When a data breach occurs at a company, not only is customer data vulnerable but so is employee information. But what obligations do employers owe their employees?

This issue was recently decided in part, at least with respect to Pennsylvania employers, in Dittman v. UPMC, 43 WAP 2017, 2018 WL 6072199, at *14 (Pa. Nov. 21, 2018).  In Dittman, a group of employees sued their employer, the University of Pittsburg Medical Center, for failure to take reasonable care to protect their personal private information.  On appeal, the Supreme Court of Pennsylvania overturned the decision of the lower court and held that an employer owes a common law duty of care to its employees to use reasonable care to safeguard their sensitive data as stored on the employer’s internet-accessible computer system. Notably, the employees’ position was not that the employer engaged in any misfeasance, but nonfeasance for failure to prevent the harm from occurring. The Supreme Court found that the mere fact that third parties committed the wrongdoing – the data breach – did not negate the duty of the employer to safeguard the employees’ sensitive information that they were required to provide the employer as a condition of employment.

The Dittman case is certainly not the first time a group of employees sued an employer based upon a data breach of the employer’s computer system that resulted in the disclosure of the employees’ personally identifiable information. In Sackin v. TransPerfect Global, Inc., 278 F. Supp. 739 (S.D.N.Y. 2017), the employer moved to dismiss a class action filed by the employees, which motion was denied, in part. Among other things, the district court found that the complaint sufficiently stated a cause of action for breach of common law duty of care and that the employer violated its duty to take reasonable steps to protect the employees’ data. The court also found that a viable cause of action existed for breach of the implied contract between the employer and employees, but not for breach of the terms of the employment contract. With respect to the former, the conduct and course of dealing between the parties was deemed to rise to the level of an implied contract because, as a prerequisite of employment, the employees were required to provide the employer with certain sensitive data, and given how commonplace data and identity theft are in the current day and age, the court found an implied assent by the recipient to protect that data. Continue Reading Employers Beware and Take Reasonable Care

As the number of data breaches increases, so do the number of data breach-related lawsuits, whether styled as class actions or individual lawsuits. To the extent these lawsuits are commenced in the federal courts, it gives rise to the question of what satisfies Article III standing. Merely because a data breach may have occurred and personally identifiable information may have been exposed, or is at risk of being exposed, does not necessarily confer standing of the party whose information has been compromised in the absence of actual harm. As with most litigations, the answer also depends, at least in part, in what jurisdiction the lawsuit is commenced.

In Gilot v. Equivity, 18-CV-3492 (WFK), 2018 WL 3653150, at *1 (E.D.N.Y. July 31, 2018), the district court reinforced the Second Circuit’s position on what is required for a plaintiff to have Article III standing. In Gilot, an action commenced by an individual was dismissed for lack of standing where it was only alleged that the unauthorized release of her personally identifiable information to a third party without her consent could lead to potential identity theft. The words “could” and “potential” are important because in the Second Circuit, as in the First, Third and Eighth Circuits, having been put at risk, without actual harm, is insufficient to confer Article III standing upon a plaintiff.

The Eleventh Circuit generally follows the First, Second, Third, and Eighth Circuits; however, the threshold for damages to confer standing is lower. In Muransky v. Godiva Chocolatier, Inc., 905 F.3d 1200 (11th Cir. 2018), the plaintiff alleged that the merchant violated the Fair and Accurate Credit Transactions Act (FACTA) by printing an untruncated receipt with more than five digits of the customer’s credit card number. This statutory violation was sufficient to withstand a motion to dismiss for lack of standing since it constituted damages in the form of the plaintiff needing to bear the cost of safely keeping or disposing of the receipt to avoid someone obtaining the credit card number. Continue Reading Standing Considerations in Federal Data Breach Litigation

On October 18, 2018, the Food and Drug Administration (“FDA”) released draft guidance outlining its plans for the management of cybersecurity risks in medical devices. Commenters now have until March 17, 2019, to submit comments to the FDA and get their concerns on the record. More information about submitting comments can be found at the end of this post.

This FDA guidance revision will replace existing guidance released in 2014, which as you can see, includes recommendations, but does not attempt to classify devices. The recent draft guidance takes a more aggressive posture and separates devices into those with a Tier 1 “Higher Cybersecurity Risk” and those with a Tier 2 “Standard Cybersecurity Risk.”

Tier 1 devices are those that meet the following criteria:

1) The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; and

2) A cybersecurity incident affecting the device could directly result in harm to multiple patients.

Tier 2 devices are any medical device that does not meet the criteria in Tier 1.

