Data Security Law Journal

Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Texas’s Data Privacy Training Laws Change (Again)

Posted in Data Privacy, Data Security, Health Care Industry

In August of last year, I wrote about HB 300, a Texas law that, beginning September 1, 2012, created employee training and other requirements for any company doing business in Texas that collects, uses, stores, transmits, or comes into possession of protected health information (PHI).  The law’s training provisions required covered entities to train their employees every two years regarding federal and state law related to the protection of PHI, and obtain written acknowledgement of the training.  (The training was required for new employees within 60 days of their hiring).  Companies were required to train their employees in a manner specific to the way in which the individual employee(s) handle PHI.

Recently, however, the Texas legislature passed two bills that amend the requirements of HB 300 in a few significant ways.  Under SB 1609, the role-specific training requirement has changed.  Now, companies may simply train employees about PHI “as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.”

SB 1609 also changed the frequency of the training from once every two years to whether the company is “affected by a material change in state or federal law concerning protected health information” and in such cases the training must take place “within a reasonable period, but not later than the first anniversary of the date the material change in law takes effect.”  This change could mean more or fewer training sessions of employees depending on the nature of the covered entity’s business, the size of the covered entity, and the location of the covered entity.

SB 1610, which relates to breach notification requirements, is more puzzling.  Until now, Texas law required companies doing business in Texas that suffered data breaches affecting information of individuals residing in other states that did not have data breach notification laws (e.g., Alabama and Kentucky), to notify the individuals in those states of the breach.  SB 1610 removes that requirement and now provides that:  “If the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of a state that requires a [breached entity] to provide notice of a breach of system security, the notice of the breach of system security required under Subsection (b) [which sets forth Texas’s data breach notification requirements] may be provided under that state’s law or under required under Subsection (b).”

The natural interpretation of this provision is that a Texas company that suffers a breach of customer information where, for example, some of the customers reside in California, Massachusetts, or Connecticut, is not required to comply with those states’ data breach notification laws if the company complies with the standards set forth in Texas’s data breach notification law.  It will be interesting to see whether Texas receives any push back from other state Attorneys General who enforce their states’ data breach notification laws and may not be pleased with a Texas law that instructs companies doing business in Texas that the requirements for breach notification set forth by other states can be ignored if the Texas company meets Texas’s data breach notification requirements.  Nevertheless, the practical effect of this law is not clear because most companies will want to avoid the risk associated with ignoring another state’s data breach notification law.

In short, the legislative changes are a good reminder that companies doing business in Texas that collect, use, store, transmit, or otherwise handle PHI must determine whether they are complying with HB 300 and the more recent legislative acts that were signed into law June 14, 2013 and became effective immediately.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

U.S. Senate Considers Federal Data Security Legislation

Posted in Data Breach, Data Breach, Data Privacy, Data Security

Legislation was introduced in the U.S. Senate late last week that, if passed, would create proactive and reactive requirements for companies that maintain personal information about U.S. citizens and residents.  The legislation, titled the “Data Security and Breach Notification Act of 2013” (s. 1193) creates two overarching obligations:  to secure personal information and to notify affected individuals if the information is breached.  The bill requires companies to take reasonable measures to protect and secure data in electronic form containing personal information.  If that information is breached, companies are required to notify affected individuals “as expeditiously as practicable and without unreasonable delay” if the company reasonably believes the breach caused or will cause identity theft or other actual financial harm.

A violation of the obligations to secure or notify are considered unfair or deceptive trade practices that may be investigated and pursued by the FTC.  Companies that violate the law could be fined up to $1,000,000 for violations arising out of the same related act or omission ($500,000 maximum for failing to secure the personal information and $500,000 maximum for failing to notify about the breach of the personal information).

The legislation defines personal information as social security numbers, driver’s license numbers, passports numbers, government identification, and financial account numbers or credit/debit card numbers with their required PIN number.  The bill includes a safe harbor for personal information that is encrypted, redacted, or otherwise secured in a way that renders it unusable.

