Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements

Justin A. Chiarodo, Philip E. Beshara, and Heather L. Petrovich

The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.

Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate.

The new Rule (available here) broadly applies to all federal contractors and subcontractors with information systems that process, store, or transmit “federal contract information” (i.e., information provided by, or generated for, the government under a federal contract). These safeguarding requirements will be imposed on most acquisitions (including acquisitions below the simplified acquisition threshold and commercial item procurements). The only exception is the acquisition of commercial-off-the-shelf (“COTS”) items. Contractors and subcontractors must also flow down the requirements to all subcontracts where the subcontractor may have federal contract information residing in—or transiting through—its information systems.

While the Rule imposes 15 new requirements, they are characterized as “basic” security controls. Indeed, many companies will already be familiar with these standards, as most, if not all, are employed as standard best practices. Several are drawn directly from the National Institute of Standards and Technology (“NIST”) guidelines applicable to federal agencies. Importantly, the Rule does not impact the considerably higher safeguarding standards governing contractors dealing with Controlled Unclassified Information (“CUI”) or classified information.

Compliance with these safeguards may shield a contractor from liability in the event of an inadvertent release of information. Conversely, as the government indicated in its comments on the Rule, the failure of a contractor to maintain the required safeguards may constitute a breach of contract. Nonetheless, the security controls set forth in the Rule represent standard industry best practices and should be implemented by any prudent contractor regardless of the presence of covered information. To this end, any company doing business with the federal government should look to these guidelines as representative of the types of essential practices it should employ.

The Final Rule will be implemented through FAR Subpart 4.19 and a new contract clause (FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”). The 15 requirements are set forth below:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Unforeseen Consequences of Hacking: When Someone Wants To Use Your Cybercrime Misfortune Against You In A Litigation

Michelle Gitlitz Courtney and D. Morgan Barry

Companies that are hacked face a range of repercussions, such as notifying clients and customers that the privacy of their information has been compromised and implementing a new security system. In July 2015, it was highly publicized that the extramarital affair dating website Ashley Madison was hacked and the names of thousands of cheating men and women were disclosed to the public. While hacks often lead to the filing of class action complaints concerning inadequate cybersecurity measures, here, the plaintiffs’ counsel took an unprecedented position: they sought to use the content of press articles that cited to the leaked documents (including privileged documents) in the multidistrict class action lawsuit.[1]

The class action plaintiffs in the Ashley Madison litigation attempted to use the hacked documents to support their claims that Avid Dating Life (“Avid Dating”), the owner of the extramarital affair website, failed to properly secure users’ confidential information and committed fraud by maintaining fake female profiles on the website AshleyMadison.com.

Upon notice of Plaintiffs’ intention to use the documents, Avid Dating sought a restraining order to prevent Plaintiffs’ use of the documents that were disclosed as a result of the hack. Avid Dating asserted that the use of stolen documents in a litigation is against federal case law, state case law, the Rules of Professional Conduct, and ethics opinions. Supporting Avid Dating were the Amici Does, former users of the adultery website.

In response, Plaintiffs argued that they should be able to use news and media articles discussing the hacked documents (including privileged documents) in their class action complaint because Plaintiffs had no involvement in the hack; the documents were widely disseminated on the internet and in the media; Plaintiffs did not intend to use the stolen documents themselves, but instead to use media reports that referenced the stolen documents; and the documents demonstrated Avid Dating’s own wrongful acts.

In a thoughtful, ten-page decision on April 29, 2016, Judge Ross of the Eastern District of Missouri ruled that Plaintiffs were not permitted to use the stolen documents or media reports referencing the documents.[2] Judge Ross did not consider Plaintiffs’ innocence in the hack or the fact that the documents were already referenced in news publications to be influential in his decision. Because the documents were stolen and use of stolen documents compromises judicial integrity, Plaintiffs were not permitted to use the documents—end of story.

Judge Ross acknowledged the ethical dilemma in protecting from disclosure privileged hacked documents that showed wrongdoing on the part of Avid Dating: “[h]owever distasteful it may be that some of the e-mail communications between Avid and its counsel may show wrongful or inappropriate conduct, the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery.”[3]

[1] In re Ashley Madison Customer Data Sec. Breach Litig., No. 4:15-md-02669 (E.D. Mo. Dec. 9, 2015).

