Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.

Things to take note of under the Alabama law:

  • The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include.   An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
  • Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
  • The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
  • Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
  • No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
  • The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions.  “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.

 

 

 

 

 

 

Beware of March Madness!  Scammers and phishers take advantage of increased web traffic by impersonating popular March Madness websites, including bracket sites and game live streams.  Will your employees take the bait?

Last year, it was reported that traffic activity from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament.    Monitoring sites also observed an increase in malicious activity related to this category and discovered a clear upward spike in malicious activity, such as phishing pages, adware downloads, improper handling of user data, and attempts at domain squatting.   All of this is likely going on again this year, and it will be on your corporate networks.

  • Have you implemented solutions to limit the impact of nefarious phishing campaigns?
  • Have you trained employees to recognize phishing emails?
  • Do you remind employees about the dangers of falling victim to click bait in emails?
  • Do you remind employees about simple password hygiene and to not reuse corporate passwords outside the network?

The best advice we can offer is only use NCAA-sanctioned bracket applications through your web browser. There are many third-party sites out there that attempt to probe the user to create login credentials. In 2017, it was observed that one such application collected a username and password and then transmits it in the clear. This plain text credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, the attackers might gain access to users email accounts, bank accounts, tax preparation accounts etc., or even worse, your corporate network.

Good luck!

Mintz Levin Benefits attorney Patricia Moran recently authored an article for  the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship.  The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators. For the full story, click here.

We’ve discussed privacy compliance with regulations, legal requirements, etc. in the space since this blog’s inception.   “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.

Privacy can also be a key differentiator and a competitive advantage.  Read on for some points that can help drive your data privacy/data management program. Continue Reading How to Leverage Privacy as a Key Competitive Advantage

Recently, there has been a lot of discussion regarding the Spectre and Meltdown vulnerabilities. This alert provides a simple overview of what these vulnerabilities are, what systems could be affected, as well as steps that companies can take to reduce the risks that these vulnerabilities create.

 

  • What Are The Spectre And Meltdown Vulnerabilities?

Spectre and Meltdown are the names of two flaws that can affect a computer’s central processing unit (“CPU”). Certain CPU chips made by Intel and other manufacturers are vulnerable to the Spectre and Meltdown flaws. The CPU allows the computer to carry out instructions provided by a computer program. Unfortunately, security flaws that affect the CPU permeate the functionality of the computer system. As the CPU is a core aspect of the computer system, most every aspect of system functionality is at risk.Both the Spectre and Meltdown flaws work by causing issues with system memory, which computers use to store data. The way that system memory stores information and how it is accessed is crucial to system performance and security.   Security researchers have created a page explaining the different aspects of Spectre and Meltdown in more detail. “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory.” Meanwhile, “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

 

  • Which Systems Are Impacted By The Spectre And Meltdown Vulnerabilities?

 

Any systems that use or rely upon CPU chips that are vulnerable to the Spectre and Meltdown flaws could be impacted. Unfortunately this is a vast swath of potentially vulnerable systems. Most companies will use some physical computers locally, such as laptops, desktops, tablets, smart phones and others, as well as leveraging certain remotely provided computing resources, maintained by another portion of the same entity or by an external vendor.

As such, every company that leverages computing resources will need to ascertain which systems are exposed to the Spectre and Meltdown vulnerabilities. This will involve:

  1. Identifying and understanding any local physical computing resources that the company allows employees, contractors or others to use on behalf of the company.
  2. Working with qualified personal to identify which of these devices contain CPUs subject to the Spectre or Meltdown vulnerabilities.
  3.  Identifying all externally provided computing resources, such as cloud computing resources leveraged by the company.
  4.  Working with each identified provider of the externally provided computing resource to understand whether the provided computer resource leverages CPUs that are subject to the Spectre or Meltdown vulnerabilities.
  • What Steps can Companies Take to Reduce Spectre and Meltdown Risk?

 

Given the widespread nature of the Spectre and Meltdown vulnerabilities companies may wish to focus on using their limited resources effectively to reduce their risk in the most effective manner possible, while understanding that completely eliminating all Spectre and Meltdown vulnerability risk may not be possible. After performing the steps above to identify which computing systems leveraged by the company are at risk, companies will want to consider taking the steps below:

  1. Run vendor provided software management tools to identify and update applicable computer systems with appropriate released vendor patches to reduce Spectre and Meltdown exploit risk. Ensure that appropriate personnel are aware that system testing should occur after this process runs, as performance and stability issues could be created.
  2. Review and update applicable security policies, incident response, and business continuity plans if these documents are not effectively providing guidance and empowering appropriate stakeholders to identify and remediate Spectre and Meltdown vulnerability risk.
  3. Identify any systems where particularly sensitive data is kept and engage with appropriate internal or external personnel to identify and implement appropriate compensating controls due to any increased risk of data exfiltration as a result of potentially latent Spectre or Meltdown vulnerability risk.
  4. Consider working with appropriate legal counsel to identify whether Spectre and Meltdown present legal risks to the company, as potentially informed by the data being stored, or any products or services being offered by the company to external entities. Companies will likely want to be particularly concerned as to any increased data breach risk, or the risk that products and services being offered to others are subject to known Spectre or Meltdown vulnerabilities that have not been effectively addressed and disclosed.

If you have any questions regarding these issues, please do not hesitate to contact the team at Mintz Levin.

 

The National Association of Insurance Commissioners (NAIC) has approved its draft of the Insurance Data Security Model Law (Model Law) via a meeting of its Executive and Plenary Committees.  This important development follows New York Department of Financial Services (“DFS”) Cybersecurity Requirements for Financial Services Companies regulation that took effect on March 1, 2017 (DFS Cybersecurity Regulation) that we have covered previously.

NAIC likely recognizes that the numerous data breaches that have occurred over the past year have created an opportunity to build upon the momentum created by the DFS Cybersecurity Regulation, and provide an environment of comprehensive compliance requirements to protect Licensees and Consumers.  Indeed, the Model Law even contains Drafting Note stating that:

The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit.23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act.

In many cases, model laws approved by NAIC, a U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories, are approved within these jurisdictions as binding law.  Below is a high level overview of particularly salient points of the Model Law. Continue Reading Insurance Commissioners Approve Data Security Model Law

 

Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.

Other states already require businesses to meet specific standards with regard to providing cyber security protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as a Chief Information Security Officer, and implement an incident response plan, among additional imperatives. Similarly, states differ with regard to their requirements of businesses in providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and to the Office of Consumer Affairs and Business Regulation (OCABR).

Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether or not a business qualifies for the safe harbor provision will be up to a judge to determine if such business has met its burden. Ultimately, the key takeaway is that this new legislation will provide for compliance as an affirmative defense for businesses facing a lawsuit as a result of a data breach.

The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

 Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”  

–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.