Here are some other important provisions of the legislation:

  • There is no guidance as to what “reasonable measures” means under the obligation to secure personal information, which is problematic (although not very different from state data breach notification laws) because it provides no certainty as to when a company may face liability for failing to adopt certain security safeguards.
  • With respect to the duty to notify, the bill explicitly allows for a reasonable period of time after a breach for the breached entity to determine the scope of the breach and to identify individuals affected by the breach.
  • The legislation would preempt state data breach notification laws, but compliance with other federal laws that require breach notification (e.g., HIPAA/HITECH) is deemed to be compliance with this law.
  • The bill requires that breached entities notify the Secret Service or the FBI if a breach affects more than 10,000 individuals.
  • The bill also allows for a delay of notification if such notification would threaten national or homeland security, or if law enforcement determines that notification would interfere with a civil or criminal investigation.
  • There is no private cause of action for violating the legislation.  The bill is silent as to whether private causes of action based on common law or other statutory claims (e.g., negligence, state unfair trade practices claims, etc.) may be pursued, to the extent such causes of action are recognized.

The remains, however, a big question as to whether this legislation will ultimately become law.  Given the political climate in D.C. and the lack of success of similar federal legislation in the past, the outlook is bleak.  The ambiguity of the required proactive security measures and the lack of clarity as to whether private causes of action may be pursued for non-statutory violations also raise political problems for the legislation on both sides of the aisle.   Nevertheless, there is growing climate of concern regarding privacy and security issues that may result in this legislation being included within a larger package of legislation on cybersecurity and data privacy.  It will be important to keep an eye on the status of this bill moving forward.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The SEC’s Guidance on Cyber Risks and Incidents: A Deeper Dive

Posted in Data Security, SEC

In October 2011, the U.S. Securities and Exchange Commission’s Division of Corporation Finance issued “CF Disclosure Guidance: Topic No. 2”, which was a guidance intended to provide some clarity as to the material cyber risks that a publicly traded company should disclose.  I previously wrote about the guidance.  This blog post is the first of a three-part series to take a deeper look at the guidance:  what does the guidance mean and require (Part I), how is the SEC using/enforcing the guidance (Part II), and how are companies complying with the guidance (Part III)? 

What is a disclosure guidance?

A disclosure guidance provides the views of a specific division of the SEC (in this case, the Division of Corporation Finance) regarding disclosure obligations (in this case, disclosure obligations relating to cybersecurity risks and cyber incidents).  It is not a rule, regulation, or statement of the Securities and Exchange Commission.  The SEC has neither approved nor disapproved its content.  In fact, the guidance did very little to change the legal landscape because companies are already required to disclose materials risks and incidents, so to the extent a cyber risk/incident is material, it must be disclosed regardless of the subject disclosure guidance.  Nevertheless, at a minimum, the guidance has brought attention to the need for a company to disclose risks/incidents related to cybersecurity and it attempts to clarify the types of cyber risks/incidents that should be disclosed.

What is the likelihood that the SEC will more clearly mandate disclosure of cyber incidents and risks?

Based on some recent events, there is a reasonable likelihood that we will see a Commission-level statement relatively soon, clearly and explicitly requiring publicly traded companies to disclose material cyber incidents and risks in their public filings.

On April 9, 2013, Senator Jay Rockefeller sent a letter to the recently confirmed SEC Chairwoman, Mary Jo White, in which he strongly urged the SEC to issue the guidance at the Commission level.  Senator Rockefeller cited investors’ needs to know whether companies are effectively addressing their cybersecurity risks, and a need for the private sector to make significant investments in cybersecurity.

Chairwoman White responded positively to Senator Rockefeller’s letter.  She reiterated the existing disclosure requirements to disclose risks and events that a reasonable investor would consider material.  She also informed Senator Rockefeller that she has asked the SEC staff to provide her with a briefing of current disclosure practices relating to cyber incidents/risks and overall compliance with the guidance, as well as recommendations for further action in this area.  In short, I would not be surprised to see further instruction from the SEC on the cyber incident/risk disclosure issue this year.

What is a cybersecurity risk or cyber incident under the guidance?

According to the guidance, a cyber incident can result from a deliberate attack or unintentional event and may include gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption.  Not all cyber incidents require gaining unauthorized access; a denial-of-service attack is such an example.  These incidents can be carried out by third parties or insiders and can involve sophisticated electronic circumvention of network security or social engineering to get information necessary to gain access.  The purpose may be to steal financial assets, intellectual property, or sensitive information belonging to companies, their customers, or their business partners.

Which cyber risks and incidents should be disclosed?

