Real-Life Attacks On Business & What You Can Do To Deter A Cybercriminal – Event September 7

To effectively guard against an enemy of any kind it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.

Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series, featuring the return of FBI agent David Fine. During this portion of the presentation, you will hear real-life examples of attacks on businesses, including which schemes are prevalent today. You will also discover the very real impact these attacks have had on companies and, perhaps most importantly, what you can do to deter an attack on your business.

Click HERE to register.

Part one of the Columbus Cybersecurity Series took place in April. Attendees gained an overview of the cybercrime threat. Representatives from EasyIT, FirstMerit Bank, Rea & Associates, and Taft Stettinius & Hollister, LLP, also took part in a panel discussion about current cybersecurity threats. You can watch the videos from part one of the series on YouTube.

Cyber Insurance: Travelers Required to Defend Healthcare Records Storage Company From Class Actions

Savvy in-house counsel and business owners often ask whether the insurers selling cyber policies actually pay claims or whether the policyholders are just buying the right to later sue the insurers for coverage.  The initial wave of cyber insurance litigation involved policyholders trying to obtain coverage for data breaches under their standard commercial general liability policies.  This produced mixed results, with some courts finding coverage while others did not.  The next wave of cyber insurance litigation involved policyholders asserting claims under specialized cyber policies, which had better results for the policyholders.  The Travelers v. Portal Healthcare Solutions, LLC case falls into the latter category.

The Facts in Travelers v. Portal Healthcare Solutions, LLC

Glens Falls Hospital entered into a contract with Portal to electronically store confidential medical records.  Portal then contracted with Carpathia Hosting, Inc. to provide hosting services for the records.  The records of 2,300 patients were loaded onto the website.  When two patients did a Google search on their names, they were taken to the website.  From there, they were able to retrieve their personal information, including past and current medical treatment, medications, social history, physical examination, laboratory data, and future treatment plans, without having to answer any security questions.

Two class action lawsuits were filed against Portal alleging that for a period of four months, patient medical records were accessible on the internet to anyone, without any security restrictions, through a server operated by Portal and hosted by Carpathia.  When Portal sought coverage for the class actions, Travelers denied its duty to defend Portal against the claims and filed its own lawsuit against Portal seeking a declaration of no coverage.

Travelers’ Web Xtend Liability Policy

Portal purchased a Travelers Web Xtend Liability endorsement to its commercial general liability policy.  The insuring agreement of the endorsement stated that Travelers will defend the insured and “pay those sums that the insured (Portal) becomes legally obligated to pay as damages because of “personal injury”, “advertising injury”, or “web site injury” to which this insurance applies.”  The policy defined “advertising injury” as arising out of the “electronic publication of material that … gives unreasonable publicity to a person’s private life.”  The policy defined “personal injury” as injury arising out of the “electronic publication of material that … discloses information about a person’s private life.”

The District Court’s Ruling

Travelers filed a motion for summary judgment and argued that the allegations in the class action complaint merely alleged that the two plaintiffs saw their own medical records, but there were no allegations that anyone else saw the records.  Travelers reasoned that absent some evidence that a third party saw the records, there was no covered “publication.”

The Federal District Court for the Eastern District of Virginia, applying Virginia law and the 8-corners rule, rejected Travelers’ arguments.  That is, looking at the four corners of the complaints and the four corners of the policy, the Court held that Travelers’ duty to defend Portal had been triggered because publication occurred when the confidential information was “placed before the public,” and not when a member of the public read the information placed before it.  The Court stated:

By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.  Travelers’ understanding of the term “publication” does not comport with the term’s plain meaning, and the medical records were published the moment they became accessible to the public via an online search… the information was posted on the internet and thus, was given not just to a single thief but to anyone with a computer and internet access.

The Fourth Circuit’s Ruling

Travelers appealed, and the Fourth Circuit Court of Appeals affirmed the District Court’s decision.  The Fourth Circuit commended the trial court’s sound legal analysis and held that “Travelers’s efforts to parse alternative dictionary definitions do not absolve it of the duty to defend Portal.”  Travelers Indem. Co. of Amer. v. Portal Healthcare Solutions, Inc., Case No. 14-1944 (4th Cir. April 11, 2016).

