Data Breach, Privacy & Cyber Insurance Law Content
November 2017

Submitted by: F. Marshall Wall

If you haven’t heard of the GDPR, it is time to learn something about it – at least for the sake of your clients. For starters, what does GDPR stand for?  It is the European Union’s General Data Protection Regulation.  You may be saying to yourself, “Wait, I practice in the US, why do I care about this?”  If you represent companies that sell products or offer services inside the EU, then this regulation matters to your clients. 

For some time the EU has taken a very different approach to privacy than the United States.  The EU is far more supportive of the idea that individuals should have control over what is done with their personal information.  The GDPR is a result of this focus on protecting individuals’ privacy rights.  Since the regulation runs to more than 260 pages, this article will necessarily discuss only a few of the highlights.

The GDPR applies both to organizations within the EU and also to those “located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”  Given the connected nature of our world and the size of the EU, the GDPR will apply to a great many companies in the US.

Key terms within the GDPR include “controller”, which is an entity that determines the purposes and means of the processing of data, and “processor”, which is an entity that processes data on behalf of a controller.  The term “processing” includes the storage, dissemination, or use of personal data.

The GDPR definition of personal data is much broader than in typical state data breach statutes in the US.  According to guidance from the EU, personal data includes, “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Data subjects have the “right to be forgotten” under the GDPR, meaning a data controller must erase the subject’s data and cease any further dissemination of it.  People will also have rights to learn what personal data an entity has about them, including obtaining a copy of the data and learning where it is stored and how it is being used. 

Breach notification rules under the GDPR are strict.  Notification must be given to a supervisory authority in each applicable member state of the EU within 72 hours of discovery of the breach and to any data subject “without undue delay” in any situation where “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”

The GDPR also requires that consent agreements with data subjects use simple language and cannot be filled with legalese.  While these agreements can and will be used to allow entities to use, sell, and disseminate data, the typical boilerplate click-wrap agreements that we have become used to with every download or update likely will not pass muster.

Another significant feature of the GDPR is that many entities will be required to designate a Data Protection Officer (DPO). A DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a “large scale.”  These terms are not well defined and subject to interpretation. 

Penalties for violation of GDPR can be severe.  Data processors can be fined up to four percent (4%) of “annual global turnover” or €20 million, whichever is greater. 

Since the regulation is not yet in place, there is no precedent for enforcement or the level of penalties that will be applied in specific circumstances.  Many terms and provisions will require interpretation.

The GDPR was passed in April 2016 and becomes effective on May 25, 2018.  If companies have not started to prepare for compliance, there is no time like the present.

To learn more, and to see the countdown clock for enforcement of the GDPR, take a look at this link: http://www.eugdpr.org/.  At this writing your clients have 196 days, six hours, and 41 minutes to comply!

OCTOBER 2017

Advisen Cyber Risks Insight Conference Coming Up

There is still time to register for the Advisen Cyber Risks Insight Conference in New York City on October 26. It’s a one-day conference that I have attended for several years. It’s quite likely the preeminent industry cyber insurance and risk conference. Attendance is expected at around 1,000, and it is always held at the Grand Hyatt Hotel in Manhattan. Here is a link to the agenda.

The keynote this year is being given by Rudolph W. Giuliani, Chief of Cybersecurity, Privacy and Crisis Management Practice at Greenberg Traurig. The remaining speakers read like a who’s who in the cyber insurance field and range from underwriters and claims personnel to brokers and forensic experts. They include Stephen Catlin, founder of XL Catlin, a leading cyber insurer; Martin South, President, US and Canada Division, Marsh; and numerous others.

There will be three tracks going on simultaneously: a track on the cyber product, a track on quantifying the insuring risk and a track on defining the risk (aka, “the threat track”). It was at this conference some three years ago that the General Counsel of Allstate stated from the podium that he believed litigation over the meaning of cyber policies was something he would be dealing with for the rest of his career… and he was a pretty young guy!

And here is the good thing about the conference (shhh): not many outside lawyers attend. So, if you want to chat with the AIG head of cyber claims, you can just walk right up to him. No fighting off hordes of other lawyers trying to scarf up business.

If any of you are thinking of going, give me a shout; I would love to meet up. Advisen publishes a daily cyber risk blog, by the way, if you would like to subscribe. Here is a link. It has some timely articles and news in it. And they welcome articles from outside lawyers and experts as well; I’ve had pretty good luck getting things published there.

Want more information on the now infamous Equifax breach? Here is a link to an article on the breach, the legal issues it will likely present and the impact.

AUGUST 2017

The FDCC’s newest section—Data Breach, Privacy, and Cyber Insurance—has planned an active year for 2017-18. Our section is led by Chair Steve Embry and Vice Chairs Chris Holecek, John Sinnott, and Marshall Wall. Feel free to contact any of the section leaders throughout the year to offer input or get involved.