Publicly traded companies must disclose timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. According to the guidance, material information about cybersecurity risks and cyber incidents must be disclosed when necessary to make other required disclosures not misleading.

What factors should a company consider in determining whether a risk or incident should be disclosed?

According to the guidance, companies should consider a number of factors in determining whether to disclose a cybersecurity risk, including:  (1) prior cyber incidents and the severity and frequency of those incidents; (2) the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks (including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption); and (3) the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they were aware.

What should a company disclose about a cyber risk or incident after it has determined that it wishes to make a disclosure?

Once a company has determined that it will disclose a risk or incident, it must adequately describe the nature of the material risks and specify how each risk affects the company.  Generic risks need not be disclosed.  Examples of appropriate disclosures include:  (1) discussion of aspects of the business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) descriptions of outsourced functions that have material cybersecurity risks and how the company addresses those risks; (3) descriptions of cyber incidents experienced by the company that are individually, or in the aggregate, material, including a description of the costs and other consequences; (4) risks related to cyber incidents that remain undetected for an extended period; and (5) description of relevant insurance coverage.  The disclosure should be tailored to the company’s particular circumstances and avoid generic “boilerplate” disclosure.  That said, companies are not required to disclose information that would compromise the company’s cybersecurity.  Instead, companies should provide sufficient disclosure to allow an investor to appreciate the nature of the risks faced by the company in a manner that would not compromise the company’s cybersecurity.

Where in the public filing should the disclosure(s) be made?

There are a number of places in a company’s public filing where a disclosure of a cyber incident or risk may be made:

(1) Management’s Discussion and Analysis of Financial Condition – if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to affect the company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results of financial condition.  An example provided in the guidance is a cyber attack that results in theft of material stolen intellectual property; there, the company should describe the property that was stolen, and the effect of the attack on its results of operations, liquidity, and financial condition, and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.  If it is “reasonably likely” that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, or litigation costs, then those outcomes, the amount, and duration, should be discussed.

(2) Description of Business – if a cyber incident affects a company’s products, services, relationships with customers/suppliers, or competitive conditions, then the company should disclose these effects in the “Description of Business” section of the public filing.  An example provided in the Guidance is where a cyber incident materially impairs the future viability of a new product in development; such an incident and the potential impact should be discussed.

(3) Legal Proceedings – if a legal proceeding to which a company “or any of its subsidiaries” is a party involved a cyber incident, information may need to be disclosed in the “Legal Proceedings” section of the public filing.  The example provided in the Guidance is where customer information is stolen, which results in material litigation; there, the name of the court, the date the lawsuit was filed, the parties, a description of the factual basis, and the relief sought should be disclosed.

(4) Financial Statement Disclosures – companies should consider whether cyber risks and incidents have an impact on a company’s financial statements, and, if so, include them.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Data Security Remains Top Concern in Corporate Boardrooms

Posted in Data Security, Surveys and studies

Last August, I wrote about a survey by Corporate Board Member and FTI Consulting, Inc., showing that data security was the top legal risk for corporate directors and general counsel.

That same survey was taken again in 2013, and the results were released last week in a report entitled “Law in the Boardroom.” The gist of the report is that “the newest area of major concern continues a trend noted in last year’s study:  data security and IT risk is one of the most significant issues for both directors and general counsel.”

Here are some other significant findings in the survey:

  • More than one-quarter of director and general counsel respondents earmarked cyber risk as an area that will require their attention in 2013.
  • The average annualized cost of cybercrime jumped 6% to $8.9 million in 2012.
  • Interestingly, general counsel do not seem to think directors will be spending as much time on this topic as the legal department itself will.
  • Only one-third of general counsel felt “very confident” in their company’s ability to respond, and less than one-quarter of directors agree.   Only 51% of GCs are at least somewhat confident in their company’s ability to handle a breach.

In short, a company’s preparation for and response to cyber threats remain top concerns for general counsel and directors alike.  Fortunately, more companies are taking proactive measures, like mapping or inventorying data to apply the most stringent security safeguards to the most sensitive information.  Other proactive measures companies should consider include reviewing and revising information security policies, evaluating how to more effectively incorporate privacy and security concerns into the corporate culture, and refreshing employees on the risks and best practices in collecting, storing, using, and disposing of sensitive consumer and proprietary information.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

What Does A Cyber Attack Look Like?

