In June, the U.S. Supreme Court resolved an important issue under the Federal Computer Fraud and Abuse Act (CFAA), which has been used by companies as they battle hackers, rogue employees, and terminated employees. The CFAA imposes criminal and civil liability when a person accesses a computer “without authorization or exceeds authorized access.” Rogue employees who obtain company information without a business need often find themselves facing a suit that seeks, among other things, damages under the CFAA. A company that can invoke a federal statute — especially one that also could create criminal liability — can create significant leverage in litigation.

The Court held that one “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer — such as files, folders, or databases — that are off limits from a security standpoint. In other words, the employee needs to hack into an internal database in order to exceed the access provided by the employer.

Continue Reading U.S. Supreme Court Narrows the Reach of the Computer Fraud and Abuse Act


The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.

On May 6, 2021, Microsoft announced it was expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storage capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.

Continue Reading Freezing the Cloud: Microsoft Takes a Hardline on Data Privacy in the EU

I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.

Multi-Factor Authentication or “MFA.” 

Continue Reading Multi-Factor Authentication (MFA). Please. Do it. Now.

The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries. These new SCCs mark the first change in such clauses since 2010 and take into account the Court of Justice of the European Union’s decision in Schrems II.

We will write more on this in the future, but the updated versions are intended to provide more flexibility for data processing for all parties to such a transfer and “will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.”  Regulated entities currently operating under the 2010 versions will have 18 months to update existing agreements with these SCCs.

The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the information security best practices we commonly discuss on our Privacy and Data Security Insights blog. The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses against what has been an onslaught of ransomware attacks in the past year.

Continue Reading White House Memo Stresses Need For Vigilance in Defending Against Ransomware Attacks

Taft Appellate attorneys Jon Olivito and Michael Robertson recently wrote about a U.S. Court of Appeals for the Sixth Circuit decision that clarified the scope of conduct that could potentially expose any consumer business to immense liability.

In Thomas v. TOMS King (Ohio), LLC, No. 20-3977 (6th Cir. May 11, 2021), a consumer sued a defendant business alleging a violation of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The plaintiff alleged the defendant had violated the “truncation requirement” of FACTA and exposed her to an increased risk of identity theft by issuing a credit card that included the first six and last four digits of her credit card number. In an effort to thwart identity theft, the truncation requirement prohibits businesses from printing more than the last five digits of a customer’s credit or debit card number on a receipt. Violations of FACTA can expose businesses to actual and statutory damages, punitive damages, and attorneys’ fees.

Read the full Taft law bulletin.

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers.  While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors.  We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.) As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France. Earlier this year, in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.

Continue Reading NYDFS Answers Age Old “To Pay the Ransom or Not Pay the Ransom” Question with Definitive DON’T

In response to recommendations contained in the Solarium Commission report and the SolarWinds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021, outlining new requirements for information technology providers that do business with the federal government. The purpose of the requirements is to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they occur.

Read more from Taft’s White House Transition Task Force here.

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.

Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance