A BRAVE NEW WORLD: THE EVOLVING LEGAL LANDSCAPE OF CYBERSECURITY

Brent D. Craft, J.B. Lind, Jacob D. Mahle, and Eric W. Richardson

CLE Credit: 1.0
Friday, June 14, 2019, 11:20 a.m. – 12:20 p.m.
Combs-Chandler, Galt House Hotel, Louisville, Kentucky




A NOTE CONCERNING THE PROGRAM MATERIALS

The materials included in this Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered. No representation or warranty is made concerning the application of the legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how any particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgment of the individual legal practitioner. The faculty and staff of this Kentucky Bar Association CLE program disclaim liability therefor. Attorneys using these materials, or information otherwise conveyed during the program, in dealing with a specific legal matter have a duty to research the original and current sources of authority.

Printed by: Evolution Creative Solutions 7107 Shona Drive

Cincinnati, Ohio 45237

Kentucky Bar Association


TABLE OF CONTENTS

The Presenters ........................................................................ i
A Brave New World: The Evolving Legal Landscape of Cybersecurity ........................ 1


THE PRESENTERS

Brent D. Craft
Vorys, Sater, Seymour and Pease LLP
Great American Tower
301 East Fourth St, Ste 3500
Cincinnati, Ohio 45202
[email protected]

BRENT CRAFT is an associate in the Vorys litigation group. His practice is focused on complex commercial litigation, qui tam and federal False Claims Act cases, government procurement, intellectual property law, and internal investigations, including counseling clients on cybersecurity and data breach issues. Brent has presented on a number of cybersecurity and data breach topics, including state notification statutes and regulations, and recent information security case law. Brent received his J.D., magna cum laude, from the University of Kentucky College of Law, where he was a member of the Order of the Coif and the Kentucky Law Journal. He received his B.A., summa cum laude, from Transylvania University in Lexington, Kentucky.

J.B. Lind Vorys, Sater, Seymour and Pease LLP

Great American Tower 301 East Fourth St, Ste 3500

Cincinnati, Ohio 45202 [email protected]

J.B. LIND is a partner in the Vorys Cincinnati office and a member of the litigation group. Recognized for his work in complex commercial litigation matters, Mr. Lind has particular experience with information privacy/data breach litigation, business litigation involving closely held or limited liability corporations, probate/estate litigation and intellectual property litigation. These specific focus areas led to him being named an adjunct professor at the NKU Chase College of Law, teaching in the areas of information privacy and intellectual property. Mr. Lind also handles cases in insurance and product liability/toxic tort litigation. He is a frequent speaker on issues related to data security, privacy and breach at the annual NKU Chase College of Law Cybersecurity Symposium and has also recently spoken to the Kentucky Court of Appeals Annual Conference on the same topics.


Jacob D. Mahle Vorys, Sater, Seymour and Pease LLP Great American Tower 301 East Fourth St, Ste 3500 Cincinnati, Ohio 45202 [email protected]

JACOB MAHLE is a partner in the Vorys Cincinnati office. His practice is focused on complex commercial litigation, and he has represented parties in a variety of commercial disputes. His practice includes representing corporate and individual defendants in government and regulatory investigations, defending False Claims Act matters involving CMS and the Department of Defense, representing retailers and financial institutions in data breach litigation, and counseling clients regarding privacy, data compliance issues, and incident response planning. Mr. Mahle has spoken frequently on the topic of cybersecurity and data privacy before corporate and business audiences, including at the annual Cybersymposium organized by Northern Kentucky University. Mr. Mahle teaches Information Privacy law, and Intellectual Property law, as an adjunct professor at the Northern Kentucky University Salmon P. Chase College of Law. Mr. Mahle is a member of the Cincinnati Bar Association. Mr. Mahle received his J.D., summa cum laude, from the University of Cincinnati College of Law, where he was a member of the Order of the Coif, and his B.A., summa cum laude, from Xavier University.

Eric W. Richardson

Vorys, Sater, Seymour and Pease LLP Great American Tower

301 East Fourth St, Ste 3500 Cincinnati, Ohio 45202

[email protected]

ERIC RICHARDSON is a partner in the Vorys Cincinnati office and a member of the litigation group since 1997. His practice is focused on civil litigation and encompasses data breach and complex commercial and intellectual property litigation. Mr. Richardson has represented clients in a variety of significant data breach cases involving national merchants. As part of that data breach litigation, Vorys defended its clients on claims by consumers and by issuing banks, including in class-action litigation and in individual cases pending in various jurisdictions throughout the United States. Mr. Richardson has presented on the issues of data security, privacy and breach, and on payment card penalties and class action litigation arising out of data breaches to various organizations, including the American Bar Association, the Association of Certified Fraud Examiners and the 2015 Chief Information Security Officer Executive Summit. Mr. Richardson teaches information privacy and data protection law, and intellectual property law, as an adjunct professor at the Northern Kentucky University Salmon P. Chase College of Law.


A BRAVE NEW WORLD: THE EVOLVING LEGAL LANDSCAPE OF CYBERSECURITY

Brent D. Craft, J.B. Lind, Jacob D. Mahle, and Eric W. Richardson

I. CURRENT CYBERSECURITY THREATS AND OUTCOMES

The proliferation of Internet use has transformed business models and driven economic growth. But it has also introduced new threats to data security, which continue to increase in frequency and magnitude. Nearly 8 billion records were compromised in 2018 through nearly 53,000 incidents and 2,216 confirmed data breaches. The victims of these breaches run the gamut, affecting entities in the healthcare industry, financial services industry, hospitality (hotels and restaurants), retail, and the public sector. In 2018, 58 percent of the victims of data breaches were considered small businesses. Cyberattacks have been estimated to cost the global economy more than $450 billion per year. The average total cost of a data breach in 2018 was $3.86 million, with the average cost per lost or stolen record being estimated at $148. These costs manifest themselves in a variety of ways:

• Detection and Escalation: Activities that allow a company to detect and report the breach to appropriate personnel within a specified time period (e.g., forensic investigation activities, audit services, crisis team management, communications).

• Notification Costs: Activities that allow the company to notify individuals who had data compromised in the breach (e.g., newsletters, telephone calls, emails).

• Post-Data Breach Response: Processes that help affected individuals or customers communicate with the company and costs associated with redress and reparation with data subject regulators (e.g., legal expenditures, credit reporting, issuing new accounts).

• Lost Business Cost: Activities associated with the cost of lost business, including customer churn, business disruption, and system downtime (e.g., cost of business disruption, cost of lost customers, reputational loss).

A. Big Breaches in 2018

The following list illustrates the broad range of entities and industries hit by large breaches in 2018. The number listed with each breach is the number of individuals affected.

1. Saks and Lord & Taylor (retail) – 5 million (April 1, 2018): A hacking group infected the retailers’ point-of-sale systems with malware that was likely installed through phishing emails and stole credit card numbers. The hackers announced that they planned to sell the credit card numbers on the dark web.


2. Sacramento Bee (news service) – 19.5 million (February 7, 2018): A hacker seized a voter registration database that the newspaper had obtained from the state for reporting purposes, and another internal database containing subscriber information. The databases included names, addresses, email addresses, phone numbers, political party affiliations, dates of birth, and places of birth.

3. Timehop (smartphone app) – 21 million (July 8, 2018): An attacker gained access to the app’s cloud computing environment because it was not protected with two-factor authentication. The breach exposed the names, email addresses, dates of birth, phone numbers, and other personal information of app users.

4. Facebook (social media) – 29 million (September 28, 2018): Hackers exploited a feature of Facebook’s platform (“View As”) that allowed them to steal “access tokens,” which were then used to take over users’ accounts. Included in the breach were users’ names, phone numbers, email addresses, and other personal information collected by Facebook.

5. Panera Bread (restaurant) – 37 million (April 2, 2018): A reported database leak resulted in the disclosure of records for customers who had signed up for accounts to order food online via panerabread.com. The leak revealed customers’ names, addresses, email addresses, dates of birth, and last four digits of credit card numbers. Panera disputed the reported scope of the leak (claiming that it affected only 10,000 customers) but acknowledged the security flaw that resulted in the leak.

6. Marriott (hospitality/hotel) – 500 million (November 30, 2018): After being alerted to an attempted intrusion of the Starwood reservation database, Marriott discovered an assault on its reservation system that dated back to 2014. Through the long-term attack, hackers stole the personal information of up to 500 million guests, including their names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and other personal information.

B. Data Breach/Cybersecurity Threats and Technological Trends

Data breaches occur through the use of a variety of methods, all of which represent significant threats to any business, entity, or individual who transmits or receives sensitive, personal, and/or confidential information. These threats come in many forms – physical devices, hacking, malicious software – and cybercriminals are constantly working to enhance their techniques to evade the security measures that are developed to address these threats.


1. Physical threats.

Skimmers and shimmers physically copy credit, ATM and debit card information. These devices can be bought online – there is a low barrier to entry for those seeking to obtain personal data through the use of these devices. Shimmers, wafer-thin versions of skimmers, represent cybercriminals’ solution to the security chip integrated into credit cards. As awareness of the threat posed by skimmers and shimmers has increased, data thieves are developing new methods by which they can steal payment information at points of sale. Fraudsters will sometimes install pinhole-sized cameras in brochure holders, light bars, mirrors or speakers on ATMs to gather PIN details as they are entered. Once the fraudsters collect the PINs and the card numbers, they have enough information to compromise the cards. Some cyber thieves will also use keypad overlays to capture PIN numbers as they are entered. Through Bluetooth technology, the cybercriminals can receive and download the captured video, images, and information from a short distance away.

2. Hacking.

Hacking still represents the most commonly used tactic to breach systems and steal personal information and payment data – 48 percent of the data breaches in 2018 featured some form of hacking. Below are some of the newer methods that hackers are using to obtain personal data and payment information:

a. Formjacking.

Formjacking is essentially a virtual skimming technique in which hackers insert malicious JavaScript code into the checkout webpages of eCommerce sites to steal credit card details and other information from payment forms as customers submit them. The use of this hacking technique trended upward in 2018: nearly 5,000 unique websites were compromised with formjacking code every month in 2018. With data from a single credit card selling for up to $45 on underground markets, just 10 credit cards stolen from each compromised website could yield up to $2.2 million for cyber criminals each month. The appeal of formjacking for cyber criminals is clear.
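The standard defensive control against the script tampering described above is Subresource Integrity (SRI), which pins each checkout script to a hash so that a browser refuses to run a modified copy. The following is an added example, not part of the CLE materials, that computes and verifies SRI hashes and audits a page's script inventory against a host allowlist; the script bodies, URLs and allowlist hosts are constructed for illustration.

```python
"""Pinning checkout scripts with Subresource Integrity (SRI) hashes.

Added example, not part of the CLE materials. Formjacking works by altering the
JavaScript served on a checkout page. A browser that sees an integrity attribute on a
<script> tag refuses to run a script whose hash no longer matches; the same comparison
can be run server-side or in CI against what a CDN is actually serving. The script
bodies, URLs and host allowlist below are constructed for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical merchant allowlist: the only hosts a checkout page may load scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}


def sri_hash(script_body: bytes, algorithm: str = "sha384") -> str:
    """Return the value of an SRI integrity attribute, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script_body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(served_body: bytes, pinned_integrity: str) -> bool:
    """True if the served script still matches the pinned integrity value."""
    algorithm = pinned_integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(served_body, algorithm), pinned_integrity)


def audit_checkout_scripts(scripts, pinned):
    """Audit the scripts a checkout page loads.

    scripts: list of (src_url, served_body) pairs as fetched from the live page.
    pinned:  {src_url: integrity} recorded when the page was deployed.
    Returns a list of (src_url, finding) for anything that should block a release.
    """
    findings = []
    for src, body in scripts:
        host = urlparse(src).hostname or ""
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((src, "script loaded from a host outside the allowlist"))
            continue
        expected = pinned.get(src)
        if expected is None:
            findings.append((src, "no integrity value pinned for this script"))
        elif not integrity_matches(body, expected):
            findings.append((src, "served script does not match its pinned integrity hash"))
    return findings


# Constructed sample: the checkout script as deployed, and its pinned hash.
ORIGINAL_CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', validateCard);"
CHECKOUT_URL = "https://shop.example/static/checkout.js"
PINNED = {CHECKOUT_URL: sri_hash(ORIGINAL_CHECKOUT_JS)}


def demo_findings():
    """Run the audit against a constructed 'live' page where the checkout script has
    been altered and an extra script from an unknown host has appeared."""
    live_scripts = [
        (CHECKOUT_URL, ORIGINAL_CHECKOUT_JS + b"\n// unexpected trailing change\n"),
        ("https://unknown-cdn.invalid/track.js", b"/* not reviewed */"),
    ]
    return audit_checkout_scripts(live_scripts, PINNED)


if __name__ == "__main__":
    print("pin for checkout.js:", PINNED[CHECKOUT_URL])
    for src, finding in demo_findings():
        print(f"BLOCK: {src}: {finding}")
```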

b. Trojan horses.

Computer Trojan horses are a class of infiltrations that present themselves as useful programs, tricking users into downloading and running them. Their sole purpose is to infiltrate as unsuspiciously and easily as possible so as to avoid detection. “Trojan horse” denotes a very broad category of malicious programs, and it is often divided into many subcategories:

i. Downloader – A malicious program with the ability to download other infiltrations from the Internet.

ii. Dropper – A type of Trojan horse designed to drop other types of malware onto compromised computers.

iii. Backdoor – An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it.

Trojan horses usually take the form of executable files, and they are beginning to appear in smartphone apps. A prime example is a Trojan horse officially named Android.TechnoReaper, which hides inside several “legit” Android apps that supposedly allow users to install font types not usually found on their smartphones. Users agree to download and install a font from the app’s menu, but the download link is redirected to a spyware app hosted on a private server. Thus, without their explicit permission, users install the desired font but also a dangerous spyware program.

c. Artificial intelligence (“AI”).

Hackers are beginning to use artificial intelligence (“AI”) to enhance their hacking techniques and broaden their reach. An example is spear phishing, which uses carefully targeted digital messages to trick people into installing malware or sharing sensitive data. Hackers use machine-learning models to craft fake messages (e.g., emails that appear to be from employers and/or co-workers) that are as convincing as those written by humans. AI programs can also be used to produce and send these spear-phishing emails continuously on an automated basis, blanketing organizations more widely and at a faster rate. Hackers also use AI to help design malware that is capable of evading “sandboxes,” the security programs designed to spot rogue code before it is deployed in companies' systems.


3. Ransomware/denial-of-service attacks.

Ransomware attacks run malicious software designed to block access to a computer system until a sum of money is paid. Denial-of-service (DoS) attacks flood a system with additional traffic that overloads it and makes it unavailable. A number of hospitals have been hit as targets that require immediate action to recover services. Examples of recent ransomware/DoS attacks:

a. East Ohio Regional Hospital (EORH) (Harper’s Ferry, OH) and Ohio Valley Medical Center (OVMC) (Wheeling, WV) (November 2018).

A ransomware attack affected the hospitals’ systems over the course of two days. During this time, the hospitals were forced to limit emergency room admissions to walk-up patients only and to send patients to nearby hospitals. In order to address and remove the software, and as a precautionary measure to limit the spread of the malware, the hospitals’ systems were taken offline and staff switched to paper charting to keep patient information secure.

b. GitHub (February 2018).

GitHub – a popular online code management service used by millions of developers – was the victim of a DoS attack in which its servers were flooded with data traffic that took down its systems. The attackers used a strategy known as memcaching (memcached amplification), in which a spoofed request is delivered to a vulnerable server that then floods the targeted victim with amplified traffic. Memcached databases are commonly used to speed up websites and networks but have recently been weaponized by DoS attackers.

c. Dutch banks ABN AMRO, ING and Rabobank (January 2018).

Three Dutch banks were simultaneously hit by a DoS attack, which resulted in timed-out websites and slowed response times. The attack specifically affected the banks’ mobile and internet banking systems, which ran extremely slowly or became entirely unavailable. The same DoS attack also hit the Dutch national tax office, which went dark for about five to 10 minutes.

Data security experts believe that cloud computing businesses, which house significant amounts of data for companies, are becoming bigger targets for ransomware and DoS attackers. The biggest cloud operators, like Google, Amazon, and IBM, have a wealth of resources and large data security departments at their disposal, but smaller data storage companies are likely to be more vulnerable to attacks that could bring their entire business to a halt by blocking customers’ access to their stored information.

4. Carelessness.

Weak passwords make for easy targets. Up to 80 percent of all data breaches are attributed to stolen or weak passwords. In 2017, a hacker was infamously able to breach the system of Hacking Team, an IT security firm, by exploiting an engineer whose password was “P4ssword.”

Some of the most common passwords of 2018 included:

123456, Password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, Iloveyou, princess, admin, welcome, 666666, abc123, football, 123123, monkey, 654321, !@#$%^&*, charlie, aa123456, Donald, password1, qwerty123
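A plain blocklist of these passwords would not have caught “P4ssword” from the Hacking Team anecdote, because one substituted character defeats an exact match. The following added example, not part of the CLE materials, screens a candidate password against the list above after lowercasing it, removing a trailing run of digits or symbols, and undoing common leetspeak substitutions; the candidate passwords tried at the end are constructed.

```python
"""Screening passwords against a known-weak list, undoing simple substitutions.

Added example, not part of the CLE materials. The blocklist is the handbook's 2018 list
of the most common passwords; a real deployment would use a far larger list, but the
normalization steps are the same.
"""
import re

# The 25 most common passwords of 2018 as listed in the handbook (lowercased).
COMMON_PASSWORDS_2018 = {
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
}

# Common character substitutions users make to get past naive password rules.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})

# A trailing run of digits or keyboard symbols ("sunshine2018!", "monkey123").
TRAILING_SUFFIX = re.compile(r"[\d!@#$%^&*._-]+$")


def normalized_forms(candidate: str) -> list:
    """Return the candidate and its progressively normalized forms, in order, without duplicates."""
    lower = candidate.lower()
    stripped = TRAILING_SUFFIX.sub("", lower)
    forms = [lower, stripped, lower.translate(LEET_MAP), stripped.translate(LEET_MAP)]
    return list(dict.fromkeys(f for f in forms if f))  # dedupe, drop empty strings


def matching_common_password(candidate: str):
    """Return the blocklist entry the candidate collapses to, or None if it matches nothing."""
    for form in normalized_forms(candidate):
        if form in COMMON_PASSWORDS_2018:
            return form
    return None


def is_common_password(candidate: str) -> bool:
    """True if the candidate is, or trivially disguises, a blocklisted password."""
    return matching_common_password(candidate) is not None


if __name__ == "__main__":
    # Constructed candidates, including the handbook's "P4ssword".
    for pw in ["P4ssword", "Sunshine2018!", "Pr1nc3$$", "Tr0ub4dor&3", "correct horse battery staple"]:
        hit = matching_common_password(pw)
        print(f"{pw!r}: {'REJECT (collapses to ' + repr(hit) + ')' if hit else 'not on the list'}")
```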

II. EXISTING LAWS AND EMERGING LEGAL TRENDS

A. Data Breach Notification Laws

After South Dakota and Alabama passed laws in 2018, all 50 states have data breach notification laws, along with U.S. Territories such as Puerto Rico, Guam, and the U.S. Virgin Islands. These define what constitutes a breach and what constitutes personally identifiable information – important definitions that typically trigger requirements under the law. Further, the laws define safe harbors, notification methods, the parties to whom notification should be made (e.g., consumers, law enforcement, state AG, regulators), and enforcement/penalty provisions.

1. Kentucky Notification Law, KRS 365.732.

The Kentucky Notification Law (KRS 365.732) became effective in July 2014. KRS 365.732(1)(b)-(c) defines an information holder as “any person or business entity that conducts business in this state.” It also defines “Personally Identifiable Information” as a person’s first name/first initial and last name in combination with one or more other elements such as: Social Security number, driver’s license number, or account number or credit or debit card number in conjunction with any required security code, access code, or password. KRS 365.732(1)(a) defines a breach as an “unauthorized acquisition” of “unencrypted and unredacted data” that “compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder” AND “actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident.”

Disclosure must be made “following discovery or notification of the breach, to any resident of Kentucky whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” KRS 365.732(2). Disclosure must be made “in the most expedient time possible and without unreasonable delay.” Id. Delay may be permissible if law enforcement determines notification will “impede criminal investigation.” KRS 365.732(4). If more than 1,000 persons must be notified at one time, the information holder must also notify all consumer reporting agencies and credit bureaus. KRS 365.732(7). Notification may be provided through written notice, or through electronic notice if consumers have consented to receiving such notice consistent with the requirements of 15 U.S.C. §7001. KRS 365.732(5). Also, if the cost of notice exceeds $250,000 or the class of people is greater than 500,000, substitute notice can be made by email, conspicuous posting on a website, or through major statewide media. Id.

Kentucky’s Notification Law does not include enforcement mechanisms or penalties, and it does not allow for a private right of action. Plaintiffs must rely on separate statutory or common law remedies to bring claims for violating the law. See Savidge v. Pharm-Save, Inc., No. 3:17-CV-00186-TBR, 2017 U.S. Dist. LEXIS 197635, 2017 WL 5986972 (W.D. Ky. Dec. 1, 2017).

2. Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931 – 61.934.

Existing law, enacted Jan. 1, 2015, requires agencies of Kentucky state and local governments to implement policies and procedures to protect confidential, sensitive personal information and to notify individuals if their information has been compromised. Within 72 hours of a breach, appropriate parties must be notified, which may include the Commissioner of the Kentucky State Police, Auditor of Public Accounts, and the Attorney General. The agency also must conduct a reasonable and prompt investigation to determine whether the breach “has resulted in or is likely to result in the misuse of personal information.”


After investigation, if a breach was determined to occur, the agency must provide notice to affected individuals within 35 days. As with the Kentucky Notification Law, notice shall not be made if it would impede a criminal investigation. Notice is not required for personal information that was/is: redacted, disclosed to a government entity, publicly available, consented to be made available, or in a court document. The Attorney General may bring an action in Franklin Circuit Court against any agency for injunctive relief and/or legal remedies to enforce this law, but it does not create a private right of action. Agencies also must establish and implement “reasonable security and breach investigation procedures and practices,” which must be written and in accordance with policies of the Commonwealth Office of Technology. Legislative and judicial branches of the government must also implement reasonable security breach investigation procedures and practices, including taking appropriate corrective action to safeguard against such breaches.

3. Recent revisions and amendments to data breach notification laws.

a. Trend towards more stringent notification laws.

In 2018, several states joined a growing trend by revising their notification laws to include explicit deadlines for notifying affected individuals, as opposed to requiring simply that entities do so without unreasonable delay. For example, Colorado enacted a 30-day deadline for notifying affected individuals while Alabama, Arizona, and Oregon all passed legislation requiring notification within 45 days of discovery of a breach, and Louisiana and South Dakota implemented a 60-day deadline. Massachusetts also enacted significant changes to its notification law, the specifics of which are discussed in Section A.3.b below.

b. Recent overhaul of Massachusetts notification law.

States have begun enacting increasingly stringent notification laws. Once new requirements are imposed in one state, they soon spread to other states as legislatures continue to expand the protections available to their residents and to add obligations on entities that hold their residents’ personal information. For example, Massachusetts recently amended its data breach notification law, expanding the information that must be reported to Massachusetts regulators in connection with a data breach involving the personal information of Massachusetts residents, imposing new requirements on compromised entities, and clarifying when entities are required to issue notice of a breach. These changes take effect on April 11, 2019. The changes to the Massachusetts data breach notification law are novel in nature and represent a trend toward more stringent requirements that could be adopted by more states as the threat of data breaches continues to increase.

Under the amendment, entities that have experienced a data breach involving the personal information of Massachusetts residents are required to inform the Massachusetts Office of the Attorney General and the Office of Consumer Affairs and Business Regulation “whether the person or agency maintains a written information security program” (WISP). Existing Massachusetts law requires “[e]very person that owns or licenses personal information about a resident of the Commonwealth [to] develop, implement, and maintain a comprehensive information security program.” 201 CMR §17.03(1). This new requirement will provide Massachusetts regulators with a mechanism to penalize entities that have failed to implement a compliant WISP.

Additionally, Massachusetts is now the fourth state to require companies to provide free credit monitoring services to affected individuals in data breaches involving Social Security numbers. California and Delaware require at least one year of credit monitoring services when Social Security numbers are compromised, Connecticut requires two years, and Massachusetts now requires 18 months. Interestingly, in the wake of recent breaches at credit reporting agencies, the amendment requires breached credit reporting agencies to provide 42 months of free credit monitoring services when Social Security numbers are involved. Further, affected individuals cannot be required to waive their private right of action as a condition of receiving the credit monitoring services.

The amendment also changes the contents required in breach notifications. For example, companies must now disclose to Massachusetts regulators the types of personal information compromised in the breach. Companies must also inform affected residents that they have the right to place a security freeze on their credit reports at no charge. Additionally, if a subsidiary is breached, the notification to affected residents must now include the name of the parent or affiliated corporations. Finally, the amendment clarifies that notice cannot be delayed on the grounds that the total number of residents affected by the breach is not yet known. Rather, companies must give notice “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach of a resident’s personal information.

B. Ohio Data Protection Act

On August 3, 2018, Governor John Kasich signed Senate Bill 220, also known as the Ohio Data Protection Act (O.R.C. §1354). Under the Act, eligible organizations may rely on their conformance to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. The Act is intended to provide organizations with a legal incentive to implement written cyber-security programs. In order to qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information; (2) protect against anticipated threats or hazards to the security or integrity of personal information; and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization. Additionally, the organization’s cybersecurity program must “reasonably conform” to one of the following cybersecurity frameworks:

1. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework;

2. NIST Special Publication 800-171, or 800-53 and 800-53A;

3. Federal Risk and Authorization Management Program’s Security Assessment Framework;

4. Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;

5. International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.

For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH). The legislation expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Rather, it seeks “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” This law will be the first in the nation which incentivizes businesses to implement certain cybersecurity controls by providing them with an affirmative defense. Many of the specified frameworks, like NIST, do not have a standard certification process, so proving that a security program conforms to the applicable framework may be difficult in some circumstances.

C. New York Cybersecurity Regulation, 23 NYCRR 500

Effective March 1, 2017, New York’s Cybersecurity Requirements for Financial Services Companies is a first-of-its-kind regulation in the U.S., establishing security requirements for banks, insurance companies, and other financial services institutions regulated by the N.Y. Department of Financial Services (“NYDFS”). It is a potential benchmark/model for states to follow. The law requires covered entities to establish a cybersecurity program to protect consumer data, a written policy approved by a board or senior officer, a Chief Information Security Officer to oversee data/systems protection, and controls to ensure network safety. The adopted programs must proactively assess risks and establish protections, as well as detect and respond to potential events. The regulation sets forth comprehensive actions companies must take that extend to vendor and third-party provider management. Duties may be triggered by any event that has a reasonable likelihood of materially harming normal operations, including unsuccessful attacks that raise potential concerns.

D. Equifax and Associated Legislation

The May-July 2017 Equifax breach compromised 147.9 million Americans’ names, Social Security numbers, birth dates, addresses, and driver’s license numbers. The breach affected 40 percent of Kentucky families. It prompted the attorneys general in various states to submit proposals for strengthening data breach protections and remedial measures. One such measure was signed into law by Governor Bevin on March 30, 2018. House Bill 46 amended KRS 367.365 to allow security freezes to be requested by methods established by the consumer reporting agency and to allow consumers to request a replacement personal identification number or password in the same manner as the original security freeze request. The law became effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.


On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 became effective on January 1, 2019.

E. California Consumer Privacy Act of 2018

The California Consumer Privacy Act (“CCPA”) was enacted on June 28, 2018, and further amendments to the CCPA were enacted on September 23, 2018. The CCPA becomes effective on January 1, 2020. The key components of the CCPA include new consumer rights as well as new compliance obligations for covered businesses. Consumers are provided the right to obtain their personal information collected by businesses in the prior 12 months and are entitled to know the categories of personal information collected, sold, and disclosed by the business, the categories of third-party recipients who received the personal information, and the uses of the consumer’s personal information. Consumers are further afforded the right to obtain deletion of personal information and to opt out of the sale of personal information. On the compliance side, businesses are required to assess and document data practices related to the collection, disclosure, and use of personal information and to publish specific contact information to allow consumers to exercise their rights. The act broadly applies to “businesses,” defined to include any for-profit legal entity (e.g., corporation, partnership, LLC) that does business in the State of California, that collects consumers’ personal information, and that meets one of the following thresholds:

• Has gross revenue in excess of $25,000,000;

• Buys, receives, or sells for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

• Derives 50 percent or more of its revenue from selling consumers’ personal information.

See Cal. Civ. Code §1798.140(c). The CCPA also broadly defines “Personal information” and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” See Cal. Civ. Code §1798.140(o). The Act creates a private right of action for any consumer whose “nonencrypted or nonredacted” personal information is subject to unauthorized access and exfiltration “as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate…to protect the information.” See Cal. Civ. Code §1798.150(a)(1). Specifically, under the Act, an affected consumer may institute a civil action to recover:

• Actual damages, or statutory damages between $100 and $750 (1) per consumer and (2) per incident, whichever is greater;[1]

• Injunctive and declaratory relief; and

• Any other relief the court deems proper.

See Cal. Civ. Code §1798.150(a)(1)(A)-(C). This section of the Act recognizes the ability of a consumer to bring a civil action individually, or on a class-wide basis, if certain notice requirements are met. See Cal. Civ. Code §1798.150(b). In addition to a private right of action, the CCPA also provides for administrative enforcement with penalties up to $2,500 ($7,500 if intentional) per violation. See Cal. Civ. Code §1798.155(b).

[1] The average data breach in the United States compromises approximately 31,465 records. See https://www.ibm.com/security/data-breach. With statutory damages between $100 and $750, a breach of California-based consumer records could cost between $3.15 million and $23.6 million in statutory damages alone.

F. European Union (EU) General Data Protection Regulation (GDPR)

The EUGDPR was approved by the EU Parliament on April 14, 2016, and replaces the former Data Protection Directive. The regulatory scheme has the goal of harmonizing data privacy across the EU and updating the prior directive, which was issued in 1995. The comprehensive regulation is a binding act that must be followed in its entirety by all organizations that process EU residents’ personal data, regardless of location. Enforcement began on May 25, 2018. The EUGDPR contains a broad definition of “Personal Data.” Under the regulation, “Personal Data” is any data related to a natural person that can be used to directly or indirectly identify that person. This includes a person’s:

• Name

• Email address

• Social network posts

• Uploads of images

• IP Address

The EUGDPR establishes a number of rights with regard to persons and their data. These rights include:

• Right to be forgotten: the right to require an organization to delete an individual's personal data without undue delay

• Right to object: the right to prohibit certain data uses

• Right to rectification: the right to require that incomplete data be completed or that incorrect data be corrected

• Right of access: the right to know what data about the individual is being processed and how

• Right of portability: the right to request that personal data held by one organization be transported to another organization

These rights must be accommodated by “data controllers,” which the regulation defines as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” The EUGDPR establishes a number of data security requirements with which data controllers and data processors must comply. A data processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The default rule under the EUGDPR security requirements is that data controllers and data processors should ensure that only personal data necessary for each specific purpose of processing is actually processed. Factors to be considered when determining compliance with this default rule include:

• Amount of personal data collected;

• Extent to which personal data is processed;

• Duration personal data is stored; and

• Access controls around personal data.


Controllers and processors are required to “implement appropriate technical and organizational measures” that take into account “the state of the art and costs of implementation” and nature of the processing and risks presented. Thus, controllers and processors must stay abreast of technological advancements, techniques, and risks in the area of data security, and be able to implement security actions that appropriately address and respond to risks as they emerge. The regulation includes several specific suggestions as to the types of security actions that might be considered “appropriate to the risk,” including:

• Pseudonymization and encryption of personal data;

• Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• Ability to restore the availability and access to personal data in a timely manner; and

• Establishment and maintenance of a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures.

The EUGDPR also contains breach notification provisions and requirements. Under these provisions, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event of a “personal data breach,” notice must be provided to the applicable Data Protection Authorities (DPAs), which are the independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. A DPA exists in each EU Member State. Notice to the appropriate DPAs must occur “without undue delay and, where feasible, not later than 72 hours” after discovery of the breach. If there is a delay in providing notice, the covered entity must provide a “reasonable justification” for the delay. Notice, however, is not required where the breach is unlikely “to result in a risk to the rights and freedoms of natural persons.” Notification to appropriate DPAs must include the following pieces of information:

• The nature of the personal data breach, including the number and categories of data subjects and personal data records affected;

• The data protection officer’s contact information;

• A description of the likely consequences of the personal data breach; and


• How the controller proposes to address the breach, including any mitigation efforts.

In certain circumstances, the EUGDPR requires the appointment of a Data Protection Officer (“DPO”). The appointment of a DPO is required in three specific cases:

• Where the processing is carried out by a public authority or body (includes companies that exercise control over);

• Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or

• Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.

The main role of a DPO is to assist and advise data processors and controllers regarding GDPR compliance. DPOs must be suitably qualified and report directly to the organization’s senior management. DPOs are also responsible for being the organization’s liaison with government officials. DPOs are also required to keep a register of all processing activities that involve personal data performed by the institution. The register must include explanatory information on the purpose of the processing operations and must be generally accessible within the organization and to regulators. The EUGDPR also contains a fine structure for violations of the regulation’s requirements. Under the EUGDPR, there are two tiers of administrative fines for non-compliance:

• Lower Level: Up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

o Controllers and processors under Articles 8, 11, 25-39, 42, 43

o Certification body under Articles 42, 43

o Monitoring body under Article 41(4)

• Upper Level: Up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

o The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9

o The data subjects’ rights under Articles 12-22


o The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49

o Any obligations pursuant to Member State law adopted under Chapter IX

o Any non-compliance with an order by a supervisory authority (Article 83(6))

In determining the tier and ultimate amount of the fine, member supervisory authorities use and consider the following criteria:

• Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing.

• Intention: whether the infringement is intentional or negligent.

• Mitigation: actions taken to mitigate damage to data subjects.

• Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance.

• History: (Article 83(2)(e)) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (Article 83(2)(i)) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines.

• Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement.

• Data type: what types of data the infringement impacts; see special categories of personal data.

• Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.

• Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct.

• Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement.

The EUGDPR also grants a private right of action to persons who suffer “material or non-material damage” as a result of a GDPR violation, which would include actions for pain and suffering and collective claims.


III. RECENT CYBERSECURITY/DATA BREACH CASES, ENFORCEMENT ACTIONS, AND SETTLEMENTS

A. Recent Data Breach Cases

1. Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x. 384 (6th Cir. 2016).

This is a recent case from the Sixth Circuit concerning standing in the event of a data breach. Here, the Sixth Circuit held that, while it may not have been “literally certain” that plaintiffs' data would be misused, a “sufficiently substantial risk of harm” exists when an individual’s data is exfiltrated through a data breach. For purposes of standing, the Sixth Circuit held that harm is not speculative where “data has already been stolen and is now in the hands of ill-intentioned criminals,” and that, in this specific case, the defendant’s offer of credit monitoring and ID-theft protection constituted recognition of the “severity of the risk” presented by the data breach. The Court held that when PII is stolen, it is “unreasonable to expect Plaintiffs to wait for actual misuse” before expending “time and money to monitor their credit, check their bank statements, and modify their financial accounts.” Accordingly, the harm that results from personal information being stolen or improperly accessed through a data breach is sufficient to confer standing.

2. In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., J.P.M.L. No. 2879 (U.S. Dist. MD).

As of February 6, 2019, 80 class actions had been filed against Marriott since news broke late last year that the personal information of 500 million Marriott International Inc. guests had been compromised. The consumers generally allege that Marriott took more than four years to discover the breach and then failed to notify its customers in a timely fashion. These class actions have now been consolidated in the U.S. District Court of Maryland, and the matter remains pending.

3. In re Equifax, Inc., Customer Data Security Breach Litigation, MDL Docket No. 2800, 362 F.Supp.3d 1295 (N.D. Ga. 2019).

The court rejected Defendants’ arguments that Plaintiffs had failed to adequately allege a violation of data breach notification statutes associated with the Equifax breach:

“According to the Defendants, the Complaint alleges that 41 days elapsed between Equifax's discovery of the Data Breach and the disclosure of the incident to the public. The Defendants contend these state data-breach statutes permit an entity time to determine the scope of a breach before notification, and several of the statutes even establish specific time limits. Therefore, according to the Defendants, their notification met the requirements of these statutes. However, the Court concludes that the Plaintiffs have adequately alleged a violation of many of these statutes. These statutes require notification, for example, in "the most expedient time possible and without unreasonable delay" and, for example, within a reasonable time. The Plaintiffs have alleged facts from which a jury could conclude that the Defendants did not provide notice within a reasonable time, as these notification statutes require. Therefore, the Court concludes that the Plaintiffs have adequately stated a claim.

*** Finally, the Defendants contend that the Plaintiffs have failed to allege any injury resulting from a delay in notification. According to the Defendants, the Plaintiffs have not alleged when any injury occurred, and thus have not alleged any damage occurring between the time that Equifax should have notified them of the Data Breach, and the time that Equifax did publicly disclose the Data Breach. However, the Target court rejected this exact argument. There, the court reasoned that such an argument is premature at this stage and that plaintiffs need only plead "a 'short and plain statement' of their claims" under Rule 8. The Plaintiffs note that they could have frozen their credit earlier, or taken other precautions. At this stage of the litigation, such allegations are sufficient.”

4. In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 U.S. Dist. LEXIS 140212, 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017).

The court rejected Defendants’ argument that “Plaintiffs have not pled facts showing how they were injured specifically as a result of Defendants’ purported notification delay,” as opposed to the “Data Breaches themselves”:

Plaintiffs allege that, as a result of the 2014 Breach, hackers stole the names, email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account “nonces” (cryptographic values unique to each account) of Yahoo account holders, and then “gained access to the email contents of all breached Yahoo accounts and thus any private information contained within those emails,” such as credit card information. See CCAC ¶¶ 1, 92. Moreover, once a hacker obtained access to a user’s email account the hacker could then “verify accounts and reset passwords” related to other accounts of Yahoo users. As a result of the Forged Cookie Breach, Plaintiffs allege that hackers remained logged into users’ email accounts for “weeks or indefinitely.” Id. ¶ 68. As a result of these Data Breaches, Plaintiffs Heines and Dugas experienced fraudulent charges on their accounts and fraudulent tax returns filed in their names, which resulted in harm to their credit scores and hours spent talking to the police, banks, and businesses. See CCAC ¶¶ 10, 12. According to the CCAC, Defendants were aware of the 2014 Breach as it was occurring in 2014, and yet Defendants did not notify Plaintiffs of the 2014 Breach until September 22, 2016, approximately two years later. See CCAC ¶ 73. Similarly, Plaintiffs allege that Defendants were aware of the Forged Cookie Breach as it was happening in 2015-2016, but that Defendants did not inform Plaintiffs of the Forged Cookie Breach until “February 2017,” one to two years later. See id. ¶¶ 80-82, 86.

A reasonable inference from these allegations is that if Plaintiffs had been aware of the Data Breaches a year to two years earlier, Plaintiffs could have taken earlier measures to mitigate the harms that they suffered from the Data Breaches. Most significantly, Plaintiffs could have changed their passwords. If Plaintiffs were able to change their passwords following the Data Breaches, the account information stolen during the Data Breaches would be useless to hackers because the information would be outdated. Plaintiffs also could have cancelled their Yahoo email accounts entirely. Moreover, even if Plaintiffs could not take these steps immediately, and thus even if hackers did access Plaintiffs’ Yahoo email accounts, Plaintiffs could have taken earlier steps to mitigate the fallout from their information being stolen, such as replacing their credit cards, freezing accounts, or placing credit alerts on their accounts. However, because Defendants delayed in notifying Plaintiffs of the Data Breaches for a year to two years, Plaintiffs could not take these mitigation steps, and thus Plaintiffs have plausibly alleged that they faced incremental harms. Accordingly, the Court finds that Plaintiffs have plausibly alleged incremental damages arising from Defendants’ unreasonable delay in notifying Plaintiffs of the 2014 Breach and the Forged Cookie Breach, as opposed to damages arising from only the Data Breaches themselves.

5. Commonwealth v. Equifax, Inc., No. 1784CV03009BLS2, 35 Mass.L.Rptr. 106, 2018 Mass. Super. LEXIS 66 (Apr. 3, 2018).

This case is a prime example of a state Attorney General bringing an enforcement action for violation of statutory and regulatory data security requirements. The Commonwealth's allegations stated a viable claim for violation of the data security regulations, 201 Mass. Code Regs. 17.03 and 17.04, because it alleged that a corporation knew it needed to patch its open-source code in order to keep its databases secure and that it failed to do so. The facts alleged plausibly suggested that the corporation owned or licensed data containing personal information within the meaning of the Massachusetts Data Breach Notification Law, Mass. Gen. Laws ch. 93H, §2, and the data security regulations because the corporation allegedly maintained its own proprietary database and sold reports containing consumers' personal information. The allegations plausibly suggested that the corporation engaged in the kind of unfair or deceptive misrepresentations that violated the Massachusetts Consumer Protection Act, Mass. Gen. Laws ch. 93A.

B. Recent Data Breach Enforcement Actions

1. NYDFS/Equifax (June 2018).

On June 27, 2018, just days after the NYDFS announced its finalized regulations that extend its cybersecurity measures to credit reporting agencies, it announced a consent order entered into with Equifax. Equifax is required to submit to regulators a list of all planned, in process, or implemented remediation projects; an independent party must test the controls related to remediation efforts and report on the effectiveness of those controls. The company must also provide quarterly written reports to regulators on the progress of its compliance with the provisions of the order. NYDFS was joined in the consent order by banking regulators in Alabama, California, Georgia, Maine, Massachusetts, North Carolina, and Texas.


2. SEC/Voya Financial Advisors Inc. (September 2018).

In September 2018, Voya Financial Advisors Inc. (“Voya”), a broker-dealer and investment advisor, agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information. The hackers infiltrated Voya’s proprietary web portal by impersonating Voya’s contractors over a six-day period in 2016, calling Voya’s support line and requesting that the contractors’ passwords be reset. The hackers used the new passwords to gain access to the personal information of 5,600 Voya customers. The improperly accessed customer information was then used to create new online customer profiles and to obtain unauthorized access to account documents for three customers.

The SEC charged Voya with violating Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. The SEC also stated that Voya failed to adopt written policies and procedures reasonably designed to protect customer records and information, and that it failed to develop and implement a written Identity Theft Prevention Program. The SEC’s order also found that Voya’s failure to terminate the hackers’ access to its portal and systems resulted from weaknesses in Voya’s cybersecurity procedures, some of which had been exposed during prior similar attacks. The SEC also found that Voya failed to apply its cybersecurity procedures to the systems used by its independent contractors. This was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. According to Robert Cohen, chief of the SEC Enforcement Division’s Cyber Unit, this case serves as “a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” and “[t]hey also must review and update the procedures regularly to respond to changes in the risks they face.”

C. High-Dollar Data Breach Settlements in 2018

As noted above, high-volume data breaches and violations of data security and notification requirements come with significant costs. Below are just a few of the high-dollar settlements from 2018 and early 2019 that are associated with cybersecurity and data breach issues:

1. Uber – $148 million: In September 2018, following an investigation by the FTC, Uber agreed to pay a record settlement of $148 million to settle issues associated with a 2016 data breach that involved (1) the theft of over 57 million customers’ personal data and (2) Uber’s subsequent attempts to pay the hackers for deletion of the data and their silence, rather than properly reporting the breach.


2. Anthem – $115 million: In 2018, a federal district court in California approved a $115 million settlement by Anthem to resolve several class actions resulting from the theft of Anthem plan members’ names, dates of birth, health insurance information, Social Security numbers, and other data elements.

3. Yahoo! – $85 million: In October 2018, Yahoo agreed to pay $85 million in damages and attorney fees to settle the breach of its email service in 2013. However, in January 2019, a federal judge denied approval of the settlement, stating that the lack of details regarding the total amount of the settlement rendered it insufficient.

4. Experian – $22 million: In January 2019, Experian reached a settlement in the amount of $22 million to resolve a consolidated class action regarding a breach of its systems in 2015.