From a policyholder perspective, make sure you ask your broker and your lawyer about the claim history of the insurer before you buy a particular policy.  Is the insurer generally known for paying claims, or are you just buying the right to file a lawsuit for coverage?  We wrote about CNA’s NetProtect 360 policy in a prior post that is also a cautionary case worth reading.  In addition, in 2015, Travelers filed, and later settled, a subrogation lawsuit (standing in the shoes of the policyholder) against Ignition Studio, Inc., a website designer, following a data breach at an Illinois bank where the website designer had failed to incorporate reasonable security into the bank’s new website.  Travelers paid the bank’s claim and then sued the website designer to recoup the damages it had paid.  The bank’s claim was under a cyber-insurance policy rather than the type of endorsement at issue in Portal’s case.

Policyholders also want to be cautious when entering into contracts with vendors for electronic records storage.  First, try not to limit your damages to the price paid for the vendor’s services.  The vendor’s fee will likely be dwarfed by the cost to respond to a data breach and defend and possibly settle a lawsuit.

Second, negotiate the right to pursue damages against the vendor’s professional liability insurer.  Make sure the vendor’s insurance will cover the potential loss and expenses, is adequate in amount, and stays in force during the term of the contract.

Buyer beware remains the appropriate adage.

HIPAA Phase II Audits Begin

On Monday, March 21, 2016, the Health and Human Services Office for Civil Rights (“OCR”) began the long-awaited Phase II of OCR’s random audit program to determine compliance with the patient privacy provisions included in the Health Insurance Portability and Accountability Act (“HIPAA”). As we discussed earlier here, these audits will extend beyond simply covered entities and will also include business associates.

Covered entities and business associates will receive an email from OCR entitled “Audit Entity Contact Verification.”  This email simply allows OCR to verify contact information—receipt of this email does not mean that your organization is necessarily going to be audited.  After confirming contact information, OCR will create an audit pool; actual audits will begin in a few months.  Speaking at a PHI Protection Network Conference last week, an OCR representative stated that OCR expects to audit approximately 150 covered entities and 50 business associates in 2016.  Audit protocols will be released on the OCR website later this year, prior to the date audits begin.

OCR will be looking for “serious compliance issues” that may trigger further investigation, with possible financial penalties.  Audit findings will also be used to develop new guidance and policies aimed at strengthening adherence to HIPAA rules.

Will the New DoD Cybersecurity Regulations Cause a New Wave of Protest Disputes?

The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS 252.204-7008(c)(1).

However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a written explanation of one of the following:

  1. Why a particular security requirement is not applicable.
  2. How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and will achieve equivalent protection.

When the DFARS council published the first interim version of DFARS 252.204-7008, the regulation gave an authorized representative of the DoD chief information officer limited discretion to either “approve or disapprove” such a request. DFARS 252.204-7008(d), published Aug. 26, 2015. The latest version of this regulation now provides that the authorized representative of the DoD CIO “will adjudicate” requests to vary from the NIST SP 800-171 requirements. DFARS 252.204-7008(c)(2)(ii), published Dec. 31, 2015. Both the August and December 2015 versions of this DFARS regulation require that the decision be made “in writing prior to contract award.”

This raises an interesting situation. When an awardee has proposed that an alternative security measure will achieve equivalent protection to NIST SP 800-171 or that a security requirement is not applicable, besides the security issue, there is the potential for a bid protest as well. Disappointed offerors could challenge whether the awardee is in compliance with NIST SP 800-171 and, if not, argue that a contract should be awarded to that offeror.

The subject of Organizational Conflicts of Interest (“OCI”) created its own body of protest law: whether an awardee did or did not have an OCI as defined in FAR Subpart 9.5, whether the proposed awardee had proposed an effective mitigation strategy, and whether the agency had considered it properly. The new cybersecurity requirements of DFARS 252.204-7008 could lend themselves to similar protest challenges. Going forward, an unsuccessful offeror can protest whether a proposed awardee has fully complied with NIST SP 800-171, as required by DFARS 252.204-7008; whether certain security requirements identified by the proposed awardee as not applicable are actually applicable; and whether a deviation proposed, but not yet adjudicated, would still achieve equivalent protection. If the proposed awardee failed in any of these areas, it would not have proper security measures in place and arguably should not receive a contract award.

