Articles Posted in Cybersecurity and Privacy

Posted
By

Be careful what you’ve promised your customers … or what has been promised about data you buy!

In today’s world, consumer data is a huge asset for companies across all industries, in particular those in technology-focused spaces like social media, apps, wearables, and retailers involved in e-commerce. The value of such data, however, is at least partly dependent on the extent to which the data can be transferred to third parties without restrictions on use. The ability of a company to sell or otherwise transfer its consumer data, whether in a merger, acquisition or otherwise, typically ties back directly to statements made in the company’s privacy policy. As illustrated by RadioShack’s recent bankruptcy sale, the latest in a series of high-profile examples over the years on this topic, promising not to share consumer information can create a significant obstacle for future asset sale transactions.

For more information, check out our Client Alert.

Posted
By

As more and more companies of all sizes ranging across a wide spectrum of industries have been exposed to network and data security breaches in recent years, the market for insurance products dedicated to cover cyber risks has grown just as fast. With policies sold under names like “cyberinsurance,” “privacy breach insurance,” “media liability insurance” and “network security insurance,” the market for this coverage often seems chaotic, with premiums and terms varying dramatically from one insurer to the next.

For more information, please read our Client Alert.

Posted
By

Part 2: How are Limits of Liability Evolving, with Respect to the Issue of Data Breaches?

Ten years ago, most “buyers/customers” expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer’s data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier’s potential liability for data breaches.

When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount that is greater than the “standard” limit of liability under the Agreement (i.e., greater than the standard financial cap applicable other contract breaches).

Continue reading

Posted
By

Part 1: Contractual Protections With Respect to Data Breaches

Given the unrelenting, it seems, news reports of cyber attacks and data breaches affecting customer records and data, the issue of what are the appropriate contractual provisions that should govern data breaches in a contract between customers and suppliers remains timely, sticky, and constantly-evolving. Below are several observations regarding contractual language and protections with respect to data breaches, where a supplier has access to and/or could cause or allow a customer’s data to be breached.

  • Customers continue to insist upon strict terms and conditions requiring their suppliers to protect the customer’s confidential information, including with respect to the customer’s (i) data (i.e., information stored in equipment and software), (ii) Personally Identifiable Information (PII), and (iii) Protected Health Information (PHI).
Continue reading

Posted
By

Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats.  Cyber threats have emerged as a growing systemic risk particularly to the financial sector in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication.   Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons.  This post summarizes what regulators are doing in the Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

What are EU regulators proposing to improve FMI cybersecurity?

The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.

Continue reading

Posted
By

The security community has been abuzz this week with the US. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham’s information security practices including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).

Continue reading

Posted
By

Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011.  Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.

Not only being the subject of much academic debate, European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators.  These provide layers of at times arguably conflicting commentary on how to comply with the law.

Whilst question marks hang over key issues (e.g.

Continue reading

Posted
By

This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

lookout-300x187.jpg
Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today.  The Cybersecurity Framework,

anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.

Continue reading

Posted
By

On February 12, 2014, the National Institute of Standards and Technology (“NIST“) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework“)

and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap“).

The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.

Continue reading

Posted
By

Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.

  • Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
  • Access to Customer Data or Systems from Offshore. This issue turns the item above on its head, a bit: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.
Continue reading