Following an April 11 ruling by the Fourth Circuit in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Travelers must defend its policyholder, Portal Healthcare, in a class action lawsuit concerning a security breach. For years, courts have wrestled with whether traditional commercial general liability (CGL) policies provide coverage in the event of a data breach. The results have been mixed. This most recent decision highlights the uncertainty that remains over whether traditional insurance policies cover cyber liabilities and, if so, under what circumstances and to what extent. This case appears to have been driven by specific policy language and the facts of the cyber incident, particularly the conduct of the policyholder, but it highlights the increasing prevalence of cyber insurance issues.

Travelers had issued two CGL policies to Portal Healthcare, a medical records company. In April 2013, a class action was filed in New York state court alleging that, as a result of Portal Healthcare’s failure to properly protect its server, confidential medical records for patients at a New York hospital were accessible on the Internet to unauthorized individuals. The class action complaint asserts counts for alleged negligence, breach of warranty, and breach of contract, and also seeks injunctive relief against Portal Healthcare, the hospital, and others.

In July 2013, Travelers filed the coverage action at issue here in the U.S. District Court for the Eastern District of Virginia. Travelers sought a declaration that it was not obligated under its CGL policies to defend or indemnify Portal Healthcare against the underlying class action lawsuit. Specifically, Travelers argued that it was entitled to declaratory judgment because the underlying class action does not allege “personal injury,” “publication of material,” “advertising injury” or “website injury,” as defined in the Travelers policies.

FCC Adopts a NPRM for Privacy Proposal; FTC Chairwoman Wants IoT Threat Addressed; Consumer Reports Hit with Privacy Class Action; DOJ Accesses Shooter’s Phone and Drops Apple Suit

FCC Adopts a NPRM for Privacy Proposal

On Thursday, March 31, in a 3-2 party-line vote, the FCC advanced a Notice of Proposed Rulemaking (NPRM) for broadband privacy. The proposed rules would restrict ISPs’ use of basic consumer data and require consumer consent for certain types of data collection. Although ISPs under the rule could still collect basic consumer data to market communications-related services to subscribers, ISPs would have to allow users to opt out of that data collection. On the other hand, ISPs would have to require users to opt in to the use and sharing of other types of data, such as browsing history and physical location. Under the proposed rules, providers are also required to disclose to consumers how their data is used or shared. Some have criticized the proposed rules, arguing that they have the potential to create an uneven enforcement regime, as companies could face differing FCC and FTC standards.

FTC Chairwoman Wants IoT Threat Addressed

On Thursday, March 31, FTC Chairwoman Edith Ramirez urged manufacturers of Internet of Things (IoT) devices to “design devices that take into consideration unexpected uses of their IoT data, and the potential for misuse.” In a speech at the American Bar Association’s conference on IoT in Washington, DC, Chairwoman Ramirez outlined a series of steps that she recommends manufacturers take as they develop new IoT technology. Drawing on common privacy practices, Chairwoman Ramirez advised manufacturers to provide consumers with clear notice of data collection practices and to allow consumers to opt in or out of particular data collection practices. She also encouraged manufacturers to build security into devices from the outset and to keep track of issues throughout a device’s life cycle. The FTC plans to hold a series of workshops this fall to look at issues arising from new technology, such as smart televisions and UAVs.

OCR Launches Next Round of HIPAA Audits; French Privacy Office Levies € 100,000 Fine on Google; SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy; FTC and Canadian Regulator Execute Anti-Spam MOU; FTC Commissioner Announces She Will Step Down

OCR Launches Next Round of HIPAA Audits

Last Monday, following much anticipation, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced Phase 2 of its audit program to measure compliance with the patient privacy provisions of HIPAA. This audit follows OCR’s pilot audit of 115 Covered Entities and will likely examine 200 additional Covered Entities. For more information about what entities can expect, read Elliot Golding’s March 23 post.

