Data breaches and cybersecurity events have grabbed the headlines in the past few months. As companies’ responses to these incidents have played out in the news, state legislatures and state and federal regulators have continued to add requirements to the data security race course. Congress is also exploring new laws that may address the patchwork of state data breach notification laws, but that may also impose new requirements.
The recent high profile incidents will likely result in increased data security and breach notification requirements in 2018, as well as heightened expectations from consumers, lawmakers, and others for companies to improve their data security programs and data breach response plans. The first quarter of 2018 has already seen some fast and furious developments. This alert surveys some of these recent developments at both the state and federal level and addresses what companies should be doing now in response to these developments to ensure they keep their data privacy engines (and their data privacy compliance programs) in gear.
Data Breaches in the News
Despite ever-increasing investment in cybersecurity infrastructure, technology, and employee training by companies, data breaches continue to hit companies in all industries. More than 600 data breaches were publicly reported in 2017 and more than 100 have already been reported in the first few months of 2018. Some of these reported data breaches are highlighted below.
Three breach-related events in 2017 highlight the scope, complexity, and cost of data breach responses and also the varying responses by companies to these incidents. In June 2017, Anthem, Inc. reached a record $115-million class action settlement stemming from a 2015 breach that compromised the data of 80 million consumers. In September 2017, Equifax Inc. disclosed a breach exposing the names, Social Security numbers, birthdates, home addresses, and driver’s license numbers of more than 140 million consumers. Two months later, Uber Technologies Inc. disclosed it had paid a $100,000 ransom to a hacker to destroy the data the hacker had stolen from the company in 2016, including the telephone numbers, email addresses, and names of 57 million Uber drivers and riders. As part of the deal, the hacker allegedly signed a nondisclosure agreement to remain silent about the breach and the company’s payment. Although “bug bounty” programs, which are designed to give security researchers an incentive to report weaknesses they uncover in a company’s software, are not unusual, rewarding a cybercriminal who has both hacked into a company’s system and stolen data is highly unusual. Also, the use of “bug bounty” programs by companies does not relieve companies of their obligation to comply with state breach notification laws.
This year has already seen even more reported data breaches. On April 1, 2018, Hudson's Bay Company confirmed that cybercriminals had obtained credit and debit card data on more than 5 million Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor store customers. On April 2, 2018, Panera Bread announced that a security flaw in its online ordering website may have exposed customer records, including names, email and physical addresses, birthdates, loyalty card numbers, and the last four digits of stored credit card numbers, for at least eight months. The vulnerabilities may have also extended to Panera's commercial division, which serves catering companies. On April 4, 2018, Sears Holdings Corp. and Delta Air Lines reported that some of their online customer payment information may have been exposed in a breach at a software service provider.
Unfortunately, data breaches can and will continue to happen at companies of all sizes and in all industries. Companies need to be prepared to proactively respond to these incidents.
Security Incidents in the News
Some contend that “big data” has ushered in a management revolution because it allows companies to translate quantitative knowledge into improved decision making and financial results. However, the use of such consumer data by companies and their third-party vendors has also come under scrutiny in recent months.
The recent revelations that Cambridge Analytica, a U.K. data analytics firm, leveraged data from the profiles of approximately 87 million Facebook users without their consent have forced the social media company to publicly address user privacy issues, including whether it exceeded its Terms of Service in allowing a third-party app called "thisisyourdigitallife" to harvest the personal data of Facebook users and their friends. On March 26, 2018, the Federal Trade Commission confirmed an open, non-public investigation into Facebook's privacy practices, and a number of state attorneys general have launched investigations of their own into the social media company's user privacy practices.
Ransomware remains a threat to all companies because the barriers to entry are low, the payout is immediate, and it offers an ongoing revenue stream to cyberthieves. The FBI estimated that $24 million was paid to ransomware hackers in 2015 and $1 billion in 2016.
The latest ransomware targets in the news have been municipal governments. In late March 2018, the city of Leeds, Alabama paid $12,000 in bitcoin to ransomware hackers to regain control of its municipal computer systems. On March 22, 2018, the city of Atlanta, Georgia was hit with a ransomware attack. As of April 1, 2018, the city had not paid the $51,000 ransom and was still trying to restore its municipal computer systems.
Atlanta’s ransomware woes should serve as a wake-up call to other municipalities and to companies in all industries that cyberthreats can hit anyone at any time. The motive in the next attack may not be monetary.
State Law Developments
For years, the state data breach notification law chart had shown two outlier states that had not adopted data breach notification laws – until this year. Alabama and South Dakota adopted data breach notification laws in the first quarter of 2018. Although the map is now complete, there are now 51 different requirements that companies must navigate in their data breach notification response programs. In addition, other states are considering expanding the scope of the requirements under their existing data breach notification laws or are becoming more active in enforcing their existing laws relating to data security.
On March 28, 2018, the Alabama governor signed into law the Alabama Data Breach Notification Act of 2018 (AL Act). The AL Act will take effect on June 1, 2018.