[2] Id. pg. 8.

[3] Id.

Data Breach Negligence Claims Not Recognized in Pennsylvania

By Steven L. Caponi and Elizabeth A. Sloan

In an important and well-reasoned 12-page decision, Judge Wettick of the Court of Common Pleas of Allegheny County refused to create a common law duty to protect and secure confidential information. The decision was issued in the matter of Dittman v. UPMC, which was filed on behalf of over 62,000 plaintiffs. Although not binding state-wide, Judge Wettick’s decision represents an important step in the development of privacy law in Pennsylvania.

The complaint was filed against the University of Pittsburgh Medical Center (“UPMC”) after names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information pertaining to current and former employees were stolen from UPMC’s computer systems. The plaintiffs alleged that UPMC had a common law “duty to protect the private, highly sensitive, confidential and personal financial information, and the tax documents of plaintiffs and the members of the proposed class.” The complaint claimed that UPMC violated this duty when it failed to “exercise reasonable care to protect and secure the information.”

Advocating for more than simple recognition of a general duty, the Dittman plaintiffs sought court imposition of very specific and onerous duties on UPMC. Given the nature of the employee/employer relationship, the plaintiffs argued that UPMC’s duties included the obligation to design, maintain, and test “its security systems to ensure that [] the members of the proposed Classes personal and financial information … was adequately secured and protected.” It was further argued that “UPMC [] had a duty to implement processes that would detect a breach of its security systems in a timely manner.” Lastly, the plaintiffs argued that UPMC should be liable for its failure to meet industry standards in the face of a risk that was reasonably foreseeable.

Judge Wettick’s decision is important not only for its ultimate holding, finding no common law cause of action for data breaches, but also for the three lines of thought relied upon to support his conclusion. Specifically, Judge Wettick found: (1) Pennsylvania’s economic loss doctrine precludes a negligence cause of action for economic loss stemming from a data breach; (2) public policy considerations militated against the creation of an affirmative duty of care in connection with data breach cases; and (3) the Pennsylvania General Assembly’s prior actions evidenced an intent not to impose such a duty.

With regard to the economic loss doctrine, the court noted that the UPMC employees sustained only economic losses resulting from the improper actions of third-party bad actors. With this finding in hand, the court turned to the economic loss doctrine and affirmed that “no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Seeking to overcome the economic loss doctrine, the Dittman plaintiffs invoked Pennsylvania Supreme Court case law, including Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012), to suggest the court should impose a common law duty of care on those who maintain the confidential data of third parties. The court rejected this argument as an improper effort to undermine the economic loss doctrine.

The court went on, however, to consider the factors articulated in Seebold and concluded “the controlling factors are the consequences of imposing a duty upon the actor and the overall public interest in the proposed solution.” Recognizing the magnitude of the problem, the court noted that “data breaches are widespread … frequently occur because of sophisticated criminal activity of third persons … [and] [t]here is not a safe harbor for entities storing confidential information.” Judge Wettick further noted that the imposition of a new duty was unnecessary because entities who store confidential information already have a strong incentive to protect the data and avoid the disastrous operational consequences resulting from a breach.

Addressing the public policy component of Seebold, the court adopted a very practical approach.  Judge Wettick determined that the creation of a new duty would expose Pennsylvania courts to the “filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons”—a burden the courts are not equipped to handle. He further recognized that there is an absence of guidance as to what actions constitute reasonable care, and allowing juries to determine what constitutes reasonable care is not a “viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation.” Lastly, the court took notice of the fact that creation of a new cause of action would require companies to expend substantial resources defending lawsuits even though the entities “were victims of the same criminal activity as the plaintiffs.”

The court concluded its analysis into the propriety of creating a common law duty by noting that the Pennsylvania General Assembly extensively considered the issues surrounding data breaches when enacting the Breach of Personal Information Notification Act (the “Act”). 73 P.S. § 2301, et seq. (effective June 20, 2006). Notably, the Act did not establish a duty of care or a private cause of action. Rather, the Act created only a notification obligation in the event of a breach.  Had the General Assembly wished to impose a new duty, it had the opportunity to do so.  Exercising judicial restraint, Judge Wettick concluded “[i]t is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

While Judge Wettick’s decision will surely not be the last word on liability stemming from data breach cases in Pennsylvania, it is highly instructive, well-reasoned, and likely to be followed by other Pennsylvania courts. A copy of Judge Wettick’s decision can be obtained here.