French Privacy Office Levies €100,000 Fine on Google

The French data protection authority (CNIL), one of the most active privacy regulators in Europe, fined Google €100,000 for “failure to comply with the obligation to respect the rights of individuals to erase data” under the European “right to be forgotten.” In May 2014, the European Court of Justice ruled that the compilation of Google search result links was “data processing,” and, as such, search engines should remove links at the request of data subjects. The CNIL faulted Google for only removing links from searches that originated from EU IP addresses and not delisting the links across all “Google Search” extensions.

SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy

The SEC secured settlements, totaling almost $18 million, with seven defendants accused of participating in a scheme to trade on hacked newswire information. These seven defendants are part of a larger alleged scheme of 32 defendants who, over five years, hacked newswires to obtain earnings announcements before they were released and then distributed and traded on those stolen statements. The government has also brought a parallel criminal action against some of the 32 defendants in the District of New Jersey and has stayed a massive civil suit based on the same hacking scheme. The $18 million in recent SEC settlements comes on the heels of a $4.2 million SEC settlement with Concorde Bermuda Ltd., also accused of taking part in the scheme.

On March 2, 2016, the National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force proposed a new model law intended to “establish the exclusive standards for data security and investigation and notification of a breach of data security” in the insurance industry.

The model law requires licensed insurers and producers to:

  1. Develop, implement and maintain an information security program to ensure confidentiality of personal information, and protect against anticipated threats to and unauthorized access of such information.
  2. Provide for board of directors oversight of the information security program (if applicable) and annual reporting to the board of directors regarding the data security program.
  3. Include provisions in all third-party service provider contracts regarding (a) third-party safeguards, (b) post-breach notification, (c) post-loss indemnification, (d) cyber-security audits, and (e) representations and warranties regarding compliance.
  4. Provide certain information to consumers regarding the types of personal information collected and stored, and the applicable privacy policy.
  5. Investigate a suspected data breach and take steps to restore the security and confidentiality of compromised systems.
  6. Provide notice of a data breach to (a) the appropriate Federal and state law enforcement agency, (b) the insurance commissioner, (c) consumers, and (d) consumer reporting agencies.
  7. Implement protections for consumers after a data breach as prescribed by the commissioner but not less than twelve months of identity theft protection for affected consumers paid for by the insurer/producer.


US Changes Stance on Wassenaar Arrangement Hacking Amendment; FCC Proposes Privacy Rules for Internet Providers; New Jersey Supreme Court Unanimously Approves Roving Wiretaps; FTC Commissioner Opposes Encryption Backdoor Legislation

US Changes Stance on Wassenaar Arrangement Hacking Amendment

Last week, the U.S. executive branch announced that it will change its stance on the 2013 amendment to the Wassenaar Arrangement that closely regulates the international export of cyber hacking and surveillance technology. This is a big win for the private sector. Indeed, industry has long been critical of this amendment to the Wassenaar Arrangement, a multilateral export control regime with 41 participating states, because of its potential to chill and stifle innovation in cybersecurity. The controversy over this rule has highlighted the difficulty of applying export controls, which are usually restricted to physical items, to the virtual world. Now, the U.S. faces the daunting task of convincing the 40 other countries in the Arrangement to agree with its new position before the controversial amendment can be formally changed.

FCC Proposes Privacy Rules for Internet Providers

After much anticipation, on March 10 the FCC unveiled its proposed broadband privacy rules, which will be voted on by the full commission at its March 31 open meeting.  According to the fact sheet published alongside the rules, the FCC sought to emphasize customer choice, transparency, and security. Generally, the proposed requirements parallel requirements of other consumer privacy efforts, such as the proposed SPY CAR Act, where lawmakers have sought to require industry to better inform consumers about the use and collection of their data.

Among other things, the proposed rules would oblige providers to obtain customer consent via an “opt-in” to use customer data outside of marketing for “communications-related services.” The proposed rules also require ISPs to take “reasonable steps” to safeguard customer information. Those reasonable steps include, “at a minimum,” adopting risk management practices, instituting personnel training practices, adopting strong consumer authentication requirements, identifying senior management responsible for data security, and taking responsibility for the use and protection of customer information when shared with third parties. Providers must also notify consumers, the Commission, the FBI, and the Secret Service in the event of some breaches.

