Author:

Does the SHIELD Act Cover Your Business and Are You Ready?

Does the SHIELD Act Cover Your Business and Are You Ready?

As we have previously written, the privacy and security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) are effective as of March 21, 2020. The SHIELD Act implements broad new data security requirements for all businesses that have the private information of New York residents, and reaches beyond New York’s own borders to compel companies – including companies that do not do business in New York – to take affirmative steps to protect the personal and private information of New York residents that the company may be collecting or storing. Initially, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a social security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.” Second, the SHIELD Act applies to any company that possesses the private information of even a single New York resident...

NJ Assembly Initiates (Then Withdraws) Proposal to Ensure COVID-19 Coverage

NJ Assembly Initiates (Then Withdraws) Proposal to Ensure COVID-19 Coverage

Last week, legislation was introduced in the New Jersey Assembly that would require property insurers to cover business interruption losses arising from the COVID-19 pandemic suffered by small businesses (i.e., businesses with less than 100 full-time employees who work 25 or more hours per week). The bill would require coverage for any loss of business or business interruption “due to global virus transmission or pandemic” that is suffered for the duration of the State of Emergency declared by Governor Murphy on March 9, 2020. It appears that such coverage must be provided regardless of existing policy requirements (e.g., direct “physical loss” or “damage”) or potentially applicable exclusions (e.g., the “Virus or Bacteria” exclusion in many policy forms). After an initial favorable vote by the NJ Assembly Homeland Security and State Preparedness Committee, the bill was reportedly withdrawn by its sponsors, but may be amended and reintroduced in the short-term. The bill as initially drafted would provide significant relief to policyholders with small- to medium-sized businesses that may be the hardest hit in what is rapidly developing into a global economic crisis. This would certainly be welcome relief. However, that proposed relief comes with a potential backend cost to all policyholders...

Insurance Coverage in the Age of COVID-19

Insurance Coverage in the Age of COVID-19

As the coronavirus continues to dominate the news cycle, the actual (and anticipated) impact on business operations and business continuity has hijacked the attention of owners, managers, and C-suite executives at all levels and in all industries. Among the myriad issues to be resolved, one obvious question is the extent to which insurance coverage is available for business losses arising from this public health crisis, including reduction of business income, incurring of extra expenses, disruption of supply chains, event cancellations, and potential liability from stakeholder lawsuits. Some companies may have purchased specialized forms of insurance policies that are designed to provide specific coverage for losses suffered as a result of public health crises. However, the vast majority of companies will need to look to their traditional insurance policies – like property and directors and officers coverage – in order to obtain available insurance, if any, for these business related losses. As an initial matter, coverage for actual loss of business income and extra expense is typically part of a company’s property insurance policy and not separate, standalone coverage. Therefore, coverage for business income and related losses depends on demonstrating that these losses resulted from “physical loss” or “damage” to covered...

CCPA Amendments Expand Private Right of Action and AG’s Enforcement Power

CCPA Amendments Expand Private Right of Action and AG’s Enforcement Power

On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking … The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria: Has annual...

Eleventh Circuit Rules FTC’s Data Security Cease and Desist Order Against LabMD Is Unenforceable

Eleventh Circuit Rules FTC’s Data Security Cease and Desist Order Against LabMD Is Unenforceable

In its June 6, 2018 decision, the Eleventh Circuit concluded that the Federal Trade Commission’s (“FTC”) Final Order against LabMD lacked adequate specificity and therefore was unenforceable. The Eleventh Circuit had previously issued a stay of enforcement of the FTC’s Final Order – as reported by this blog on November 16, 2016  – which had concluded that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The FTC initiated an enforcement action against LabMD in August 2013, alleging that LabMD, which operated as a clinical laboratory testing center, failed to implement reasonable data security measures to protect patients’ sensitive personal information. LabMD’s alleged data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years, which allowed exposure of patient information on a peer-to-peer network accessible daily by millions of users. In July 2016, and on appeal following a hearing before an Administrative Law Judge, the FTC concluded that LabMD’s failures had caused, and were also likely to cause, substantial consumer injury, including identity theft and medical-identity...

New Jersey Poised to Mandate Across-the-Board Information and Data Security Preparedness

New Jersey Poised to Mandate Across-the-Board Information and Data Security Preparedness

The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct...

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would elevate to $600 after a short period of time, and if the company-victim refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, and potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is a victim of a successful attack. Implement a Written Information Security Program. Knowing how to mitigate the...

NY Updates Cybersecurity Requirements for Financial Services Companies 0

NY Updates Cybersecurity Requirements for Financial Services Companies

On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.

11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable” 0

11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”

As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.

Believe It or Not: Computer Fraud Coverage May Not Cover Fraud Involving a Computer 0

Believe It or Not: Computer Fraud Coverage May Not Cover Fraud Involving a Computer

Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.