
Cynthia Larose is a Member in Mintz Levin’s Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach.

As our readers know, we maintain a summary of U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

During 2016, amendments to breach notification laws in five states went into effect (California, Nebraska, Oregon, Rhode Island and Tennessee). And by the end of last year, well over twenty states had introduced or were considering new regulations or amendments to their existing security breach laws. We expect there to continue to be significant regulatory activity in the data security space during 2017. As always, we will keep you abreast of changes and will release updated versions of our Mintz Matrix to keep pace with developments in the states.

We are keeping an eye out for signs of support for a national breach notification law.  So far, there does not appear to be much political motivation for undertaking this effort.  A key sticking point is anxiety among a number of states that a federal law would offer less protection than their existing state law.  This is a valid concern since a national standard will only alleviate the significant burden of complying with the present patchwork of state laws if it has broad pre-emptive effect.  Only time will tell if state and federal lawmakers can work together to develop a comprehensive nationwide regime for security breach notification and remediation.

In the meantime, we must keep tabs on the forty-seven states (along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands) with their own security breach laws.  Here is what’s been happening since our previous update in the Fall:

California

California amended its security breach law in order to require disclosure to affected residents (and to the Attorney General if more than 500 Californians are affected) when encrypted personal data is acquired by an unauthorized person together with an encryption key or security credential that could render the personal data readable or useable.

We note also that former Congressman Xavier Becerra recently took over as Attorney General in California, replacing Kamala Harris who aggressively pursued regulation in the privacy arena during her tenure as AG and who now serves California as one of its U.S. Senators.  Given this change in leadership, it will be interesting to see if the state continues to be a leader in pushing for stringent data security and privacy measures at the state and federal level.

Illinois

Last summer Illinois passed an amendment to its Personal Information Protection Act (“PIPA”) that significantly broadened protections for personal information and the obligations imposed on businesses that handle such data.  The amendment became effective on January 1, 2017 and made several key changes to PIPA:

  • Definition of Personal Information. PIPA’s definition of “personal information” has now been expanded to include medical information, health insurance information, and unique biometric data used for authentication purposes (examples cited in the statute are a fingerprint, retina or iris image, or unique physical representations or digital representations of biometric data). The amended definition also encompasses a user name or email address in combination with a password or security question and answer that would permit access to an online account when either the user name or email address, or password or security question and answer, are not encrypted or redacted.
  • Encryption Safe Harbor. While PIPA already provided a safe harbor for data collectors if data disclosed due to a security breach was fully encrypted or redacted, the amendment clarified that the safe harbor does not apply if the keys to unencrypt or unredact or otherwise read compromised encrypted or redacted data have also been acquired in connection with the security breach.
  • Nature of Notification. For security breaches involving a user name or email address in combination with a password or security question and answer, data collectors may now provide notice in electronic or other form to affected Illinois residents. Such notice must direct individuals to promptly change their user name or password and security question and answer, or to take other appropriate steps to protect all online accounts for which the affected resident uses the same user name or email address/password or security question and answer. The amended statute also provides an additional option for substitute notice when residents affected by a security breach are confined to one geographic area.
  • New Exemptions. The amendment added an exemption for data collectors who meet their obligations under applicable provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Any data collector that provides notice of a security breach to the Secretary of Health and Human Services pursuant to its obligations under HITECH must also provide this notification to the Illinois Attorney General within five business days of notifying the Secretary. This exemption will primarily apply to certain entities operating in the healthcare space. The amended statute also deems financial institutions subject to applicable provisions of the Gramm-Leach-Bliley Act in compliance with PIPA’s data security requirements.
  • Security Requirements. Beyond addressing breach notification, the amendment requires covered entities to implement and maintain reasonable security measures to protect records containing personal information of Illinois residents and to impose similar requirements on recipient parties when disclosing such personal information pursuant to a contract. The amended statute also requires state agencies to report security breaches affecting more than 250 Illinois residents to the Illinois Attorney General.

Massachusetts

For those information junkies out there! The Office of Consumer Affairs and Business Regulation (the “OCABR”) in Massachusetts has created a public web-based archive of data breaches reported to the OCABR and the Massachusetts Attorney General since 2007. The data breach notification archive is available at www.mass.gov/ocabr and includes information about which entity was breached, how many Massachusetts residents were affected, whether the breach was electronic or involved paper, and the nature of remediation services offered to affected residents.

It is always a good time to review your incident response plan and data privacy policies to bring everything in line with changes happening on the state level.

And now for the disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of the Mintz Levin privacy team or other experienced legal counsel when reviewing options and obligations in responding to a particular data security breach.

Make sure to get your February 2017 Mintz Matrix! Available here for downloading and always linked through the blog’s right-hand navigation bar.


What does your TV-watching history say about you? According to a recent lawsuit against VIZIO, Inc., it might be more than you think! One of the world’s largest sellers of “smart” televisions has recently paid a $2.2 million settlement following charges by the Federal Trade Commission and the Office of the New Jersey Attorney General that it was unlawfully tracking and selling 11 million consumers’ viewing data. The resulting court order has important repercussions for both consumers and smart TV producers. (Full post: “Who is Watching You Watch TV? If You Have VIZIO … Your TV Might Be Watching You”)


It’s that taxing time of the year. Employees have received W-2 forms and the tax filing season has begun in earnest. And, as night follows day, last year’s W-2 spear-phishing scam has returned. The IRS and state tax authorities have issued a new alert to HR and payroll departments to beware of phony emails intended to capture personal information of employees. The emails generally appear to be from a senior executive (typically the CEO or CFO) to a company payroll office or HR employee and request a PDF or list of employee W-2 forms for the tax year. Those forms contain all the information any cybercriminal needs to file a fraudulent tax return for a tax refund. That scam cost the US taxpayer about $21 billion in 2016. Over 70 companies fell victim to the 2016 scam and hundreds of thousands of employee records, including Social Security numbers, were compromised.

To refresh your memory, here are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

We’ve already seen some activity on this front being reported from around the country. These incidents not only create angst for employees, but they constitute data breaches reportable under state law because personal information has been exposed to an unauthorized (and unknown) individual and the risk of identity theft is high. Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

Employees Are Front Line of Defense

These emails look absolutely legitimate. That is what makes them so effective. The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t even be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters “off” from the company’s legitimate domain name, such as substituting the number one (1) for the letter “l” or replacing a “.org” with a “.com”. The more sophisticated attacks may utilize information obtained from LinkedIn® or social media designed to lull the target into a false sense of trust.

Awareness of these attacks is the key for employees.

Train employees — particularly HR and payroll employees — who handle sensitive information to be wary of direct requests for personal information from company executives. Send out samples of such emails and establish a campaign to raise employee consciousness. A bit of skepticism goes a long way in protecting against this type of attack. Confirmation of this type of request should be standard operating procedure, no matter who appears to have sent it. Your company’s IT department should also be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.

Ask. Since we have already seen reports of these attacks very early in this tax year, it is time to check in and ensure that your company has not already fallen victim. It’s important to respond quickly to reduce total damage to the organization and, most importantly, to your employees. Affected individuals can protect themselves with certain forms filed with the IRS – but it’s only effective if they know soon enough.
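As an added illustration (not part of the original post), here is a small Python triage script that applies the checks described above to constructed sample emails: a sender domain a few characters “off” from the company’s (the 1-for-l substitution and the .org/.com swap), a Reply-To address that differs from the visible From address, and W-2 request wording. The company domain `examplepayroll.org`, the executive name and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# The company's real domain; a constructed value for this example.
LEGIT_DOMAIN = "examplepayroll.org"

# Characters attackers swap for look-alikes (the post's "1 for l" trick plus a
# few similar ones). Folding both sides lets near-identical labels compare equal.
_FOLD = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})

# Phrases taken from the sample W-2 requests quoted in the post.
W2_PHRASES = ("w-2", "w2", "earnings summary", "wage and tax statement",
              "social security number", "list of employees")


def fold(label: str) -> str:
    """Collapse confusable characters so 'examp1epayro11' equals 'examplepayroll'."""
    return label.lower().translate(_FOLD).replace("rn", "m")


def registrable(domain: str) -> tuple:
    """Split 'mail.example.org' into ('example', 'org'). Assumes a two-label
    registrable domain; public suffixes such as co.uk are not handled."""
    parts = domain.lower().split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (domain.lower(), "")


def classify_domain(candidate: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify a sender domain relative to the company's legitimate domain."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit or candidate.endswith("." + legit):
        return "legitimate"
    c_label, c_tld = registrable(candidate)
    l_label, l_tld = registrable(legit)
    if c_label == l_label and c_tld != l_tld:
        return "tld-swap"              # examplepayroll.com vs examplepayroll.org
    if fold(c_label) == fold(l_label):
        return "lookalike-confusable"  # examp1epayro11 vs examplepayroll
    return "unrelated"


def analyze_message(raw: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Flag a single-part text message that looks like a W-2 phishing request."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = ("" if msg.is_multipart() else msg.get_payload()).lower()
    reasons = []
    verdict = classify_domain(from_domain, legit)
    if verdict != "legitimate":
        reasons.append(f"From domain {from_domain!r} is {verdict}")
    # The Reply-To is where the W-2s would actually go, and is easy to overlook.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From and "
                       f"is {classify_domain(reply_domain, legit)}")
    hits = [p for p in W2_PHRASES if p in body]
    if hits:
        reasons.append("body requests W-2/PII data: " + ", ".join(hits))
    if any(not r.startswith("body") for r in reasons):
        action = "report to IT; do not reply"
    elif hits:
        action = "confirm out-of-band before sending"  # SOP whoever the sender is
    else:
        action = "none"
    return {"from_domain": from_domain, "reply_domain": reply_domain,
            "reasons": reasons, "action": action}


# Constructed sample messages modelled on the requests quoted in the post.
SPOOFED_HOMOGLYPH = """From: "Jane Doe, CEO" <jane.doe@examp1epayro11.org>
Subject: Quick review

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all staff.
"""
SPOOFED_REPLY_TO = """From: Jane Doe <jane.doe@examplepayroll.org>
Reply-To: jane.doe@examplepayroll.com
Subject: Employee list

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
"""
INTERNAL_W2_QUESTION = """From: Jane Doe <jane.doe@examplepayroll.org>
Subject: W-2 mailing date

Can you confirm when W-2 forms go out to staff this year?
"""
```

The third sample comes from the real domain yet still asks about W-2s, so the script returns “confirm out-of-band” rather than “none”, mirroring the advice that confirmation is standard procedure no matter who appears to have sent the request.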


The Mintz Levin Privacy team is here to help with employee training or preparing a plan to respond to an incident.

The Securities and Exchange Commission (SEC) is investigating whether Yahoo! should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. The SEC will probably question Yahoo as to why it took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users. The September 2016 disclosure came to light while Verizon Communications was in the process of acquiring Yahoo. As of now, Yahoo has not publicly confirmed the reason for the two-year gap. In December of 2016, Yahoo also disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts. As Yahoo appears to have disclosed that breach near in time to discovery, commentators believe that the SEC is likely to be less concerned with it.

After a company discovers that it has experienced an adverse cyber incident, it faces a potentially Faustian choice: attempt to remediate the issue quietly and avoid reputational harm, or disclose it publicly in a way that complies with SEC guidance, knowing that public knowledge could reduce public confidence in the company’s business and could even prove to be the impetus for additional litigation.

Part of the issue may be that while the SEC has various mechanisms to compel publicly traded companies to disclose relevant adverse cyber events, including its 2011 guidance, exactly what and when companies are required to disclose has been seen as vague. Commentators have argued that companies may have a legitimate interest in delaying disclosure of significant adverse cyber incidents to give law enforcement and cyber security personnel a chance to investigate, and that disclosing too soon would hamper those efforts, putting affected individuals at more risk.

Even so, many see the two-year gap between Yahoo’s 2014 breach and its September 2016 disclosure as a potential vehicle for the SEC to clarify its guidance, due to the unusually long time period and large number of compromised accounts. As a result of its investigation, it is possible that the SEC could release further direction for companies as to what constitutes justifiable reasons for delaying disclosure, as well as acceptable periods of delay. As cybersecurity is one of the SEC’s 2017 Examination Priorities, at a minimum, companies should expect the SEC to increase enforcement of its existing cybersecurity guidance and corresponding mechanisms. Whatever the SEC decides during its investigation of Yahoo, implementing a comprehensive Cybersecurity Risk Management program will help keep companies out of this quagmire to begin with.

If you have any questions regarding compliance with SEC cyber incident guidance, please do not hesitate to contact the team at Mintz Levin.

With Inauguration Day upon us, it’s time for a #MLWashingtonCyberWatch update.   President-elect Donald Trump has vocalized his support for the future of “cyber” throughout his campaign – but how will members of his cabinet act, or refuse to act, on his vision for that future?

During the past two weeks, the United States Senate has been holding confirmation hearings for Mr. Trump’s cabinet selections. Pointed questioning from senators has surfaced many issues of critical importance to the American people, among them the future of privacy and cybersecurity. The incoming administration will confront significant issues in these areas such as the use of back-door encryption, mass data collection and surveillance, and international cybersecurity threats. The nominees for Attorney General, Secretary of the Department of Homeland Security (“DHS”), and Director of the Central Intelligence Agency (“CIA”) were each questioned about how they will navigate these concerns as part of the Trump Administration. In this installment of #MLWashingtonCyberWatch we are discussing highlights from these hearings. (Full post: “#MLWashingtonCyberWatch: Nominees Discuss Future of Cybersecurity”)

The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-Link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.

Overview

Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safely locked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the setup process for a D-Link device with an online interface. As the FTC explains in its lawsuit, claims like those made by D-Link are not only misleading but also dangerous.

Despite an apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that D-Link neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint filed in a U.S. District Court in California on January 5, 2017. These lapses, and D-Link’s deceptive advertising, prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.

As of January 10th, D-Link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.

The growing IoT problem

In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection. For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous Wi-Fi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber-attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.

Search for solutions

Both the FTC and the National Institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices. As we wrote about recently, the Obama administration had also left the Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIs. Indeed, incentivizing solutions rather than quietly overlooking mistakes, and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.

It’s a new year, and time for the Financial Industry Regulatory Authority (FINRA)’s annual Regulatory and Examination Priorities Letter (the “2017 Letter”). We remind regulated entities of this list of examination priorities every year, because cybersecurity appears high on the list every year. 2017 is no exception.

The 2017 Letter

FINRA has been increasing its on-site examinations and enhanced risk-based surveillance “to apply a nationally consistent approach to identify and focus on material conduct at firms…” Among the operational risks listed in the 2017 Letter, Cybersecurity is listed first, and according to FINRA, “remain[s] one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks.”

Firms should be prepared for FINRA reviews of methods for preventing data loss, including understanding of data (e.g., its degree of sensitivity and the locations where it is stored) and its flow through the firm, and possibly to vendors. FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, FINRA has been known to review how firms manage their vendor relationships, including the controls to manage those relationships, and this line of examination is expected to continue. Importantly, the 2017 Letter recognizes the nature of the “insider threat” and expresses FINRA’s intent to inquire into what controls firms have in place to acknowledge and manage that “insider threat”. According to the 2017 Letter: “The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.”

The WORM Actions

As if to emphasize the seriousness of the inquiries, FINRA issued a series of Letters of Consent at the end of December, levying fines totaling $14 million against 12 firms, and discussed the record-keeping requirements at the core of the December regulatory actions in its 2017 Letter.

Specifically, Securities & Exchange Commission and FINRA rules require member firms to maintain certain electronic records in a non-erasable, non-rewritable format, known by the acronym WORM, for “Write Once, Read Many”. This format prevents the alteration or destruction of records stored electronically.

In its press release, FINRA explained that WORM format requirements are essential to FINRA’s investigative duties. FINRA noted how the volume of sensitive financial data stored electronically by members had risen exponentially in the past decade. This increase in the amount of sensitive information stored by FINRA members coincides with increasingly aggressive attempts to hack into electronic data repositories. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.”

FINRA found that each of the 12 fined firms failed to follow required document retention regulations in various ways outlined in the Letters of Consent.

Brad Bennett, FINRA’s current chief of enforcement, will be stepping down shortly. #MLWashingtonCyberWatch will be keeping an eye on what, if any, changes may come with the new administration in 2017. Only time will tell whether FINRA will continue its aggressive enforcement actions or if we will see a softening of FINRA’s actions. Regardless of the regulatory inquiries, firms should continue to take actions to improve cybersecurity resilience and investor protection. For a quick review of the FINRA Report on Cybersecurity Practices, check out our webinar recording.

The New York State Department of Financial Services has announced — much to the relief of the multitude of financial services companies and insurers regulated by DFS — that it will revamp its recently proposed cybersecurity rule. After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.

As we previously wrote, the NYDFS had announced its original proposed rule in September. The initial proposed rule, which was due to go into effect on January 1, 2017, immediately received criticism from financial institutions. The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity. In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few. In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.

Other notable revisions include: a limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trail requirements, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event. The full text of the proposed rule can be found here.

The rule will again be subject to a 30-day comment period.  The department will focus its final review on new comments not raised previously.

Once implemented, this will be the first rule of its kind in the United States. All financial institutions under the jurisdiction of NYDFS — including banks, lenders, insurers, mortgage companies, and money services businesses — should carefully evaluate the requirements and consider submitting public comments. Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).


Google’s recent changes to its privacy policy are coming under fire from a complaint filed late last year with the Federal Trade Commission (“FTC”) that accuses the company of downplaying “transformational change” in its handling of user data.  #MLWashingtonCyberWatch will be keeping track of how the 2017 FTC addresses this complaint.

On June 28, 2016, Google notified its users of changes to its privacy policy that would “give you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.” However, a complaint submitted by advocacy groups Consumer Watchdog and Privacy Rights Clearinghouse on December 5th (the “Complaint”) alleges not only that the changes themselves violate previous agreements between Google and the FTC as well as Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, but also that the announcement of these changes intentionally misled users who, in the words of the Complaint, “had no way to discern from the wording that Google was breaking from a nearly decade-old practice.” (Full post: “#MLWashingtonCyberWatch: 2017 FTC and Google Complaint”)