Posted in All Things E, Data Breach, Data Security

The phrase “cyber attack” elicits thoughts of a compromised information system, a crashed computer network, or inappropriate access to sensitive electronic information.  It doesn’t usually conjure up images of machinery setting on fire, and smoke emerging from a factory.  Nevertheless, here is a video of an experimental cyber attack named Aurora, which took place on a generator in a manufacturing plant.

 

The experiment, which took place approximately five years ago, demonstrated potential vulnerabilities that could be used to attack much larger generators that produce the country’s electric power.  It is an interesting reminder of the impact that cyber attacks can have on critical infrastructure.

Data Breaches – Who is Causing Them, How, and What Can Companies Do About It?

Posted in Data Security, Surveys and studies

One of the leading annual studies analyzing the causes of data breaches was released earlier today.  The 2013 Verizon Data Breach Investigations Report analyzes what is causing data breaches, how the breaches are occurring, who are the hackers and the victims, and what trends can be gleaned from this information.  The report has become a “must read” for those in the data security industry and is often cited in board meetings, presentations, and by the media (the NY Times has already published a story about it). Those who do not have time to review the report may want to check out the Executive Summary.

The report studied 621 confirmed data breaches and more than 47,000 security incidents from all over the world.  Here is a summary of the most important findings:

  • Who is perpetrating the breaches?  A large majority (92%) of breaches are perpetrated by outsiders, and one out of every five are attributed to state-affiliated actors (95% of the state-affiliated espionage attacks relied on phishing in some way).  When breaches are perpetrated by insiders, more than 50% are a result of former employees taking advantage of their old accounts or backdoors that weren’t disabled, and more than 70% are committed within 30 days of resignation.
  • Who are the victims of breaches?  Larger organizations are increasingly becoming victims of breaches., and they are not isolated to any particular industry.  Manufacturing (33%), transportation (15%), professional (24%), and a variety of other industries (28%) are the targets of espionage attacks.
  • What assets are perpetrators targeting?  The most vulnerable assets are ATMs (30%), desktop computers (25%), file servers (22%), and laptops (22%).
  • How are breaches happening?  With respect to cyber breaches, they usually (76%) occur as a result of exploited weak or stolen credentials
  • Why are breaches happening?  The attackers are primarily seeking financial gain (75%), they are opportunistic (75%), and they prefer intrusions that are low in difficulty (78%).
  • How and when are breaches being discovered?  69% of breaches are discovered by an external party (9% are discovered by customers).  Perhaps more scary is the fact that 66% of breaches take months or years to discover, which is longer than it has taken to discover breaches in previous years.

The report provides some recommendations for what organizations can do to minimize some of the risks, some of which are commonly accepted best practices.  I noticed the emphasis in these recommendations on detection more so than prevention.  The report is driven by the (realistic) assumption that organizations are already operating in a compromised environment.  While organizations should continue trying to prevent breaches from occurring in the first place, they cannot entirely eliminate them.  Therefore, organizations should focus more of their efforts and resources on the detection of intrusions and protection of assets.

Here is a list of recommended practices from the report:

  • Eliminate unnecessary data; keep tabs on what’s left
  • Ensure essential controls are met; regularly check that they remain so
  • Collect, analyze, and share incident data to create a rich data source that can drive security program effectiveness
  • Collect, analyze, and share tactical threat intelligence, especially indicators of compromise, that can greatly aid defense and detection
  • Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology
  • Regularly measure things like “number of compromised systems” and “mean time to detection” in networks.  Use them to drive security practices
  • Evaluate the threat landscape to prioritize a treatment strategy.  Don’t bury into a one-size-fits-all approach to security
  • If you’re a target of espionage, don’t underestimate the tenacity of your adversary.  Nor should you underestimate the intelligence and tools at your disposal.

These statistics, findings, and recommended practices should be considered by any organization that collects, uses, stores, and disposes sensitive information.  The threats to that information are real, they affect companies in all industries, and they are difficult to prevent.  Companies should evaluate and be prepared to respond to these increasing risks by adopting proactive administrative, technical, and physical security safeguards.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Data Breach Lawsuits – Revisiting the Risks

Posted in Data Breach, Data Breach, Data Privacy, Data Security, Lawsuits

Until recently, individuals whose information was compromised as a result of a company suffering a data breach faced an uphill battle when suing the company in a class action lawsuit.  Far more often than not, Courts dismissed the lawsuits or entered summary judgment in favor of defendants on grounds that the plaintiffs could not establish a cognizable injury, preemption by breach notification statutes, or lack of evidence that the data breach (as opposed to some other act of identity theft) caused the plaintiff’s damages.  I’m still convinced that the pro-defendant environment remains the norm.  Nevertheless, four recent cases are being used to support the argument that the tide may be turning in favor of plaintiffs.

