Financial institutions that are subject to the Gramm-Leach Bliley Act (GLBA) can find practical tips that address their unique data security challenges in the 2019 Data Security Incident Report (DSIR). It appears that money remains a strong motivating force for many threat actors. According to the 2019 report, finance and insurance remain among the sectors most heavily impacted by data security incidents, with 19% of data at risk involving a financial account. Phishing (responsible for 37% of all incidents, according to our DSIR) and credential stuffing are among the primary ways that hackers can obtain the keys to a consumer’s financial kingdom – the username and password to an individual’s financial accounts. Armed with these credentials, threat actors can purchase goods or wire, transfer or otherwise move funds out of those accounts with remarkable speed and efficiency. Although multifactor authentication has become increasingly standard for money movement and other higher-risk financial account activity at major financial institutions, as reflected in GBLA regulatory guidance relating to authentication in an internet banking environment, threat actors have proven increasingly cunning, often taking over email accounts and spoofing mobile device IDs where financial institutions send one-time-PIN codes, in order to render these multifactor safeguards ineffective. Continue Reading
There is always significant negotiation around caps on liability when negotiating a contract with a technology vendor. If the vendor will have access to the personal information of its customers’ end users (regardless of whether the end users are employees or customers), treatment on caps on liability take on heightened importance. In fact, limitations of liability are a key indicator of the allocation of risk between the parties. Both parties are seeking to insulate themselves from liability and minimize the financial harm in the event of a data security incident. Vendors have become increasingly reluctant to provide unlimited liability to protect customers against harms caused by security incidents, going to great lengths to narrowly tailor the situations under which the vendors will bear risk. Customers have been increasingly reluctant to have a data security incident classified as a regular contract breach and subject to regular contract damages. The resulting compromise, in many instances, is the “super cap.” The super cap is a number greater than the general cap on liability, but less than unlimited liability. It can exist in many forms; for example, as a multiple of fees paid, a multiple against 12 months’ fees paid, a number tied to insurance coverage or a flat dollar amount. Continue Reading
After passing the Senate nearly unanimously, the Washington Privacy Act (SB 5376) has stalled in the House of Representatives. The bill failed to achieve passage out of committee by the April 17 deadline for consideration of bills originating in the opposite house, and was returned to the Senate on April 28. As a result, SB 5376 is unlikely to pass this year.
SB 5376 gained early support from Washington’s technology industry, which helped it achieve easy passage in the Senate. Upon reaching the House, however, the bill met with strong resistance from individual rights groups. The Washington ACLU announced that it would make privacy legislation a focus of the group’s 2019 legislative agenda, sponsoring legislation to place limitations on the use of automated decision-making systems employed by public agencies (see HB 1655 and SB 5527). The group opposed SB 5376 after the ACLU’s legislation failed to gain traction, arguing that exemptions in the bill would create loopholes that would render the legislation’s privacy protections toothless. Opponents also took issue with the fact that the bill lacked a private right of action, leaving enforcement authority exclusively with the Attorney General’s Office. Additionally, detractors worried that the bill’s protections for facial recognition technology were insufficient, noting that the use of facial recognition could lead to law enforcement inequities due to the fact that such technologies can have disparate results when applied to different racial and ethnic groups. Just a day before SB 5376 died in committee, the ACLU, the Electronic Frontier Foundation and four other civil liberty groups issued a joint statement opposing the legislation. Continue Reading
On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical Health Act’s (HITECH) penalty scheme. Continue Reading
Last Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology, held a committee hearing in which it voted in favor of advancing eight industry-backed bills that would amend the California Consumer Privacy Act (CCPA), set to take effect on Jan 1, 2020. To the benefit of businesses, the bills, which now move on to the Assembly’s Appropriations Committee, would clarify the text and limit the scope of the unprecedented, sweeping privacy law that grants consumers a great degree of transparency and choice with respect to their personal information, defined broadly under the act. If the bills survive the Assembly’s Appropriations Committee, they will come before the full Assembly before advancing to the California Senate, and would ultimately become law if signed by the governor. Also of note, two CCPA amendment bills, discussed further below, have been withdrawn from advancement to committee consideration. Continue Reading
Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies.
In 2018, health information alone was just behind Social Security numbers (which can also be protected health information) as the most at-risk data.
Data security incidents are becoming more sophisticated in nature. We’ve noted an uptick in the number of targeted phishing attacks and network intrusion incidents affecting small and large organizations alike. And we’ve observed, along with this increased activity, intensified enforcement efforts by both federal and state regulatory agencies. Continue Reading
On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms.
By way of background, Regulation S-P is the SEC’s data privacy regulation that implemented the privacy provisions of the Gramm-Leach-Bliley Act. In particular, this regulation protects the nonpublic personal information of customers, including personally identifiable financial information and consumer lists or descriptions derived from nonpublic information. To protect this information, Regulation S-P requires firms to do two main things.
Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation.
Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation. Many of the key decisions in an investigation will be driven by forensics. Does the organization have notification obligations? Was there access to and/or acquisition or exfiltration of personal information or other sensitive data? Specifically, what data was accessed or exfiltrated? When did the compromise start and when did it end? Are the attackers still in the environment? Or in a business interruption event such as ransomware, how does the organization get back up and running and get back to work?
Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired in part by the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of significant litigation in recent years. Below we provide an overview of notable proposed legislation.
U.S. Federal Law
On March 14, 2019, Senators Brian Schatz (D-Hawaii) and Roy Blunt (R-Mo), introduced the Commercial Facial Recognition Privacy Act. The act focuses on providing notice and obtaining affirmative consent whenever facial recognition technology is used to collect or process facial recognition data for certain purposes.
- “Facial recognition data” is defined as “any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.”
- “Facial recognition technology” is defined as technology that “analyzes facial features in still or video images” and is used “to assign a unique, persistent identifier” or “for the unique personal identification of a specific individual.”
We have previously written about California SB 561 here, introduced by Senator Jackson (D) and supported by the California Attorney General (AG), that among other things would vastly expand the CCPA’s private right of action and remove the right to cure before the AG can seek civil penalties. On April 9 the California Senate Judiciary Committee held a hearing on the bill, a recording of which is available here. The committee voted 6 to 2 to refer the bill to the Senate Appropriations Committee. There was concern expressed by some members of the committee, including some that voted in favor of moving the bill forward, as to the scope of the private right of action, its impact on businesses and the ambiguity of the current text. Senator Jackson promised to work with stakeholders to explore potential refinement of the private right of action so long as it maintained the ability for consumers whose CCPA privacy rights are violated (the current law restricts the private right of action to certain types of data security breaches) to seek meaningful redress and not have to rely on the AG to enforce the CCPA. It was noted that the restriction of the private right of action was fundamental to the compromise that lead to the bill, however, Senator Jacksons and others rejected that as not relevant, or at least not binding. We had previously encouraged further limitation of the private right of action. It appears that quite the opposite may be on its way to fruition. We will continue to monitor its progress.