And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Becoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BarkerGilmore and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was in which areas executives felt their general counsel would most benefit from gaining additional expertise so as to add value to their company.  The overwhelming favorite: Cybersecurity risk—chosen by 67 percent of the executives surveyed.  The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs: Adding Value to the C-Suite,” is available here.

BBB Watchdog Cites Five On-Line Companies for Failing to Adhere to Enhanced Notice of Third-Party Data Collection for Online Behavioral Advertising

By Jennifer Daniels

This week, the Online Interest-Based Advertising Accountability Program, a unit of the Better Business Bureau (“BBB”), released five decisions in which Answers Corporation, Best Buy, BuzzFeed, Go.com, and Yelp agreed to provide real-time “enhanced” notice and choice to website users whenever non-affiliates collect their information for personalizing ads.

A year ago, the BBB’s privacy watchdog issued a compliance warning that publishers must implement the transparency and consumer control requirements of the self-regulatory principles for online behavioral advertising (“OBA Principles”), or face a public compliance action. “Enhanced notice” requires companies to add a separate link that takes users directly to a site where they can opt out of receiving behaviorally targeted ads. The link itself generally appears beneath text like “Interest-based ads,” “About our ads,” or “AdChoices.”

Under the OBA Principles, including an opt-out mechanism in a privacy policy is not sufficient. Rather, the notice and choice must be provided at the time that information is being collected from consumers.  The OBA Principles apply to all segments of the advertising industry, from website publishers to third-party ad networks. The BBB and the Direct Marketing Association (“DMA”) coordinate to enforce the self-regulatory program by monitoring participating companies for program compliance, investigating, and reporting potentially non-compliant companies to appropriate regulatory agencies.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention and mitigation services at no cost to the affected person for no less than 12 months if a Social Security number or driver’s license number is breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecurity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of which would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing businesses that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

The Celebrity Hacking Scandal and You: 3 Takeaways for Everyone

By Steven Caponi

By now we all know a hacker accessed the personal iCloud accounts of dozens of A-list celebrities and leaked nude photos of stars such as Jennifer Lawrence, Kate Upton, Kirsten Dunst, and Victoria Justice. The anonymous hacker[s] posted the nude images first on 4Chan, but the photographs spread quickly and went viral.

This cyber-incident has sparked a significant debate on various topics, ranging from our privacy laws, to speculation over who may have committed this deplorable act, to emotionally charged disagreements over whether the celebrities themselves should bear some of the blame. The scattershot debate has left the average person wondering “what does this mean for me?” and “what can I do to protect myself?” Below are three takeaways everyone should consider.

1. You Can’t Un-Ring the Bell

Unfortunately, for individuals who find their embarrassing moments, confidential information, or indiscretions strewn across the Internet, there is little hope of putting the genie back in the bottle. As much as we talk about the Internet as a singular object, it is an amalgamation of millions of computers, servers, and websites, all controlled by different people located across the globe. As a result, the Internet has a long memory that is impossible to erase.

Compounding these structural difficulties is a cultural/legal mindset in the U.S. that generally values the free flow of information over personal privacy. The First Amendment allows the free flow of information, while relying on tort law, primarily libel, and invasion of privacy, to protect individuals’ rights. Search engines and Internet providers enjoy robust protections from liability for the content they provide unless they have direct knowledge it is false or violates copyright law. As a result, individuals cannot realistically seek redress against the thousands of websites that may contain embarrassing information and are stymied by various protections preventing the public from forcing the large content providers to block access to embarrassing content.

There is, however, a ray of hope for those who want greater privacy protections. In contrast to the U.S., the European Union and its member nations have chosen to follow a path where the privacy rights of individuals receive greater protections. Following a landmark decision by the European high court earlier this year, numerous search providers must consider individuals’ requests to remove links that they say infringe on their privacy. The decision has resulted in what is commonly referred to as the “right to be forgotten” movement. Currently, each nation in the E.U. has a data protection agency through which citizens can appeal for help in erasing their online histories. Whether the “right to be forgotten” movement takes hold in America remains to be seen.

