The Federal Trade Commission Has Issued Important Guidance Regarding How To Respond To A Data Breach.
On October 25, 2016, the Federal Trade Commission (“FTC”) issued a guide and instructional video regarding how to respond to a data breach. Both the guide and video are available at this link, which also contains a summary by the FTC.
The FTC’s guidance is not binding, but it is important because it is likely to be used as a benchmark by other government agencies and by plaintiff’s lawyers who are trying to prove that a company acted negligently in responding to a data breach.
Among other things, the FTC’s guidance discusses:
- Securing a company’s operations in response to a data breach while not destroying forensic evidence;
- Fixing vulnerabilities; and
- Notifying appropriate parties.
The FTC’s guidance helps show why companies should work proactively with attorneys to develop a game plan before a data breach occurs.
Until now, the federal government has only provided criminal sanctions for misappropriation of trade secrets, leaving civil remedies for businesses exclusively to the states. However, President Obama signed the Defend Trade Secrets Act of 2016 (DTSA) into law on May 11, 2016 effective immediately. DTSA creates a civil action for businesses to seek redress under federal law for the misappropriation of their trade secrets. This new federal law does not preempt state law, but provides businesses with the option to file their claims under either state or federal law. Federal courts can provide many benefits to plaintiffs, such as uniformity in law in all jurisdictions and efficiency given the federal system’s smaller case load.
DTSA matches much of what state law has already provided. Here is what is new:
“Whistleblower Immunity”: DTSA provides immunity from criminal and civil liability for an individual disclosing a trade secret to any federal, state, or local government official, or to an attorney, for the purpose of “reporting or investigating a suspected violation of law.” Immunity is also provided to individuals who disclose a trade secret to their attorney in an action against an employer for retaliation for reporting a violation of law. Additionally, this immunity allows the individual to use the trade secret in the retaliation court proceeding. DTSA requires employers to provide notice of this immunity to employees, independent contractors and consultants, either by inclusion in an agreement that governs use of trade secrets or in a policy document, cross-referenced in such an agreement, that establishes the employer’s reporting policy for suspected violations of law. Failure to provide this notice will deprive employers of their right to another DTSA benefit – collection of exemplary damages and attorney fees – in an action against any employee, independent contractor or consultant who was not provided notice.
Ex Parte Seizure: DTSA includes an ex parte seizure provision that allows employers to seize another party’s property containing misappropriated trade secrets without their knowledge in extraordinary circumstances. This request for seizure may be granted if immediate and irreparable injury will occur as a result of a high likelihood the other party will evade, avoid, or not comply with other equitable relief by means of destroying, moving, hiding, or otherwise making such a matter inaccessible to the court.
Time is of the essence for employers to update their agreements to become compliant with DTSA and to consider updating policies on when trade secret misappropriation actions will be pursued. Employers should also consider adding this notice to confidentiality forms and non-disclosure agreements. Please contact the McGrath North Intellectual Property Group with your DTSA compliance concerns or to discuss commencing a misappropriation of trade secrets action.
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 28. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, January 28, 2016, 6:15 pm – 7:45 pm at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information click here to access the IAPP website.
On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). Safe Harbor is an agreement between the U.S. and the EU designed to create a streamlined way to transfer personal data from Europe to U.S. firms in accordance with European data protection rules. Over 4,000 U.S. companies are currently Safe Harbor self-certified.
Does It Impact Your Company?
Yes, if your company has relied on its Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing (for example, if your company transfers European employees’ personal data back to the U.S. for human resources purposes) or if your company uses vendors or suppliers that have relied on the Safe Harbor to transfer data from the EU to the U.S.
What Are Your Company’s Next Steps?
If you believe your company may be affected by this decision, we recommend working quickly to analyze any cross-border data flows to the U.S. Such analysis includes a thorough review of your company’s supply chain. If your company transfers data from the EU to a U.S. processor, or accesses data of EU data subjects that may be stored or processed by a processor in the EU, we recommend reviewing all agreements executed with such processors, identifying which ones have represented that they are Safe Harbor certified, and promptly working with each such entity to find an alternative means of satisfying the European data protection rules.
For compliance purposes, we also recommend mapping out what kinds of data are processed across borders (personal and otherwise), identifying the data subjects (customers, employees, etc.) and estimating the amount of data transferred.
How Can Your Company Continue to Transfer Data in the Absence of Safe Harbor?
