On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking … The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria: Has annual...
Author: John T. Wolak
In its June 6, 2018 decision, the Eleventh Circuit concluded that the Federal Trade Commission’s (“FTC”) Final Order against LabMD lacked adequate specificity and therefore was unenforceable. The Eleventh Circuit had previously issued a stay of enforcement of the FTC’s Final Order – as reported by this blog on November 16, 2016 – which had concluded that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The FTC initiated an enforcement action against LabMD in August 2013, alleging that LabMD, which operated as a clinical laboratory testing center, failed to implement reasonable data security measures to protect patients’ sensitive personal information. LabMD’s alleged data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years, which allowed exposure of patient information on a peer-to-peer network accessible daily by millions of users. In July 2016, and on appeal following a hearing before an Administrative Law Judge, the FTC concluded that LabMD’s failures had caused, and were also likely to cause, substantial consumer injury, including identity theft and medical-identity...
The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct...
Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would elevate to $600 after a short period of time, and if the company-victim refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, and potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is a victim of a successful attack. Implement a Written Information Security Program. Knowing how to mitigate the...
On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”
As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.
Is a commercial policyholder able to get insurance under the terms of its computer fraud coverage (typically offered as part of a crime policy) for a fraud based upon information transmitted by email? Not according to the Fifth Circuit’s recent decision in Apache Corporation v. Great American Insurance Company, which vacated the trial court’s judgment and left the policyholder with a $2.4 million uninsured loss. While the opinion is unpublished and therefore should have limited precedential value, it highlights the importance of reviewing your company’s coverage profile in an effort to close potential gaps in insurance coverage for security breaches and other losses involving computer use.
Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices
The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
Policyholders may still enforce an insurer’s duty to defend under a Commercial General Liability (“CGL”) policy for claims arising out of a data security breach, according to a recent Fourth Circuit decision. While the decision was issued in an unpublished opinion (a mere 18 days after oral argument), the decision represents a significant victory for policyholders seeking insurance coverage for claims arising out of data breaches resulting in the disclosure of personal information.