Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio’s first-of-its-kind state legislation, which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.
Taft summer associate Jordan Jennings-Moore contributed to this article.
In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target, to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.
Encryption is an easy way to protect PII. It wasn’t always that way, but technologies have made it easier and cheaper to do. And this has legal benefits. A common trend seen amongst all U.S. jurisdictions is an encryption exception to providing notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation and thousands, if not millions, of dollars. That’s huge.
During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends of data breach notification laws and worked with me on updating our materials to reflect the ever-changing world of state privacy and security law (i.e., California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)
Rebekah Mackey, Taft summer associate, contributed to this article.
Just months after the European Union’s General Data Protection Regulation, or “GDPR,” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.
The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.
As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.
- “GDPR Compliant.” Be wary of companies making such claims, and don’t make such claims yourselves. As with HIPAA, there is no such thing as a stamp of “compliance” approval. And, like bragging about your information security, warranting that you are “compliant” is just asking for that claim to be challenged. “Compliance” will be a moving target with a law that has yet to go into effect. Work toward meeting the requirements, but don’t ever think you have achieved all of them (or that your vendors or subcontractors have).
- See this as an opportunity. Don’t ignore the law’s requirements and its applicability to your business, no matter how small. Get informed and make good risk-based decisions on how to implement, if at all. I am advising many clients to see GDPR as an opportunity to get their global data governance act together. Here in the States, I often like to say, “if you can make California happy with your information privacy practices, you can likely make any other state happy too.” Well, if you can satisfy the EU’s requirements, chances are you can meet any country’s (or company’s) requirements. So, don’t look at this as just a compliance requirement. It is an opportunity to upgrade your business plan. The reality is that good information privacy and security practices will be the cost of admission to competing for business.
- It’s all about the (personal) data. Before you take the plunge into GDPR compliance, make sure you actually process “personal data” for “data subjects” that are “in the Union.” Be it for employees or customers, do you process the personal data of individuals that are in the EU when you process such data? Maybe you don’t collect “personal data” or maybe those individuals are not “in the Union.” It is not about citizenship or residency. Is the data subject in the Union or do you process personal data? If not, you may not have to comply.
- You are not alone. Loads of companies are struggling to figure out if GDPR applies and what, if any, things they need to implement to meet the law’s requirements. And yes, even companies in the EU are struggling. Keep calm and carry on. It is a marathon and not a sprint.
- Just get started. You may not be “compliant” on May 25, 2018, or even in May of 2019 for that matter. What is important is that you have a plan and start to execute it, just like with data here in the U.S. Do you at least have a plan and a story to tell when something bad happens?
That’s it. Short and sweet. Now, back to the fun.
On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.
The Alabama Data Breach Notification Act of 2018 (S.B. 318) goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:
- Non-truncated Social Security or tax-identification number;
- Non-truncated driver’s license, passport, or other government identification number;
- Financial account number combined with a security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;
- Username or email address in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
- Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.
In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.
- Your choices matter most. I beat this drum pretty heavily, but it is true. While technology, the marketplace and even the law will serve to provide you some protections and redress when it comes to privacy and security matters, the biggest impact on protecting your personal information is the choices you make with respect to that information. What information you share, with whom (which companies) and under what conditions are all things you can control.
- Audit. Get up in your third parties’ business. Facebook could have verified that Cambridge actually deleted the Facebook profiles. Rather, it took a contractual attestation to that effect and allegedly did nothing more. That is not always a bad idea, but if you are entrusting third parties to handle your customers’ sensitive data, or data in large amounts, use your agreements as an opportunity to ensure that the third party uses the same safeguards as (or better than) you do, and reserve the right to verify. Not only does this help prevent bad things from happening, it shows your customers, regulators, and opposing counsel that you take privacy seriously.
- Data is your business. I do not care what industry you operate in: you are a data business. Get smart about the data you collect, store, share and destroy. Take the time to classify your data and map your data throughout your organization and with third parties. Write policies and procedures for how your data will be used properly and what is prohibited. Write agreements with your third parties and with your customers that are easy to understand and place a priority on data protection. And get insurance. Even with all the best practices, you WILL have a data incident. It is not IF but WHEN. Plan and invest in protection for not only your customer data, but the survival of your business and its reputation.
Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data. The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included the employee’s sensitive data, such as his or her Social Security Number. This is yet another new wrinkle in such phishing attempts and should serve as a reminder to be diligent in continually monitoring and improving your cybersecurity program.
Last year alone, cybercriminal activity increased 38%. While cybercriminal activity comes in different forms, 90% of all successful cybersecurity attacks begin with phishing emails. That’s right, 90%! If you are wondering whether this should alarm you as a business owner, IT SHOULD. That’s because the greatest workplace threat to data security is rarely cyber-hackers. As we have shared before, the biggest risks are employees making things easy for hackers or violating policies themselves. Every day, millions of employees read their emails. Consequently, every day thousands of employees unknowingly open phishing emails, downloading malware to their computers and company databases.
U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.
But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined broadly) as belonging to the person identified by the data, or “data subject.” The company collecting the data has a limited license to use that data in legitimate ways – as described in one article, a company can only use the data in ways that “wouldn’t surprise them or make them uncomfortable.”
It is unsurprising, then, that under the GDPR, the specific concepts of fair notice and consent are also more robust than in the U.S. This post will give an overview of the notice requirements under the GDPR, and a future post will explore the consent requirements.
Every year, the culprit that tops the list of information security risks is the same one as the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee who clicks the phishing link or lets the bad guy into the building. And, unlike the technological safeguards that can cost you thousands of dollars, remedying the issues with employees doesn’t have to cost a lot of time or money. However, it can still have the biggest payoff. Here are three easy things you can do to immediately reduce the risk to your sensitive information, and in doing so, truly make “security everyone’s business.”
Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comment updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 Fed. Reg. 1941 (Jan. 12, 2018).] GSA’s brief description of the updates and some factors it might consider are summarized below.
I. GSA’s New Cybersecurity Requirements
Currently, the GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements. The final rule will require contracting officers to incorporate applicable GSA requirements within statements of work to ensure compliance with the new rule; demand that contractors implement best practices for preventing cybersecurity incidents; and impose cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to only require the provision and clause when the contract will involve information or information systems connected to a GSA network.
II. GSA’s New Incident Reporting Requirements
Like the existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process. The final cybersecurity incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The final rule will also outline the roles and reporting responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA contracts; establish a contractor’s reporting obligations where the confidentiality, integrity, or availability of GSA information or information systems is potentially compromised, or where information or information systems owned or managed by or on behalf of the U.S. Government are potentially compromised; establish explicit timeframes for reporting cyber incidents; describe the details and required elements of a cyber incident report; provide Government points of contact for submitting reports; and explain the process for determining which agency will be primarily responsible for the cyber incident. The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information (PII).
Much like the Safeguarding Covered Defense Information and Cyber Incident Reporting regulation, DFARS 252.204-7012, the new GSAR rule will clarify both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident; establish a requirement for the contractor to preserve images of affected systems; ensure contractor employees receive appropriate training for reporting cyber incidents; and outline how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.
III. Some Factors GSA Might Consider
There are 23 categories and 84 subcategories of Controlled Unclassified Information, and it’s hard to argue that any are less deserving of the protections afforded by the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
For data security, GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security practices of SP 800-171 in effect at the time of the solicitation and as updated and authorized by the GSA Contracting Officer. GSA might also explicitly recognize that while compliance with SP 800-171 is expected, there may be events in which additional cybersecurity is warranted. Likewise, if the contractor intends to use an external cloud service provider to store, process, or transmit any controlled unclassified information in performance of a GSA contract, the contractor should require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment.
For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation (HSAR) proposed rule, Safeguarding Controlled Unclassified Information (HSAR Case 2015-001). The HSAR final rule is expected in September 2018. [82 Fed. Reg. 40293.] Currently, GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur during this time frame. [GSA Information Breach Notification Policy, 9297.2C CIO, July 31, 2017.] As DHS determined, it’s better to notify affected persons sooner rather than later so that they can take steps to protect themselves and their families. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting deadlines (like 30 days for Florida residents and 45 days for Ohio residents). And, while the GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided and then see how many people actually sign up for the service.