The FDA has varying guidance for devices depending on the Tier of the device. The FDA provides guidance for Tier 1 and Tier 2 devices on applying the NIST Cybersecurity Framework, providing appropriate cybersecurity documentation, and adhering to labeling recommendations.

Continue Reading FDA Releases Draft Guidance on Cybersecurity for Health Devices

Cathay Pacific recently disclosed that a data breach occurred exposing information for as many as 9.4 million people – the largest airline data breach ever. The extent of the information obtained varied from credit card information (although it is reported that only partial credit information was obtained or that the cards were expired), to telephone numbers, dates of birth, frequent flier numbers, passport numbers, government ID numbers, and past travel information.

Shortly after Cathay Pacific revealed its breach, British Airways announced that the data breach it incurred last month may have been included information for an additional 185,000 customers than initially disclosed (which last month was reported to be 380,000 customers – although British Airways is now claiming it is possibly less). While an investigation is ongoing, the breach is believed to have included, among other things, payment details, inclusive of – for at least some customers – the CVV number.

Our take

No sector is safe from data breaches and some are either more vulnerable and/or more attractive to cyber criminals than others because of the types of information stored. The airline industry is one where the companies are likely to have a treasure trove of personally identifiable information. This is a valuable reminder that, as a business, it is important to be sensitive and cognizant to the types of customer data in your possession and be sure to take the necessary steps to keep it secure.

Effective January 1, 2020, California will require manufacturers of “connected devices” to equip those devices with reasonable security features. An example of a reasonable security feature (provided in the bill) would be to assign each device a unique password or to prompt the user to generate a password on setup.

This new law follows a trend that has been gathering steam since 2015, when the FTC provided security guidance to Internet of Things device manufacturers. Just a year later, the Mirai botnet used a DDos attack to take down a number of popular web services, in one of the first major Internet of Things attacks. DDos attacks leverage the internet connections (bandwidth) of large numbers of unsuspecting persons. First, the bad-actor infects the person’s device with malware. Then these devices can be remotely-forced to connect simultaneously to various targets (think Netflix), overwhelming their ability to communicate and shutting down the service. These types of large-scale attacks are especially dangerous in the Internet of Things context, where otherwise innocuous devices such as light-fixtures, DVRs, toasters, pet-feeders, and countless others begin to come online.

While this new bill asks very little of manufacturers, it is a crucial first step that will force manufacturers of internet-connected devices to put in place at least some common-sense security features.

Our take

This new bill requires very little of manufacturers and provides very little in terms of security for consumers. To address Internet of Things security, both regulators and companies need to provide platforms and standards that are easy to integrate, update, and adopt.

As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights, July was the worst month this year for healthcare data breaches. So far in 2018, more individual records have been exposed than for all of 2017, including 1.4 million individual records exposed in the biggest breach from July, which was attributed to a phishing attack. These statistics back up a Verizon report on PHI data breaches that came out earlier this year and found that 58% of PHI data breaches involved insiders, and that healthcare is the only industry in which internal actors post the biggest threat to organizations.

But that doesn’t mean healthcare alone is vulnerable to insider threats, as a Department of Justice criminal complaint filed in June and released earlier this month demonstrates. That complaint alleges that an $81 million bank heist suffered by a Bangladesh bank was carried out by North Korean cybercriminals and started with the criminals sending spearphishing emails to targeted individuals. In those emails, a purported job applicant would ask for a personal interview and attach a .zip file that the applicant claimed was a resume. When opened, the .zip file automatically downloaded malware to the recipient’s computer, which ultimately made its way to the bank’s IT system. This allowed the hackers to allegedly impersonate bank employees, access the SWIFT network, and transfer funds from the bank’s account to an account in the Philippines. Additional malware was used to cover their tracks.

Our take

While certain manipulation of a network as seen in the Bangladesh bank heist may take some skill and expertise, phishing and its targeted variant of spearphising are straightforward exploitations of human error. They demonstrate that allocating budget to pay for cybersecurity technology may not be enough, and resources also need to be spent on employee training and culture shifting. Certainly, layered technology solutions that address different weak points, including two-factor authentication, are important and helpful, but organizations need to take a wider view of cybersecurity and risk reduction to both account for, and attempt to correct, human error.

Although the legislation has not yet been formally introduced, sponsors, Representative Blaine Luetkemeyer (R-Missouri) and Representative Carolyn Maloney (D-New York), released a draft of the “Data Acquisition and Technology Accountability and Security Act” for public consideration on February 16, 2018.  This draft bill would establish a federal security and breach notification regime enforced by the Federal Trade Commission and state attorneys general.