Like OCI challenges, many protests will be filed with nothing more than a good faith belief that an awardee may not have fully satisfied the security obligations or may not have fulfilled them as delineated in the DFARS. This will add another dimension to bid protests. Working backward, this means, as part of the competitive procurement evaluation process, the DoD will have to ensure that security requirements have been properly vetted, that security compliance concerns are raised during discussions and that offerors/bidders have addressed the subject in their proposals via narrative or a certification. In other words, not only will DoD contractors have to determine how to comply with DoD’s cybersecurity requirements, they will have to determine how to deal with them in the procurement process itself – including bid protests.

It never gets any easier, does it?

On February 4, 2016, Taft presented a webinar focused on helping government contractors understand what they need to do to meet the necessary security requirements in this provision. The audio for that presentation can be found by clicking HERE.

Data Breach Victims Have No Legal Remedies Under Indiana Law

Indiana law does not grant consumers the right to sue Anthem or any other data base owner for negligence following a data breach, according to the federal judge presiding over the Anthem data breach multi-district litigation.  Order, In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617 (N.D. Cal. Feb. 14, 2016).

Instead, Indiana law grants consumers only the right to be notified of the data breach without unreasonable delay.  Indiana Code § 24-4.9-3-1.  If notice is not properly given, the Indiana Attorney General may then seek penalties against the data base owner for up to $150,000.  Ind. Code § 24-4.9-4-2.  However, neither consumers nor the Attorney General may maintain an action under Indiana law against the data base owner for negligently failing to safeguard the consumers’ personal information from accidental loss or theft.

I. Background Facts

Between December 2014 and January 2015, thieves stole from Anthem the personally identifiable information (“PII”) belonging to 80 million customers, including millions of Indiana residents.  This information included personal information (such as names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data) and individually-identifiable health information (pertaining to the individual claim process, medical history, diagnosis codes, payment and billing records, test records, dates of service, and all other health information that an insurance company has or needs to process claims).

According to the class action plaintiffs, Anthem was on notice of the need to safeguard PII as a result of prior incidents and specific warnings from the federal government.  In 2009, while Anthem was doing business under the name Wellpoint, approximately 600,000 of its customers had their PII compromised in a data breach.  In 2013, the U.S. Department of Health and Human Services fined Anthem $1.7 million for various HIPAA violations related to data security.  And, in 2014, the federal government informed Anthem and other healthcare companies of the possibility of future cyberattacks and advised companies to take appropriate defensive measures, such as using encryption and enhanced password protection.

Furthermore, plaintiffs alleged that Mandiant, the cybersecurity firm Anthem hired to investigate the breach, determined that Anthem’s negligence led to the most recent data breach.  Mandiant supposedly found that Anthem and its affiliates failed to take reasonable measures, such as encrypting data at rest, to secure the PII in their possession.  Plaintiffs alleged that the defendants did not heed these warnings resulting in the massive data breach in December 2014 through January 2015.

Multiple class action lawsuits were filed against Anthem and affiliated and non-affiliated companies following news of the data breach.  Those cases were consolidated in the multi-district litigation pending in federal court in San Jose, California.

II. The Court’s Ruling

Anthem and the other defendants moved to dismiss several of the claims asserted in the class action complaint.  The court issued an 82-page ruling granting in part and denying in part those motions.  The focus of this blog post is the court’s ruling on the motion to dismiss the Indiana claim for negligence.

The court decided to dismiss the Indiana negligence claim for several reasons.  First, the court did not believe it was appropriate for a federal court to create a new cause of action under Indiana law in the absence of any controlling Indiana authority.  The court noted that there was no controlling decision by the Indiana Supreme Court or Court of Appeals having ever found that a data base owner has a duty to exercise reasonable care to prevent a breach or that any resulting damages, e.g. for credit monitoring, would be recoverable under Indiana law.

Second, the court held that the Indiana legislature’s decision not to create a cause of action for consumers following a data breach weighed strongly against the court unilaterally creating a new cause of action.  In 2007, the United States Court of Appeals for the Seventh Circuit held that Indiana law did not grant a bank’s potential customers the right to sue for damages following a data breach of their personal information.  Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007).  At the time, Indiana’s data breach notification law (adopted in 2006), did not grant Indiana consumers a private cause of action.  The Anthem court held that the Seventh Circuit decision put the Indiana legislature on notice that no private cause of action existed and the legislature purposely chose not to add a private cause of action when it amended the Indiana data breach notification law in 2009.