2. The Law Offers Little Solace

For anyone looking to the courts for justice, they will likely find that the patchwork of 50 divergent laws and the absence of comprehensive federal legislation render an adequate judicial remedy a long shot at best.

Putting aside the breadth of the state and federal laws, there are several initial obstacles that must be overcome before one could consider legal action. First and most obvious is the inability to identify who stole or released your information. Hackers work in the shadows of the Internet, adopt catchy “street names,” and take extraordinary steps to hide their location. Even if the hacker can be identified, there are significant jurisdictional limitations that constrain cybercrime prosecution or litigation.

The legal concept of jurisdiction involves territory, with the reach of a law being limited by the boundaries of the state or country. Thus, to apply a particular state law, the crime or tort must have occurred within the territorial boundaries of that state. Unfortunately, it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions. This raises many questions, which largely remain unanswered: Where did the crime occur? Which state has jurisdiction over the crime? And, where is the hacker subject to personal jurisdiction?

These issues have sparked a push for comprehensive federal legislation governing cyberattacks, data breaches, and victims’ rights. Due to deep philosophical divisions in Washington, D.C., however, this much-needed legislation has failed to make any serious progress. Currently, hacking victims can invoke the Communications Decency Act of 1996 (“CDA”), but the CDA is drafted in a way that protects service providers and website operators more than the public. Section 20 of the CDA states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Therefore, unless the provider, for example 4chan, was directly involved in the hacking and release of the racy photographs, it is not liable for damages.

Until the laws are updated, a criminal and civil remedy appears elusive.

3. Don’t Look to Your Cloud Provider

Much of the anger resulting from the celebrity hacking scandal has been directed toward “big Internet companies” generally, and Apple specifically. The arguments rest on the assumption that if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.

Although the exact method used by the hackers has yet to be identified, the response from Apple has been both swift and consistent with the position adopted by other cloud providers. Apple has vigorously denied its systems have been compromised and suggests the hackers accessed the accounts after obtaining the celebrities’ email and passwords. The implication of this argument is to suggest the celebrities’ computers were hacked, not Apple’s iCloud servers. As the party bearing the burden of proof in a civil trial, the celebrities will need to refute Apple’s argument by demonstrating how the hack occurred and that the hack could not have occurred but for an issue with Apple’s security protocols. This will be no easy task.

Even if the celebrities manage to establish the hacker’s method, the ability to obtain any meaningful compensation will be severely limited by their cloud service agreements. Cloud providers often limit direct damages by capping the aggregate dollar amount for all claims under the service agreement. In the case of Apple, its cloud service agreement—which is ignored by most users—states that Apple cannot be “LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES… .”

With little ability to undo the damage caused by an embarrassing data breach, nearly insurmountable obstacles precluding a civil/criminal prosecution, and a cloud service agreement rendering a contract action against the provider illusory—what is the average person to do? The answer is as unsatisfying as it is simple. Keep your most confidential, valuable, and embarrassing items in a location that is not accessible to the Internet.

 

Delaware Adopts Law Requiring the Destruction of Consumers’ Personally Identifiable Information

By Steven Caponi & Elizabeth Sloan

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§ 50C-101 through 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice.  The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …”  By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entity—whether or not for-profit.  Importantly, the law does not specify when documents must be destroyed, but rather, addresses how records should be destroyed when they will no longer be “retained” by a company.

In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or also extend to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally.  Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting; and any government, governmental subdivision, agency, or instrumentality.

The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.”  Also, “record” is defined equally broadly so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”

Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”

A copy of the law and the relevant legislative history can be found at: http://legis.delaware.gov/LIS/lis147.nsf/vwlegislation/E7AF55FF393A832E85257C590067118D

Goodwill Investigating Possible Data Breach

By Steven Caponi

Yesterday it was announced that a number of financial institutions reported tracking what could be a series of credit card breaches involving various Goodwill locations nationally. Goodwill operates more than 2,900 stores nationwide and has annual retail sales of $3.79 billion. Goodwill issued a statement indicating it is working with the U.S. Secret Service to investigate the possible breaches. At this juncture the scope of the breach remains unknown, but early reports suggest Goodwill’s systems could have been compromised as far back as the middle of 2013.