EU-US Privacy Shield Principles Released; No Insurance Coverage for Data Breach, New York Court Holds; CFPB Levies First Data Security Fine; New York Court Sides with Apple in 4th Amendment War; “I confirm that I am over 13 years old” Checkbox Ruled Not an Effective Age-Screener

EU-US Privacy Shield Principles Released

After years of negotiations that intensified after the U.S.-EU Safe Harbor program was invalidated late last year, the U.S. Department of Commerce (DOC) and the European Commission (EC) reached an agreement to replace Safe Harbor, called the EU-U.S. Privacy Shield. On February 29, the DOC formally published this agreement.  The EC also published the draft adequacy decision for the new framework.  This formal agreement largely tracks the priorities discussed in a press release issued earlier in February and will allow companies to plan for lawful data transmissions across the Atlantic. For more information about the differences between the previous framework (U.S.-EU Safe Harbor) and the new one, please join us on March 9 at Crowell & Moring in Washington, D.C. for a seminar on the EU-U.S. Privacy Shield and the forthcoming EU Data Protection Regulation (GDPR).

No Insurance Coverage for Data Breach, New York Court Holds

The New York Appellate Court for the Third Division upheld the trial court’s decision to deny insurance coverage for RVST Holdings (RVST), which operates fast food restaurants in the New York area. Trustco Bank, in another action, filed suit against RVST for failing to secure its customers’ credit card information after third parties obtained the credit card numbers from RVST’s network and made fraudulent charges. RVST, in turn, filed suit against Main Street Assurance Company, its business insurance provider, seeking coverage. This coverage was denied.

In a recent Law360 publication, C&M attorneys Rachel Raphael and Ellen Farrell discuss how directors and officers (D&O) insurance coverage applies when a company experiences a data breach.  As they explain, D&O policies may provide some coverage when a company’s directors and officers are sued after a cyber incident, but there are often policy exclusions

On August 17, in the case of Carolina Casualty Insurance Company, et al v. Red Coats Inc., the Eleventh Circuit reinstated a suit brought by Admiral Security Services against two of its insurers, Continental Casualty and National Union, in the district court for the Northern District of Florida. Admiral was seeking coverage under commercial general liability (CGL) policies issued by Continental Casualty and National Union for settlement payments that Admiral made to AvMed Inc. after AvMed suffered damages from a security breach. The district court granted summary judgment in favor of the two insurers, but the Eleventh Circuit reversed based on its conclusion that the availability of coverage under these policies turned on the state law applicable to the insurance contracts. Given the relative paucity of cases involving coverage for security breaches, this case is one to watch, especially as the Eleventh Circuit has suggested that coverage may ultimately come down to which State’s law applies – an issue that can potentially “make or break” coverage in any case.

By way of background, Admiral had been hired by AvMed to provide security services at one of AvMed’s facilities, when one of Admiral’s security guards allegedly stole laptop computers from AvMed that contained personal information of AvMed members protected by the Health Insurance Portability and Accountability Act (HIPAA). The coverage action originated when one of Admiral’s carriers, Carolina Casualty, filed a declaratory judgment action in a Florida district court seeking a judicial determination as to whether the Employment Practice Liability Policy that it had issued to Admiral provided coverage for the security breach suit filed by AvMed against Admiral. Admiral filed an answer and a counter-claim, which brought three of Admiral’s other carriers that had issued policies to Admiral – Continental Casualty, National Union and Travelers – into the suit.

In a highly anticipated decision (FTC v. Wyndham Worldwide), the Third Circuit confirmed on Monday that the Federal Trade Commission (FTC) has statutory authority under Section 5 of the FTC Act to bring enforcement actions against defendants for allegedly “unfair” data security practices.  As we explain here, the decision will likely encourage

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”