On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318), goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number,
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;”
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.

Continue Reading Alabama Rolls with Tide as Last State to Adopt Breach Notification Law

In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.

Consumers

  1. Your choices matter most. I beat this drum pretty heavily, but it is true. While technology, the marketplace and even the law will serve to provide you some protections and redress when it comes to privacy and security matters, the biggest impact on protecting your personal information are the choices you make with respect to that information. What information you share, with whom (which companies) and under what conditions are all things you can control.
  2. Read the privacy policy. I joke in the interview that no one really reads my work in the privacy policies I write for my business clients. Well, there is a little truth in all jokes. Studies show the numbers on how many people read posted policies before providing their personal data, or even know what a privacy policy is, range from 10% to as many as 50%. Taking five minutes to review how a company collects, uses and shares your information can be enlightening and may make you question your patronage of that company. The terms of the privacy policy wouldn’t have stopped Cambridge from doing what it did with the Facebook data, but you would at least know how Facebook claims to share your information.
  3. Read the terms and conditions. Probably less appetizing than reading a privacy policy is reading the terms and conditions for any online transaction in which you engage. These are important too, but not just for privacy. These terms govern ownership of data, intellectual property rights and authorized and unauthorized uses—by the company and by you. It is all about risk. If you value the data involved in any transaction, or the opportunities it provides, take the time to read the agreement.

Businesses

  1. It’s a matter of trust. Have a privacy policy. And honor it. Privacy is all about trust. To be sure, Facebook is facing legal and regulatory fallout over this recent issue. However, the biggest impact might come in losing customers and reputational harm. Indeed, many are swearing off Facebook, especially considering this is the latest in a long line of privacy and security related issues for the company. Companies that want to earn customer loyalty, and indeed loyalty that might get them through a privacy or security crisis WHEN not IF it happens, will get a grip on their data and back-up their privacy promises in their privacy policies and terms of use. Better yet, ask yourself: Can we survive such a breakdown in our customers’ trust?
  2. Audit. Get up in your third parties’ business. Facebook could have verified that Cambridge actually deleted the Facebook profiles. Rather, it took a contractual attestation to the fact and allegedly did nothing more. Not always a bad idea, but if you are entrusting third parties to handle your customer’s sensitive data or data in large amounts, use your agreements as an opportunity to ensure that the third party uses the same (or better) safeguards than you do and reserve the right to verify. Not only does this prevent bad things from happening, it shows your customers, regulators, and opposing counsel that you take privacy seriously.
  3. Data is your business. I do not care what industry in which you operate—you are a data business. Get smart about the data you collect, store, share and destroy. Take the time to classify your data and map your data throughout your organization and with third parties. Write policies and procedures for how your data will be used properly and what is prohibited. Write agreements with your third parties and with your customers that are easy to understand and place a priority on data protection. And get insurance. Even with all the best practices, you WILL have a data incident. It is not IF but WHEN. Plan and invest in protection for not only your customer data, but the survival of your business and its reputation.

Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data.  The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included employee sensitive data, such as his or her Social Security Number.  This is yet another new wrinkle in such phishing attempts and should serve as a reminder about being diligent in continually monitoring and improving your cybersecurity program.

Last year alone, cybercriminal activity increased 38%. While cybercriminal activity comes in different forms,  90% of all successful cybersecurity attacks begin with phishing emails. That’s right, 90%! If you are wondering whether this should alarm you as a business owner, IT SHOULD. That’s because the greatest workplace threat to data security is rarely cyber-hackers. As we have shared before, the biggest risks are employees making things easy for hackers or violating policies themselves. Every day, millions of employees read their emails. Consequently, in reading those emails, every day thousands of employees unknowingly open phishing emails, downloading malware viruses to their computer and company databases.

Continue Reading Data security: The bad guys are stepping up their game. Are you?

U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.

But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined broadly) as belonging to the person identified by the data, or “data subject.” The company collecting the data has a limited license to use that data in legitimate ways – as described in one article, a company can only use the data in ways that “wouldn’t surprise them or make them uncomfortable.”

It is unsurprising, then, that under the GDPR, the specific concepts of fair notice and consent are also more robust than in the U.S. This post will give an overview of the notice requirements under the GDPR, and a future post will explore the consent requirements.