The draft bill would apply to “covered entities,” which are defined as “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”  In addition to requiring covered entities to develop, implement, and maintain security safeguards appropriate to the particular entity’s size, activities, and the sensitivity of the personal information maintained, the draft bill sets forth a federal standard for data breach response.  Notably, the draft bill would require that a covered entity conduct a preliminary investigation and determine whether there has been an unauthorized acquisition of personal information and whether there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.”  If this standard is met, a covered entity would be required to notify certain government agencies, such as the Secret Service or the FBI, and other agencies, such as payment card networks and consumer reporting agencies (depending on the type of breach), but only in the event the breach involves the personal information of 5,000 or more consumers.  Furthermore, a covered entity’s obligation to notify affected consumers is triggered only if the covered entity determines that “there is a reasonable risk that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumer . . . .”  Notice to relevant agencies and affected consumers must be provided “immediately” and “without unreasonable delay.”  Finally, the draft bill exempts insurers and expressly preempts state data security and breach notification laws.  As further described below, this proposed breach response regime is much less stringent in comparison to existing state breach notification laws. Continue Reading Is a Federal Data Breach Notification Regime Forthcoming?

The PGA of America was hit with a troublesome ransomware attack in August ahead of golf’s final “major” tournament of the season, the 100th PGA Championship at Bellerive Country Club in St. Louis, MO.  The hackers were successful in locking many of the organization’s digital marketing files (e.g., logos, banners) specifically designed for the centennial tournament as well as for the upcoming Ryder Cup international tournament.

Based on the ransom message from the hackers, the main goal of the attack was a quick payday in light of the disruption in the critical days leading up to a major (highly televised) event.  With the organization’s servers encrypted, the hackers provided a bitcoin address and a promise to provide a decryption key, but curiously did not request a specific ransom amount.  Although it is unclear if the PGA of America ultimately regained control of its compromised files or mitigated the issue with backup servers, it appears the organization resisted the option to pay the hackers and was able to get through the PGA Championship with virtually no material impact on players or fans.

Our take

This ransomware event is a reminder that all types of data and information are vulnerable to cyberattacks.  Although the creative designs for marketing purposes were not particularly sensitive from a privacy perspective, the business risks of losing access to important intellectual property were front and center.  It could have been much worse for the PGA of America, particularly in terms of crisis response costs, reputational harm and “re-work,” but thankfully, it gets to pick up its ball and move on to the next tee.

On April 11, 2018, Arizona Governor Doug Ducey signed a bill into law that bolsters the state’s existing breach notification requirements. The revised law will take effect in July. One of the most notable amendments to the existing law is the expansion of the existing state law definition of “personal information” to also include an individual’s user name or e-mail address in combination with a password or security question and answer that allows access to an online account, as well an individual’s first name or first initial in combination with the following data elements: (i) an individual’s health insurance identification number; (ii) information about an individual’s medical or mental health treatment or diagnosis by a health care professional; (iii) an individual’s passport number; (iv) an individual’s taxpayer ID numbers; and (v) certain biometric data. Following Oregon’s lead, Arizona lawmakers also replaced the existing ambiguous notification timeframe language for notice to affected state residents with a definitive deadline of 45 days after a determination that a breach has occurred, unless a statutory exemption applies. The amendments also include a new requirement that the Arizona Attorney General and the three largest nationwide consumer reporting agencies be notified of the breach, in the event that the breach affects more than 1,000 state residents. Among other revisions, the amendments also prescribe the required content of the notices to impacted residents and clarify the available delivery methods for such notices. Continue Reading Arizona Strengthens its Data Breach Notification Law

In the wake of continuing data breaches flooding the news, state lawmakers are working to increase protections for consumers who are victims of a data breach. Several states have already enacted such legislation earlier this year, including Alabama, Oregon, and South Dakota. Among the states in the midst of proposing updates to their existing data breach notification laws are Colorado, Iowa, New York, North Carolina, and Rhode Island.

Although the North Carolina bill has yet to be introduced in the North Carolina House, if the bill were to pass as currently proposed, North Carolina would have the most rigorous breach notification requirements of any state on the books. The existing state law provides that notice of the breach to affected state residents must be provided “without unreasonable delay.” The proposed law would replace this language with a rigid 15-day deadline for notice to be provided to affected residents. Among other revisions, the proposed law would also revise the definition of a security breach to include ransomware attacks.

Our take

For those companies that have a nationwide presence, it is important to keep track of these proposed amendments to state breach notification laws so that you can revise your incident response plans accordingly. North Carolina’s rigorous bill demonstrates how state lawmakers are cracking down on data breaches and how important it is to determine the states of residence of impacted individuals early on in the breach investigation process. Stay tuned for updates on these proposed state bills and others.