Recently, a Google researcher discovered a serious flaw with the content delivery network (CDN) provided by CloudFlare.  This vulnerability has now become known as Cloudbleed, in a nod to the earlier Heartbleed SSL vulnerability.  The Cloudfare CDN allows users of the service to have their content stored at Cloudflare Network Points of Presence (PoPs) rather than a single origin server.  This reduces the amount of time it takes to serve websites in disparate geographical locations.  The service is popular, with Cloudflare having over five million customers, including Uber, OkCupid, and FitBit.

The Cloudbleed vulnerability involved a situation where sensitive data was inadvertently displayed or “leaked” when visiting a website that used certain Cloudflare functionality.  Cloudflare has estimated that the leak was executed 1,242,071 times between September 22nd and February 18th.  Search engines such as Bing, Yahoo, Baidu and Google also cached the leaked data.  The researcher who discovered the leak found all sorts of sensitive data being leaked, including private messages from major dating sites, full messages from a well-known chat service, online password manager data and hotel bookings, passwords and keys.

The Clouldbleed vulnerability is a reminder that companies that leverage external vendors to receive, process, store, or transfer sensitive data must find ways to reduce the risk created by the relationship to an acceptable level.  We have three steps that companies should consider taking to accomplish this.  

First, companies should understand how external vendors will interact with their data flows.  Companies that leverage Cloudflare services have given it access to sensitive data, including private messages, passwords, and keys.  The risks of providing this data to external vendors cannot be understood if the company itself does not understand at a senior organizational level what is being transferred.  Ask questions about the proposed procurement of vendor-provided services to understand what interaction the service/vendor has with your data.

Second, companies should make sure that they have permission to transfer user data to third parties, based on its existing terms of use and privacy policy documents that the relevant data subjects have agreed to.  Generally speaking, in most cases, the company collecting the data from the data subject will remain responsible for any issues that occur downstream, including loss or breach of the data through a third party vendor relationship.

Third, companies should carefully negotiate their vendor contracts in light of their own risk tolerance.  The contract should contemplate the data at issue, including by type and category, such as private messages and passwords, and should to the extent feasible transfer all risk of a breach on the vendor side to the vendor.  In many cases, it will be appropriate to require that the vendor carry insurance to satisfy its obligations under the agreement, including data breach remediation should it become an issue.

Companies with any questions regarding this process should not hesitate to contact the Privacy and Security team at Mintz Levin.

 

Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals.  The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes.  The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims. Continue Reading Does Class Settlement Of Bank Claims In Home Depot Data Breach Litigation Pass The “Superiority” Test?

The European Union’s General Data Protection Regulation (the “GDPR”) goes into effect in a little over fourteen months and from a quick glance at our bullet points analysis you can see there is a lot to consider.  One crucial aspect you need to be thinking about now is how your organization collects and manages consents from individuals for processing their personal information.  Without a strong understanding of what valid consent means under the GDPR, before long you may find yourself holding valuable data that you are not able to process as you need to for your business.

To this end, the Information Commissioner’s Office (the “ICO”), the data protection authority for the UK, last week published a consultation draft of its GDPR consent guidance.  This is a practical resource meant to help organizations get to grips with the GDPR’s consent requirements and align their internal procedures and processing activities, as well as their customer-facing websites, marketing materials, and product infrastructure.   Although the UK ICO cannot speak for the other EU data protection authorities, they have a good track record of producing practical guidance set out in accessible language, which makes the ICO website a good first stop for US companies seeking to understand their obligations in the EU.  We encourage you to review this helpful resource and provide feedback to the ICO using their comment form by March 31.  We also offer this high-level snapshot of a few key points: Continue Reading It’s Not Too Early! ICO Guidance Regarding Consent Under GDPR

 

Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014.  Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks.  Continue Reading A Deep Dive into Privacy/Security Disclosures in Snap’s S-1

In an effort to combat the growing prevalence of large-scale corporate cyberattacks, the New York Department of Financial Services (“NYDFS”) is rolling out a revamped cybersecurity regulation for financial services companies to take effect TODAY (March 1, 2017). This ambitious regulation is broadly drafted and carries a heavy compliance burden intended to protect consumers and ensure the safety and soundness of New York State’s financial services industry.   Even if you are not directly in banking or insurance, read on to see how these regulations may affect your company. Continue Reading It’s March 1: The Cybersecurity Goal Post Has Been Moved

Five Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction.  Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo.  In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.

While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come.  Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities.  The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence.

Continue Reading Data Breaches Will Cost Yahoo and Verizon Long After Sale

Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters

As our readers know we maintain a summary of U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.”   Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

 During 2016, amendments to breach notification laws in five states went into effect (California, Nebraska, Oregon, Rhode Island and Tennessee).  And by the end of last year, well over twenty states had introduced or were considering new regulations or amendments to their existing security breach laws.  We expect there to continue to be significant regulatory activity in the data security space during 2017.  As always, we will keep you abreast of changes and will release updated versions of our Mintz Matrix to keep pace with developments in the states.