Banking sources have also reported the potential fraud involves retail stores in Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington, and Wisconsin. Because Goodwill consists of a network of 165 independent agencies with separate regional headquarters in the United States, there is no centralized database containing customer credit card information. While this will make an investigation more difficult, it will also limit the scope of a breach and number of customers impacted.

In a statement sent to Krebs on Security, Goodwill said it first learned about a possible incident Friday, July 18.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

Cybersecurity—There Is an App for That!

By Steven Caponi

Many of our readers and those active in cybersecurity have been following ThreatWatch from Nextgov. This highly informative site provides a daily snapshot of the data breaches impacting organizations and individuals on a global level. Although not an authoritative list of cyber attacks, ThreatWatch provides a good overview of the most prevalent cyber events on a rolling basis. In addition to identifying the target, the alerts name the suspected attackers and their methods of penetration, highlight patterns of activity, and note emerging trends/threats.

The information found at ThreatWatch is now available in the palm of your hand in the form of a new iPhone app, which includes some additional features. Aside from a daily rundown of the latest reported breaches hitting agencies, retailers, and every other sector, you now also receive threat level scores and story feeds from around the globe. For example, today’s threat level is a 12 on a 100-point scale, according to data analytics company HackSurfer. On an industry basis, utilities are at a level 3, financials are at a level 5, and information technology is at a level 81. Under the “Breaches” tab, there is an article discussing how a system engineer hired by a staffing agency copied and sold personal data from 7.6 million contracts with the Japanese education firm Benesse Corp. Included within the “Newsfeed” tab, you will have access to technology security articles from Guardian, Wired, and other reputable publications that are streamed constantly, along with commentary from cyber firms, such as Sophos and Malwarebytes.

The app is free and available for download at the Apple iTunes store.

Is the Password Finally Dead? Fernando Corbató Hopes So.

By Steven Caponi

As noted in a recent article in the Wall Street Journal, although his impact on our daily lives arguably rivals that of Bill Gates, Mark Zuckerberg, and other giants in the computer industry, the name Fernando Corbató remains obscure. He is, however, the father of the modern computer password. While toiling away at the Massachusetts Institute of Technology in the early 1960s, Mr. Corbató and his colleagues developed the password in order to control access to files on a large, shared computer. Little did they know that over 50 years later, billions of people across the globe would be forced to remember countless passwords and type them into devices ranging from their personal computers to ATMs, smartphones, tablets, and even home appliances. One cannot “Like a friend” on Facebook, check a bank balance, review a child’s school grades, or bid in an online auction for that completely unnecessary item that is destined to sit in the back of a closet, without first entering at least one password.

While designed to help manage and secure files, the ubiquitous nature of the password has rendered it the most significant security risk to computers. In the wake of Heartbleed, and recent attacks on eBay, Yahoo, and Target, it is not surprising that the voices calling for the death of the password are growing louder. Just listen to John Proctor, Microsoft’s Vice President of Global Cybersecurity, who wrote a blog post on this subject last week, stating, “Allowing users to log in simply with a username and password is a grave error… Frankly, the password is dead.” Using equally blunt terms, Jeremy Grant, the head of the National Strategy for Trusted Identities in Cyberspace, stated, “Passwords are awful and need to be shot.” How did Mr. Corbató respond to these attacks on his invention? The 87-year-old retired researcher expressed the view shared by many—“It’s become a kind of a nightmare.”

Despite the nearly universal disdain for the password, finding a replacement that would be accepted by the computer industry is not easy because the password is cheap to use and is a fundamental aspect of the architecture of most websites. Making things even more difficult are inertia and human behavior. Using a password has become a daily, routine part of human behavior, to the point where entering a personal identification number (“PIN”) has become second nature. And even in the face of a known breach such as Heartbleed, people refuse to change their passwords because they are typically easy to remember and used across many accounts.