“The Indiana legislature, presumably aware of the Pisciotta decision, declined to provide plaintiffs a private cause of action when given the opportunity to amend the state’s data breach statutes in 2009.”

In addition, the court found that the Pisciotta decision comported with the laws of other states that did not grant a private cause of action to data breach victims.  Accordingly, the court in the Anthem data breach litigation held that consumers have no legal remedies under Indiana law against a data base owner following a data breach.

In 2015, following news of the Anthem data breach, the Indiana Attorney General and other Attorneys General requested that Anthem provide identity theft protection coverage to consumers at no charge.  Anthem agreed to do so for all 80 million customers, including those in Indiana, even though Indiana law did not require that such coverage be provided.

III.  Takeaways

For Indiana consumers, the takeaway is to heed the Indiana Attorney General’s warnings and sign up for a credit freeze.  Consumers can protect themselves from identity and data theft by signing up for a credit freeze with the three major credit reporting agencies Equifax, Experian, and Transunion, available at this link.

For Indiana businesses, the takeaway is to continue to exercise reasonable diligence to safeguard consumer PII and to purchase cyber insurance.  Many data base owners have personally identifiable information belonging to more than just Indiana residents.  To the extent data base owners have information belonging to residents of other states, the data base owners will have to comply with the laws of those other states when doing business with those states’ residents.  Other states have imposed a duty on data base owners to safeguard PII in their possession and have granted consumers a private cause of action for negligently failing to safeguard PII.  There are also a host of laws that require certain businesses to safeguard PII.  You will want to exercise reasonable diligence to safeguard PII to defend yourself in lawsuits brought by residents of other states.  Also, cyber insurance offers a variety of benefits, including providing notice to consumers whose data has been breached.  Consumers have come to expect this type of coverage to be provided free of charge following a data breach.

Finally, given that class actions may be easily removed to federal court under the Class Action Fairness Act of 2005, it is unlikely that Indiana courts will be presented the opportunity to decide whether state law grants consumers the right to sue data base owners for negligence following a data breach unless a federal court certifies such a question to the Indiana Supreme Court to decide as a matter of first impression.  It is also unlikely that the Indiana legislature will grant consumers a right to sue for damages following a data breach anytime soon.

Webinar Replay Now Available on the New Defense Department Cybersecurity Rules

The U.S. Department of Defense published its Network Penetration Reporting and Cloud Computing Services regulations as an interim rule in August 2015 and updated them in December 2015.  Watch this new webinar replay at your convenience to learn about the regulations, how they may impact your business, and the concerns of industry groups. Click HERE to watch the webinar in its entirety.

Did China’s Agreement Not to Steal U.S. Intellectual Property Influence the Defense Department’s Decision to Grant a Two-Year Extension for Contractors to Comply with NIST SP 800-171’s Guidelines for Protecting Controlled Unclassified Information?
On June 4, 2015, the Office of Personnel Management announced that personally identifiable information for 4 million current and retired U.S. Government employees had been breached. China was suspected of having facilitated the breach.

Two weeks later, after the number of data breach victims had risen to 14 million, the National Institute of Standards and Technology (NIST) published its new Guidelines for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171.

We published our summary of the new NIST SP 800-171 Guidelines shortly thereafter, which happened to be about two weeks after OPM’s July 2015 announcement that the number of data breach victims had grown to 21.5 million current and retired Government employees, contractors, and applicants.

Less than a month later, the U.S. Defense Department surprised its industrial base of approximately 10,000 contractors when it published, without prior notice, its new cyber security regulations. The new “Network Penetration Reporting and Contracting for Cloud Services” regulations required contractors to immediately report cyber incidents and data breaches and implement the NIST SP 800-171 Guidelines to protect covered defense information in their information systems. The Defense Department stated that the new regulations were being issued without prior notice and to be implemented immediately because of the urgent need to protect our national security.

“A determination has been made under the authority of the Secretary of Defense that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because of the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors.

*        *        *

Recent high-profile breaches of Federal information show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts. Failure to implement this rule may cause harm to the Government through the compromise of covered defense information or other Government data, or the loss of operationally critical support capabilities, which could directly impact national security.”