We are planning a plenary presentation for the winter meeting in Amelia Island on cyber threats. Stay tuned for more information about this as the date approaches. The winter meeting is February 24-28, 2018 at the Omni Hotel and Resort in Amelia Island, Florida.

Here are some recent developments in data breach, privacy, and cyber insurance:

  • The Internet of Things to Come in Cybersecurity: The Internet of Things is fraught with risk. The monetization of health care data has been a significant threat since as early as 2015. We are all endangered by such exploitation because pieces of anyone’s information can be sold for a handsome profit on the Dark Web.
  • Outsider or Insider: Who Will Cause Today’s Data Breach?: In today’s cybercrime landscape, threats come not only from all sides, but also from within.
  • How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses: Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too. When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified. This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.
  • What to Know About Risk, Coverage Before You Buy Cyber Insurance: If a healthcare organization decides to insure itself against cyber-attacks, how do C-suite executives and others go about evaluating potential cybersecurity risks and insurance coverage in today’s chaotic threat landscape?
  • Data Breach Class Action Reinstated: Must plaintiffs allege actual identity theft from a data breach to avoid dismissal of their class action lawsuit? No, according to a recent opinion from a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit. 

One way to stay up to date on these issues is to participate in our section’s Slack page.

JULY 2017

The Anthem $115 Million Data Breach Settlement: A Tipping Point?

Seven years ago, a Texas jury awarded a woman named Melinda Ballard $32 million in what was touted as a toxic mold lawsuit. Almost overnight, a cottage mold litigation industry sprang up. Seminars on how to litigate a mold case from plaintiffs’ and defendants’ perspectives proliferated and were standing room only (I know, I spoke at some). Plaintiffs’ lawyers advertised their mold expertise in a massive hunt for clients. Lawsuits galore. Experts and consultants came out of the woodwork as moon suits and containment centers like those used for asbestos abatement became the norm for wiping down common mold with bleach from ordinary walls. Never mind that the Ballard case was really an insurance bad faith case. Never mind that mold was and is ubiquitous. Never mind that the causal relationship between mold and serious illness is, at best, sketchy. Millions of dollars were spent in costs and legal fees until the hysteria burned itself out.

Have we reached a Melinda Ballard moment with data breach litigation? Last month, Anthem agreed to settle a class action over the health insurer’s massive January 2015 data breach. In that breach, hackers obtained and compromised the data of some 78.8 million current and former Anthem insureds and employees, which led to a probe by the Federal Bureau of Investigation and massive publicity. The information compromised included names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses and employee data, including income.

After the predictable litigation commenced and ran its course, Anthem agreed to pay $115 million to resolve consumer claims over the attack in the largest data-breach settlement in history. As part of the proposed settlement, Anthem agreed to set aside some $15 million to pay for out-of-pocket expenses incurred because of the data breach and to establish a fund to buy at least two years of credit monitoring services for the class to help protect them from fraud. For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member.

The proposed accord, which would end class-action lawsuits filed in several states, requires approval from a federal judge in San Jose, California.

Data breach suits have had mixed success in the courts. Substantial Article III standing issues exist, since often the damages are only possible or threatened, not actual. Where the breach involves compromised financial information, fraudulent charges resulting from compromised account information are reversed by card-issuing banks, and only a small percentage of people are actually victimized by identity theft. And even if plaintiffs get past a motion to dismiss for lack of standing, there remain lots of procedural and substantive hurdles. So while some breach cases have outright failed in proving standing (as with Barnes & Noble’s data breach), others have settled for relatively modest sums, such as Target’s recent $18.5 million settlement over its 2013 breach with state attorneys general and a $10 million settlement with consumers.


But some believe the announcement of a $115 million settlement could suggest to the plaintiffs’ bar that these cases are now lucrative, initiating a feeding frenzy similar to the one that occurred after the Ballard case. After all, data breach cases are costly to defend and, if successful, could pose significant exposure, particularly if the numbers involved are large. And there are potential regulatory and attorney general liabilities. Not to mention the publicity and complicated nature of responding to data breaches pre-litigation, and the multitude of often inconsistent state laws, which make errors in the initial handling process possible.

But before we all gear up for another wild litigation ride, there are several points to keep in mind. First, the Anthem breach involved a huge number of people and tons of data. Much of the data was health records, some of the most sensitive and valuable information on the black market. The possibility for mischief with a person’s health records is pretty significant. The regulatory framework involving health records is daunting. So from a standing perspective, it would be easier for a court to conclude that the data has value and/or the threat of harm is “imminent”.  Stolen health records increase the “anger factor” that often drives huge verdicts. These factors all make the Anthem case pretty unique.