Burrows v. Purchasing Power, 12-cv-22800-UU (S.D. Fla.)

The most recent example is a proposed settlement in a class action lawsuit against Winn-Dixie and one of its service providers arising from a breach of personally identifiable information of Winn-Dixie grocery store employees.  The employees’ personally identifiable information was allegedly compromised when an employee of a company that provided an employee benefit program to Winn-Dixie employees misused his access to the PII and filed fraudulent tax returns with it.

Approximately 43,500 employees filed a class action lawsuit in the Southern District of Florida against Winn-Dixie and its employee benefits service provider.  The lawsuit includes counts of negligence, violation of Florida’s Deceptive and Unfair Trade Practice statute, and invasion of privacy.  Plaintiffs alleged that Defendants failed to adequately protect and secure the plaintiffs’ personally identifiable information, and that the defendants failed to provide the plaintiffs with prompt and sufficient notice of the breach.

The defendants’ attempts to defeat the plaintiffs lawsuit on the pleadings failed.  Winn-Dixie was subsequently voluntarily dismissed from the lawsuit and the case proceeded against the service provider, which ultimately entered into a proposed settlement with the plaintiffs, agreeing to pay approximately $430,000 ($225,000 towards a settlement fund, $200,000 in attorney’s fees and costs, and a $3,500 incentive aware to the named plaintiff).  The settlement states that it was entered into “for the purpose of avoiding the burden, expense, risk, and uncertainty of continuing to litigate the Action, . . . and without any admission of any liability or wrongdoing whatsoever.”

The settlement requires the service provider to maintain rigorous security safeguards to minimize the risk of a similar incident in the future.  The settlement fund will be divided into four groups:  (1) a tax refund fraud fund (class members who show they were victims of tax refund fraud can be compensated for a portion of lost interest); (2) a tax preparer loss fund (class members can be compensated for fees paid to tax preparers for notifying the IRS of a tax fraud claim or assisting in resolving issues arising from the tax refund fraud, not to exceed $100); (3) a credit card fraud fund (class members who show they were victims of identity theft other than tax refund fraud that resulted in fraudulent credit card charges that the credit card company did not waive, up to $500); and, (4) a credit monitoring fraud (class members who receive compensation in any of the previous three groups may receive credit monitoring services for one year).  To “prove” they were victims of fraud, plaintiffs must prepare a statement under penalty of perjury regarding the facts and circumstances of their stolen identity.

The settlement was preliminarily approved by the court on April 12, 2013, and a fairness hearing is scheduled for October 4, 2013.  The amount of money being paid to plaintiffs and their lawyers in this case should give corporate counsel monitoring these lawsuits pause for concern.  The District Court’s order allowing the case to proceed beyond the pleadings phase will likely be used as an instruction manual for plaintiffs in future data breach cases.

Resnick v. AvMed, Inc., 1:10-cv-24513-JLK (S.D. Fla.)

I previously blogged about the Eleventh U.S. Circuit Court of Appeal’s opinion that allowed a data breach class action to proceed where the plaintiffs claimed they were victims of identify theft arising from the theft of a laptop computer containing their personal information.  I encourage corporate counsel to read that post to learn more about the factors the Eleventh Circuit looked to in allowing that case to proceed beyond the pleadings phase. That lawsuit remains pending in the U.S. Southern District of Florida.

Harris v. comScore, Inc., No. 11-C-5807 (N.D. Ill. Apr. 2, 2013)

Another recent legal development considered by many to be favorable to plaintiffs was a decision by the U.S. District Court for the District of Chicago court certifying a class of possibly more than one million people who claim that the online data research company comScore, Inc. collected personal information from the individuals’ computers and sells it to media outlets without consent.  Although the lawsuit did not arise from a data breach, some of the arguments regarding lack of injury and whether class certification is appropriate are the same.  The plaintiffs allege violations of several federal statutes including the Electronic Communications Privacy Act and the Stored Communications Act. The court rejected comScore’s arguments challenging class certification, including its argument that the issue of whether each plaintiff suffered damages from comScore’s actions precludes certification.  The lawsuit remains pending.