The AL Act imposes requirements similar to the requirements under other state data breach notification laws. The AL Act requires covered entities doing business in the state to, among other things:
- Notify state residents within 45 days if their sensitive personally identifying information has been compromised in a data breach; and
- Notify the state Attorney General and consumer reporting agencies if more than 1,000 state residents have been impacted.
The AL Act also requires third-party agents, entities that have been contracted to maintain, store, process, or otherwise access sensitive personally identifying information in connection with providing services to a covered entity, to notify the covered entity of a breach of security “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” The AL Act gives the state Attorney General the authority to prosecute a covered entity or third-party agent for failing to disclose a data breach as an unlawful act or practice under the Alabama Deceptive Trade Practices Act, which can result in daily penalties of up to $5,000. However, an entity that follows the consumer notice requirements of industry-specific state or federal laws or regulations is exempt from the AL Act, provided the entity:
- Maintains appropriate data breach response procedures;
- Provides notice to state residents as required under the industry-specific state or federal laws or regulations; and
- Timely provides a copy of the notice sent to state residents to the state Attorney General when the number of residents notified exceeds 1,000.
Companies that do business in Alabama or have customers in Alabama should review the AL Act and ensure that their data breach response policies and procedures and third-party vendor contracts and audit or review programs reflect these new requirements. In addition, third-party vendors that serve covered entities should review the AL Act to ensure they can comply with the new statutory notification and other requirements. A data breach response program can no longer drive by Alabama.
The governor of South Dakota signed Senate Bill 62 into law on March 21, 2018, adding data breach notification requirements to the state's existing identity crimes statute. The law will take effect on July 1, 2018 and establishes data breach notification requirements similar to those found in other states. However, no two state data breach notification laws are identical. For example, unlike the new Alabama law, the new South Dakota law requires notification to affected individuals within 60 days of discovery of the breach and notification to the state Attorney General of any breach affecting more than 250 state residents. As noted above regarding Alabama, companies should ensure that their data breach response programs incorporate the requirements under this new South Dakota law.
The North Carolina Attorney General has proposed legislation to amend the state’s existing data breach notification law. Although the bill has not yet been introduced in the state legislature, a summary of the proposal was released in January 2018 and the bill is expected to be introduced in May 2018.
The proposal would revise the definition of "security breach" to include ransomware attacks. North Carolina law currently requires companies to notify individuals impacted by a data breach without "unreasonable delay," but the law does not prescribe a fixed deadline. The proposal would tighten the notification timeline by requiring companies to notify individuals affected by a security breach within 15 days after discovering the breach. This change would make North Carolina's law one of the toughest state data breach notification laws in the country. Such a short notification deadline will be difficult, if not impossible, for most companies to meet, since 15 days is often not enough time to complete a forensic investigation and determine which individuals were actually affected. Companies with a physical footprint and/or customers in the state should monitor the progress of this bill.
The stringent cybersecurity regulation from the New York Department of Financial Services (NYDFS) became effective in March 2017 and covered entities were required to certify compliance with the regulation on February 15, 2018. The regulation imposes a broad range of requirements on financial institutions regulated by the NYDFS, including requirements to maintain cybersecurity programs, conduct risk and vulnerability assessments, and use certain types of encryption and authentication. The regulation also requires covered entities to notify NYDFS within 72 hours after determining that a data breach has occurred.
Although NYDFS hailed the regulation as the “first in the nation,” the requirements are similar to existing standards provided by the National Institute of Standards and Technology and in guidance from the Federal Financial Institutions Examination Council. Other state regulators will likely look to the NYDFS regulation as a reference point in considering their own comprehensive cybersecurity regulations. Although meeting this high bar is not yet required for all companies, many parts of the regulation are increasingly being seen as a best practice by financial services companies.
On March 5, 2018, the Pennsylvania Attorney General sued Uber for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose the 2016 breach discussed above. The complaint alleges that the data breach included nonpublic information of at least 13,500 state residents and that Uber failed to provide timely notice to these residents. The BPINA requires companies to provide notice to affected individuals “without unreasonable delay” and the Attorney General alleges that Uber failed to meet this standard by waiting until November 2017 to disclose the 2016 incident. Among other remedies, the Attorney General is seeking a civil penalty of $13.5 million. The BPINA allows civil penalties of $1,000 or $3,000 per violation depending on the consumer’s age.
State Enforcement of Data Breach Laws
Despite the differences among the state data breach notification laws, many state attorneys general's offices have something in common: they are becoming more active in the data privacy area. The offices are hiring dedicated privacy and data security staff to enforce their state data breach notification laws. In an annual data breach report released on October 11, 2017, the Washington state Attorney General recommended that businesses work to identify and resolve data breaches more quickly and that policymakers investigate whether to require even faster notice to the Attorney General and affected consumers after a breach.