Damages in most run-of-the-mill data breach cases not involving health data, though, remain hard to show with any certainty. Given the number of data breach incidents that have already occurred, more and more people already have credit monitoring in place, reducing the value of this as a damage element. In financial breaches, consumers at least are fairly well protected and knowledgeable.

And unlike the mold situation, the threat from a data breach is not one to a person’s health as much as to their convenience, making individual damages in most cases pretty low. So to succeed, plaintiffs must pursue class actions with uncertain recoveries in an area where the law is still unsettled. From the plaintiffs’ perspective, a proverbial long shot that could be expensive to bet on.

JUNE 2017

WannaCry: An Aptly Named Beginning to Large-Scale Ransomware Attacks?

On Friday, May 12, 2017, the ransomware attack known as WannaCry began.[1] Within a day, the malware had infected more than 230,000 computers in over 150 countries.[2] Thankfully, on May 15, 2017, a web security researcher discovered a mistake in the malware’s code.[3] The researcher was then able to stop the malware from spreading further by exploiting the coding mistake. But future cyberattackers may not make the same mistake that WannaCry’s coders did.

WannaCry is classified as a ransomware attack. It was unique in that it spread in a devastating fashion. All ransomware attacks target vulnerabilities in a victim computer’s software. Through those vulnerabilities, attackers spread malware that scrambles and encrypts the data on the victim’s computer. The attackers then offer to unscramble and decrypt the victim’s computer for a fee, or ransom. Many ransomware attacks are limited in scope because, when software developers become aware of vulnerabilities in their programs, they issue patches that eliminate those weaknesses. However, every so often, cyberattackers discover a vulnerability in software that had never been found before, so when the cyberattackers target that vulnerability, everyone who uses that software is at risk. These vulnerabilities are known as zero-day vulnerabilities because there is no time to patch the vulnerability prior to an attack. The WannaCry attack targeted a zero-day vulnerability in Microsoft’s software. Therefore, all computers running Microsoft’s software were at risk until Microsoft could issue a patch.

Usually ransomware spreads through phishing—fraudulently sending emails with infected attachments which, when opened, target a software vulnerability and thus encrypt the computer. WannaCry, however, was so effective because the vulnerability it targeted was in Microsoft’s Server Message Block (SMB) protocol.[4] SMB is an application-layer network protocol, meaning that it is the mechanism by which networked computers share access to files, printers, etc.[5] Thus, WannaCry was not dependent on phishing in order to spread, but rather spread automatically to all computers in a network. In other words, the vulnerability WannaCry targeted made it spread quickly and uncontrollably.

Fortunately, WannaCry was not as devastating as it could have been. However, there is no reason to believe that similar cyberattacks will fail as WannaCry did. There are many ways that law firms and businesses can reduce the likelihood of being the victims of cyberattacks, ranging from buying cyberattack insurance to hiring outside firms to supply security. In the meantime, it’s important to update your computers’ software when updates are available, because those patches can prevent you from being the next WannaCry-style ransomware victim.

[1] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[2] “‘Unprecedented’ cyberattack hits 200,000 in at least 150 countries, and the threat is escalating,” CNBC, May 14, 2017.

[3] Elizabeth Weise, “How a 22-year-old inadvertently stopped a worldwide cyberattack,” USA Today, May 13, 2017.

[4] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[5] “Microsoft SMB Protocol and CIFS Protocol Overview,” Microsoft, October 22, 2009.


MAY 2017

Data breach, privacy, and cyber insurance continue to be hot topics in the news. Here are some recent headlines:

We discuss these and other topics of interest to our section on our Slack page. Please join the discussion. Check your email for the invitation to join our Slack team or email one of the section leaders for more information.

APRIL 2017

IBM recently released its “X-Force Threat Intelligence Index” for 2017.  The report addressed security breaches during 2016 and noted that more than 4,000,000,000 records were leaked in 2016 – more than the total from 2014 and 2015 combined.  This number was influenced by the massive breach disclosed by Yahoo but even excluding that event, the volume of breaches continues to increase.

Distributed denial of service (DDoS) attacks continue to increase in size and in many cases the bots leading these attacks prey on unsecured Internet of Things (IoT) devices.  Malware attached to spam email continues to increase and ransomware, which can result in the infected system being locked until the target pays a ransom to the hacker, makes up a large majority of the malware.  2016 also ended with a record number of disclosures of software vulnerabilities by developers.

The top five industries breached in 2016 were: (1) Information and communications; (2) Government; (3) Financial services; (4) Media and entertainment; and (5) Professional services.  The last category serves as a reminder to attorneys of their obligations to clients to take care of the information entrusted to them. 

If you have an interest, the report can be accessed here:

https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325