Continue Reading What’s in a notice? Privacy notices under the GDPR

Every year, the culprit that tops the list of information security risk is the same one from the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee that clicks the phishing link or lets the bad guy into the building. And, unlike the technological safeguards that can cost you thousands of dollars, remedying the issues with employees doesn’t have to cost a lot time or money. However, it can still have the biggest payoff. Here are three easy things you can do to immediately reduce the risk to your sensitive information, and in doing so, truly make “security everyone’s business.”

Continue Reading The Enemy Within: Why Employees Top the List of Security Risks Each Year (and what you can do to make sure yours don’t)

Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comments updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 F.R. 1941 (Jan. 12, 2018).] GSA’s brief description of the updates and some factors it might consider are summarized below.

I. GSA’s New Cybersecurity Requirements

Currently, the GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements. The final rule will require contracting officers to incorporate applicable GSA requirements within statements of work to ensure compliance with the new rule; demand that contractors implement best practices for preventing cybersecurity incidents; and impose cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to only require the provision and clause when the contract will involve information or information systems connected to a GSA network.

II. GSA’s New Incident Reporting Requirements

Like the existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process. The final cybersecurity incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The final rule will also outline the roles and reporting responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA contracts; establish a contractor’s reporting obligations where the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the information nor information systems owned or managed by or on behalf of the U.S. Government is potentially compromised; establish explicit timeframes for reporting cyber incidents; describe the details and required elements of a cyber incident report; provide Government points of contact for submitting reports; and explain the process for determining which agency will be primarily responsible for the cyber incident. The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information (PII).

Much like the Safeguarding Covered Defense Information and Cyber Incident Reporting regulation, DFARS 252.204-7012, the new GSAR rule will clarify both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident; establish a requirement for the contractor to preserve images of affected systems; ensure contractor employees receive appropriate training for reporting cyber incidents; and outline how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.

III.  Some Factors GSA Might Consider

There are 23 categories and 84 subcategories of Controlled Unclassified Information and it’s hard to argue that any are less deserving of the protections afforded by the National Institute of Standards and Technologies Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

For data security, GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security practices of SP 800-171 in effect at the time of the solicitation and as updated and authorized by the GSA Contracting Officer. GSA might also explicitly recognize that while compliance with SP 800-171 is expected, there may be events in which additional cybersecurity is warranted. Likewise, if the contractor intends to use an external cloud service provider to store, process, or transmit any controlled unclassified information in performance of a GSA contract, the contractor should require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment.

For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation, (HSAR), Safeguarding Controlled Unclassified Information (HSAR Case 2015-001), proposed rule. The HSAR final rule is expected in September 2018. [82 Fed. Reg. 40293.] Currently, GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur during this time frame. [GSA Information Breach Notification Policy, 9297.2C CIO, July 31, 2017.] As DHS determined, it’s better to notify affected persons sooner rather than later so that they can take steps to protect themselves and their families. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting obligation deadlines (like 30 days for Florida residents and 45 days for Ohio residents). And, while the GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided and then see how many people actually sign up for the service.

There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technologies Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.”  The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171, Revision 1.

The assessment procedures consist of an assessment objective and a set of potential assessment methods and assessment objects that be used to perform the assessment.  Each assessment objective includes a determination statement related to a CUI security requirement that is the subject of the assessment and traced back to SP 800-171. The application of an assessment procedure to a security requirement produces assessment findings. These findings reflect or are used to determine if the security requirement has been satisfied.

“Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals or groups of individuals are people apply the specifications, mechanisms, or activities described above.”

The assessment methods define the nature of the assessor’s actions and include examine, interview, and test. The assessor examines one or more assessment objects. Any security requirements that are deemed non-applicable are noted in the system security plan.  The CUI security requirements are then deemed either satisfied or other than satisfied based on the findings and evidence produced during the assessment. Contractors will be able to claim compliance with the security requirements specified in SP 800-171 using the procedures in SP 800-171A.

So how does it work? Each security requirement is assessed by examine, interview, and test. For example, security requirement 3.1.4(a) involves separation of duties. Potential assessment methods and objects include examining policies and procedures, interviewing personnel, and testing to make sure mechanisms implementing the separation of duties exist. For assessment findings other than satisfied, contractors may choose to defined subcategories of findings to indicate the severity or criticality of the weakness or deficiencies discovered and the potential adverse effects on the contractor. “Defining such subcategories can help to establish priorities for needed risk mitigation actions.  Organizations may also choose to employ a more granular approach to findings by introducing a partially satisfied category for assessment.”

