California Passes Internet of Things Law

California continues to pave the way for privacy and cybersecurity legislation as Governor Brown recently signed the first Internet of Things (“IoT”) security law in the United States (SB-327).

While connected devices offer users convenience and efficiency, California lawmakers recognized that such devices also raise serious security and privacy issues. The stated purpose of SB-327 is “to ensure that [I]nternet-connected devices are equipped with reasonable security measures to protect them from unauthorized access, use, destruction, disclosure, or modification by hackers.” Lawmakers identified several concerns, including physical dangers posed by connected cars and medical devices (e.g., connected insulin pumps that can be hacked to deliver lethal doses), as well as concerns over hacks of connected devices to create “botnets,” which have already resulted in major Internet crashes and Denial of Service attacks (attacks intended to prohibit authorized users from accessing networks or devices).

SB-327 has received criticism for its vague terminology, which critics argue fails to provide covered entities with clear direction, thereby preventing them from knowing whether they achieved compliance. Some have also said that SB-327’s requirements are not strict enough. Others applauded the law, saying that despite potential flaws, it was a necessary step in the right direction.

What does SB-327 Require?

Manufacturers must equip connected devices with “reasonable” security features. The bill lacks specificity but, at a minimum, the security features must be (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit; and (3) designed to protect information contained on the device from unauthorized access, destruction, use, modification, or disclosure.

Subject to (1)-(3) in the preceding paragraph, if a device provides a method of authentication outside a local area network (i.e., a remote method of verifying the user’s authority to access the device), it will be deemed to have a reasonable security feature if the manufacturer includes (1) preprogramed passwords that are unique to each device, or (2) a feature requiring a user to generate a new means of authentication before the device can be accessed for the first time (e.g., password set-up, verification code, etc.).

Who does SB-327 Apply to?

Companies that manufacture, or contract to manufacture, connected devices that are sold in or offered for sale in California. Notably, the law does not apply to companies that “contract only to purchase [] connected device[s], or only to purchase and brand [] connected device[s].”

Who Enforces SB-327?

Unlike the recent California Consumer Privacy Act of 2018, SB-327 does not provide a private right of action, nor does it include specific monetary penalties. Rather, enforcement authority belongs exclusively to the Attorney General, a city attorney, a county counsel, or a district attorney.

When does SB-327 go into Effect?

The law is currently scheduled to go into effect on January 1, 2020.

Tagged with: , , , , , ,
Posted in Data Security, Internet of Things

Recent Decision Sends Companies Rushing to Review Browsewrap Agreements

A California federal court recently held in Rushing v. Viacom, Inc. that an arbitration provision in Viacom’s End User License Agreement (“EULA”) was one click shy of enforceability, and denied the company’s motion to dismiss claims against it pending arbitration. Plaintiffs did not receive sufficient notice of the provision when downloading a children’s game called Llama Spit Spit, the court found, because the user could access the application without clicking on the link to the EULA.

The court relied on this fact in rejecting Viacom’s contentions that the plaintiff had either actual or constructive notice of the arbitration provision. Viacom attempted to establish actual notice by arguing that the underlying complaint contained a quote from the section of the app description that also notifies readers that “use of [the] app is subject to the Nickelodeon End User License Agreement” and that the EULA contains an arbitration provision.

That argument fell flat, the court reasoned, because to read that description the plaintiffs would have had to click a hyperlink titled “more” — and the plaintiffs could have downloaded the app without doing so. “In this circumstance, the mere fact that the complaint happens to quote from the same section of the app description that helps Viacom on this motion is not at all sufficient for Viacom to carry its burden of proving actual notice by a preponderance of the evidence,” the court concluded.

Likewise, Viacom failed to show that the plaintiffs had constructive notice of the arbitration provision. The EULA in question is a “browsewrap agreement,” to which a user agrees simply by using the website. The validity of this type of agreement “turns on whether the website puts a reasonably prudent user on inquiry notice of the terms of the contract,” the court noted. Again, the “more” hyperlink sunk Viacom’s argument for enforceability. The court reasoned that because there was no need for users to click on that hyperlink to download and use the app, and nowhere else were they warned that using the site constituted acceptance of the EULA, they could not be held to its terms.