Since many of the state laws require companies to notify the Attorney General's office of data breaches impacting state residents, companies should not assume that these offices will simply park these reports in long-term storage. Companies should expect to continue to see more state enforcement actions targeting companies in any industry that are not adequately protecting consumer data and promptly notifying consumers of data breaches. Companies should also expect to see more state attorneys general's offices pushing for changes to existing data breach notification and other laws to add more protections for their state residents.
Federal Law Developments
The recent spate of large breaches could spur developments at the federal level, even though the charged political environment and conflicting authority over privacy matters among Congressional committees have stymied similar legislative efforts in the past. The Cyber Breach Notification Act of 2017 was introduced in the House in October 2017 and the Data Security and Breach Notification Act was introduced in the Senate in November 2017. Other proposals include H.R. 3816 introduced in September 2017, the Personal Data Notification and Protection Act of 2017 introduced in the House in September 2017, the Secure and Protect Americans' Data Act introduced in the House in October 2017, and the Consumer Privacy Protection Act introduced in the Senate in November 2017. Most of the proposals would establish a nationwide standard for data breach notifications that would preempt the current patchwork of state breach notification laws. However, none of the proposals has gained substantive traction in Congress yet.
On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) issued a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Companies had previously relied on SEC staff-level guidance and although the new interpretive guidance is similar to the prior staff guidance, the new interpretation carries the greater authority of the SEC. Among other things, the guidance addresses the application of disclosure controls and procedures. Specifically, it provides guidance on what information regarding cybersecurity incidents companies must disclose, to whom, and how.
Case Law Developments
Legislators and regulators have not been the only agents for change in the data breach law landscape. There were at least two important decisions in 2017 addressing the application of the attorney-client privilege and work-product protections to a company’s data breach response. In litigation stemming from a data breach suffered by a health care company, an Oregon federal judge ordered the company to produce documents created by a computer forensic firm that the company had hired to assess the data breach. The court found that the documents created by the forensics firm were for a business purpose and not in order to obtain legal advice or in anticipation of litigation. In re Premera Blue Cross Customer Data Security Breach Litigation, Case No. 3:15-md-2633-SI, 2017 WL 4857596 (D. Or. Oct. 27, 2017).
Addressing a very similar situation, a California federal judge found that a data breach investigation report created by a computer forensic firm was protected under the work-product doctrine. In re Experian Data Breach Litig., No. 8:15-cv-01592, 2017 WL 4325583 (C.D. Cal. May 18, 2017). The deciding factor, and the distinction from the Oregon case, is that the computer forensic firm was hired by outside counsel in response to the data breach, rather than by the company itself. Since these forensic firm reports contain critical information, making them a gold mine for plaintiffs' lawyers following a data breach, judicial interpretation of the applicability of the work-product doctrine to these matters will be crucial. The practical lesson is that how a company engages its forensic firm, and for what stated purpose, may determine whether the resulting report is discoverable.
Predictions for the Remaining Three Quarters of 2018
Although "Fast and Furious" may be a catchy title for a movie franchise, it is also an apt description of the current data privacy landscape. Lawmakers seldom relinquish the spotlight and the opportunity to push for reform, so we are likely to see more data breach requirements adopted in 2018. State regulators considering data breach law reforms, or even more comprehensive cybersecurity regulations, will likely refer to the NYDFS cybersecurity regulation. Although the states will continue to be active on the legislative, regulatory, and enforcement front, renewed legislative activity at the federal level may increase the prospect of a federal standard for breach responses that could preempt the patchwork of state requirements. In addition, companies that market to or process the personal information of European Union (EU) data subjects must prepare for the May 25, 2018 effective date of the EU's General Data Protection Regulation (GDPR), and should review their reliance on the Privacy Shield, the EU-U.S. framework that permits the transfer of such information from the EU to the U.S. in compliance with EU data protection requirements.
As all of these requirements continue to change, companies must ensure that they continue to properly balance required consumer protections and the logistical realities of responding to cyberincidents. Companies should monitor and learn from the data breach responses of other companies and continually refine their data breach response programs to ensure they stay on track to respond to a data breach in a timely manner, in compliance with the ever-changing legal requirements – and perhaps stay out of the headlines.
Just as practice helps professional drag racers drive faster on the track, companies should not wait until their first data breach to take their data breach response program out for a test drive. Regulators expect companies to timely notify their customers of a data breach and in order to do this, companies need to have a preplanned and practiced response program in place.
Companies should also carefully monitor their consumer data sharing programs to ensure that they both understand the nature and scope of these programs and that they are also providing appropriate disclosures to consumers regarding these programs. Data sharing programs will likely remain in the spotlight throughout 2018 due to the Facebook incident.
A yellow privacy caution flag will remain out for the remainder of 2018. Buckle up and make sure your company is prepared for the cyber-ride.
If you have questions about this alert, please contact one of the authors or any other member of the firm's Cybersecurity and Data Privacy Team or Consumer Financial Services Team.