply-chain disruptions, theft and sale of proprietary information, stock manipulation, and disruption of patient care. It focuses on the nature of the healthcare industry itself, a “large, diverse, and open” conglomerate subject to “a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions,” and emphasizes the industry’s unique sharing culture, whereby healthcare professionals prioritize the speedy, seamless treatment of patients at the risk of opening themselves up to increased cybersecurity risks.

As discussed in our May 13, 2017 Alert on Ransomware, being proactive is often easier and less costly than a reactive approach. Cyber risks continue to present a fast-evolving landscape, especially in the healthcare area. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. A health care entity that knows those risks and controls the data that flows within and outside its walls will be better equipped to protect sensitive data and mitigate possible security incidents.

If you are concerned that your business needs help combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Kimberly Cook (305.671.2159) or kimberly.cook@sedgwicklaw.com or Alexandra Block (305.671.2167) or alexandra.block@sedgwicklaw.com.

ALERT – OCR Issues Quick Response Cyber Attack Checklist and Graphic

In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS), discussed in Cinthia Motley’s May 13, 2017 Alert: Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights (“OCR”) issued a Quick Response Cyber Attack checklist and graphic on June 9, 2017. The checklist and the corresponding infographic outline the following steps a HIPAA covered entity and business associates need to consider taking in response to a cyber-related security incident:

  1. Execute its response and mitigation procedures and contingency plans.
  2. Report the crime to law enforcement agencies.
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
  4. Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

While all of these steps may not necessarily apply to all situations, we recommend that HIPAA covered entities and business associates review their current IRP and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal agencies and ISAOs. As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined that no breach occurred.

If you are concerned that your business does not have the proper IRP or needs assistance in developing one, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com, or Carol Gerner (312) 849-1959 or carol.gerner@sedgwicklaw.com.

Executive Order Directs Federal Agencies to Put Their Own Houses in Good Cybersecurity Order

On May 11, 2017, the White House issued an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order mandates that federal department and agency heads take an active role in reviewing, improving, and modernizing cybersecurity risk management, and stands as a major action toward enhancement of cybersecurity in the wake of high-profile federal agency breaches such as those of the Office of Personnel Management and of the IRS in 2015, and an election riddled with headlines of hackers releasing sensitive information taken directly from government agencies.

A hallmark of the Order is that it places cybersecurity responsibility squarely on department and agency leaders, laying out a series of reporting and reviewing deadlines that synthesize and build upon the Cybersecurity Framework and other measures first implemented by previous administrations. The Order seems poised to prioritize modernization in the area by moving away from “antiquated” and “difficult-to-defend” IT systems and exploring the possibility of upgrading to shared IT services and use of the cloud. It also emphasizes the importance of training and educating in the field of cybersecurity, to help prepare for and combat future threats.

Overall, the order is seen by many as a big step towards holding federal agencies responsible for the same cybersecurity assessments and measures that they expect and require of the entities they regulate. Despite government vulnerability to cyberattacks, generally government agencies have not previously been held as accountable for the same vulnerabilities they investigate in the private sector. By not only requiring that federal agencies now utilize the cybersecurity framework promulgated by The National Institute of Standards and Technology (“NIST”) in the prior administration, but also by requiring department and agency heads to take an active role in reviewing and reporting on compliance with the framework, the Order focuses on holding agencies accountable and, as one White House spokesperson put it—asking them to practice what they preach.

Some commentators feel that the order does not go far enough, with one Senator calling it simply a “plan for a plan,” which prioritizes further review and reporting over actual action against real-time threats. What also remains to be seen is whether the short, ninety-day reporting timeframes mandated by the order are workable, and whether the changes that will result from the report and review periods will be financially feasible for the agencies, and also for the private-sector companies that do business with them and will likely be subject to increased scrutiny as well. Other concerns voiced center on the provisions directing that the Secretary of Defense, as well as the Directors of National Intelligence and the FBI, will be involved in efforts to support the cybersecurity risk management of owners and operators of the Nation’s critical infrastructure, and the impact that will have on the privacy of personal information maintained by the various agencies.

In the meantime, the Order serves as an important step to hold the federal government responsible for its own cybersecurity and to prioritize cybersecurity at a time when it is clearly needed.

ALERT: Ransomware – a Global Wake-Up Call

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack

On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that:

HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems. We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cyber security best practices – particularly with respect to email. (Emphasis added).

This alert comes on the heels of Friday’s global ransomware attack, which has spread to nearly 100 countries. The attacks are being blamed on malware called WCry, WannaCry or Wana Decryptor.

So what measures can your company take to protect itself in the event of a ransomware attack?

If a company is infected with ransomware, it faces two hard choices: either pay a ransom to unknown criminals or try to restore its systems, if possible. With either option a company faces risks. Thus, prevention and pre-breach planning are key, including taking the following steps:

Update systems and software with current patches: Ransomware spreads easily when it encounters unpatched or outdated software. The HHS has noted that the WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). Microsoft also just released an emergency security patch update for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. In addition, keeping computer operating systems and antivirus software up to date adds another layer of defense that could help stop malware.
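The SMBv1 point above is one a Windows administrator can verify on each host rather than take on faith. The PowerShell below is an added example, not part of this Alert or of any HHS or Microsoft guidance quoted here. It assumes a Windows 8 / Server 2012 or later host where the built-in Get-SmbServerConfiguration and Set-SmbServerConfiguration cmdlets exist (the unsupported versions named above, such as Windows XP and Server 2003, lack them and can only be patched); the function names Get-Smb1Status and Disable-Smb1 are the example’s own.

```powershell
# Added example (not from the Alert): audit whether the SMBv1 server protocol is
# still enabled on this host and, if asked, turn it off. Assumes Windows 8 /
# Server 2012 or later, where the SmbShare cmdlets are available.
function Get-Smb1Status {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = 'Unknown'
    }

    # On client SKUs SMBv1 also ships as an optional Windows feature. The query
    # needs elevation and the cmdlet is absent on some server builds, so fall
    # back to 'Unknown' instead of failing the audit.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeatureState = $feature.State.ToString() }

    [pscustomobject]$result
}

function Disable-Smb1 {
    # SupportsShouldProcess gives the caller -WhatIf / -Confirm for free, so the
    # change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $status = Get-Smb1Status
    if (-not $status.Smb1ServerEnabled) {
        Write-Verbose "SMBv1 server protocol already disabled on $($status.ComputerName)"
        return $status
    }

    if ($PSCmdlet.ShouldProcess($status.ComputerName, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Re-read the configuration so the returned object reflects the real state.
    Get-Smb1Status
}

# Usage: audit first, then preview the change with -WhatIf before running it
# for real from an elevated session.
Get-Smb1Status | Format-List
Disable-Smb1 -WhatIf
```

Disabling SMBv1 is a configuration hardening step that complements, rather than replaces, installing the Microsoft patch: hosts that still need the protocol for legacy devices should be patched and tracked, and the audit output above gives a per-host record of which state each machine is in.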

Refresh, Review, Retrain: To protect your company from a ransomware attack, properly train employees on cybersecurity. Authorized users can expose a company the most when it comes to cybersecurity risks. This includes employees who are vulnerable to social engineering and phishing attacks. Thus, train employees to identify phishing attacks and to perform proper authentication of third parties before providing them with data or access to the network.

Data Access Controls: Granting users access to data and systems minimally necessary to do their jobs and closely monitoring access controls can help contain the spread of initial infections.

Implement Data Loss Prevention (DLP) and Intrusion Detection Systems: Quickly identifying potential infections with intrusion detection systems can allow a company to rapidly isolate infected servers and/or endpoints (computers), also preventing the spread of initial infections. Using data loss prevention tools companies can enforce protection policies, and administrators can secure sensitive business data and prevent illegal access to data.

Implement Regular and Offsite Data Backups: In the event of a ransomware attack, decryption keys are not always provided even when ransoms are paid. Backups stored on the same infected server are often encrypted along with the primary data. Thus, regular data backups that are continually tested to ensure they can be restored if needed are important to help a company recover its data, resume operations and avoid paying a ransom demand. It is equally important that backups be stored offsite.

Implement, practice and update incident response and business continuity plans: Having a tested incident response plan will help an organization quickly respond to a security incident. While many organizations have information security procedures in place, it is important that those plans and procedures be reviewed to address a potential ransomware attack. Similarly, perhaps the biggest impact of a ransomware attack is the downtime an organization may face, even causing business functions to come to a halt. Thus, it is critically important that companies update their business continuity plans to specifically address ransomware.

Quickly deploy the incident response team and protect privilege: Quick incident response team deployment is essential when faced with a ransomware attack. This should include having legal, forensic and public relations consultants, as well as law enforcement contacts, identified before a security incident occurs. Top-level awareness is equally important, as crisis management decisions will need to be made quickly, such as: whether the ransom demand will be paid and, if so, who should negotiate the ransom payment; how and when to notify law enforcement; as well as any internal or external communication necessary. As these decisions may greatly impact a company’s business, financial and legal obligations, it is critically important that in-house or outside legal counsel be involved from the outset to advise and guide the organization, including in the retention of outside consultants. This is the best measure to help protect attorney-client privilege as company executives are forced to navigate quickly through important decisions for the organization.

In short, being proactive is often easier and less costly than a reactive approach. Cyber risks present a fast-evolving landscape. Data loss through cybercrime and internal risks represents an increasing business exposure. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside its walls can best remain competitive in its marketplace. Using this knowledge, a company can most efficiently protect sensitive data and quickly respond to security incidents.

If you are concerned that your business needs help with combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley (312) 849-1972 or cinthia.motley@sedgwicklaw.com.