Tyler v. Michaels Stores Inc., SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013)

The Massachusetts Supreme Judicial Court broadened the definition of the term “personal information” to include ZIP codes.  The court held that because retailers can use ZIP codes to find other personal information, retailers where prohibited by Massachusetts law (the Song-Beverly Credit Card Act) from collecting ZIP codes.  The court also ruled that the plaintiffs did not have to prove identity theft to recover under the statute.  They could instead rely on the fact that they received unwanted marketing materials and that their data was sold to a third party.  The fact that plaintiffs can proceed with their lawsuit without having to show that their information was actually compromised will undoubtedly be used by plaintiffs in data breach litigation to argue that the threshold for injury in such cases is lower that in other cases.

What’s the Takeaway?

What should corporate counsel take from these cases? It is still too early to tell if these cases are outliers or if they mark a new trend in favor of plaintiffs in privacy and data breach cases that will embolden the plaintiffs’ bar.  The most important takeaway for corporate counsel at this stage is that they must, at a minimum, monitor the litigation risks associated with data breaches and other privacy violations so they can advise their companies about these risks, which can in turn consider these risks when building security and privacy into various products and services.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The Cybersecurity Executive Order – Have Your Say!

Posted in Data Security

On February 12th, President Obama issued an Executive Order on Cybersecurity that seeks to improve critical infrastructure cybersecurity in the United States by encouraging sharing of important cybersecurity information between the government and owners and operators of critical infrastructure.  “Critical infrastructure” means systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.  Examples can be found here.    

To establish this partnership between the government and the private sector, the Order requires that:  (1) the Department of Homeland Security (DHS) must identify critical infrastructure; (2) the National Institute of Standards and Technology (NIST) must develop a framework of standards and procedures to help owners and operators of critical infrastructure identify, assess, and manage cyber risks; and (3) the DHS must work with sector-specific agencies to promote voluntary adoption of the Framework.

Now, pursuant to the Executive Order, private entities affected by the Order are being given an opportunity to have their say in what the standards, procedures, and incentives created by the governmental entities implementing the Order should look like.  The Department of Commerce and NIST have published two documents seeking input from operators and owners of critical infrastructure (and the private sector, generally) on how to develop a cybersecurity framework and promote incentives to improve critical infrastructure cybersecurity. 

NIST Request for Information

On February 26th, NIST issued a request for information from the public (particularly critical infrastructure owners and operators) in an effort to start developing the framework of standards, processes, procedures, and methodologies necessary to reduce cyber risks to critical infrastructure.  The request for information “is looking for current adoption rates and related information for particular standards, guidelines, best practices, and frameworks to determine applicability throughout the critical infrastructure sectors.  The [request] asks for stakeholders to submit ideas, based on their experience and mission/business needs, to assist in prioritizing the work of the Framework, as well as highlighting relevant performance needs of their respective sectors.”

The request includes thirty-three questions in three different subject areas:  current risk management practices; use of frameworks, standards, guidelines, and best practices; and, specific industry practices.  The questions seek opinions on issues like the greatest challenges in improving cybersecurity, the role of national and international standards in critical infrastructure cybersecurity, the use of specific security safeguards, and the existence of current governmental and private security standards. 

Comments in response to this request for information are due by April 8th.  Companies seeking to respond should keep in mind that the responses are a matter of public record, so confidential business or personal information should not be included. 

Department of Commerce’s Notice of Inquiry

The Executive Order required the Department of Commerce to recommend incentives designed to promote participation in the voluntary cybersecurity program.  On March 28th, in an effort to improve its recommendations, the Department of Commerce published a notice of inquiry seeking input from stakeholders on twenty different issues relating to current incentives to strengthen cybersecurity and ways in which those incentives can be improved.  Significantly, responses to this notice will also be used to develop a broader set of recommendations that apply to U.S. industry as a whole, not just critical infrastructure operators and owners.  Some of the issues raised in the notice include the best ways to encourage businesses to invest in cybersecurity; any existing barriers or disincentives that inhibit cybersecurity investments; the differences in incentives for small businesses; how liability structures can be used as incentives; and how to keep incentives updated.