To the extent that your company or your vendors or suppliers have relied on Safe Harbor for data transfers, you should consider alternative mechanisms to legalize such data transfers, including incorporating the Model Contract Clauses by addenda into current supplier and vendor agreements, implementing Binding Corporate Rules or obtaining prior written consent from all data subjects.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions, would like to discuss how the Safe Harbor ruling applies to your company or if you would like additional information on how to make your company compliant with the EU Data Protection Directive.
Read the press release from the European Court of Justice. (http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on October 15. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, October 15, from 5:30 – 7 p.m. at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information click here to access the IAPP website.
A recent federal court decision upheld the Federal Trade Commission’s (FTC) authority to take enforcement action on behalf of consumers against businesses that fail to take reasonable steps to secure sensitive consumer information.
The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit alleging that hotel chain Wyndham Worldwide Corp. was, at least in part, responsible for the three unauthorized intrusions it experienced over the span of two years, which compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges (click here to read the ruling). The FTC alleged that Wyndham had engaged in cybersecurity practices that, collectively, were unfair and unreasonable, resulting in unnecessary exposure of consumers’ sensitive data. The Wyndham cybersecurity practices cited by the FTC as unfair and unreasonable included, but were not limited to, lax password management, lack of appropriate firewall protection for consumer data, use of outdated software and failure to follow proper incident response procedures.
Going forward, based on the reasoning of the Wyndham decision, it is going to be difficult for any business, large or small, to take the position that it was somehow unaware of the importance of cybersecurity. As such, it is imperative that your business have appropriate cybersecurity practices and policies in place for the protection of sensitive consumer information. When reviewing your business’s current cybersecurity practices and policies, keep in mind the following principles:
- Be aware of all the personal information collected, retained and shared. Review your system to learn how your business and/or vendors use consumer data. Restrict access to sensitive data to only those “need to know” employees or vendors.
- Keep only personal information required for legitimate business operations. If you don’t need it, don’t keep it.
- Use physical and electronic security to protect the information your business retains. Such security could include firewalls, encryption of sensitive data or implementing password management rules.
- Properly dispose of personal information as soon as it is no longer necessary for business operations. When disposing of old computers and portable storage devices, use software for securely erasing data.
- Have a plan to respond to security incidents. Designate someone on your staff with sufficient authority within your organization to coordinate and implement the response plan. Investigate security incidents immediately.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions or would like to discuss your business’s cybersecurity practices and policies.
Tom Kelley Listed in The Best Lawyers in America© 2016 in the Field of Privacy and Data Security Law.
McGrath North is pleased to announce that Tom Kelley was recently selected by his peers for inclusion in The Best Lawyers in America 2016 in the field of Privacy and Data Security Law. Inclusion in The Best Lawyers in America 2016 is based upon an exhaustive peer review survey comprising more than 6 million confidential evaluations by top attorneys in the U.S.
Don’t Make Your Cyber Insurance Coverage Illusory – Address Cyber Security Practices Before Purchasing Coverage
The risks of purchasing cyber insurance coverage before a business addresses its existing cyber security practices have just been made painfully clear by a recent case filed by an insurer in California. Columbia Casualty, a unit of Chicago-based CNA, is seeking a judicial ruling that it is not obligated to pay a $4.125 million class action settlement paid by California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, arising out of a data breach at the hospital.
According to the complaint: (1) the insurer issued a cyber insurance claims made policy to the hospital effective from October 1, 2013, to October 1, 2014; (2) the hospital subsequently suffered a data breach involving over 32,500 confidential medical records between October 8, 2013, and December 2, 2013; (3) a class action lawsuit was filed against the hospital on or about January 27, 2014, with a $4.125 million settlement receiving preliminary court approval on or about December 24, 2014; and (4) the insurer agreed to fund the settlement, subject to a complete reservation of rights. Click here to review the complaint.
In its complaint, the insurer has asserted that a “failure to follow minimum required practices” exclusion precluded coverage on the alleged ground that the hospital did not follow its own description of its data security system in the insurance application. In the complaint, the insurer also asserted that the hospital’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of the alleged misrepresentation. As a result, the insurer has requested reimbursement of defense and settlement payments.
This case highlights the need for a policyholder to be diligent from the first day it reviews and completes an application for cyber insurance, to make sure it understands the requirements for coverage. Stakeholders in information technology, treasury, finance, legal and risk management should all be involved in any review of a cyber insurance application to ensure that appropriate coverage language is in place. In addition, after cyber coverage is purchased, a policyholder must be vigilant in implementing its cyber security practices and must create a record sufficient to prove that it has complied with policy requirements. At the end of the day, money spent on cyber insurance coverage is well spent only if covered losses are ultimately paid by the insurer.