We published several blog posts explaining the new cyber security regulations, new key terms under the regulations, and providing checklists to comply with the duties and obligations of the Network Penetration Reporting regulations and complying with the requirements for Contracting for Cloud Services regulations. We also provided the Defense Department’s answers to 43 frequently asked questions on the new regulations, released in November 2015.

Without a doubt, contractors were caught by surprise. The Defense Department’s imposition of the new regulations effective upon publication provided contractors with no time to assess deficiencies, procure expert guidance and advice, implement new procedures and processes, and achieve compliance.

Many contractors complained. Early requests by industry to hold a public meeting to educate industry on the regulations were denied, just as requests to extend the comment period were rejected.

When the Defense Department finally held a public meeting on the new regulations on December 14, 2015, 85 industry representatives registered for and attended the meeting to express their concern that contractors needed reasonable and appropriate time to fully comply with the new regulations.

But how much time is needed to achieve compliance? The American Bar Association Section of Public Contract Law submitted comments on the new regulations asking for a transition period of “at least one year to implement any security controls not required by the prior [Unclassified Controlled Technical Information] rule and to implement any future changes to NIST SP 800-171.” In contrast, the Council of Defense and Space Industry Associations asked the Defense Department to phase in “implementation of the interim clause requirements by the end of calendar year 2017.”

Calmer heads eventually prevailed. On December 30, 2015, the Defense Department announced that contractors would have two years, until December 31, 2017, to implement the security requirements specified by NIST SP 800-171.

There is some speculation that the Defense Department’s two-year extension may have been influenced by the September 2015 announcement of an agreement between the U.S. and China that neither government would support nor conduct cyber-related theft of intellectual property. While contractors are still required to report cyber incidents and data breaches, China’s agreement may have signaled to the Defense Department that it could afford to give contractors the additional time they requested and needed to comply with the new regulations. However, even after the announcement, there were continued reports of Chinese hacking aimed at stealing U.S. intellectual property.

Taft’s Government Contracts and Privacy and Data Security teams will present a webinar on the NIST SP 800-171 Guidelines on Thursday, February 4, 2016 from 12:00 p.m. to 1:00 p.m. Eastern Standard Time.

Register by clicking here. Instructions on how to access the webinar will be emailed to registered attendees prior to the date. For more information, contact Bethany Smith, Director of Business Development, at (513) 357-9470 or

Cyber Insurance Buyer’s Guide

You need cyber insurance to protect your organization from the potentially devastating financial harm that often follows a data breach, and to protect your brand and guard your reputation. Cyber insurance can help your organization survive a breach: it can pay the cost to notify customers of the breach and offer them credit monitoring services, defend your organization from class action lawsuits by customers, banks and credit card companies, and shareholders, and defend government investigations and enforcement proceedings. There are no standard-form cyber insurance policies. Instead, there are a variety of policies that offer a variety of benefits. Knowing what to consider when buying cyber insurance is valuable information.

Taft’s complimentary guide “Cyber Insurance: A Buyer’s Guide to Protect Your Business” is a compilation of our most popular cyber insurance articles containing helpful information about the benefits, terms, and conditions to look for when buying cyber insurance policies. The Guide also alerts you to risks inherent in the marketplace. To access the guide, please click here.

Taft encourages you to share the guide with other professionals who are just as passionate about protecting their businesses from cyber attacks.

Please Add Internal Threat Monitoring to NYDFS’s Cyber Security Requirements for Banks and Insurers

One best practice missing from the New York State Department of Financial Services’ announcement of potential new cyber security regulation requirements for banks and insurers was the need to develop an approach to monitor internal threats, including the detection of anomalous conduct by employees.

The FBI, SEC, and others have identified dishonest acts by employees as one of the major causes of data security breaches.  In fact, it’s one of the areas audited under the FFIEC’s Cybersecurity Assessment Tool.  Yet, internal threat monitoring is not specifically called out as a recommendation in what is otherwise a robust list of proposed cyber security requirements.

Banks and insurers should not wait for regulators to begin to monitor internal threats.

Answers to Frequently Asked Questions on DoD’s New Cyber Security Regulations

DoD recently published answers to 43 frequently asked questions on the Department of Defense Network Penetration Reporting and Contracting for Cloud Services regulations.  The FAQs document is available here.  In addition, you can read our blog posts on the new regulations below.