ALERT – OCR Issues Quick Response Cyber Attack Checklist and Graphic

In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS), discussed in Cinthia Motley’s May 13, 2017 Alert: Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights (“OCR”) issued a Quick Response Cyber Attack checklist and graphic on June 9, 2017. The checklist and the corresponding infographic outline the following steps a HIPAA covered entity and its business associates need to consider taking in response to a cyber-related security incident:

  1. Execute its response and mitigation procedures and contingency plans.
  2. Report the crime to law enforcement agencies.
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
  4. Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

While all of these steps may not necessarily apply to all situations, we recommend that HIPAA covered entities and business associates review their current incident response plan (IRP) and procedures and compare them to the OCR checklist. As noted in the OCR checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies and other federal and information-sharing and analysis organizations (ISAOs). As noted in the OCR graphic, even if there is not a breach, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined that no breach occurred.

If you are concerned that your business does not have the proper IRP or needs assistance in developing one, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley at (312) 849-1972 or cinthia.motley@sedgwicklaw.com, or Carol Gerner at (312) 849-1959 or carol.gerner@sedgwicklaw.com.

Executive Order Directs Federal Agencies to Put Their Own Houses in Good Cybersecurity Order

On May 11, 2017, the White House issued an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order mandates that federal department and agency heads take an active role in reviewing, improving, and modernizing cybersecurity risk management, and stands as a major action toward enhancement of cybersecurity in the wake of high-profile federal agency breaches such as those of the Office of Personnel Management and of the IRS in 2015, and an election riddled with headlines of hackers releasing sensitive information taken directly from government agencies.

A hallmark of the Order is that it places cybersecurity responsibility squarely on department and agency leaders, laying out a series of reporting and reviewing deadlines that synthesize and build upon the Cybersecurity Framework and other measures first implemented by previous administrations. The Order seems poised to prioritize modernization in the area by moving away from “antiquated” and “difficult-to-defend” IT systems and exploring the possibility of upgrading to shared IT services and use of the cloud. It also emphasizes the importance of training and educating in the field of cybersecurity, to help prepare for and combat future threats.

Overall, the order is seen by many as a big step towards holding federal agencies responsible for the same cybersecurity assessments and measures that they expect and require of the entities they regulate. Despite government vulnerability to cyberattacks, government agencies have generally not previously been held as accountable for the same vulnerabilities they investigate in the private sector. By not only requiring that federal agencies now utilize the cybersecurity framework promulgated by the National Institute of Standards and Technology (“NIST”) in the prior administration, but also requiring department and agency heads to take an active role in reviewing and reporting on compliance with the framework, the Order focuses on holding agencies accountable and, as one White House spokesperson put it, asking them to practice what they preach.

Some commentators feel that the order does not go far enough, with one Senator calling it simply a “plan for a plan,” which prioritizes further review and reporting over actual action against real-time threats. What also remains to be seen is whether the short, ninety-day reporting timeframes mandated by the order are workable, and whether the changes that will result from the report and review periods will be financially feasible for the agencies, and also for the private sector companies that do business with them and will likely be subject to increased scrutiny as well. Other concerns voiced center on the provisions directing that the Secretary of Defense, as well as the Directors of National Intelligence and the FBI, will be involved in efforts to support the cybersecurity risk management of owners and operators of the Nation’s critical infrastructure, and the impact that will have on privacy of personal information maintained by the various agencies.

In the meantime, the Order serves as an important step to hold the federal government responsible for its own cybersecurity and to prioritize cybersecurity in a time that it is clearly needed.

ALERT: Ransomware – a Global Wake-Up Call

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack

On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that:

HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems. We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cyber security best practices – particularly with respect to email. (Emphasis added).

This alert comes on the heels of Friday’s global ransomware attack that has spread to nearly 100 countries. The attacks are being blamed on malware called WCry, WannaCry or Wana Decryptor.

So what measures can your company take to protect itself in the event of a ransomware attack?

If a company is infected with ransomware, it faces two hard choices: either pay ransom to unknown criminals or try to restore its systems, if possible. With either option the company faces risks. Thus, prevention and pre-breach planning are key, including taking the following steps:

Update systems and software with current patches: Ransomware spreads easily when it encounters unpatched or outdated software. The HHS has noted that the WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). Microsoft also just released an emergency security patch update for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. In addition, keeping operating systems and antivirus software up to date adds another layer of defense that could help stop malware.
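As an added illustration, not part of the Sedgwick alert, the following PowerShell script audits every SMBv1 switch on a Windows host and offers a dry-run hardening step, since disabling SMBv1 is the compensating control for the exposure HHS describes while patches are rolled out. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later for the SmbShare and DISM cmdlets, falling back to the registry value Microsoft documents for Windows 7/Server 2008 R2; the cmdlet, class and registry names are real, the two function names are ours.

```powershell
# Added example (not from the Sedgwick alert): inventory every SMBv1 switch on a
# Windows host, then optionally disable the server side as a compensating control
# while vendor patches are rolled out. Run in an elevated PowerShell session.

function Get-Smb1Status {
    $status = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. SMB server setting via the SmbShare module (Windows 8 / Server 2012 and later)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerEnableSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $status.ServerEnableSMB1 = 'cmdlet unavailable (pre-Windows 8 host)'
    }

    # 2. Registry switch used on Windows 7 / Server 2008 R2; an absent value means enabled
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $status.RegistrySMB1 = if ($null -eq $reg) { 'not set (default: enabled)' } else { $reg.SMB1 }

    # 3. SMB1 client driver (mini-redirector); 'Auto' start means this host still speaks SMBv1 as a client
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $status.ClientDriverStartMode = if ($drv) { $drv.StartMode } else { 'not present' }

    # 4. Optional feature (Windows 8.1 / Server 2012 R2 and later); removing it is the cleanest fix
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $status.OptionalFeature = if ($feat) { [string]$feat.State } else { 'n/a' }

    [pscustomobject]$status
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) { return }

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Microsoft-documented registry switch for older hosts; takes effect after a reboot
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
}

Get-Smb1Status | Format-List
# Dry run first; drop -WhatIf once the change is approved and legacy SMBv1 clients are accounted for
Disable-Smb1Server -WhatIf
```

Disabling SMBv1 breaks legacy devices that only speak that dialect (older printers and NAS units, for example), so inventory those dependencies before applying the change; patch status itself is still verified separately against the vendor bulletin.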

Refresh, Review, Retrain: To protect your company from a ransomware attack, properly train employees on cybersecurity. Authorized users can expose a company the most when it comes to cybersecurity risks. This includes employees who are vulnerable to social engineering and phishing attacks. Thus, train employees to identify phishing attacks and to perform proper authentication of third parties before providing them with data or access to the network.

Data Access Controls: Granting users access to data and systems minimally necessary to do their jobs and closely monitoring access controls can help contain the spread of initial infections.

Implement Data Loss Prevention (DLP) and Intrusion Detection Systems: Quickly identifying potential infections with intrusion detection systems can allow a company to rapidly isolate infected servers and/or endpoints (computers), also preventing the spread of initial infections. Using data loss prevention tools companies can enforce protection policies, and administrators can secure sensitive business data and prevent illegal access to data.

Implement Regular and Offsite Data Backups: In the event of a ransomware attack, decryption keys are not always provided even when ransoms are paid. Backups stored on the same infected server are often encrypted along with the primary data. Thus, regular data backups that are continually tested to ensure they can be restored if needed are important to help a company recover its data, resume operations and avoid paying a ransom demand. It is equally important that backups be stored offsite.

Implement, practice and update incident response and business continuity plans: Having a tested incident response plan will help an organization quickly respond to a security incident. While many organizations have information security procedures in place, it is important that those plans and procedures be reviewed to address a potential ransomware attack. Similarly, perhaps the biggest impact of a ransomware attack is the downtime an organization may face, even causing business functions to come to a halt. Thus, it is critically important that companies update their business continuity plans to specifically address ransomware.

Quickly deploy incident response team and protect privilege: Quick incident response team deployment is essential when faced with a ransomware attack. This should include having legal, forensic and public relations consultants, as well as law enforcement contacts, identified before a security incident occurs. Top-level awareness is equally important, as crisis management decisions will need to be made quickly, such as: whether the ransom demand will be paid and, if so, who should negotiate the ransom payment; how and when to notify law enforcement; and any internal or external communication necessary. As these decisions may greatly impact a company’s business, financial and legal obligations, it is critically important that in-house or outside legal counsel be involved from the outset to advise and guide the organization, including in the retention of outside consultants. This is the best measure to help protect attorney-client privilege as company executives are forced to navigate quickly through important decisions for the organization.

In short, being proactive is often easier and less costly than a reactive approach. Cyber risks present a fast-evolving landscape. Data loss through cybercrime and internal risks represents an increasing business exposure. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside its walls can best remain competitive in its marketplace. Using this knowledge, a company can most efficiently protect sensitive data and quickly respond to security incidents.

If you are concerned that your business needs help with combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact us at SedgwickResponder@sedgwicklaw.com, or contact Cinthia Motley at (312) 849-1972 or cinthia.motley@sedgwicklaw.com.

Sedgwick LLP’s Cinthia Motley Named Illinois Cybersecurity Litigation Lawyer of the Year

Sedgwick LLP is pleased to announce that Cinthia Granados Motley, partner and co-chair of the firm’s Cybersecurity and Privacy Group, was named the 2017 Corporate International Global Awards Cybersecurity Litigation Lawyer of the Year in Illinois.

In her legal practice, Motley handles data privacy and security matters assisting clients, domestically and internationally, to implement effective information security practices, including information governance and litigation readiness. She represents clients in data security and privacy matters and routinely acts as incident response counsel to large international entities, as well as privacy litigation counsel.

Motley is a sought-after, recognized attorney in the critical cybersecurity and privacy area of law and is honored to be recognized for her work. She was selected as a Super Lawyers Top Women Attorney in Illinois and a Super Lawyers Rising Star in 2012 – 2013, and was named one of The National Law Journal’s Cybersecurity and Data Privacy Trailblazers. She also serves as adjunct professor at Chicago-Kent College of Law, teaching data management, information governance and e-discovery.

Preparing for PIPA — Data Protection and Implications for the Insurance Industry

On 2 December 2016, the administrative provisions of the Personal Information Protection Act 2016 (PIPA; the Act) came into force establishing the office and powers of the Privacy Commissioner and providing for the method of appointment of the Privacy Commissioner. The substantive provisions of the Act will not come into force until 2018.

One objective of Parliament in passing the Personal Information and Protection Bill was to put in train the process by which Bermuda may seek a data protection adequacy determination from the European Commission. An adequacy determination will be of considerable assistance to Bermuda reinsurers, for example, who need to import personal data from Europe for underwriting and claims-related purposes.

The resolution of the European Parliament in May 2016 regarding ongoing negotiations of the EU-US Privacy Shield, an arrangement intended to replace the now defunct ‘safe harbour’ decision, has emphasised the importance to a successful adequacy application by a non-EU country that the holder of the office responsible for the administration and enforcement of domestic personal information protection legislation should be independent from government. This fact was explicitly acknowledged by the Minister for Economic Development in his ministerial statement on 3 February 2017, announcing the commencement of the administrative provisions of the Act on 2 December 2016. The Minister said ‘the creation, staffing and operations of the Commissioner’s office will be done in a manner to ensure full compliance with those requirements’.

Insurers and insurance managers, agents and brokers, in common with all organisations, will need to adopt suitable measures and policies to give effect to their obligations and to the rights of individuals set out in the Act, when the substantive provisions come into force. It will be difficult to craft measures and policies to ensure compliance until the Privacy Commissioner (once appointed) has published guidance or the Minister for Economic Development has issued a code of conduct, but insurers and insurance managers, agents and brokers should be familiarising themselves with the Act’s substantive provisions now.

Overview of PIPA

The Act applies to every organisation that uses personal information in Bermuda where the personal information:

  • is used wholly or partly by automated means, or
  • forms, or is intended to form, part of a structured filing system.

‘Personal information’ is information about an identified or identifiable individual.

When the substantive provisions come into force, organisations must not use personal information unless one or more of the conditions of section 6 of the Act are met.

‘Using’ personal information ‘means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it’.

There are some exclusions from the regulation of the use of ‘personal information’, such as the ‘use of business contact information for the purpose of contacting an individual in his capacity as an employee or official of an organisation’. However, whether all personal information used about an individual is ‘business contact information’, is likely to be hard to determine in some cases.

In practice, organisations are likely to seek to premise their lawful use of personal information predominantly on the satisfaction of condition (1)(a) of Section 6 of the Act, which requires obtaining the knowing consent of the individual. This is because compliance with the condition can be tested objectively.

Other conditions of use may also be of practicable assistance to organisations, for example, where use is necessary for the performance of a contract to which the individual is a party, or is pursuant to a provision of law that authorises it, or is in relation to publicly available information. But assessing compliance with these conditions will involve a greater degree of judgment than testing for consent.

Personal information may also be used (except sensitive personal information) where a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use of his personal information should not begin or cease and the use does not prejudice the rights of the individual.

Since it will be difficult for organisations to anticipate in any given case whether this condition is fulfilled, it is likely that it will be used more as a last resort in connection with uses that would otherwise have been unlawful, rather than relied on by organisations as a general rule for ensuring their compliance with the Act.

When the substantive provisions of the Act come into force, organisations will be required to:

  • Safeguard personal information.
  • Only use it in a lawful and fair manner.
  • Provide individuals with privacy notices about the organisation’s practices and policies with respect to personal information, which the organisation must take reasonably practicable steps to ensure are provided either before or at the time of collection of the personal information.
  • Except with the consent of the individual, or where necessary to provide a service or product that is required by the individual, or in certain other circumstances, use personal information only for the specific purpose stated in the privacy notice.
  • Ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use and kept no longer than is necessary for that use.
  • Not transfer personal information to an overseas third party unless it reasonably believes the personal information will be subject to a level of protection comparable to that required by the Act.

There are penalties under the Act for certain breaches, and for causing financial loss and emotional distress, with a person liable:

  • On summary conviction, in the case of an individual, to a fine of up to $25,000 or up to two years of imprisonment or to both.
  • On conviction on indictment, in the case of a person other than an individual, to a fine of up to $250,000.

The Privacy Commissioner, when appointed, will have various powers which may be used to assist insurers and insurance managers, agents, and brokers in confirming what they must do to comply, including powers to:

  • Comment on the implications for protection of personal information in relation to an organisation’s existing or proposed programmes.
  • Approve binding corporate rules for transfers of personal information to an overseas third party.
  • Give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under the Act.
  • Permit an organisation to transfer personal information to an overseas third party where the organisation has reasonably demonstrated that it is unable to assess the level of protection provided by the overseas third party for that personal information provided the transfer does not undermine the rights of the individual.
  • Establish certification mechanisms that can demonstrate compliance with the Act.

In addition, as noted at the start of this article, the Minister with responsibility for the Act (currently the Minister for Economic Development) may publish codes of practice.

Consequential amendments to other legislation necessary to implement the Act are expected to be tabled later this year.

Nick Miles
Head of Non-Contentious Insurance
Sedgwick Chudleigh
nick.miles@sedgwicklaw.com 441.278.7164 direct


Mark Chudleigh
Managing Partner
Sedgwick Chudleigh
mark.chudleigh@sedgwicklaw.com 441.278.7160 direct

Alex Potts
Partner
Sedgwick Chudleigh
alex.potts@sedgwicklaw.com 441.278.7165 direct

Privacy and Security — How the 115th Congress’ Repeal of the FCC’s New Privacy Rules Has Made Your Data Less Private and Decreased National Security

Between news reports featuring Russian-gate scandals, Syrian missile attacks and challenges to North Korea, one important news item went oddly underreported. That is the story about a loss of our privacy and security by the new Congress.

FCC’s new privacy rules

In October 2016, the Federal Communications Commission passed new rules that would have required Internet Service Providers (ISPs) to obtain your permission to effectively invade your privacy rights. The rules would have kept providers such as Comcast and Time Warner Cable from monetizing personal information based upon browser history. This history may include activity such as your searches, shopping habits and even secret obsessions. ISPs can insert adware that is undetectable and tracks your traffic and records your browsing history. This generates valuable data for the ISP, maximizing its profits and leaving you vulnerable.

On October 27, 2016, in a 3-2 vote, the FCC approved new rules regarding how ISPs handle their customers’ browsing history, mobile location data and other sensitive information generated by virtue of their customers’ use of the internet.

The purpose of the new rules was to restrict ISPs’ ability to share with advertisers and other third parties information collected from users. This was viewed by many as a big victory for privacy rights advocates. However, these rules are one of the more immediate victims of the November 8, 2016 election, which brought Republican control to both Congress and the White House.

The FCC’s new rules effectively created some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have had significant impact on ISPs’ ability to make a profit.

The new rules required an opt-in standard for third-party data uses. This is significant because historically in the U.S., privacy guidelines require only that users opt-out of data uses such as ad targeting based on behavioral data.

Also, not all internet entities were covered by the new FCC rules. The rules affected only companies that connect users to the internet, including Comcast, Verizon and Sprint. The rules did not apply to internet companies that have huge advertising businesses based on customer data, such as Facebook or Google. Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules would have been a revenue and power shift away from ISPs towards the already dominant internet giants.

The 115th Congress

In March of this year, the House and the Senate voted to overturn the not-yet-implemented FCC new privacy rules. This was considered a victory for ISPs, which argued against regulation since it disadvantaged them compared to non-ISPs.

Congress’ action not only upsets privacy rights advocates and impacts the privacy rights of individuals, but it also impacts cybersecurity for the entire nation. Although this didn’t make a big splash in the news, it is important that the American public understand that not only is individual privacy compromised, but cybersecurity is weakened, because privacy and security are linked together. Privacy is characterized by control of access to information, and so is security. By blocking the FCC’s more stringent privacy rules, Congress has weakened cybersecurity for all Americans.

Security: ISPs have a bad track record on security

Your ISP continually collects huge amounts of data such as search results, places you visit on the internet (dates and times), how often you visit and how long you are on a particular site. This is your web browsing history. ISPs also record financial and personal information or data via your transactions on the web through your browser.

ISPs do not have a great track record of keeping information safe. In fact, there have been a number of high-profile breaches, such as the AOL breach involving the data of more than 500 million users. Recently, Comcast suffered a large breach of information involving the data of almost 600,000 users. The new rules would have required ISPs to obtain opt-in consent before providing your information to third parties. This would have reduced the treasure trove of data now held by the ISPs, thereby reducing the exposure to a breach of personal data.

In addition to obtaining credit card and other financial data, hackers can pinpoint the browser history of each individual which may be used as blackmail against that individual.

Insertion of adware and spyware weakens security

A number of ISPs insert adware and spyware into their browsers, which generates targeted advertising. For purposes of this article, we will refer to adware and spyware, which are not very different in terms of invasiveness or functionality, as just adware. ISPs insert adware into browsers that analyze browsing history in order to customize ads specifically for you.

The insertion of adware into a browser is a major threat to cybersecurity because inserting new code into a webpage could break the security of that page. The new FCC privacy rules would have ended this practice. In basic terms of security, hackers take advantage of this security weakness in the insertion process to break into sites and applications that you use. It gives hackers an easy way in.

A related security issue comes from ISPs installing adware on devices, such as a mobile phone, which most of us purchase directly from the service provider as part of a service agreement. In the past, ISPs have justified the installation of adware on the basis that it was to improve the wireless network service and performance. After a lot of blowback, ISPs backed down on pushing the adware application. ISPs will likely revert to placing adware on mobile devices, since the Congressional repeal of the FCC privacy rules effectively removes the FCC as a privacy watchdog. And adware can record virtually all of your phone functions, including system logs, app usage and other communications. Any adept hacker can intercept the adware’s traffic and obtain sensitive information such as usernames and passwords without having to do much in the way of sophisticated hacking. A hacker can hijack your phone entirely and access almost anything, including your contacts, phone numbers and call history logs.

Conclusion

The Congressional repeal of the FCC privacy rules will have security implications far beyond what was ever envisioned or intended. Without these privacy rules, ISPs will continue with impunity to sell user browser data and will likely resume dangerous practices such as inserting adware into mobile devices. Since there is no opt-in requirement, many consumers are unaware of these issues. Most users simply ignore or click through agreements without being aware of what is happening behind the scenes. The negative security implications of the repeal of the FCC rules are far reaching and have long-lasting implications for personal privacy and national security. The end result is simple — repealing the FCC’s privacy rules will not just be a disaster for Americans’ privacy, it will be disaster for America’s cybersecurity, too.

Originally published on Law360, April 26, 2017 (subscription required). Posted with permission.

Pay Up or Else: Hacker Holds Television Network to Cyber Extortion Over Unreleased Shows Stolen From a Third Party Production Company

Television dramas have consistently shown us that authorities do not negotiate with kidnappers and they refuse to pay ransom. “Ransom”, a television series on CBS, portrays a team that works to resolve ransom cases, including in the recent season finale, ransom demanded by a hacker. In an updated twist on this television plot, but this time, on the real world stage, a television network has reportedly been held to cyber extortion by a hacker over unreleased television shows and refused to pay ransom. For the cliffhanger, other networks are threatened to be the next targets. While this mind-boggling “life imitates art” drama appears slated for further episodes, what should be center stage, from a cybersecurity standpoint, is that the compromised security was that of a third party vendor.

A hacker (or a group of hackers) which operates under the name “The Dark Overlord” claims to have stolen unreleased episodes of the Netflix hit series “Orange is the New Black.” During the past weekend, the hacker reportedly released ten episodes of this series to a pirate internet site when Netflix did not meet its ransom demands. The hacker said in a Twitter post: “It didn’t have to be this way, Netflix. You’re going to lose a lot more money in all of this than what our modest offer was.” The hacker then claimed that it stole unreleased content from other networks including ABC, Fox, National Geographic and the Independent Film Channel (IFC), suggesting that additional releases are coming. “Oh, what fun we’re all going to have,” the hacker posted on Twitter. “We’re not playing any games anymore.”

In a statement, Netflix said: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” According to news sources, the breach reportedly occurred at Larson Studios, which operates in the heart of Hollywood “as a full-service Audio Post Production company specializing in digital mixing for High Definition television, film and multimedia.”

While the matter remains under investigation, the details of the compromise here have not been released. So far, this appears to be a case of alleged extortion involving stolen files, but not ransomware. (Ransomware is a more pervasive cybersecurity threat, which also involves extortion, but which encrypts files so that a user is prevented from accessing those files until a ransom fee is paid, unless they can recover their files from backup.) This is further suggested by the hacker’s history, having made headlines last year for allegedly stealing patient health information records from healthcare organizations and demanding ransom to avoid the sale of the records on the dark web.

Whatever might be the details of the compromise here, this serves as a cautionary tale of the threat to a business when its information is in the hands (or, here, in the computers) of a retained third party. And while this is being played out in connection with the entertainment industry, where secrecy (for that suspense factor) is essential, fundamentally, secrecy is also critical to most other businesses. The message here is clear: Cybersecurity threats are ever-evolving, and this latest episode is another example that a company’s vulnerability to cyber events may depend not only on its own security but also that of its vendors. Companies should consider evaluating whether they are prepared for cyber extortion, including whether their incident response plans are current to properly address these emerging risks.

Other States Start to Follow New York Lead on Cybersecurity of Regulated Entities

Last fall, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (“DFS”) proposed cybersecurity regulations that were designed to “promote the protection of customer information and information technology systems of regulated entities.” Regulated “Covered Entities” were defined to mean any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York. The regulations went into effect March 1, 2017, after a delay in enforcement resulting from comments submitted by the affected industries during the notice and comment period as to the hardships that the initial regulations would have imposed. The final version provides greater flexibility and discretion for businesses regulated by DFS, allows Covered Entities to tailor a cybersecurity program that fits their business needs, and includes transition periods (180 days for most provisions, longer for others). The final version is codified under N.Y.C.R.R. Part 500 (“the Regulation”). The details are discussed further below.

Other states are now starting to follow New York’s lead in mandating at least some degree of cybersecurity assessment for entities subject to state regulatory oversight. Colorado, for example, scheduled a hearing for May 2, 2017, on proposed regulations targeted at financial investment advisors. While these advisors are already subject to federal regulation, as the Securities and Exchange Commission requires the financial advisors it regulates to have written cybersecurity policies in effect, the proposed state regulations would impose additional obligations, including an annual assessment of cybersecurity exposures. While the New York regulation would apply to financial advisors if they are licensed by the state, for example as insurance brokers or agents, it is not targeted at them.

The New York Regulations, and the proposed Colorado regulations, demonstrate that for financial institutions, cybersecurity compliance means satisfying state requirements as well as any federal ones that also apply, and the state ones may be more explicit and specific. This, of course, is in addition to the general cybersecurity requirements that already exist in many states for the protection of personally identifiable information of individuals, although those are often more general than the new regulations that state agencies overseeing financial institutions, such as the NY DFS, are putting into place.

Overview of New York Regulation

As New York is in the forefront of state regulation of cybersecurity of financial institutions, its provisions are likely to be a model for other states too. They serve as an important reminder that senior management must keep a close eye both externally at state and federal emerging requirements for cybersecurity, and internally on the implementation of appropriate and compliant programs for their organizations.

The following is a summary of the significant provisions adopted in the final New York Regulations that highlight corporate responsibility, including Board involvement, for developing and maintaining a cybersecurity program, and the reporting requirements associated with such a program:

  1. The final regulations incorporated significant flexibility with respect to the requirements of a Covered Entity’s cybersecurity program. It is now permitted to adopt a cybersecurity program maintained by an “Affiliate”—a person under its control—instead of establishing its own cybersecurity program, so long as the Affiliate’s program meets the requirements of the Regulations.
  2. A qualified individual must now be designated to act as the Chief Information Security Officer (“CISO”) to oversee the implementation and enforcement of the cybersecurity program. The Covered Entity may utilize a person employed by a Third-Party Service Provider or an Affiliate to carry out these responsibilities, so long as someone in a senior position at the Covered Entity will supervise them. However, the Covered Entity itself must have sufficient, trained personnel to meet and execute the requirements of the cybersecurity program.
  3. Annual reports must be made by the CISO to the Covered Entity’s Board of Directors, which includes information regarding the cybersecurity program and policy, any existing cyber threats, the state of the Information Systems, and any Cybersecurity Events that have occurred in the preceding year.
  4. The sections regarding penetration testing and vulnerability assessment were changed to require that Covered Entities conduct annual penetration testing—a change from quarterly testing—based on identified risk. In addition, Covered Entities are now required to conduct biannual vulnerability assessments. Further, monitoring and testing of their cybersecurity program must now be done “periodically,” as opposed to annually. This is consistent with the new requirement that Covered Entities set up written policies and procedures regarding risk assessments, and conduct risk assessments periodically instead of annually.
  5. Covered Entities are required to maintain a reduced number of “audit trail systems” (down from six to three) based upon the Covered Entity’s risk assessment. Systems are to be designed to detect “Cybersecurity Events” that have a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” A Covered Entity must retain audit trail system records for five years.
  6. The Regulation also sets forth extensive requirements regarding the role of Third Party Service Providers. Covered Entities must now implement written policies and procedures to ensure that system security and the security of Nonpublic Information is protected.  The Regulation outlines the types of issues to be covered in these policies and procedures, including guidelines for due diligence, encryption use, and notice requirements in case of a Cybersecurity Event.
  7. Covered Entities are given some flexibility in reporting a “Cybersecurity Event,” meaning an event that would “have a reasonable likelihood of materially harming any part of the normal operation(s) of the Covered Entity[,]” and that is of the type that requires notice to a governmental body. Covered Entities must notify DFS immediately, but no later than 72 hours, after a finding that such an event has occurred.

There are numerous other fairly specific requirements for procedures and reporting, and thus the Regulation should be reviewed carefully by those entities subject to it.

New York, and now Colorado, are probably just the first in a series of states that will be considering and adopting their own schemes of cybersecurity regulation, while federal agencies overseeing various industries are also increasingly adding cybersecurity requirements to their oversight of the entities they regulate. The challenge of complying with a patchwork of regulations continues, with the most restrictive regulation generally becoming the default standard to be met, since compliance with it will generally also satisfy those that are more general and less rigorous.

* The authors would like to acknowledge the contribution of Danya Ahmed, associate in the Sedgwick LLP New York Office, to this article.

Breach Notification Update: New Mexico becomes the 48th State Requiring Breach Notification and Tennessee Adds a Safe Harbor for Encryption

As the frequency of data breaches continues, so do legislative developments on the notification requirements that must be met in the event of a breach of Personally Identifiable Information (PII). Even now, not every state has enacted such legislation. Until April, there were three holdouts. Now, however, we are down to two: Alabama and South Dakota are the only remaining states that do not have data breach notification legislation. New Mexico, previously the third holdout, has recently joined the majority and enacted its own statute. On April 6, 2017, the Governor of New Mexico signed into law the Data Breach Notification Act of 2017 (“Act”). The Act will become effective on June 16, 2017, with several exemptions and carve-outs, and with data protection requirements, discussed below.

In another recent development, Tennessee has clarified that the new breach notification statute it enacted last year will include a safe harbor for encrypted PII after all, at least in most situations.

New Mexico

While broad in the scope of PII to which it applies and specific in the number of days within which notification of a breach must be provided (45 days), the New Mexico statute has several exemptions and allows for a “risk of harm” analysis in the decision whether notification is necessary. It also includes data protection requirements, and thus goes beyond breach notification alone. It is also noteworthy in its deference to federal reporting requirements, providing an exemption for persons subject to certain federal statutes.

The statute exempts the State of New Mexico and its political subdivisions from its provisions (Section 12). The provisions of the Act do not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Section 8). This provision of the Act reflects deference to the federal reporting requirements under those two statutes.

While the Act contains similar provisions to those of other states, the following Sections are noteworthy:

* The definition of PII: The statute defines PII as including “biometric data.” This is consistent with the growing trend among states to include biometric data, e.g. the Illinois Personal Information Protection Act, which took effect on January 1, 2017. (Section 2)

* Notification of a Security Breach: Section 6 requires that notification be made in the “most expedient time possible, but not later than forty-five (45) calendar days following the discovery of the security breach,” except as provided by Section 9. Section 9, entitled “Delayed Notification,” is typical of breach notification statutes in providing that notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation or is necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system. Significantly, Section 6 also includes a risk of harm provision: notwithstanding the other provisions of that Section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud. However, the Act does not define what constitutes an “appropriate investigation” or “a significant risk of identity theft or fraud.” When notification is required, it must also be provided to the office of the attorney general (with additional information required, including the number of affected residents) and to the major consumer reporting agencies. (Section 10)

* Disposal of PII: As part of its security provisions, the statute requires that persons who own or license records containing PII of a New Mexico resident arrange for “proper disposal” of records when they are no longer reasonably needed for business purposes, which in turn is defined as shredding, erasing or otherwise modifying the personally identifying information to make it unreadable or indecipherable. (Section 3)

* Security Measures for Storage of Personal Identifying Information: The statute requires that a person that owns or licenses PII of a New Mexico resident “implement and maintain security procedures and practices appropriate to the nature of the information to protect the personally identifying information from unauthorized access, destruction, use, modification or disclosure.” (Section 4) While this gives some discretion as to what is appropriate, it remains to be seen what the regulator will ultimately consider appropriate.

* Service Provider Use of PII (Implementation of Security Measures): The statute mandates that a person that discloses PII of a New Mexico resident pursuant to a contract with a service provider require “by contract” that the service provider also implement and maintain reasonable security procedures. (Section 5)

* Attorney General Enforcement (Civil Penalty): Section 11 allows the Attorney General to bring an action on behalf of individuals and in the name of the state of New Mexico for alleged violations of the Act and to seek injunctive relief, as well as damages for actual costs or losses, including consequential financial losses. In addition, for knowing or reckless violations of the Act, the court may impose civil penalties up to a maximum of $150,000.

Tennessee

The Tennessee legislature recently amended its data breach notification statute to add back the encryption safe harbor in the definition of “personal information.” When Tennessee initially amended its data breach notification statute last year, it eliminated the encryption safe harbor provisions from the existing statute. Without this recent amendment, Tennessee would have required data breach notification even when the personally identifiable information lost was encrypted. While that change was apparently prompted by reports of situations in which hackers were at times able to decrypt files, it gave rise to a counterbalancing concern that it would disincentivize companies from encrypting data. A reasonable level of encryption is still considered a good safeguard against most hacking, and thus the safe harbor was restored, at least where the encryption key is not also taken.

Keep an Eye on State Legislative Developments

As data breaches of Personally Identifiable Information continue to expand both the types of information targeted and the security measures circumvented, state legislatures, in an effort to protect their residents, are now frequently reviewing their statutes on data security and breach notification to see whether they are keeping up with those developments. Definitions of protected personal information are being expanded by many states, and many are also adding data security requirements, either by way of safe harbors from breach notification or by express directives as to minimum data security procedures. Entities that own or hold Personally Identifiable Information need to monitor legislative developments that may affect data breach security and notification requirements and take them into account in their breach preparedness and response plans. This ongoing monitoring will help ensure compliance with statutory requirements and minimize the regulatory and legal liability issues that may arise in the event of a data breach when requirements are not satisfied.

Sedgwick’s Cybersecurity Team Nominated for Advisen’s 2017 Cyber Risk Awards — Votes Welcomed!

Advisen, a leading provider of technology solutions for insurance companies, has short-listed Sedgwick’s Cybersecurity & Data Privacy group for their Fourth Annual Cyber Risk Awards. Specifically, Sedgwick is a finalist for the Cyber Law Firm of the Year award. The award recognizes the property and casualty insurance industry’s most influential cyber risk professionals.

The Sedgwick Cybersecurity & Privacy Group is a multi-disciplinary group of attorneys with extensive experience working closely with clients to address and reduce their cybersecurity and privacy risks and exposures. These risks affect organizations in every industry we represent, including healthcare, financial institutions, retailers, utilities and manufacturers, among others.

We service clients throughout the U.S. and the U.K. and our Incident Response Team is an approved provider by many of the major insurers. Sedgwick’s Cyber team litigates consumer class actions alleging violations of rights to privacy and consumer protection rights and unfair trade practices, and B2B litigation involving breached entities and their service providers or other third parties involved in the incident.

This is a huge honor, but we need your help and competitive spirit! Please help us by sharing the link below and casting a vote for Sedgwick.

Select Sedgwick LLP in the Cyber Law Firm of the Year dropdown.

Voting ends on Friday, May 19, 2017. Thank you for your support!