Sedgwick LLP Cinthia Motley Named Illinois Cybersecurity Litigation Lawyer of the Year

Sedgwick LLP is pleased to announce that Cinthia Granados Motley, partner and co-chair of the firm’s Cybersecurity and Privacy Group, was named the 2017 Corporate International Global Awards Cybersecurity Litigation Lawyer of the Year in Illinois.

In her legal practice, Motley handles data privacy and security matters, assisting clients, domestically and internationally, in implementing effective information security practices, including information governance and litigation readiness. She represents clients in data security and privacy matters and routinely acts as incident response counsel to large international entities, as well as privacy litigation counsel.

Motley is a sought-after, recognized attorney in the critical area of cybersecurity and privacy law and is honored to be recognized for her work. She was selected as a Super Lawyers Top Women Attorney in Illinois and a Super Lawyers Rising Star in 2012 – 2013, and was named one of The National Law Journal’s Cybersecurity and Data Privacy Trailblazers. She also serves as an adjunct professor at Chicago-Kent College of Law, teaching data management, information governance and e-discovery.

Preparing for PIPA — Data Protection and Implications for the Insurance Industry

On 2 December 2016, the administrative provisions of the Personal Information Protection Act 2016 (PIPA; the Act) came into force establishing the office and powers of the Privacy Commissioner and providing for the method of appointment of the Privacy Commissioner. The substantive provisions of the Act will not come into force until 2018.

One objective of Parliament in passing the Personal Information and Protection Bill was to put in train the process by which Bermuda may seek a data protection adequacy determination from the European Commission. An adequacy determination will be of considerable assistance to Bermuda reinsurers, for example, who need to import personal data from Europe for underwriting and claims-related purposes.

The resolution of the European Parliament in May 2016 regarding the ongoing negotiations of the EU-US Privacy Shield, an arrangement intended to replace the now defunct ‘safe harbour’ decision, emphasised that, for a non-EU country’s adequacy application to succeed, the holder of the office responsible for administering and enforcing domestic personal information protection legislation should be independent from government. This fact was explicitly acknowledged by the Minister for Economic Development in his ministerial statement on 3 February 2017, announcing the commencement of the administrative provisions of the Act on 2 December 2016. The Minister said ‘the creation, staffing and operations of the Commissioner’s office will be done in a manner to ensure full compliance with those requirements’.

Insurers and insurance managers, agents and brokers, in common with all organisations, will need to adopt suitable measures and policies to give effect to their obligations and to the rights of individuals set out in the Act, when the substantive provisions come into force. It will be difficult to craft measures and policies to ensure compliance until the Privacy Commissioner (once appointed) has published guidance or the Minister for Economic Development has issued a code of conduct, but insurers and insurance managers, agents and brokers should be familiarising themselves with the Act’s substantive provisions now.

Overview of PIPA

The Act applies to every organisation that uses personal information in Bermuda where the personal information:

  • is used wholly or partly by automated means, or
  • forms, or is intended to form, part of a structured filing system.

‘Personal information’ is information about an identified or identifiable individual.

When the substantive provisions come into force, organisations must not use personal information unless one or more of the conditions of section 6 of the Act are met.

‘Using’ personal information ‘means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it’.

There are some exclusions from the regulation of the use of ‘personal information’, such as the ‘use of business contact information for the purpose of contacting an individual in his capacity as an employee or official of an organisation’. However, whether all of the personal information used about an individual is ‘business contact information’ is likely to be hard to determine in some cases.

In practice, organisations are likely to seek to premise their lawful use of personal information predominantly on the satisfaction of condition (1)(a) of Section 6 of the Act, which requires obtaining the knowing consent of the individual. This is because compliance with the condition can be tested objectively.

Other conditions of use may also be of practical assistance to organisations, for example, where use is necessary for the performance of a contract to which the individual is a party, or is pursuant to a provision of law that authorises it, or is in relation to publicly available information. But assessing compliance with these conditions will involve a greater degree of judgment than testing for consent.

Personal information (other than sensitive personal information) may also be used where a reasonable person, giving due weight to the sensitivity of the personal information, would consider that the individual would not reasonably be expected to request that the use of his personal information not begin or cease, and the use does not prejudice the rights of the individual.

Since it will be difficult for organisations to anticipate in any given case whether this condition is fulfilled, it is likely to be used more as a last resort in connection with uses that would otherwise have been unlawful, rather than relied on by organisations as a general rule for ensuring their compliance with the Act.

When the substantive provisions of the Act come into force, organisations will be required to:

  • Safeguard personal information.
  • Only use it in a lawful and fair manner.
  • Provide individuals with privacy notices about the organisation’s practices and policies with respect to personal information; the organisation must take reasonably practicable steps to ensure these notices are provided either before or at the time of collection of personal information.
  • Except with the consent of the individual, or where necessary to provide a service or product that is required by the individual, or in certain other circumstances, use personal information only for the specific purpose stated in the privacy notice.
  • Ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use and kept no longer than is necessary for that use.
  • Not transfer personal information to an overseas third party unless it reasonably believes the personal information will be subject to a level of protection comparable to that required by the Act.

There are penalties under the Act for certain breaches and for financial loss and emotional distress:

  • On summary conviction, an individual is liable to a fine of up to $25,000, imprisonment for up to two years, or both.
  • On conviction on indictment, a person other than an individual is liable to a fine of up to $250,000.

The Privacy Commissioner, when appointed, will have various powers which may be used to assist insurers and insurance managers, agents, and brokers in confirming what they must do to comply, including powers to:

  • Comment on the implications for protection of personal information in relation to an organisation’s existing or proposed programmes.
  • Approve binding corporate rules for transfers of personal information to an overseas third party.
  • Give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under the Act.
  • Permit an organisation to transfer personal information to an overseas third party where the organisation has reasonably demonstrated that it is unable to assess the level of protection provided by the overseas third party for that personal information, provided the transfer does not undermine the rights of the individual.
  • Establish certification mechanisms that can demonstrate compliance with the Act.

In addition, as noted at the start of this article, the Minister with responsibility for the Act (currently the Minister for Economic Development) may publish codes of practice.

Consequential amendments to other legislation necessary to implement the Act are expected to be tabled later this year.

Nick Miles
Head of Non-Contentious Insurance
Sedgwick Chudleigh
nick.miles@sedgwicklaw.com 441.278.7164 direct

Mark Chudleigh
Managing Partner
Sedgwick Chudleigh
mark.chudleigh@sedgwicklaw.com 441.278.7160 direct

Alex Potts
Partner
Sedgwick Chudleigh
alex.potts@sedgwicklaw.com 441.278.7165 direct

Privacy and Security — How the 115th Congress’ Repeal of the FCC’s New Privacy Rules Has Made Your Data Less Private and Decreased National Security

Between news reports featuring Russian-gate scandals, Syrian missile attacks and challenges to North Korea, one important news item went oddly underreported: the loss of our privacy and security at the hands of the new Congress.

FCC’s new privacy rules

In October 2016, the Federal Communications Commission passed new rules that would have required Internet Service Providers (ISPs) to obtain your permission before using your data in ways that effectively invade your privacy rights. The rules would have kept providers such as Comcast and Time Warner Cable from monetizing personal information based upon browser history. This history may include activity such as your searches, shopping habits and even secret obsessions. ISPs can insert adware that is undetectable, tracks your traffic and records your browsing history. This generates valuable data for the ISP, maximizing its profits and leaving you vulnerable.

On October 27, 2016, in a 3-2 vote, the FCC approved new rules regarding how ISPs handle their customers’ browsing history, mobile location data and other sensitive information generated by virtue of their customers’ use of the internet.

The purpose of the new rules was to restrict ISPs’ ability to share with advertisers and other third parties information collected from users. This was viewed by many as a big victory for privacy rights advocates. However, these rules are one of the more immediate victims of the November 8, 2016 election, which brought Republican control to both Congress and the White House.

The FCC’s new rules effectively created some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have had significant impact on ISPs’ ability to make a profit.

The new rules required an opt-in standard for third-party data uses. This is significant because historically in the U.S., privacy guidelines require only that users opt-out of data uses such as ad targeting based on behavioral data.

Also, not all internet entities were covered by the new FCC rules. The rules affected only companies that connect users to the internet, including Comcast, Verizon and Sprint. The rules did not apply to internet companies that have huge advertising businesses based on customer data, such as Facebook or Google. Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules would have been a shift of revenue and power away from ISPs and towards the already dominant internet giants.

The 115th Congress

In March of this year, the House and the Senate voted to overturn the not-yet-implemented FCC new privacy rules. This was considered a victory for ISPs, which argued against regulation since it disadvantaged them compared to non-ISPs.

Congress’ action not only upsets privacy rights advocates and impacts the privacy rights of individuals, but it also impacts cybersecurity for the entire nation. Although this didn’t make a big splash in the news, it is important that the American public understand that not only is individual privacy compromised, but cybersecurity is weakened, because privacy and security are linked together. Privacy is characterized by control over access to information, and so is security — by blocking the FCC’s more stringent privacy rules, Congress has weakened cybersecurity for all Americans.

Security: ISPs have a bad track record on security

Your ISP continually collects huge amounts of data such as search results, places you visit on the internet (dates and times), how often you visit and how long you are on a particular site. This is your web browsing history. ISPs also record financial and personal information or data via your transactions on the web through your browser.

ISPs do not have a great track record of keeping information safe. In fact, there have been a number of high-profile breaches, such as the AOL breach involving the data of more than 500 million users. Recently, Comcast suffered a large breach involving the data of almost 600,000 users. The new rules would have required ISPs to obtain opt-in consent before providing your information to third parties. This would have reduced the treasure trove of data now held by the ISPs, thereby reducing the exposure to a breach of personal data.

In addition to obtaining credit card and other financial data, hackers can pinpoint the browser history of each individual, which may then be used to blackmail that individual.

Insertion of adware and spyware weaken security

A number of ISPs insert adware and spyware into their customers’ browsers, which generates targeted advertising. For purposes of this article, we will refer to adware and spyware, which are not very different in terms of invasiveness or functionality, as just adware. ISPs insert adware into browsers that analyzes browsing history in order to customize ads specifically for you.

The insertion of adware into a browser is a major threat to cybersecurity because inserting new code into a webpage can break the security of that page. The new FCC privacy rules would have ended this practice. In basic security terms, hackers take advantage of the weakness introduced by the insertion process to break into sites and applications that you use. It gives hackers an easy way in.

A related security issue comes from ISPs installing adware on devices, such as mobile phones, which most of us purchase directly from the service provider as part of a service agreement. In the past, ISPs have justified the installation of adware on the basis that it improved wireless network service and performance. After a lot of blowback, ISPs backed down on pushing the adware application. ISPs will likely revert to placing adware on mobile devices, since the Congressional repeal of the FCC privacy rules effectively removes the FCC as a privacy watchdog. Adware can record virtually all of your phone’s functions, including system logs, app usage and other communications. Any adept hacker can intercept the adware’s traffic and obtain sensitive information such as usernames and passwords without much in the way of sophisticated hacking. A hacker can hijack your phone entirely and access almost anything, including your contacts, phone numbers and call history logs.

Conclusion

The Congressional repeal of the FCC privacy rules will have security implications far beyond what was ever envisioned or intended. Without these privacy rules, ISPs will continue with impunity to sell user browser data and will likely resume dangerous practices such as inserting adware into mobile devices. Since there is no opt-in requirement, many consumers are unaware of these issues. Most users simply ignore or click through agreements without being aware of what is happening behind the scenes. The negative security implications of the repeal of the FCC rules are far reaching and have long-lasting consequences for personal privacy and national security. The end result is simple — repealing the FCC’s privacy rules will not just be a disaster for Americans’ privacy, it will be a disaster for America’s cybersecurity, too.

Originally published on Law360, April 26, 2017 (subscription required). Posted with permission.

Pay Up or Else: Hacker Holds Television Network to Cyber Extortion Over Unreleased Shows Stolen From a Third Party Production Company

Television dramas have consistently shown us that authorities do not negotiate with kidnappers and refuse to pay ransom. “Ransom”, a television series on CBS, portrays a team that works to resolve ransom cases, including, in the recent season finale, a ransom demanded by a hacker. In an updated twist on this television plot, this time on the real-world stage, a television network has reportedly been held to cyber extortion by a hacker over unreleased television shows and has refused to pay the ransom. For the cliffhanger, other networks are threatened to be the next targets. While this mind-boggling “life imitates art” drama appears slated for further episodes, what should be center stage, from a cybersecurity standpoint, is that the compromised security was that of a third-party vendor.

A hacker (or a group of hackers) operating under the name “The Dark Overlord” claims to have stolen unreleased episodes of the Netflix hit series “Orange is the New Black.” During the past weekend, the hacker reportedly released ten episodes of this series to a pirate internet site when Netflix did not meet its ransom demands. The hacker said in a Twitter post: “It didn’t have to be this way, Netflix. You’re going to lose a lot more money in all of this than what our modest offer was.” The hacker then claimed to have stolen unreleased content from other networks, including ABC, Fox, National Geographic and the Independent Film Channel (IFC) – suggesting that additional releases are coming. “Oh, what fun we’re all going to have,” the hacker posted on Twitter. “We’re not playing any games anymore.”

In a statement, Netflix said: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” According to news sources, the breach reportedly occurred at Larson Studios, which operates in the heart of Hollywood “as a full-service Audio Post Production company specializing in digital mixing for High Definition television, film and multimedia.”

While the matter remains under investigation, the details of the compromise have not been released. So far, this appears to be a case of alleged extortion involving stolen files, but not ransomware. (Ransomware is a more pervasive cybersecurity threat which also involves extortion, but which encrypts files so that the user is prevented from accessing them until a ransom fee is paid, unless the files can be recovered from backup.) This is further suggested by the hacker’s history: it made headlines last year for allegedly stealing patient health information records from healthcare organizations and demanding ransom to avoid the sale of the records on the dark web.

Whatever the details of the compromise turn out to be, this serves as a cautionary tale of the threat to a business when its information is in the hands (or, here, in the computers) of a retained third party. And while this is being played out in the entertainment industry, where secrecy (for that suspense factor) is essential, secrecy is fundamentally also critical to most other businesses. The message here is clear: cybersecurity threats are ever-evolving, and this latest episode is another example that a company’s vulnerability to cyber events may depend not only on its own security but also on that of its vendors. Companies should consider evaluating whether they are prepared for cyber extortion, including whether their incident response plans are current enough to properly address these emerging risks.

Other States Start to Follow New York Lead on Cybersecurity of Regulated Entities

Last fall, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (“DFS”) proposed cybersecurity regulations that were designed to “promote the protection of customer information and information technology systems of regulated entities.” Regulated “Covered Entities” were defined to mean any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York. The regulations went into effect March 1, 2017, after a delay in enforcement resulting from comments by the affected industries, during a notice and comment period, about the hardships that the initial regulations would have imposed. The final version provides greater flexibility and discretion for businesses regulated by DFS, allows Covered Entities to tailor a cybersecurity program that fits their business needs, and includes transition periods (180 days for most provisions, longer for others). The final version is codified under N.Y.C.R.R. Part 500 (“the Regulation”). The details are discussed further below.

Other states are now starting to follow New York’s lead in mandating at least some degree of cybersecurity assessment for entities subject to state regulatory oversight. Colorado, for example, scheduled a hearing for May 2, 2017, on proposed regulations targeted at financial investment advisors. While these advisors are already subject to federal regulation, as the Securities and Exchange Commission requires the financial advisers it regulates to have written cybersecurity policies in effect, the proposed state regulations would impose additional obligations, including an annual assessment of cybersecurity exposures. While the New York regulation would apply to financial advisors if they are licensed by the state, for example as an insurance broker or agent, it is not targeted at them.

The New York Regulations, and the proposed Colorado regulations, demonstrate that for financial institutions, cybersecurity compliance means satisfying state requirements as well as any federal ones that may also apply, and the state ones may be more explicit and specific. This, of course, is in addition to the general cybersecurity requirements that already exist in many states for the protection of personally identifiable information of individuals, although those are often more general than the new regulations that state agencies overseeing financial institutions, such as the NY DFS, are putting into place.

Overview of New York Regulation

As New York is in the forefront of state regulation of cybersecurity of financial institutions, its provisions are likely to be a model for other states too. They serve as an important reminder that senior management must keep a close eye both externally at state and federal emerging requirements for cybersecurity, and internally on the implementation of appropriate and compliant programs for their organizations.

The following is a summary of the significant provisions adopted in the final New York Regulations that highlight corporate responsibility, including Board involvement, for developing and maintaining a cybersecurity program, and the reporting requirements associated with such a program:

  1. The final regulations incorporated significant flexibility with respect to the requirements of a Covered Entity’s cybersecurity program. It is now permitted to adopt a cybersecurity program maintained by an “Affiliate”—a person under its control—instead of establishing its own cybersecurity program, so long as the Affiliate’s program meets the requirements of the Regulations.
  2. A qualified individual must now be designated to act as the Chief Information Security Officer (“CISO”) to oversee the implementation and enforcement of the cybersecurity program. The Covered Entity may utilize a person employed by a Third-Party Service Provider or an Affiliate to carry out these responsibilities, so long as someone in a senior position at the Covered Entity will supervise them. However, the Covered Entity itself must have sufficient, trained personnel to meet and execute the requirements of the cybersecurity program.
  3. Annual reports must be made by the CISO to the Covered Entity’s Board of Directors, which includes information regarding the cybersecurity program and policy, any existing cyber threats, the state of the Information Systems, and any Cybersecurity Events that have occurred in the preceding year.
  4. The sections regarding penetration testing and vulnerability assessment were changed to require that Covered Entities conduct annual penetration testing—a change from quarterly testing—based on identified risk. In addition, Covered Entities are now required to conduct biannual vulnerability assessments. Further, monitoring and testing of their cybersecurity program must now be done “periodically,” as opposed to annually. This is consistent with the new requirement that Covered Entities set up written policies and procedures regarding risk assessments, and conduct risk assessments periodically instead of annually.
  5. Covered Entities are required to maintain a reduced amount of “audit trail systems” (down from six to three) based upon the Covered Entity’s risk assessment. Systems are to be designed to detect “‘Cybersecurity Events’ that have a ‘reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” A Covered Entity must retain audit trail system records for five years.
  6. The Regulation also sets forth extensive requirements regarding the role of Third Party Service Providers. Covered Entities must now implement written policies and procedures to ensure that system security and the security of Nonpublic Information is protected.  The Regulation outlines the types of issues to be covered in these policies and procedures, including guidelines for due diligence, encryption use, and notice requirements in case of a Cybersecurity Event.
  7. Covered Entities are given some flexibility in reporting a “Cybersecurity Event,” which means an event that would “have a reasonable likelihood of materially harming any part of the normal operation(s) of the Covered Entity[,]” and that is of a type that requires notice to a governmental body. Covered Entities must notify DFS immediately, and no later than 72 hours, after a finding that such an event has occurred.

There are numerous other fairly specific requirements for procedures and reporting, and thus the Regulation should be reviewed carefully by those entities subject to it.

New York, and now Colorado, are probably just the first in the series of states who will be considering and adopting their own scheme of cybersecurity regulation, with federal agencies overseeing various industries also increasingly adding cyber security requirements to their oversight of the entities they regulate. The challenge of compliance with a patchwork of regulations continues, with the most restrictive generally becoming the default standard to be met, as compliance with that will generally be compliance with those that are more general and less rigorous.

* The authors would like to acknowledge the contribution of Danya Ahmed, associate in the Sedgwick LLP New York Office, to this article.

Breach Notification Update: New Mexico becomes the 48th State Requiring Breach Notification and Tennessee Adds a Safe Harbor for Encryption

As the frequency of data breaches continues, so do legislative developments on the notification requirements that must be met in the event of a breach of Personally Identifiable Information (PII). Even now, not every state has enacted such legislation. Until April, there were three holdouts. Now, however, we are down to two: Alabama and South Dakota are the only remaining states that do not have data breach notification legislation. New Mexico, previously the third holdout, has recently joined the majority and enacted its own statute. On April 6, 2017, the Governor of New Mexico signed into law the Data Breach Notification Act (“Act”), 2017. The Act will become effective on June 16, 2017, with several exemptions and carve-outs, and with data protection requirements included, as discussed below.

In another recent development, Tennessee has clarified that the new breach notification statute it enacted last year will include a safe harbor for encrypted PII after all, at least in most situations.

New Mexico

While broad in the scope of PII to which it applies and specific in the number of days within which notification of a breach must be provided (45 days), the New Mexico statute has several exemptions and allows for a “risk of harm” analysis in deciding whether notification is necessary. It also includes data protection requirements, and thus goes beyond breach notification alone. It is also noteworthy in its deference to federal reporting requirements, providing an exemption for persons subject to certain federal statutes.

The statute exempts the State of New Mexico and its political subdivisions from its provisions (Section 12). The provisions of the Act do not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Section 8). This provision of the Act reflects deference to the federal reporting requirements under those two statutes.

While the Act contains similar provisions to those of other states, the following Sections are noteworthy:

* The definition of PII: The statute defines PII as including “biometric data”. This is consistent with the growing trend among states to include biometric data, e.g. the Illinois Personal Information Protection Act, which took effect on January 1, 2017. (Section 2)

* Notification of a Security Breach: Section 6 requires that notification be made in the “most expedient time possible, but not later than forty-five (45) calendar days following the discovery of the security breach, except as provided by Section 9.” Section 9, entitled “Delayed Notification,” is typical of breach notification statutes in providing that notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation, or if delay is necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system. Significantly, Section 6 also includes a risk of harm provision: notwithstanding the provisions of that Section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud. However, the Act does not define what constitutes an “appropriate investigation” or “a significant risk of identity theft or fraud.” When notification is required, it must also be provided to the office of the attorney general (with additional information required, including the number of affected residents) and to the major consumer reporting agencies. (Section 10)

* Disposal of PII: As part of its security provisions, the statute requires that persons who own or license records containing PII of a New Mexico resident arrange for “proper disposal” of those records when they are no longer reasonably needed for business purposes; proper disposal is in turn defined as shredding, erasing or otherwise modifying the personally identifying information to make it unreadable or indecipherable. (Section 3)

* Security Measures for Storage of Personal Identifying Information: The statute requires that a person that owns or licenses PII of a New Mexico resident “implement and maintain security procedures and practices appropriate to the nature of the information to protect the personally identifying information from unauthorized access, destruction, use, modification or disclosure.” (Section 4) While this gives some discretion as to what is appropriate, it remains to be seen what the regulator will end up considering appropriate.

* Service Provider Use of PII – Implementation of Security Measures: The statute mandates that a person that discloses PII of a New Mexico resident pursuant to a contract with a service provider require “by contract” that the service provider also implement and maintain reasonable security procedures. (Section 5)

* Attorney General Enforcement – Civil Penalty: Section 11 allows the Attorney General to bring an action on behalf of individuals and in the name of the state of New Mexico for alleged violations of the Act and to seek injunctive relief, as well as damages for actual costs or losses, including consequential financial losses. In addition, for knowing or reckless violations of the Act, the court may impose civil penalties up to a maximum of $150,000.

Tennessee

The Tennessee legislature recently amended its data breach notification statute to restore the encryption safe harbor in the definition of “personal information.” When Tennessee initially amended its data breach notification statute last year, it eliminated the encryption safe harbor provisions from the existing statute. Without this recent amendment, Tennessee would have required data breach notification even when the personally identifiable information lost was encrypted. While this was apparently out of concern arising from reports of situations in which hackers were at times able to decrypt files, it gave rise to a counterbalancing concern that it would disincentivize companies from encrypting data. A reasonable level of encryption is still considered a good safeguard against most hacking, and thus the safe harbor was restored, at least where the encryption key is not also taken.

Keep an Eye on State Legislative Developments

As data breaches of Personally Identifiable Information continue to expand the types of information targeted and the security measures circumvented, state legislatures, in an effort to protect their residents, are now often reviewing their statutes directed at data security and breach notification to see if they are keeping up with those developments. Definitions of protected personal information are being expanded by many states, and many are also adding data security requirements, either by way of safe harbors from breach notification or by express directives as to minimum data security procedures. Entities that own or hold Personally Identifiable Information need to monitor legislative developments that may impact data breach security and notification requirements and take them into account in their breach preparedness and response plans. This ongoing monitoring will help ensure compliance with statutory requirements and minimize the regulatory and legal liability issues that may arise in the event of a data breach when requirements are not satisfied.


Sedgwick’s Cybersecurity Team Nominated for Advisen’s 2017 Cyber Risk Awards — Votes Welcomed!

Advisen, a leading provider of technology solutions for insurance companies, has short-listed Sedgwick’s Cybersecurity & Data Privacy group for their Fourth Annual Cyber Risk Awards. Specifically, Sedgwick is a finalist for the Cyber Law Firm of the Year award. The award recognizes the property and casualty insurance industry’s most influential cyber risk professionals.

The Sedgwick Cybersecurity & Privacy Group is a multi-disciplinary group of attorneys with extensive experience working closely with clients to address and reduce their cybersecurity and privacy risks and exposures. These risks affect organizations in every industry we represent, including healthcare, financial institutions, retailers, utilities and manufacturers, among others.

We service clients throughout the U.S. and the U.K. and our Incident Response Team is an approved provider by many of the major insurers. Sedgwick’s Cyber team litigates consumer class actions alleging violations of rights to privacy and consumer protection rights and unfair trade practices, and B2B litigation involving breached entities and their service providers or other third parties involved in the incident.

This is a huge honor, but we need your help and competitive spirit! Please help us by sharing the link below and casting a vote for Sedgwick.

Select Sedgwick LLP in the Cyber Law Firm of the Year dropdown.

Voting ends on Friday, May 19, 2017. Thank you for your support!

“W-2 Phishing Attacks Targeting Businesses to Cash in on Busy Tax Season: 10 Tips to Protect Your Business”

Cyber criminals are taking advantage of tax season to lure valuable W-2 information from vulnerable businesses. A common phishing scheme starts with a scammer posing as a legitimate employee of a company, sending an email that looks like it is coming from an internal email address, often the Human Resources department or the Finance department, or even the CEO of the company. A cyber criminal may even impersonate an employee using stolen personal data from that employee. The email from the scammer attempts to trick the recipient into sending the scammer W-2s, often creating a sense of urgency for a quick response. As we all know, a W-2 contains valuable information such as an individual’s name, address, social security number, salary and withheld taxes. Cyber criminals can use this information to file fake tax returns and pocket tax refunds.

As recently as February 17, 2017, the IRS warned of a new phishing scam in which tax professionals and state tax agencies are sent an email impersonating a software provider with the subject line “Access Locked.” The email tells the recipient that access to the software was suspended due to errors in the recipient’s security details. The email then requires the recipient to “unlock” the software by clicking on a link that directs the recipient to a fake web page, prompting the recipient to provide his/her user name and password, which the scammer uses to steal client information. See https://www.irs.gov/uac/newsroom/security-summit-alert-tax-professionals-warned-of-new-scam-to-unlock-their-tax-software-accounts

Other common ways phishing attacks occur are by: (1) embedding a link in an email that redirects the recipient to an unsecured website that asks for sensitive personal information, (2) including with an email a malicious attachment or ad that allows an intruder to use loopholes in security to obtain personal information, or (3) impersonating a known vendor or an employee over the telephone to obtain company information.

We offer some tips to help prevent succumbing to W-2 phishing attacks that are already plaguing this tax season:

  1. Pick up the phone: If you receive an email asking for a W-2, or hear of someone in your company receiving such an email, verify the authenticity of the request. A simple solution is to pick up the telephone and call the apparent author of the email to ask if he/she indeed asked for a W-2. The same rule of thumb should apply if you receive an email asking for a money transfer or other sensitive information.
  2. Check the sender’s email address for discrepancies: Often an email address from a scammer will look almost like a company’s internal email address, but there might be a spelling error with one letter off, or a period added or taken away. Scrutinize the email address of a sender asking for W-2s to see if there are any discrepancies that might provide a clue that the email is fake.
  3. Don’t just reply, forward instead: Instead of automatically hitting reply to an email from what appears to be a known colleague asking for W-2s or credentials that could be used to obtain W-2s, forward the email to the legitimate email address you have for the person the email appears to come from and ask him/her to verify whether he/she sent the forwarded email.
  4. Redact W-2s: If your business is not required to provide or maintain unredacted W-2s, then redact (black out) all but the last 4 digits of social security numbers on W-2s you generate or maintain. This reduces the sensitive personal information available on the W-2 and makes the W-2s much less valuable if a scammer were ever able to obtain them.
  5. Encrypt W-2s (and all sensitive company information): Even if you cannot redact W-2s, all W-2s and sensitive company information should be encrypted, both at rest and when being transmitted (including in the mobile and “own device” environments).
  6. Train your workforce: Regularly educate and train your workforce on phishing attacks. Test your workforce on the training provided. Phishing attacks work because of human error. Training and testing your workforce to recognize phishing attacks can greatly reduce the risk of a phishing attack succeeding.
  7. Implement and maintain strong information security: Ensure that your company has robust spam filters that are regularly updated, block malicious websites, enable browser add-ons that prevent a user from clicking on malicious links, use antivirus software, and keep all security systems current with updates and patches. Apply all of these security programs to mobile environments and “own devices” to prevent exploitation of vulnerabilities in the mobile environment or arising from “bring your own device” practices.
  8. Restrict access to W-2 information: Ensure that only key personnel have authority to access personally identifiable information, in this case W-2 tax information. Such access should be restricted to only those who require it to perform their job duties.
  9. Restrict outflow of W-2 information: Restrict internal staff’s ability to copy sensitive data into unapproved methods of transmission, such as email and web browsers, including controlling the ability to copy, paste and print sections of documents. Endpoint data loss prevention technology and application controls are available in this area.
  10. Implement, practice and update a Data Loss Prevention (DLP) Program: Cyber risks present a fast-evolving landscape. Data loss through cybercrime and internal risks represents an increasing business exposure. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside of its walls can best remain competitive in the marketplace. Using this knowledge, a company can most efficiently protect sensitive data and quickly respond to security incidents.
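Tip 2 above asks staff to spot sender domains that are one letter off from the company's own domain or that add or drop a period. That check can also be run by a mail filter or a help desk triage script. The following is an added example written for this post, not code from Sedgwick or from any product it mentions; the organisation domain `example.com` and the sample `From:` headers are constructed placeholders. It parses the `From:` header, compares the sender's domain to the organisation's domain by edit distance, and also flags the organisation's name reused under a different top-level domain or buried as a label in another domain.

```python
"""Triage of From: headers for look-alike sender domains (constructed example).

Assumptions (not from the original post): the organisation's real domain is
example.com, and a domain within two edits of it, or one that reuses the
'example' label, is treated as a look-alike worth a phone-call verification.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # placeholder organisation domain (assumption)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions
    or substitutions needed to turn a into b. A one-letter typo or an
    added/removed period is a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From: header, or '' if none.
    parseaddr handles both 'user@host' and 'Display Name <user@host>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(header_value: str, org_domain: str = ORG_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    domain = sender_domain(header_value)
    if not domain:
        return "external"            # no parseable address: treat as outside
    if domain == org_domain:
        return "internal"
    if levenshtein(domain, org_domain) <= max_distance:
        return "lookalike"           # e.g. examp1e.com, exarnple.com, example.co
    # The organisation's name used as a label elsewhere, e.g. example.com.evil.net
    org_label = org_domain.split(".")[0]
    if org_label in domain.split("."):
        return "lookalike"
    return "external"


def triage(headers):
    """Map each constructed From: header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "HR Department <hr@example.com>",
        "CEO <ceo@examp1e.com>",
        "payroll@exarnple.com",
        "Finance <finance@example.co>",
        "Payroll <payroll@example.com.evil.net>",
        "Newsletter <news@vendor.org>",
        "undisclosed-recipients",
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:9s}  {header}")
```

A 'lookalike' verdict should route the message to the verification step in tip 1 (a phone call to the apparent author) rather than being acted on; the edit-distance threshold of 2 is a starting point and will need tuning against the organisation's legitimate partner domains to keep false positives manageable.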

If you would like more information or assistance in this area, please contact a member of our Cybersecurity & Privacy Team at SedgwickResponder@sedgwicklaw.com. You can also reach Cinthia Motley at cinthia.motley@sedgwicklaw.com or 312-849-1972, and Nora Wetzel at nora.wetzel@sedgwicklaw.com or 415-627-3478.

Recent Trends in Bankruptcy Sales of Customer Data

Introduction
In 2005, Congress amended the Bankruptcy Code to address privacy concerns in connection with sales of customer data in bankruptcy cases. The Code was specifically amended to restrict or prohibit the sale of customers’ personally identifiable information – as defined by the Bankruptcy Code – when in violation of a debtor company’s existing privacy policy.
In practice, the statute mostly has operated to facilitate these sales pursuant to a bankruptcy court approval process, which is conditioned upon satisfaction of certain procedural safeguards.  After quickly reviewing the basic statutory framework, we discuss some recent cases involving bankruptcy sales of customer data.  We then provide our summary of lessons learned and key takeaways.

Statutory Framework
Section 101(41A) of the Bankruptcy Code enumerates the specific items of personal information that constitute Personally Identifiable Information within the meaning of the Bankruptcy Code, if provided by an individual in connection with obtaining a product or service from the debtor primarily for personal, family or household purposes. They are as follows: first and last name, residence, email address, telephone number, social security number, or credit card account numbers. In addition, Section 101(41A) provides that Personally Identifiable Information can include a birth date, place of birth or any other item of information concerning an identified individual that, if disclosed, would result in identifying such individual physically or electronically, if such information is identified with one or more of the above enumerated items of personal information.

Section 363(b)(1) of the Bankruptcy Code provides that if the debtor has a privacy policy in effect at the time of the bankruptcy filing, which prohibits the transfer of Personally Identifiable Information (“PII”), the Information cannot be sold in bankruptcy unless additional requirements are satisfied.  If triggered, section 363(b)(1) prohibits the sale of PII unless the bankruptcy court finds that the sale is consistent with the debtor’s privacy policy or the court approves the sale at a hearing after (a) appointing a consumer privacy ombudsman to assist the court in reviewing the facts and circumstances of the sale and (b) finding that the sale of the information would not violate applicable nonbankruptcy law.

The bankruptcy court orders the appointment of the consumer privacy ombudsman pursuant to section 332 of the Bankruptcy Code, who may appear and be heard at the sale hearing.  Section 332 provides a non-exclusive list of the information and topics to be included in the ombudsman’s report and recommendations to the court. They include the potential losses or gains of privacy to consumers if the sale is approved, the potential costs or benefits to consumers if the sale is approved, and the potential alternatives that would mitigate privacy losses or potential costs to consumers.

Recent Bankruptcy Sales of Customer Data

  1. BPS Holdings (2017): The debtor companies manufactured, distributed and sold sports equipment, accessories and apparel under a number of brand names. Products were sold in the U.S. and Canada, and the companies operated a number of websites which collected a variety of PII from their customers, in some cases from minors. After filing bankruptcy, the debtors requested bankruptcy court approval to complete two sales of their businesses: (1) sale of their soccer apparel and equipment business (“Soccer Business”) to their co-founder and (2) sale of their hockey, lacrosse, and baseball businesses (“Other Businesses”) to a newly formed company.

    The bankruptcy court appointed a privacy ombudsman, who examined the debtors’ privacy policies and data collection practices among the various businesses. The ombudsman recommended court approval of both sales under certain terms and conditions, and both sales were recently approved by the bankruptcy court.

    Sale of Soccer Business:  The ombudsman found that the debtors operated two websites for the Soccer Business, pursuant to which they collected customer names, addresses, phone numbers, email addresses and order histories.  They did not collect any other categories of PII, nor track customer activity via cookies or other tracking technologies.  At the time of the bankruptcy filing, a privacy policy was posted on one of the websites, which promised customers that their PII would not be sold or transferred to any other company for any reason whatsoever.

    The privacy ombudsman recommended that the court approve the sale subject to the following conditions: (1) the buyer must engage in substantially the same line of business, (2) the buyer must adhere to all material terms of the existing privacy policy, (3) the buyer must agree to obtain the customers’ affirmative consent before making any material changes to the privacy practices applicable to the PII collected under the existing privacy policy, and (4) the buyer must agree to comply with applicable privacy and data protection laws.

    The privacy ombudsman did not recommend, and the buyer did not agree, that notice be given to the customers of the proposed sale with an ability to opt out of the sale of their PII to the buyer. The sale was approved without any required opt-out notice.

    Sale of the Other Businesses: The ombudsman found that the debtors operated several websites and Instagram pages among the different sports businesses, collecting customer names, mailing addresses, phone numbers, email addresses, birth dates, ages, genders, zip codes, and payment information, in different combinations. The debtors also collected anonymized customer usage and demographic data from Google and Amazon. Certain of the websites also collected personally identifiable information from minors.

    The ombudsman reported that some websites for the various businesses posted privacy policies, while others did not.  Most of the privacy policies promised customers that their PII would not be sold without prior notice; one of the websites posted a policy that PII might be shared with affiliated companies or third party service providers for the purpose of conducting business, and promised that PII would not be provided to any third parties for their own marketing purposes. In certain instances, the ombudsman indicated that he had requested, but had not received, any prior or currently applicable privacy policies.

    The ombudsman recommended that the sale be approved on a number of conditions. As to websites which notified customers that their PII would not be sold without prior notice, the ombudsman recommended (1) email notice of the sale to customers, (2) if the buyer did not agree to be bound by the existing privacy policy, an opt-out opportunity, and (3) the buyer’s agreement to comply with applicable privacy and data protection laws. As to the website which promised customers that their PII would not be shared, the ombudsman recommended that the buyer obtain the customers’ affirmative consent to the sale of the PII or make a showing that it would (1) engage in substantially the same line of business, (2) adhere in all material respects to the existing privacy policy, (3) obtain customer affirmative consent before making any material changes to privacy practices, and (4) agree to comply with applicable privacy and data protection laws.

    For websites with no privacy policies, the ombudsman did not recommend any conditions other than the buyer’s agreement to comply with applicable privacy and data protection laws. For websites for which the ombudsman was unable to confirm the existence or absence of any privacy policy, the ombudsman recommended that the debtors obtain consent from the customers before the sale of their PII to the buyer. Lastly, the ombudsman objected to the debtors’ transfer of any PII of children under the age of 13, consistent with the Children’s Online Privacy Protection Act.

    The court approved the sale without requiring opt-out notices to consumers, but required affirmative customer consent with respect to the sale of PII collected prior to existing privacy policies for certain of the websites.  The court also required the debtors to delete all PII of children prior to the sale.

  2. Aeropostale (2016): The debtor companies sold clothing in the U.S. and Canada in retail outlets and through two websites under a variety of brands. The websites collected customers’ names and addresses (mailing and email). Phone numbers also could be collected, for shipping purposes only. Similar PII was collected in the retail stores. The websites also tracked and collected historical usage and transaction data, and the customers’ IP address, browser information and referring site domain name.

    The company also conducted certain contests and sweepstakes, which, in certain instances, required customers to provide their social security numbers, in addition to their names and addresses.  The company did not collect credit card numbers or other payment information.

    At the time of the bankruptcy filing, the posted privacy policy on one of the websites stated that the PII would not be shared with others “except with your consent or as described in this Privacy Policy.” The policy described a number of circumstances for the companies’ sharing of PII with affiliates or marketing or service partners, or where required by law, but the policy did not provide for the sharing of the PII in the event of a bankruptcy or sale of the company or its assets.  On the second website, the posted privacy policy explicitly promised customers that their PII would “never” be sold, rented or given away.

    After filing bankruptcy, the debtors conducted an auction of their operating assets, including the customer PII, and thereafter moved for approval of the sale to the winning bidder. The court-appointed ombudsman recommended approval of the sale of the customer PII after reporting that, under the terms of the sale, the proposed transfer of PII was subject to a 60-day opt-out notice to customers after the closing of the sale as to any future use of their PII by the buyer. The ombudsman noted that this opt-out provision was not a specific recommendation of the ombudsman; rather, it was agreed to between the debtors and the buyer.

    The ombudsman specifically recommended that the sale be further conditioned upon the buyer’s agreement to (1) apply appropriate security controls and procedures to PII, (2) abide by all applicable laws and regulations with respect to PII, (3) abide by the debtor companies’ existing privacy policies and related promises, and (4) respect all prior opt-out requests by customers. In addition, the ombudsman recommended that, absent prior express consent from customers, the buyer’s future use of PII should be limited to the purposes of continuing the business operations that were purchased and providing goods and services to customers.

    Thereafter, the bankruptcy court approved the sale after adopting the ombudsman’s recommended conditions to the sale of the PII.

  3. Golfsmith (2016): The affiliated debtors were the largest specialty golf retailer in the world, offering customers an extensive selection of golf equipment and related services. The debtors operated their business as an integrated multi-channel retailer, with retail stores, catalog sales and e-commerce through a website. After filing bankruptcy, the debtors moved to sell their assets pursuant to a court-supervised auction. The winning bidder, a large sporting goods retailer, sought to purchase the business as a going concern.

    Included in the purchased assets was all of the debtors’ customer information, including contact information (name, email, mailing address, and phone number), birthday and gender, and transaction history, with the exception of any credit card information or social security number information that might be in the debtors’ possession. At the time of the bankruptcy filing, the debtors’ privacy policy disclosed that certain PII would be shared with trusted third party service providers, but that phone numbers would not be made available to other companies or organizations and that email addresses would not be shared or distributed and would remain in the sole possession of the debtors. An earlier privacy policy also promised customers that their email addresses would not be sold.

    The privacy ombudsman’s report recommended approval of the sale subject to a number of conditions, including the buyer’s agreement to (1) be bound by and succeed to the debtors’ existing privacy policy, (2) be responsible for any violation of the privacy policy after the closing of the sale, (3) notify the customers of the sale and provide them with an opt-out opportunity for the transfer of any customer PII to the buyer, with such notice to be posted both on the debtors’ website and in retail stores, (4) provide further opt-out notice to customers of any attempt to convert the customers to the buyer’s privacy policy, and (5) safeguard all customer PII in a manner consistent with industry standard data protections and applicable information security laws and best practices.

    In addition, the ombudsman recommended that the buyer agree to destroy all PII for which it determined that there was no reasonable business need and that the debtors destroy all customer PII not transferred to the buyer within 90 days after the closing of the sale.

    The court approved the sale as conditioned by the ombudsman’s recommendations.

  4. RadioShack (2015): After filing bankruptcy, the debtor proposed a sale of its customer records database along with certain IP on a standalone basis. The data was not part of a sale of the debtor’s business to the buyer as a going concern. The database included customer names, email and mailing addresses, phone numbers and extensive transaction data, including credit and debit card numbers and social security numbers. The debtor carved out the credit and debit card numbers and social security numbers from the proposed sale.

    The debtor’s pre-bankruptcy privacy policies advised customers that, among other things, the company’s mailing list would not be sold, customer PII would not be used for any purpose other than carrying out services requested from the company, and the company would not “sell or rent customer PII to anyone at any time.”

    The proposed sale drew objections from the Federal Trade Commission and State Attorneys General from 38 states. In addition, the court appointed a consumer privacy ombudsman to review the proposed sale. Thereafter, the FTC, State Attorneys General, debtor and successful bidder mediated this dispute and reached a consensual resolution, which was subsequently endorsed by the ombudsman.

    As part of the settlement, the buyer agreed to purchase only a very limited subset of the customer PII, namely (1) email addresses of customers that were active within 2 years prior to the bankruptcy filing, along with certain limited transaction data collected in the five years prior to the bankruptcy filing, and (2) customer names and mailing addresses with certain limited transaction data associated therewith in the 5-year period prior to bankruptcy. No customer phone numbers were sold.

    In addition, the buyer agreed to a number of other protections in the mediated settlement, including the buyer’s agreement to (1) become a successor in interest under the debtor’s existing privacy policies, adhering to all material terms and assuming liability for any violations thereof, (2) effectuate an extensive notice and opt-out procedure for affected customers, (3) not make further material changes to the privacy policies without further notice and opt-out opportunity to affected customers, (4) safeguard all PII in a manner consistent with industry data security protections, applicable information security laws and best practices, and (5) destroy all PII for which it had no reasonable business need. In addition, the debtor agreed to destroy any PII not conveyed to the buyer.

    The court approved the sale as modified by this mediated settlement.

Lessons Learned and Key Takeaways

  • Sales of customer PII on a standalone basis, or which are not part of a sale of the debtor’s business in which the buyer will continue to provide the same or similar products or services, will continue to draw greater judicial scrutiny and will likely require more limitations and protections as a condition of their approval by the bankruptcy court.
  • Absent objections by affected consumers, the bankruptcy courts likely will continue to approve sales of customer PII in bankruptcy cases in accordance with the recommendations of the consumer privacy ombudsmen who are appointed by the courts, in many instances with no opportunity for customer opt-out.
  • Although a number of bankruptcy sales of PII have included some form of opt-out notice to the affected customers, it remains to be seen in future cases whether buyers will continue to agree, or be required, to provide such notices. Much may depend upon the particular factual circumstances, but consumer privacy ombudsmen do not consistently recommend such restrictions as a condition of the approval of these sales.
  • Some bankruptcy sales of PII have been conditioned upon the buyer assuming certain liability for breaches of the debtor’s privacy policy and/or obligations to safeguard PII in accordance with applicable law or industry standards. At the same time, the debtor’s assets are often sold to the buyer free and clear of any liens, claims, or interests, including potential successor liability. It remains to be seen whether significant disputes or litigation will arise after the closing of these bankruptcy sales of customer PII in the event of a subsequent discovery of a data security breach or other breach of the debtor’s prior privacy policies.

Chicago Attorneys Cinthia Granados Motley and Ashley Jackson Discuss Ways to Avoid Wrongful Collection of Data Claims

Chicago-based attorneys Cinthia Granados Motley and Ashley Jackson were published on Law360 on February 7, 2017. The article, “10 Ways To Avoid Wrongful Collection Of Data Claims,” offers tips organized around the who, what, where, when and why of consumer data collection to help answer the most frequently asked questions.