Key Takeaway: The Rushing case serves as a reminder that arbitration is a creature of contract, and basic rules of offer and acceptance apply. As noted by the court: “A user cannot accept an offer through silence and inaction where she could not reasonably have known that an offer was ever made to her.” At least in this instance, an arbitration provision in an EULA tucked behind an ignorable hyperlink did not get the job done.

Tagged with: , , ,
Posted in Litigation

Anthem Agrees to Record Data Breach Settlement

In the wake of the largest U.S. health care data breach in history, Anthem, Inc., has agreed to pay $16 million to the Office for Civil Rights, which is a record settlement for alleged HIPAA violations. According to the Department of Health and Human Services (“HHS”), the previous high was a $5.55 million settlement paid in 2016. In addition to the monetary payment, Anthem has also agreed to take “substantial” corrective action to prevent a similar breach from occurring in the future.

The settlement arose out of a 2014 breach involving the electronic protected health information (“ePHI”) of nearly 79 million people. On January 29, 2015, Anthem discovered that hackers had gained accessed to its IT system through a persistent threat attack. Further investigation revealed that hackers had sent spear phishing emails to one of Anthem’s subsidiaries and at least one employee took the bait. Through that seemingly simple act, the hackers were then able to infiltrate Anthem’s system and compromise its stored ePHI, consisting of names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

Anthem has already agreed to settle the class action litigation filed on behalf of its consumers, which was approved in August of 2018. Anthem will pay $115 million to approximately 19 million consumers, which includes a pool of $15 million for out-of-pocket expenses, along with free credit monitoring and identity theft protection services. Anthem also agreed to nearly triple its annual spending on data security for the next three years and implement various cybersecurity controls and reforms, such as changing its data retention policies, adhering to specific remediation schedules, and conducting annual IT security risk assessments and settlement compliance review.

The Anthem breach places the spotlight squarely on the need for employee education and training, emphasizing that data security is as much a people problem as it is an IT problem. The best security measures in the world are only as good as those implementing them. As hackers become more sophisticated, companies who maintain sensitive data must become more vigilant, as even a minor lapse like opening a suspicious email can have devastating consequences. Indeed, as HHS noted in its press release, “OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI” well before the breach was discovered. You can read HHS’s press release here.

With cybersecurity experts stressing that being hacked is a not a question of if, but when, we would all do well to heed Ben Franklin’s advice that “an ounce of prevention is worth a pound of cure.”

Tagged with: , , , , , ,
Posted in Cyberattack, Data Breach, Data Security, HIPAA, OCR

Key Takeaways from the California Consumer Privacy Act of 2018

On June 28, 2018, a month after the European Union’s General Data Protection Regulation went into effect, California passed its own comprehensive piece of privacy legislation—the California Consumer Privacy Act of 2018 (“CCPA”).  The bill was passed as part of an effort to give California residents the “ability to protect and safeguard their privacy” as a result of increased consumer awareness over privacy issues such as those involving Cambridge Analytica. Due to how quickly the bill made its way through the legislature, it lacks clarity in many areas.  It is likely that the bill will undergo several amendments between now and its enforcement date of January 1, 2020 and as such, businesses and those in charge of compliance should stay abreast of further developments.

As drafted, the CCPA affords California residents the right to: (1) know what personal information is being collected about them, (2) know whether their personal information is sold or disclosed and to whom, (3) say no to the sale of personal information, (4) access their personal information, and (5) receive equal service and price, even if they exercise their privacy rights.  The key takeaways of the current version of the CCPA are as follows: Read more ›

Tagged with: ,
Posted in Regulations

Technical FACTA Violation Insufficient to Confer Standing

A federal court in Texas cut short a putative class action alleging violation of the truncation requirement under the Fair and Accurate Credit Transactions Act (FACTA), sending a clear message to plaintiffs that minor inconvenience flowing from a procedural violation of FACTA does not establish standing. This decision comes as more good news to the defense bar, as it joins a growing list of cases extending the U.S. Supreme Court’s watershed Spokeo decision to cases brought under FACTA.

The plaintiff sued Houston-based restaurant company Luby’s, Inc. after twice purchasing meals using his debit card and receiving computer-generated receipts displaying more than the last five digits of his card number. FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction.” 15 U.S.C. § 1681c(g)(1). Thus, the plaintiff alleged a clear violation of the statute.