The dissatisfaction with the password begs the question: What will the replacement look like?  There are currently many contenders waiting to supplant the password. These include hardware options such as fingerprint readers (i.e., Apple iPhone 5), iris scanners, and USB keys. There are also software options by companies such as BioCatch Inc., which is located in Boston, that verify a person’s identity by measuring how they hold a smartphone or drag a mouse across a screen. Recently, U.S. Bank announced it was joining other large financial institutions in testing voice biometrics as a potential replacement for the traditional password. This group, which includes Wells Fargo & Co. and Barclays Plc., is adopting voice biometrics software that requires users to log in to an application or website by speaking a word or phrase. The word or phrase is compared to a previous recording the customer has made to verify it’s the same user.

One option that is gaining traction for its combination of security and simplicity is multifactor authentication (“MFA”). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network. This is achieved by combining two or three independent credentials: what the user knows (knowledge-based authentication), what the user has (security token or smart card), and what the user is (biometric verification). Single-factor authentication, in contrast, only requires knowledge that the user possesses (e.g., a PIN, phone number, Social Security number, etc.). For instance, some Google accounts use two-factor authentication that requires smartphones to run an app that randomly generates a number that resets every 30 seconds. This number is required to log in to your account.

Whatever security feature may lie ahead, it is safe to suggest that it will not be the much maligned password. While Mr. Corbató’s invention has served us well for the past fifty years, the frequency of major hacks and sophistication of cyber criminals have overwhelmed the password’s ability to serve as an effective gatekeeper to our data. When the inventor, users, and companies maintaining sensitive data all agree that change is needed, it is only a matter of time before the password is able to R.I.P.

 

FTC Letter is a Reminder for All M&A Deals

By Jennifer Daniels

On April 10, 2014, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, wrote a letter to both Facebook, Inc. and WhatsApp Inc. warning the companies that the FTC expects both companies to honor the privacy promises made by WhatsApp prior to its acquisition by Facebook.  In late February, Facebook announced that it would acquire the stock of WhatsApp, a company that offers instant messaging services with hundreds of millions of users worldwide.  WhatsApp has built a reputation for its privacy promises.  Conversely, Facebook’s privacy reputation is not a stellar one, as Facebook is the subject of a twenty-year Consent Agreement with the FTC arising from a settlement of past allegations of deceptive practices in handling user data.  The April 10 letter from Ms. Rich offers a reminder to companies engaging in acquisitions to plan for the handling of personally identifiable information.

In the April 10 letter, Ms. Rich points out that the privacy promises made by WhatsApp in its privacy statement exceed the protections currently promised to Facebook users.  Ms. Rich explains that, if the acquisition is completed and WhatsApp fails to honor its promises, both companies could be in violation of Section 5 of the FTC Act and, possibly, the FTC order against Facebook.  Ms. Rich highlights other cases that the FTC has brought charging that companies failed to keep their privacy promises, including In re Genelink, Inc., In re Upromise, Inc., and In re Twitter, Inc.  In addition, the FTC made clear in In re Gateway Learning Corp. that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time the data were collected.

Accordingly, Facebook and WhatsApp are not permitted to amend the WhatsApp privacy statement going forward and have the amended privacy statement apply to data that were collected by WhatsApp prior to the amendment.  If the companies want a modified privacy statement to apply retroactively to data that had been collected by WhatsApp in the past, they will need to obtain an opt-in consent from the impacted consumers.  Further,  Ms. Rich indicates in her letter that, because Facebook and WhatsApp are now making promises that the companies will not modify WhatsApp’s privacy practices following the acquisition, if the companies do decide to change WhatsApp’s privacy practices following the transaction, the FTC recommends that the companies offer existing users the ability to opt out of the future collection of their information, or at least make it clear to consumers that they have the ability to stop using the WhatsApp service.

The letter from Ms. Rich is an important reminder to companies that process personally identifiable consumer data that the handling of those data is an important consideration in any M&A transaction. When looking at structuring an acquisition, the parties must consider whether the privacy statements or consents under which personal data were collected allow disclosures of that data to a third party acquirer.  If they do not, then an asset acquisition may not be possible without violating those privacy statements and consents, because an asset acquisition necessarily involves a change in the legal entity that owns the data.  Companies must also anticipate this issue when preparing privacy statements and consents, and must include language that allows personal information to be disclosed to the purchaser of the business.  Further, even in a stock purchase where the target legal entity collecting and holding the data does not change (so there is arguably no disclosure of the data to a third party acquirer), the buyer should conduct diligence on the privacy promises of the seller to ensure that the buyer can live with the promises made regarding the data, understanding that any material change in the uses and disclosures of the data following the acquisition may require opt-in consent from the impacted consumers, which in many instances is nearly impossible to obtain.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate website defenses than companies’ ability to detect attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  Accomplished by phishing techniques, installing malware, and correctly guessing security questions, Verizon insists better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.