Here are some additional links:

  • DFARS 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, available here;
  • NIST SP 800-171, Revision 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available here;
  • Draft NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information, available here;
  • NIST’s Manufacturing Extension Partnership’s Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, available here;
  • DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
  • DoD’s Procurement Toolbox Cybersecurity Resources, available here;
  • The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here;
  • Taft’s Checklists and Other Blog Posts on the DFARS Safeguarding Regulations, available here;
  • Taft’s webinar on the Defense Department Cybersecurity Rules, available here.

If you have a particular question about the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting regulation or NIST SP 800-171, let us know and we might use your question for an upcoming blog post.

It seems like I get this question once every couple of months.

Hey Bill, my company just got sued. After paying premiums for years, I finally had to make a claim. My insurance company wrote me a “reservation of rights” letter. They offered to have one of their “panel counsel” defend my company, but then they listed 15 reasons why they don’t need to cover the lawsuit, including that there is no “covered claim,” the event was not an “occurrence” or accident but resulted from “intentional” conduct, and the damages may not have “occurred during a policy period.”

Needless to say, I’m worried that the insurance company’s “panel counsel” may be beholden to the insurance company and consciously or unconsciously hinder my coverage. I am concerned that the insurance company’s attorney may be more interested in protecting his future stream of new cases from the insurance company than me as our paths may never cross again.

Under what circumstances can I choose my own defense attorney? I want to raise the issue now so I don’t have to clean up a mess after the fact. Help!

  1. What state law governs the conflict of interest issue? The answer usually begins with an unsatisfying “it depends,” because conflict of interest laws vary by state. What might be a conflict of interest giving the policyholder the right to select counsel in one state may not be sufficient in another state.
  2. A “conflict of interest” doesn’t mean that the conflicted party is engaged in conduct harmful to the other party. It means their interests are divergent, which creates a potential for such harm.  “When a potential conflict of interest between insured and insurer arises, the insurance company’s duty of good faith requires it to notify the insured.  …  Once notified …, the insured has the option of hiring a new lawyer, one whose loyalty will be exclusively to him.  If he exercises that option, the insurance company will be obligated to reimburse the reasonable expense of the new lawyer.”  C. Wegman Constr. Co. v. Admiral Ins. Co., 629 F.3d 724, 729 (7th Cir. 2011) (cleaned up).
  3. Generally, a policyholder may select defense counsel of their choice when the insurance company reserves the right to deny coverage on a basis that will be decided in the underlying litigation. So on the issue of whether the event was an “occurrence,” will the jury deciding the underlying case be required to decide whether the event resulted from an accident or an intentional act? If so, you as the policyholder should have the right to select your own defense attorney.
  4. Under Indiana law, a conflict of interest is sufficient to require the insurer to pay for the policyholder’s choice of defense counsel where there is a “significant risk that an attorney selected by and under the control [of the insurer] would be materially limited in the representation.” Armstrong Cleaners, Inc. v. Erie Ins. Exchange, 364 F. Supp. 2d 797, 817 (S.D. Ind. 2005). The issue is governed by Rule 1.7(a) of the Indiana Rules of Professional Conduct. Rule 1.7(a) states that unless a client gives informed consent, a lawyer shall not represent a client if the representation involves a concurrent conflict of interest. A concurrent conflict of interest exists if there is a “significant risk” that the representation of one or more clients will be “materially limited” by the lawyer’s responsibilities to another client or another entity paying the bill. Courts have held that a concurrent conflict of interest exists when the handling of the underlying litigation may affect whether the claim is covered or not covered.
  5. You should raise the conflict of issue at the beginning of the representation. You don’t need to wait until an actual conflict arises. Rule 1.7(a) requires a significant risk of that the representation may be materially limited.

Here are some examples of concurrent conflicts entitling the policyholder to select defense counsel. A software company gets sued for invasion of privacy after having inserted software onto laptop computers that record a user’s every search. The insurance company agrees to defend and reserves the right to deny coverage on the grounds that the event did not result from an “occurrence” (or accident), but from an intentional act. Rule 1.7(a) may permit the policyholder to select defense counsel to be paid for by the insurance company.