If you have questions or would like to discuss cyber insurance coverage for your business, please contact a member of the McGrath North Privacy and Data Security team.
In the wake of the Anthem breach, hackers continue to target the healthcare industry. At the close of May, CareFirst BlueCross BlueShield reported a data breach that was initially discovered last year; however, when the incident was first noticed, the company believed they had adequately taken care of the problem. CareFirst said at the time it was believed they “had contained the attack and prevented any actual access to member information.” Unfortunately, ten months later, CareFirst discovered that the breach had, in fact, continued.
Information on about 1.1 million individuals was affected by the breach, which CareFirst discovered during an information technology security review conducted in the wake of the attacks on Anthem and Premera. In June 2014, according to CareFirst, hackers gained access to a single database where CareFirst stores data that is entered by members and other individuals in order to access the company’s websites and online services.
This incident offers a clear lesson to other organizations: it is time to review their security procedures and address gaps in protections before it is too late. Healthcare data is obtained and stored by a variety of entities that are expected to be aware of these types of risks and to act to prevent them. Healthcare data is extremely valuable to criminals, as it can be re-packaged and sold for a number of different criminal campaigns. In light of these most recent attacks, we are encouraging all our clients to conduct an internal audit of their security protocols and implement HIPAA policies and procedures to prevent exposure to new threats in the technological world.
If you have questions or would like to discuss your HIPAA compliance questions, please contact a member of the McGrath North Privacy and Data Security team.
On February 13, 2015, Anthem, Inc. (Anthem) announced that on January 29, 2015, it discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem stated that it believed the suspicious activity may have occurred over the course of several weeks beginning in early December, 2014. Anthem has reported that the information accessed may have included individual names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data. For more information concerning the breach, click here to access the website created by Anthem to update employers about the breach.
Anthem is one of the largest health benefits companies in the United States. Through its affiliated health plans, Anthem companies deliver health benefit solutions through a portfolio of integrated health care plans and related services, along with a range of specialty products such as life and disability insurance benefits, dental, vision, behavioral health benefit services, as well as long term care insurance and flexible spending accounts. Headquartered in Indianapolis, Indiana, Anthem, Inc. is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.
Employers who have Anthem plans or use Anthem as a third party administrator (TPA) for their health plans should review their plan documents to understand what rights and obligations the parties have in the event of a data security breach.
Federal And State Breach Notification Requirements. With respect to federal and state breach notification requirements, if protected health information was involved in the attack, the attack was most likely a breach under HIPAA and subject to the HIPAA breach notification reporting rules. Given the nature of the information involved in the attack, most clients of Anthem will likely treat the attack as a breach under HIPAA and follow HIPAA’s breach notification reporting rules. In addition, forty-seven states have separate breach notification reporting statutes that may be triggered when certain sensitive information (such as Social Security numbers) is breached. Since the rules vary from state to state, an affected employer will need to determine which State breach notification reporting statutes apply.
What Affected Employers Should Do Now. While Anthem’s investigation continues, affected employers should consider taking steps now to ensure required breach reporting requirements are met.
- Obligation To Provide HIPAA Breach Notification. Breach notification obligations under HIPAA may depend on whether an employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations under its business associate agreement (Agreement) with an affected employer to provide the required notification. If a plan is fully insured, Anthem will likely be obligated to provide the notification. If a plan is self-funded, Anthem may also be obligated to provide the notification pursuant to its Agreement with the employer. Affected employers should review their Agreement with Anthem to make this determination.
- Obligation To Provide State Breach Notification. Under many State breach notification reporting statutes, the party that lost the data is the one responsible for issuing notification of the breach. A review by an affected employer of the applicable State breach notification reporting statutes will be required to determine its obligation to report the Anthem breach to its employees. An affected employer should also consider confirming with the respective State Attorney General that following the HIPAA breach notification reporting requirements will satisfy that State’s breach notification reporting requirements.
- Communication With Employees. Affected employers should urge employees affected by the Anthem breach to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications. Employees should also be encouraged to immediately change their passwords for all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity. In addition, in its communications with its employees regarding the Anthem breach, an affected employer should note that any information regarding the Anthem breach has been provided by Anthem (where applicable), and that the employer is not making any representations about the breach or surrounding facts.
- Review Anthem Mitigation Efforts. An affected employer should confirm with Anthem the steps currently being taken to protect the employer’s employees and other affected individuals. The affected employer will want to review any agreements with Anthem to determine whether the victim protection, client indemnification, and paid notification being proposed by Anthem are consistent with Anthem’s obligations under such agreements.