6. Crimeware.

Crimeware consists of any illicit activity that does not fall under espionage or point-of-sale.  Most crimeware occurs when users download malicious files.  But it can also happen via “drive-by infections,” whereby a virus is downloaded when a user unknowingly clicks a deceptive pop-up window.  Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-free, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising networks and systems availability to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether, or becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

Target Data Breach Suit By Banks Extends To Security Vendor

By Jeffrey Rosenthal

December 18, 2013, was a dark day for Target Corp.  Nationally outed as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”

But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.”  According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts.  This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges.  The cost of card replacement alone is estimated to ultimately rest around $200 million.

Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one.   While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable as well.

“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged.  It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs.  “The damage done to the banks and other class members is monumental,” the suit asserts.  The alleged cost to banks/retailers could eventually exceed $18 billion.

In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014.  This denial came one day after the New York-based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action.  The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.

When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected.  While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.

Accretive Health Settles FTC Charges that it Failed to Adequately Protect Consumers’ Personal Information

By Jennifer Daniels

Accretive Health, Inc. (“Accretive”) is a service provider for hospital systems nationwide, providing services related to the hospital systems’ revenue cycle operations.  In providing these services, Accretive obtains sensitive health information about its customers’ patients.  Accretive suffered a security breach that resulted in the exposure of sensitive, personally identifiable information for about 23,000 individuals.  As is often the case, that breach resulted in a complaint from the government.

Of course, Accretive’s clients are Health Insurance Portability and Accountability Act (“HIPAA”)-covered entities and Accretive is a business associate under HIPAA.  This investigation, however, was not a HIPAA investigation; rather, the claims made by the Federal Trade Commission (“FTC”) were under the FTC Act.  HIPAA-covered entities and their business associates should keep in mind that HIPAA compliance is not their only regulatory obligation to maintain the security of personal information.

The FTC argued that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, which Accretive collected and maintained by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access.  The FTC claimed that, among other things, Accretive:

  • transported laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
  • failed to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
  • failed to ensure that employees removed information from their computers for which they no longer had a business need; and
  • used consumers’ personal information in training sessions with employees and failed to ensure that the information was removed from employee computers after the training.

Accretive’s failures resulted in a July 2011 incident in Minneapolis, Minnesota in which an Accretive laptop containing 600 files related to 23,000 patients was left in the locked passenger compartment of an employee’s car and was stolen.  The laptop included sensitive personal and health information, including names, dates of birth, billing information, diagnostic information, and social security numbers.  The user of the laptop had data that was not necessary to perform his job.

The FTC argued that the failure by Accretive to employ reasonable and appropriate measures to protect personal information from unauthorized access was an unfair act or practice in violation of Section 5(a) of the FTC Act.

On January 13, the FTC published a notice in the Federal Register that the FTC had accepted, subject to final approval, a consent order applicable to Accretive.  The Proposed Order requires Accretive to establish and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information.  The program must contain administrative, technical and physical safeguards appropriate to Accretive’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects about consumers.  Specifically, the Proposed Order requires Accretive to:

  • designate an employee or employees to coordinate and be accountable for the information security program;
  • identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive, and require service providers by contract to implement and maintain appropriate safeguards; and
  • evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Companies handling sensitive personal information are advised to review the types of security measures that the FTC includes in these types of consents because they give companies a checklist of the measures that the FTC will expect to be in place at companies handling similar types of data.

In Accretive’s case, the Proposed Order will be in place for 20 years, and the order requires Accretive to obtain an assessment and report every other year for 20 years from a qualified, objective, and independent third party professional certifying that its security program meets the requirements of the order.

The FTC published a description of the consent, which is subject to public comment for thirty days, after which the FTC will decide whether to make the proposed order final.