Another common example occurs in environmental cases. The same “occurrence” versus intentional act issue may result in courts allowing the policyholder to select defense counsel.

In addition, the Indiana Supreme Court denied transfer of a Court of Appeals’ decision holding that under “those sums” commercial general liability policies, an insurer does not have to pay for bodily injury, property damage, or personal injury that did not “occur during the policy period.” This raises the issue of how a court should allocate the responsibility for covering long tail claims, like environmental claims, that can occur over decades.

“The ideal method is a fact-based allocation, under which courts would determine precisely what injury or damage took place during each contract period or uninsured period and allocate the loss accordingly.”

Thomson, Inc. v. Ins. Co. of N. Am., 11 N.E.3d 982, 1022 (Ind. Ct. App. 2014), trans. denied, 33 N.E.3d 1039 (Ind. 2015).

So consider a scenario where environmental contamination takes place over decades where the policyholder knows he bought insurance, but cannot remember or prove through check payments or other business records what company provided coverage in earlier time periods. An insurance company that provided coverage more recently under a “those sums” policy reserves the right to deny coverage on the ground that the loss did not occur during a covered policy period is now in direct conflict with its policyholder. The policyholder now has powerful incentives to show the loss occurred during a more recent covered period, while the insurance company has an equally powerful incentive to show the loss occurred during an earlier period in which it did not insure the policyholder. Under such circumstances, the policyholder should be afforded the right to choose the defense attorney to represent the policyholder’s interests in the underlying lawsuit or claim.

Join Taft and Sikich for an informational session on Feb. 21 as two of our professionals share their experiences before and during a data breach and share their insights in the hopes of helping you better prepare for and survive a data breach. Register here.

Schedule:
3:30 – 4:00pm Registration & Networking
4:00 – 5:00pm Presentation
5:00 – 6:00pm Networking, drinks & hors d’oeuvres

Presenters:

Scot Ganow, Senior Counsel – Taft Stettinius & Hollister LLP
Scot is co-chair of Taft’s Privacy and Data Security Practice. As a former chief privacy officer in Fortune 100 companies, Scot brings a diverse business background to his privacy and data security practice at Taft. Scot regularly counsels clients of all sizes and industries from across the U.S. on security incidents and data breaches, as well as ways to avoid them.

Mark Shelhart, Director of Incident Response & IT Forensics – Sikich LLP
Mark’s expansive technical background and excellent communication skills allow him to efficiently drive e-discovery, incident response and other forensic projects to effective conclusions. Mark has more than 15 years of experience working in consulting, information technology, e-discovery and incident response.

 

Well, if Star Wars (May 4) and doughnuts (first Friday in June) can have their own day, you would hope a day might be dedicated to reminding us all about the importance of privacy and increasing awareness of ways we can empower ourselves and our clients to better use and protect personal information. Data Privacy Day began as Data Protection Day in Europe. The day commemorates the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. As the Convention was signed on Jan. 28, 1982, Data Privacy Day is observed annually around the world on Jan. 28.

So, like many reflections you might ponder this time of year, let Data Privacy Day serve as the perfect time to stop and reflect on how your company is using personal information. Do you know:

  • What personal information you collect and why?
  • From whom you collect personal information?
  • With whom you share personal information?
  • Which law(s) or contracts may apply to your use of personal information?
  • Where, both physically and technically, you store personal information?
  • The safeguards in place around your personal information?
    • Administrative safeguards (i.e. policies, procedures, contracts)
    • Technical safeguards (i.e., encryption, firewalls, 2 factor auth.)
    • Physical safeguards (i.e. passkeys, locks, IDs, visitor mgmt.)

If you don’t know the answers to these basic questions, you really should wonder if you should be using personal information. The good news is that if you don’t know the answers, you are not necessarily alone. You can do a lot to find out the answers in a short period time. It doesn’t have to be complicated or expensive, but you have to get started and put a plan in place.

So, let Data Privacy Day be your new year’s resolution to get serious about data protection. Who knows? You might learn a lot about your company, its business and maybe find ways to improve both! And, as always, please celebrate responsibly.