But that isn’t enough, the court held, granting the defendant’s motion to dismiss for lack of subject matter jurisdiction and rejecting the plaintiff’s argument that simply alleging a statutory violation is sufficient to confer standing. “The Fifth Circuit has not had the occasion to consider the question of standing in a case involving a FACTA violation,” the court noted. “The U.S. Supreme Court’s holding in Spokeo, Inc. v. Robins, however, is instructive and does not support the plaintiff’s position,” reasoned U.S. District Judge Kenneth M. Hoyt.

Under Spokeo, a plaintiff must show an actual injury flowing from the statutory violation in question. That injury must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” As a consequence of receiving the offending receipts from Luby’s, the plaintiff alleged that he had to check his bank statements and credit report to ensure that he was not the victim of identity theft. Further, he argued that the defendant’s statutory violation “wrongfully placed a burden on [him] to make sure the receipts were either destroyed or secured.”

The court made short work of these allegations, holding that such inconveniences do not rise to the level of actual injury. Further, because it was undisputed that the plaintiff discovered the violation immediately and the receipts remained in his possession, there was no impending risk of harm. So the court sent the plaintiff packing pursuant to Fed. R. Civ. P. 12(b)(1) — and gave the defense bar an additional arrow in their 12(b)(1) quiver.

Tagged with: , , , , ,
Posted in Litigation, Privacy

Updated SEC Guidance Highlights Importance of Solid Cybersecurity Policies and Procedures

The Securities and Exchange Commission (“SEC” or “Commission”) has given public companies a heads up on where the Commission is setting its sights in the ever-developing world of cybersecurity. Here’s what you need to know, and what you need to do, to stay on the right side of the SEC.

Public companies have experienced some significant and high-profile data breaches since the SEC issued its previous cybersecurity guidance in 2011. In light of the issues we have seen in recent years, the SEC released a new interpretive guidance (available here), updating the 2011 document and emphasizing the importance and complexity of companies’ reporting obligations as they relate to cybersecurity.

Two topics included in the new guidance did not appear in the prior version, and therefore should be particularly heeded: (1) the need for public companies to have strong cybersecurity policies and procedures in place; and (2) how prohibitions on insider trading apply in the cybersecurity arena. The new guidance also drives home the SEC’s continuing commitment to monitoring cybersecurity-related disclosures.

The guidance makes clear that a head-in-the-sand approach to cybersecurity issues is not an option. Effective, proactive disclosure protocols and procedures are essential elements of appropriately handling cybersecurity threats (potential or actualized), the guidance notes, and “the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks that the company has faced or is likely to face.”

The SEC also reminds public companies that cybersecurity policies and procedures must address insider trading, because information about a cybersecurity incident can easily fall under the “nonpublic material information” umbrella. When in possession of such information, directors, officers, and other corporate insiders must not trade company securities.

While the guidance contains many details that public companies should study carefully, the overarching lesson is that the SEC is taking cybersecurity very seriously and seems to be taking the position that the best defense is a good offense. Cozen O’Connor’s cybersecurity team stands ready to help companies develop and implement effective policies and procedures to minimize risk and maximize compliance with SEC rules and regulations as they relate to cybersecurity.

Tagged with: , , , , , ,
Posted in Data Security, Privacy, Regulations

EU’s New Privacy Law—What You Need to Know

The European Union (EU) Parliament’s new data privacy law, known as the General Data Protection Regulation (GDPR), is set to become enforceable in all EU member states on May 25, 2018, just six months from now. The GDPR replaces the former Data Protection Directive.

Among other things, the GDPR provides new clarity about the applicability of its regulations to U.S. companies without data processing establishments in the EU. Under the old Directive, it was ambiguous as to whether U.S. companies without a physical presence in Europe were subject to its requirements. That ambiguity has been removed. The new Regulation states that, regardless of the location of a data processing establishment, the GDPR applies to all companies processing personal data of EU residents.

This expansion of jurisdiction is arguably the biggest change to the EU privacy laws. And it is of utmost importance for U.S. companies conducting business in the EU to understand and comply with the GDPR because violations come with heavy penalties.

