Data Breach

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  FTC Chairwoman Edith Ramirez referred to the case as “one of the largest data breaches that the FTC has investigated to date.”

According to the FTC’s complaint, despite Ashley Madison’s representations that it was “100% secure” and “risk free,” the website failed to implement reasonable data security practices.  Specifically, the FTC cited several data security failures, including the lack of a written information security policy, reasonable access controls, employee data security training, or oversight over third-party service providers, and a failure to use “readily available security measures” to monitor its systems.  The complaint also alleged that Ashley Madison staff deceptively created fake profiles as a way to attract users, with no way for users to tell real profiles from fake ones.
Continue Reading Ashley Madison Settles Data Security and Deception Charges

On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity issues.  The FTC’s data breach response guidance focuses on three main steps:  securing systems and data from further harm, addressing the vulnerabilities that led to the breach, and notifying the appropriate parties. 
Continue Reading FTC Issues Guidance for Responding to Data Breaches

On October 11, 2016, the finance ministers and central bank governors of the Group of 7 (G-7) countries announced the publication of the Fundamental Elements of Cybersecurity for the Financial Sector, a non-binding guidance document for financial sector entities.  The publication describes eight fundamental “elements” of effective cybersecurity risk management to guide public and private sector entities in designing cyber security programs based on their specific risk profile and culture.  The goal of the G-7 is to provide a common framework for the financial sector to develop security programs that will “help bolster the overall cybersecurity and resiliency of the international financial system.”

The eight elements describe the core components of a comprehensive cybersecurity program, while leaving the strategic and operational details to each entity.  The publication is not intended to serve as a binding, one-size-fits-all set of requirements; rather, it describes high-level programmatic “building blocks” that each entity can customize to its own security strategy and operating structure.  Each entity should tailor its application of the elements based on an evaluation of its “operational and threat landscape, role in the sector, and legal and regulatory requirements,” and be informed by its specific “approach to risk-management and culture.”
Continue Reading G-7 Publishes Fundamental Elements of Cybersecurity for the Financial Sector

Today, our colleagues Susan Cassidy, Ashden Fein, and John Sorrenti posted an article on Inside Government Contracts about the Department of Defense (DoD) issuing a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors. The article can be read here.
Continue Reading DoD Finalizes Rule on Policies for Cyber Incident Reporting

On October 5, 2016, the UK Information Commissioner’s Office (“ICO”) fined telecoms company TalkTalk a record £400,000 for failing to put in place appropriate data security measures and allowing a cyber-attacker to access TalkTalk customer data “with ease.”  The ICO highlighted several technical and organizational deficiencies as justification for issuing its largest fine to date.  Many of these failings are unlikely to be unique to TalkTalk; organizations across all sectors should take note.

Background

Between October 15 and 21, 2015, a cyber-attacker took advantage of technical weaknesses in three of TalkTalk’s webpages.  As is often the case with weaknesses in cyber defences, the relevant infrastructure had been inherited as part of a previous acquisition.

The attacker accessed the personal data of over 150,000 customers, including their names, addresses, dates of birth, phone numbers and email addresses.  The attacker also accessed bank account details and sort codes in over 15,000 cases.

The attack has been subject to widespread media coverage and even led to a Parliamentary inquiry and report.  TalkTalk decided to go public early.  Its CEO, Baroness Dido Harding, appeared on major news outlets globally, including the BBC’s flagship evening program, to warn customers about the potential attack.  (This was a risky strategy: Baroness Harding initially suggested the attack may have impacted over 4,000,000 customers — this turned out to be a 95% over-estimation — and came under fire for not knowing whether the data had been encrypted.)
Continue Reading Inherited Infrastructure, Outdated Software, And Other Failings That Led To TalkTalk’s Record Fine

On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint.

Commission Regulation No 611/2013 (“the Notification Regulation”) and the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) require telecommunication service providers to report personal data breaches within 24 hours of their “detection.”  TalkTalk’s appeal focused on the extent to which an internal investigation can take place before it is deemed to have “detected” a breach.
Continue Reading UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks.  The proposed regulation will be subject to a 45-day comment period once it is published in the New York State
Continue Reading New York State Proposes Cybersecurity Regulation for Financial Services Institutions

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements.

Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application.
Continue Reading Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Data breaches suffered by retailers and other businesses that handle payment cards can result in substantial assessments by card brands such as MasterCard and Visa. Retailers typically do not process payment card transactions directly with the banks that issue their customers’ cards. Instead, they contract with an intermediary—called an acquiring or servicing bank—to process their customers’ card transactions with the card-issuing banks. In the event of a payment card data breach, the card brands typically impose assessments on the retailer’s acquiring bank, which in turn pursues indemnification under its service contract with the retailer.

That was the situation in P.F. Chang’s v. Federal Insurance Co., in which a federal district court in Arizona recently held that Chang’s had no cyber coverage for over $1.9 million in credit card assessments that it had to pay as a result of a data breach. The Chang’s court found that the Federal cyber policy’s “Privacy Injury” coverage did not respond to an acquiring bank’s claim against Chang’s for reimbursement of card brand assessments, because the Federal policy’s definition of “Privacy Injury” required that the compromised confidential records at issue be the claimant’s. As is typical, the payment card information stolen by the hackers belonged to Chang’s customers and the card-issuing banks, not the acquiring bank that made the actual claim for reimbursement by Chang’s.
Continue Reading P.F. Chang’s Ruling Highlights Potential Pitfalls of Cyber Insurance