We are keeping an eye out for signs of support for a national breach notification law.  So far, there does not appear to be much political motivation for undertaking this effort.  A key sticking point is anxiety among a number of states that a federal law would offer less protection than their existing state law.  This is a valid concern since a national standard will only alleviate the significant burden of complying with the present patchwork of state laws if it has broad pre-emptive effect.  Only time will tell if state and federal lawmakers can work together to develop a comprehensive nationwide regime for security breach notification and remediation.

In the meantime, we must keep tabs on the forty-seven states (along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands) with their own security breach laws.  Here is what’s been happening since our previous update in the Fall:

 California

 California amended its security breach law in order to require disclosure to affected residents (and to the Attorney General if more than 500 Californians are affected) when encrypted personal data is acquired by an unauthorized person together with an encryption key or security credential that could render the personal data readable or useable.

We note also that former Congressman Xavier Becerra recently took over as Attorney General in California, replacing Kamala Harris who aggressively pursued regulation in the privacy arena during her tenure as AG and who now serves California as one of its U.S. Senators.  Given this change in leadership, it will be interesting to see if the state continues to be a leader in pushing for stringent data security and privacy measures at the state and federal level.

 Illinois

Last summer Illinois passed an amendment to its Personal Information Protection Act (“PIPA”) that significantly broadened protections for personal information and the obligations imposed on businesses that handle such data.  The amendment became effective on January 1, 2017 and made several key changes to PIPA:

  • Definition of Personal Information. PIPA’s definition of “personal information” has now been expanded to include medical information, health insurance information, and unique biometric data used for authentication purposes (examples cited in the statute are a fingerprint, retina or iris image, or unique physical representations or digital representations of biometric data). The amended definition also encompasses a user name or email address in combination with a password or security question and answer that would permit access to an online account when either the user name or email address, or password or security question and answer, are not encrypted or redacted.
  • Encryption Safe Harbor. While PIPA already provided a safe harbor for data collectors if data disclosed due to a security breach was fully encrypted or redacted, the amendment clarified that the safe harbor does not apply if the keys to unencrypt or unredact or otherwise read compromised encrypted or redacted data have also been acquired in connection with the security breach.
  • Nature of Notification. For security breaches involving a user name or email address in combination with a password or security question and answer, data collectors may now provide notice in electronic or other form to affected Illinois residents. Such notice must direct individuals to promptly change their user name or password and security question and answer, or to take other appropriate steps to protect all online accounts for which the affected resident uses the same user name or email address/password or security question and answer. The amended statute also provides an additional option for substitute notice when residents affected by a security breach are confined to one geographic area.
  • New Exemptions. The amendment added an exemption for data collectors who meet their obligations under applicable provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Any data collector that provides notice of a security breach to the Secretary of Health and Human Services pursuant to its obligations under HITECH must also provide this notification to the Illinois Attorney General within five business days of notifying the Secretary. This exemption will primarily apply to certain entities operating in the healthcare space. The amended statute also deems financial institutions subject to applicable provisions of the Gramm-Leach-Bliley Act in compliance with PIPA’s data security requirements.
  • Security Requirements. Beyond addressing breach notification, the amendment requires covered entities to implement and maintain reasonable security measures to protect records containing personal information of Illinois residents and to impose similar requirements on recipient parties when disclosing such personal information pursuant to a contract. The amended statute also requires state agencies to report security breaches affecting more than 250 Illinois residents to the Illinois Attorney General.

 Massachusetts

 For those information junkies out there!  The Office of Consumer Affairs and Business Regulation (the “OCABR”) in Massachusetts has created a public web-based archive of data breaches reported to the OCABR and the Massachusetts Attorney General since 2007.  The data breach notification archive is available at www.mass.gov/ocabr and includes information about which entity was breached, how many Massachusetts residents were affected, if the breach was electronic or involved paper, and the nature of remediation services offered to affected residents.

 It is always a good time to review your incident response plan and data privacy policies to bring everything in line with changes happening on the state level. 

 And now for the disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of the Mintz Levin privacy team or other experienced legal counsel when reviewing options and obligations in responding to a particular data security breach.

Make sure to get your February 2017 Mintz Matrix!  Available here for downloading and always linked through the blog’s right-hand navigation bar.

Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week’s webinar will consider companies’ obligations to give individuals access to their data and to correct or erase it.  We will also explore the new data portability requirements.  The webinar will conclude with some suggestions on how to make these requirements less burdensome. We hope you can join us!

Registration link is here.

 

What does your TV-watching history say about you? According to a recent lawsuit against VIZIO, Inc., it might be more than you think! One of the world’s largest sellers of “smart” televisions has recently paid a $2.2 million settlement following charges by the Federal Trade Commission and the Office of the New Jersey Attorney General that it was unlawfully tracking and selling 11 million consumers’ viewing data. The resulting court order has important repercussions for both consumers and smart TV producers.  Continue Reading Who is Watching you Watch TV? If You Have VIZIO … Your TV Might Be Watching You