Comments to this response are due by April 29th.  Companies that respond should be aware that their responses are a matter of public record, so comments should not include confidential, proprietary, or business sensitive information.

The Takeaway

The standards/procedures/incentives that will be implemented as a result of the Executive Order on Cybersecurity will be, for the time being, voluntary and limited to critical infrastructure.  Over time, however, we can expect to see “standards creep.”  The standards may be applied to companies that are not owners and operators of critical infrastructure.  Also, the standards will likely become the yardstick by which the reasonableness of a company’s actions to limit cybersecurity risks will be measured, so if the standards do not become legislatively mandatory, they could become mandatory by practice.  The private sector and other organizations that will be affected by these standards, procedures, and incentives have a rare opportunity now to help shape them.  Everyone will benefit from corporate participation in responding to some or all of the questions in these notices.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Busy Day for Cybersecurity in D.C.

Posted in All Things E, Data Security

I’m a big fan of Bloomberg West.  Perhaps more so than almost any other television news program, it does a terrific job of providing both depth and breadth on issues that are important to the technology industry.  Tonight’s report by Megan Hughes about breaking developments on the cybersecurity front today was no exception.  Watch it here:

President Obama Seeks CEO Input on Cyber Battle: Video – Bloomberg.

The highlights:

  • President Obama met with CEO’s of major multinational corporations, financial leaders, and big players in critical infrastructure  at the White House . . . in the Situation Room.  The parties allegedly discussed the need for cybersecurity legislation and the President’s recent Executive Order on cybersecurity.
  • First Lady Obama’s personal information has allegedly been compromised.  The President used the development to create awareness of the problems posed by hackers and the proliferation of websites where stolen credit card numbers are sold on the black market.
  • The President of Mandiant will be testifying before the U.S. Senate next week.  No doubt, this report by Mandiant will be a significant topic of discussion.
  • The Director of National Intelligence has said that cyberattacks are now considered the #1 threat to U.S. security, replacing terrorism at the top of the list.
  • There were three separate Congressional hearings relating to Cybersecurity today, ranging from criminal prosecution and the FBI to Homeland Security and critical infrastructure to issues relating to funding for cyber initiatives.

In short, the Cyber Battle is on, and it’s going to take a united front between the  Executive branch, Congress, and the private sector for the U.S. to minimize the risks associated with cyber attacks.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

 

 

New U.S. Supreme Court Decision Will Likely Impact Data Breach Litigation

Posted in Data Breach, Data Security, Lawsuits

The following Data Security Law Journal post was authored by Becky Schwartz, my law partner at Shook Hardy & Bacon.  Becky is an experienced class action litigator who has developed a specialty in privacy litigation.  In this post, Becky discusses a recent U.S. Supreme Court decision that may make it more difficult for consumers to sue companies that suffer data breaches.  Special thanks to Becky for writing about this recent development in the law:

On February 26, 2013, the United States Supreme Court in Clapper v. Amnesty International confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation.  The decision effectively resolves a circuit split over the application of the Article III standing requirement in data breach cases.  Plaintiffs must show that the threatened harm that establishes their standing to sue is “certainly impending,” not merely “possible.”  Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.

The Decision

Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. §1881a.  FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (“FISC”).  Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and to obtain a prospective injunction against the surveillance on the grounds that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely targets of the federal government.

Under the well-established Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of.  The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing.  The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.

In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing.  First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under §1881a at some point in the future, thus satisfying the imminent injury requirement.  Second, they claimed that in order to avoid having their confidential communications compromised by surveillance that might occur under §1881a, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person, in order to avoid that surveillance.

The Supreme Court rejected both arguments.  First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.”  It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party (in that case FISC) – actions that could not be predicted.  The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”

Plaintiffs’ second argument was equally ill-fated.  The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.”  Were it to do so, it noted, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

Justice Alito wrote for the majority in this 5-4 decision.

Key Takeaways

Notwithstanding its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs purport to have standing based solely on an increased risk of future harm.

Companies facing data breach litigation can and should consider moving to dismiss the complaint on the grounds that plaintiffs lack Article III standing, and may rely on Clapper to argue that:

  • The mere possibility that a third party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
  • The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a security breach;
  • Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali or Rebecca Schwartz and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Rebecca Schwartz, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.