Here are some of the GDPR’s key provisions:

  • Penalties – penalties can be as high as 4 percent of annual global turnover or €20 Million, whichever is greater.
  • Consent – requests for consent must be simple and easy-to-read, and include the purpose for data processing.
  • Withdraw – withdrawing consent must be as easy as providing consent.
  • Breach notification – notification must be made within 72 hours of first awareness of an incident in all EU member states where the breach is likely to “result in a risk for the rights and freedoms of individuals.”
  • Rights to access – rights are expanded as data subjects can request confirmation as to whether his/her personal data is processed, where and for what purpose. When requested, an electronic copy of the personal data shall be provided to the data subject, free of charge.
  • Right to be forgotten – the right to be forgotten allows the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
  • Data Portability – this new concept allows a data subject to request a data controller to transmit his/her data to another controller.
  • Privacy by Design – requires the inclusion of data protection from the onset of the designing of systems, rather than as an addition.
  • Data Protection Officer – controllers and processors whose core activities include regular and systematic monitoring of data subjects must appoint a data protection officer.

Again, the scope of the GDPR extends to all companies that process the personal data of any EU residents, even if your company does not have a physical presence in Europe, so keep the above concepts in mind as we head into the new year.

Tagged with: , , , , , , ,
Posted in Data Security, Privacy, Regulations, Standards

Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.
Tagged with: , , , , , , ,
Posted in Data Breach, Data Security

Financial Services Committee Rounds Out Equifax Hearings

The House Financial Services Committee this morning rounded out a full week of congressional hearings for former Equifax CEO Richard Smith. Chairman Jeb Hensarling (R-TX) reiterated his earlier calls for national standards for data security and breach notifications.

Ranking Member Maxine Waters (D-CA) blasted the “stranglehold” that credit reporting agencies have on the American consumer and touted her newly introduced bill, H.R. 3755, the Comprehensive Consumer Credit Reporting Reform Act. H.R. 3755 would shift the burden of fixing credit mistakes towards the agencies and away from consumers. It would additionally limit the use of credit reports in the employment background check process.

Ranking Member Waters questioned the relevance of Smith’s presence before the committee, arguing that since he is no longer a permanent member of Equifax he cannot adequately inform Congress of the steps the company is taking to address the breach. Smith defended the relevancy of his testimony, stating that he is still an advisor to company leadership.

With five panel hearings completed, both the House and Senate have had extensive opportunity to both criticize Equifax for its shortcomings and gather information on the breach itself. Whether Congress will use this information and come to a consensus on how to ensure consumers’ rights are protected in the future remains to be seen.

 

Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy

Equifax Hearings – Round Three

Richard Smith, former Chairman and CEO of Equifax, faced his third congressional hearing in two days, appearing this afternoon before the Senate Judiciary Committee’s Privacy, Technology, and the Law Subcommittee to discuss the recently revealed Equifax data breach and efforts to monitor data broker cybersecurity.

In a departure from the previous Equifax hearings, members of the committee were more reserved in their criticism of the consumer credit agency, adopting a stern but not aggressive tone on both sides of the aisle. Ranking Member Al Franken (D-MN) also broke from the pattern of previous hearings by addressing not only the consumer protection implications of the breach but national security concerns as well.

Another dissimilarity with previous Equifax hearings was the subcommittee’s decision to feature a second panel of expert witnesses instead of focusing its attention solely on Smith. In the second witness panel, subcommittee members heard from Jamie Winteron, the Director of Strategic Research Initiatives at Arizona State University’s Global Security Initiative, and Tyler Moore, an assistant professor of cybersecurity and information assurance at the University of Tulsa’s Tandy School of Computer Science.

The Judiciary subcommittee’s relatively subdued tone and focus on industry experts likely reflects the members’ desire to use the hearing to arrive at a substantive solution rather than to pile on the chorus of voices criticizing Equifax. Nevertheless, Smith will appear one more time before Congress this week at a hearing before the House Financial Services Committee on Thursday morning.

 

Tagged with: , , , , , , ,
Posted in Cyber crimes, Cyberattack, Data Breach, Data Security, Legislation, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Receive Email Updates

Email:

Cozen O’Connor Blogs