Insurance Carrier Must Defend Its Insured Who Inadvertently Published Private Medical Records on the Internet

The Fourth Circuit Court of Appeals affirmed a Virginia federal district court’s decision that examined the language of a commercial general liability (CGL) policy and held that an insurance carrier was required to defend its insured, a medical records company, in a class-action lawsuit after the insured inadvertently published private patient medical records on the Internet. See Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016).

Both the Virginia District Court and the Fourth Circuit rejected the insurance company’s argument that there cannot be a “publication” unless its insured intended to communicate information to others. In so doing, the courts reasoned that the insurance carrier had a duty to defend because its CGL policy did not provide clear enough language as to what conduct constituted a “publication.”

This decision shows that there may be coverage for data breaches under policies other than those written specifically for data breach scenarios, i.e., cyber liability insurance policies. That said, the Travelers opinion is likely limited to inadvertent publications by an insured, rather than a hacker breaking into a network and then publishing information on the Internet.

Plaintiffs in P.F. Chang’s Data Breach Litigation Survive Standing Challenge

In response to an April 2014 data breach, P.F. Chang’s Bistro, Inc. effected a rapid response plan in an attempt to minimize potential injury to its consumers. The restaurant announced that its computer system had been hacked and card data had been stolen, conceding that it did not know how many consumers were affected, whether the breach was limited to certain locations, or how long the breach lasted. As an additional precautionary measure, P.F. Chang’s also switched to a manual card-processing system and encouraged all customers to monitor their credit reports for new activity.

Last week, in Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. Apr. 14, 2016), the Seventh Circuit Court of Appeals again held that two plaintiffs who filed a class action suit against the restaurant had the Article III standing required to survive dismissal. Citing its July 2015 decision in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Court concluded that the P.F. Chang’s plaintiffs’ alleged injuries were sufficient to support a lawsuit: the consumers were at an increased risk of fraudulent charges and identity theft.

In reaching its decision, the Seventh Circuit pointed to P.F. Chang’s remedial efforts to limit consumers’ exposure to the breach. Specifically, P.F. Chang’s addressed customers who dined at all of its restaurants in its initial press release, and advised consumers to monitor their credit reports, “rather than simply the statements for existing affected cards.” The court explained that by doing so, the company implicitly acknowledged that there could be a substantial risk of harm from the data breach. P.F. Chang’s eventually determined that only thirty-three of its restaurant locations had been affected, a fact which, the court stated, could create a factual dispute on the merits but would not destroy standing.

The Seventh Circuit’s decision underscores that the initial Article III hurdle for data breach plaintiffs is not high, and should inform how a company frames its public reaction to a potential breach.

EU-US Privacy Shield: US Companies Should Adopt and Apply Its Data Privacy Principles

The EU and US have announced another agreement requiring US companies to self-certify that they are compliant with certain data privacy principles in order to conduct transatlantic data transfers. This agreement is called the EU-US Privacy Shield (“Privacy Shield”) and is similar to its predecessor, the Safe Harbor program, but requires US companies to conform to more stringent data privacy standards. Although the EU and US have announced this deal, the Privacy Shield has not yet been finalized or enacted, as the authorities are still negotiating a final version of the agreement.

During this interim, US companies that intend to do business in Europe over the long term should consider adopting the Privacy Shield’s published Privacy Principles into their business practices. If they do so, they would not only put themselves on a fast track to self-certification under the Privacy Shield, but would also minimize their exposure to data privacy/breach liability in the US.

Under the first published draft of the Privacy Shield, US companies must adopt and implement certain Privacy Principles in order to collect, store and transfer EU personal data. The Privacy Principles are, in general, sound data privacy and security policies and procedures that, when implemented, would help a company minimize its exposure to data breach liability here in the United States (e.g., under Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state data breach notification laws, etc.).

In fact, where US law does not already require a given Privacy Principle, most of these principles have been endorsed as good practices in administrative and judicial decisions applying US privacy and data breach laws.

A closer look at the Privacy Shield’s Privacy Principles shows how they can minimize US companies’ liability exposure while building goodwill with their consumers.

The Privacy Shield requires US companies that collect, store and transfer EU personal data to adopt and implement into their business practices and policies, the following:

(1)   Notice. US companies must give their data subjects notice of how they process the data they collect, store and transfer; the draft lists 13 required notice items, including:

  • the type of data they are collecting,
  • the purpose of processing their data,
  • the right to access their data,
  • the right to choose whether the US companies can continue to collect, store and transfer their data (i.e., opt-out),
  • the conditions for onward transfers of their data, and
  • who is liable and what remedies are available to them for security breaches involving their data.

US companies should provide this notice in the Privacy Policy posted on their websites for their data subjects to review. In that website Privacy Policy, US companies must include links to the US Department of Commerce’s website for additional information on self-certification, the rights of data subjects and available recourse mechanisms. US companies must also reference their Privacy Shield self-certification and identify an appropriate independent dispute resolution provider (see Recourse, Enforcement and Liability below).

(2)   Choice. US companies must give their data subjects a choice to opt out of the collection, storage and transfer of their data, in particular when a US company changes its data privacy practices. If a US company is a direct marketer, special opt-out rules apply that must allow data subjects to opt out at any time from the use of their personal data for direct marketing.

(3)   Security. US companies collecting, storing and transferring personal data must take “reasonable and appropriate” security measures to minimize the data security risks involved in the collection, storage and transfer of such personal data. These measures matter because, after any data security breach, the adequacy of a company’s security measures will be the key subject investigated and litigated. If US companies subcontract any of their security obligations under the Privacy Shield, the subcontracted services must be memorialized in an executed agreement in which the subcontractor guarantees the same level of protection as the Privacy Shield (i.e., the Privacy Principles) and guarantees implementation of those protective measures.

(4)   Data Integrity and Purpose Limitation. US companies must limit the collection, storage and transfer of personal data to what is relevant to, and compatible with, the purposes noticed in their Privacy Policy, and must take reasonable steps to keep the data they use accurate, complete and current.

(5)   Access. US companies must provide Access rights to EU data subjects to their data as follows:

  • provide access to their data without requiring a justification (i.e., the data subject need not give a reason),
  • respond to Access requests without an excessive fee,
  • respond to Access requests within a “reasonable” time frame,
  • confirm whether they are processing the data subject’s data, and
  • provide Access to correct, amend or delete personal information where it is inaccurate or has been processed in violation of these Privacy Principles.

The Access rights stated above are subject to a few limited exceptions that apply only in exceptional circumstances. Otherwise, US companies bear the burden of showing that these Access rights are being provided to EU data subjects.

(6)   Accountability for Onward Transfer. When transferring EU personal data onward to a third-party controller or processor, US companies remain accountable for that onward transfer and must:

  • limit the transfer to a specified purpose;
  • transfer only under the terms of an executed agreement;
  • transfer only if that agreement provides the same level of protection as the one guaranteed by the Privacy Principles; and
  • as controllers, remain accountable for all compliance problems unless caused by act(s) of gross negligence by the processor.

(7)   Recourse, Enforcement and Liability. If something goes wrong with EU personal data while it is being collected, stored or transferred, US companies must have in place effective redress mechanisms to deal with the resulting complaints, which include the following:

  • US companies must publish in their Privacy Policy a Data Privacy/Security Contact Person, inside or outside the company, who handles all data privacy/security complaints. This is required so that individuals can file complaints directly with Privacy Shield companies.
  • US companies must respond to all data privacy/security complaints within 45 days of receipt.
  • Such responses to complaints must “provide an assessment of the merits of the complaint and, if so, information as to how the organization will rectify the problem.”
  • US Companies must “retain their records on the implementation of their privacy polices and make them available upon request in the context” of a data privacy/security investigation or complaint.

EU data subjects can also bring complaints to the independent EU data protection authorities (DPAs), which will investigate and attempt to resolve individual complaints and provide appropriate recourse to EU data subjects free of charge.

In addition, Privacy Shield companies must offer alternative dispute resolution through an independent dispute resolution provider, free of charge. As a last resort, EU data subjects may invoke binding arbitration before a “Privacy Shield Panel” arbitrator appointed by the US Department of Commerce and the EU Commission.

The US Department of Commerce, Federal Trade Commission and other data protection authorities will also have the authority to investigate and prosecute US companies for non-compliance with the EU-US Privacy Shield.

(8)   Self-Certify. US companies must annually self-certify that they comply with the Privacy Shield’s principles and practices. “This can be done through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the company’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing and random checks.” Additionally, US companies must file their self-certification of adherence to the Privacy Principles with the Department of Commerce, which will then publish the self-certifying US companies on a “Privacy Shield List.”

Like all legal matters, some of the Privacy Shield rules identified above are subject to exceptions. Additionally, there are other provisions of the Privacy Shield, not discussed here, that may apply to US companies in worst-case data security breach scenarios.

As discussed in our last blog article, the EU Commission’s subcommittees are now reviewing the Privacy Shield with the purpose of submitting comments to the EU Commission. Once these comments are received, the EU Commission will either approve the Privacy Shield or require additional edits to it. During this EU review period, new laws will likely need to be enacted in the US to authorize and facilitate the privacy authority and procedures set forth in the Privacy Shield. Expect another update on edits to the current draft of the Privacy Shield. It may be another 6 to 12 months before the Privacy Shield has been enacted and is fully effective.

In the interim, adopting the above Privacy Shield rules into your business practices would put you on a fast track to compliance with the EU-US Privacy Shield once it has been enacted, and would also build goodwill with your consumers and minimize your exposure to data breach liability under the Privacy Shield and US federal and state laws.

FBI’s Demand for an Apple iPhone Hack Could be Turning Point for Business

We’ve all heard of Apple’s refusal to provide a “back-door” to bypass the security features on an iPhone belonging to the perpetrator of the terrible terrorist attack in California. That law enforcement wants to investigate the data does not concern me. But the subpoena directs Apple to create a program that will bypass its own security to unlock the phone to retrieve data not captured in the last iCloud backup.

Many think the government’s actions are justified, and see no reason why the data on this phone should be protected. The FBI is proceeding pursuant to a lawfully obtained court order, and therefore argues that its request will only affect this one investigation, into this one phone, and could save additional lives. But where will the government’s ability to reach into a private business lead?

Although Apple has cooperated with law enforcement on numerous occasions in the past, for a myriad of reasons, Apple refuses to create this “hack” of its own software. I find it troubling that the subpoena requires Apple to affirmatively build a new program. This is not a case where the technology is available, and they just need Apple to access or apply it. How far may the government go in requiring a business to devote time, resources and expertise to developing a technology for use in a “single” investigation?

And that begs the question: is this really a single-use instance? A program that would be able to crack open this phone will also be able to open all phones running the same operating system. Will law enforcement then regularly issue subpoenas to Apple to hack other phones, in less compelling circumstances? Or will they subpoena other businesses, directing them to devote their assets to assist in investigations, arguing that the precedent is set?

Once created, it will be virtually impossible to prevent unauthorized access or prohibit inappropriate use of the hacking tool. Anything used in the cyberworld is at risk. As we have seen time and again, even the most sophisticated corporations are breached by talented hackers looking for a way in. The fact of a lawfully ordered subpoena in this case is of little consequence. China is Apple’s second largest market. Will the Chinese government seek a court order from an American court, consistent with due process principles, before demanding that Apple provide access to iPhones there? Doubtful.

The government has a compelling argument that they are acting for the safety of the American people. Apple has a legitimate interest in protecting its technology, the privacy of its customers, and its ability to do business in other countries, all to preserve its bottom line. It will be interesting to see which market powerhouse – the U.S. Government or the world’s richest company – prevails.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic stripe cards), in the event of a data breach their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted to “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach, which involved transactions in late 2015; the firm discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

EU-US Privacy Shield: What Does this Mean for the Private Sector?

It’s déjà vu all over again: the EU and US have announced that they have reached an agreement in principle on new rules governing transatlantic data transfers. They are now finalizing their agreement, which will be called the EU-US Privacy Shield. The EC announced that it will prepare a draft “adequacy decision” on the Privacy Shield in the upcoming weeks (ETA: end of February).

At this time, deal terms of this agreement related to the private sector are slowly being disclosed, such as:

  • “Strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”.
  • US companies will be required to declare that, based on their interpretation of the Privacy Shield and related laws, they are compliant with it. Companies that break the terms of the agreement would face escalating sanctions, up to and including “removal from the list” of those firms legally allowed to collect EU citizens’ data and transfer it to the U.S.
  • The Department of Commerce and the FTC will have significant roles in enforcing the terms of the agreement. It appears that the US Department of Commerce will monitor what companies publish as their commitments to protect and secure personal data, and the FTC will be in charge of enforcement under US law.
  • There will be regulations for companies handling human resource data from Europe, requiring at a minimum that they comply with decisions by EU’s data protection authorities.
  • There will be new complaint procedures for EU citizens to utilize to complain about misuse of their personal data in the US, from making initial complaints to the particular US company, all the way to complaint procedures involving the US Department of Commerce and FTC.

The Privacy Shield has already received criticism. Some argue that it is really not an agreement/treaty, but a letter of understanding or pledge. Others argue that it will be struck down by the European Court of Justice.

As this all works itself out over the next several months, the Article 29 Working Party, the body made up of representatives of the individual European Member States’ data protection authorities (DPAs), has announced that it has agreed to allow more time for the EU and US to finalize the Privacy Shield and will not be taking enforcement action against companies that are using alternative transfer mechanisms (contracts) in the wake of last year’s invalidation of Safe Harbor (Schrems).

We will need to actually see the Privacy Shield language in order to provide compliance advice. However, in the interim, we will continue to monitor the finalization of this agreement (ETA: end of April) and provide updates to you.

The Use of Human Emotions

Organizations of all sizes, across all regions, and all sectors face an evolving risk from cyber criminals. Because businesses have become increasingly dependent upon technology, cyber criminals have shifted from theft of physical assets to the theft of electronic information. The growing use of technology-enabled processes exposes businesses to cybercrime – from direct theft of data (leading to financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). Cybercrime can threaten processes from point of sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.

Cyber criminals have shifted their focus away from purely technological attacks and have increasingly attacked employees through techniques that manipulate people into performing actions or divulging confidential information. Security is all about knowing who and what to trust. It does not matter how many locks you install if the person you trust at the gate lets in criminals. In the cyber world, the weakest link in the security chain is the human operator who accepts a person or scenario at face value. Thieves target this vulnerability. Securing hardware and software is relatively easy; it is the employees within an organization who sometimes fall prey to cyber attacks.

Criminals exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology; it depends upon human error. These schemes are among the most difficult crimes to prevent, as they cannot be defended against through hardware or software alone.

Because technical controls alone cannot stop social engineering attacks, organizations should also implement good security protocols. In order to build defenses against social engineering attacks, organizations need to design and implement comprehensive security practices:

  • Training Programs: Companies should invest in security training programs and update their employees on security threats.
  • Policies and Procedures: Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack. Strong policies should include proper password management, access control, and handling of sensitive user information.
  • Risk Assessment: A risk assessment helps management understand risk factors that may adversely affect the company and track existing and upcoming threats. Determining security risks helps enterprises to build defenses against them.
  • Security Incident Management: To manage the incident, the help desk must be trained to track (among other things) the target, their department, and nature of the scheme. Such protocols will enable a company to actively manage the risk of the breach to mitigate potential losses.

EMV Chip Cards – Falling Behind the Curve Could Mean Liability for Merchants and Card Issuers Alike

During the holiday season, stores throughout the United States process millions of credit card transactions per day. Although this flurry of sales activity is good for business, it also comes with a potential risk of liability if the credit cards used in those transactions carry chip-card technology that the merchants’ payment terminals cannot process.

During the past year, credit card issuers have been transitioning to Europay, Mastercard, Visa (“EMV”) chip cards, which contain a smart microprocessor chip. Using the chip reader in the payment terminal, the chip takes part in the exchange between the merchant’s terminal and the card issuer that authenticates the card and completes the sales transaction. Unlike magnetic stripe cards, whose data is static and can be copied and replayed, chip cards generate a unique, cryptographically derived code for each transaction that cannot be reused. This “dynamic” data helps guard against counterfeit-card fraud when card data has been compromised in a data or security breach, although it does not by itself keep the card number from being stolen or from being used where no chip is read (see below on card-not-present transactions). Some chip cards also require the cardholder to enter a PIN. This chip card technology requires new payment terminals that many merchants have not yet implemented.
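As an added illustration, not code from the original post and not the EMV specification itself, the following Python sketch models why a per-transaction “dynamic” code defeats replay of captured card data while static magnetic stripe data does not. It substitutes an HMAC over the transaction fields, keyed with a constructed card-unique key, for EMV’s issuer-derived 3DES/AES session keys and Application Request Cryptogram (ARQC); the card number, keys, track data and amounts are constructed sample values.

```python
"""Simplified model of static magstripe data vs. an EMV-style dynamic cryptogram.

Illustration only (not the EMV specification): real cards derive a session key
from an issuer master key and the Application Transaction Counter (ATC) with
3DES or AES and return an ARQC; here HMAC-SHA256 over the same kinds of fields
stands in for that MAC. All PANs, keys, track data and amounts are constructed.
"""
import hashlib
import hmac
import os


def _cryptogram_input(pan: str, amount_cents: int, atc: int, unpredictable_number: bytes) -> bytes:
    """Fields the card MACs and the issuer independently re-MACs."""
    return f"{pan}|{amount_cents}|{atc}|{unpredictable_number.hex()}".encode()


class ChipCard:
    """Holds a card-unique secret (never leaves the chip) and an increasing ATC."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        # The terminal supplies a fresh unpredictable number (UN) for every transaction.
        self.atc += 1
        msg = _cryptogram_input(self.pan, amount_cents, self.atc, unpredictable_number)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        # This is all the terminal forwards to the issuer; nothing secret is in it.
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "arqc": mac}


class Issuer:
    def __init__(self):
        self._card_keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self._card_keys[pan] = card_key
        self._last_atc[pan] = 0

    def authorize_magstripe(self, track_data: str, amount_cents: int) -> str:
        """Static data: the issuer can only check that the account exists, so
        anything skimmed from one swipe authorizes the next one too."""
        pan = track_data.split("=")[0]
        return "APPROVE" if pan in self._card_keys else "DECLINE: unknown card"

    def authorize_chip(self, request: dict, terminal_un: bytes) -> str:
        pan = request["pan"]
        key = self._card_keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        # 1. Recompute the cryptogram over the amount and the UN this terminal generated.
        msg = _cryptogram_input(pan, request["amount"], request["atc"], terminal_un)
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["arqc"]):
            return "DECLINE: cryptogram mismatch (replay or tampering)"
        # 2. The ATC must move forward; a re-sent genuine cryptogram is rejected.
        if request["atc"] <= self._last_atc[pan]:
            return "DECLINE: ATC not increasing (replay)"
        self._last_atc[pan] = request["atc"]
        return "APPROVE"


def run_demo() -> dict:
    """Runs the scenarios and returns the issuer's decision for each."""
    issuer = Issuer()
    pan = "4111111111111111"                       # constructed test PAN
    card_key = b"constructed-card-unique-key"      # constructed; provisioned at personalization
    issuer.enroll(pan, card_key)
    card = ChipCard(pan, card_key)
    results = {}

    # Magnetic stripe: the track data skimmed at a breached POS is all an attacker needs.
    track = f"{pan}=2512101"                       # constructed track-2-style data
    results["magstripe_first"] = issuer.authorize_magstripe(track, 4_250)
    results["magstripe_replay"] = issuer.authorize_magstripe(track, 59_999)

    # Chip: a genuine transaction at terminal 1.
    un1 = os.urandom(4)
    req1 = card.generate_cryptogram(4_250, un1)
    results["chip_first"] = issuer.authorize_chip(req1, un1)

    # The captured request is replayed at terminal 2, which has its own UN.
    results["chip_replay_new_un"] = issuer.authorize_chip(req1, os.urandom(4))
    # Even with the original UN, the stale ATC gives the replay away.
    results["chip_replay_same_un"] = issuer.authorize_chip(req1, un1)

    # Amount altered in transit after the card signed it.
    un3 = os.urandom(4)
    tampered = dict(card.generate_cryptogram(4_250, un3), amount=59_999)
    results["chip_tampered_amount"] = issuer.authorize_chip(tampered, un3)

    # A later genuine transaction still works.
    un4 = os.urandom(4)
    results["chip_second_genuine"] = issuer.authorize_chip(card.generate_cryptogram(1_200, un4), un4)
    return results


if __name__ == "__main__":
    for scenario, decision in run_demo().items():
        print(f"{scenario:24s} {decision}")
```

The point the model makes is the one in the paragraph above: a breach of a merchant’s systems yields the same static data a magnetic stripe carries every time, so it can be replayed, whereas the chip’s per-transaction code is bound to the terminal’s unpredictable number, the amount and a counter that the issuer tracks. It also shows the limit: the stolen PAN is still visible in the chip request, which is why card-not-present channels remain exposed.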

Although the card issuers themselves have not completed the replacement of existing magnetic stripe cards with EMV chip cards, the issuers imposed an October 2015 deadline on merchants and card payment processors to become EMV-ready. After October 2015, under the modified terms of their agreements with the card networks (e.g., VISA, MasterCard, American Express, Discover), merchants who accept credit cards and who are not EMV-ready may be liable for counterfeit-card fraud (and, under some networks’ rules, lost-or-stolen-card fraud) on those transactions, and may also be fined and/or sanctioned by the card networks for failing to meet the data security standards promulgated by the Payment Card Industry Security Standards Council, the industry body that issues data and cybersecurity standards for the payment card sector. Liability shifts to the party that used the lower level of security and EMV compliance. This means that, for example, a merchant may be assigned liability for a fraudulent transaction if the purchase was made with a chip card but the merchant was not capable of processing the chip and instead used the magnetic stripe. Conversely, the card issuer may be assigned liability if the merchant was EMV-capable but the card issuer had not issued a chip card to the consumer.

Notably, the EMV liability shift does not apply to purchases where the card is not physically presented, including online and telephone transactions; those card-not-present transactions remain exposed to fraud using stolen card numbers.

Although they impose increased liability and breed disputes between potentially liable parties, EMV chip cards and their attendant standards and rules are intended to provide more consumer protection and create an incentive for merchants, card issuers, and payment processors alike to conform with best practices in an ever-evolving world of data and cybersecurity challenges.

Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance

Gordon & Rees Partner, Matthew Foy, recently co-authored an article published in DRI’s In-House Defense Quarterly, entitled “Sony’s Interview Quagmire: A Watershed Moment for Cyberinsurance.” The article addresses the implications of the November 2014 Sony data breach and discusses why companies of all sizes should be giving a hard look at the cyberinsurance market and not simply relying on their CGL policies. To learn more about this topic, please see the full article, which is available here.

Insurance Coverage for Social Engineering Losses

Cyber criminals employ a variety of tactics—such as hacking, phishing or baiting schemes—to steal a business’s money, property or proprietary information. The term “social engineering” is applied to schemes that use technology, not to steal directly from the business, but to manipulate employees into unwittingly performing acts, transferring assets or divulging confidential information. A common social engineering loss scenario involves a trusted employee who is induced, by a spoofed email or forged written instructions from someone impersonating a customer, a vendor or a senior officer of the company, to instruct the employer’s bank to wire funds to the imposter’s account.

Many businesses mistakenly believe that traditional commercial crime policies cover all such cyber-related losses. Although commercial crime policies have traditionally included computer fraud and funds transfer fraud, courts interpreting the scope of such coverages have generally distinguished between: (1) losses where a thief hacks the insured’s computer systems; and (2) losses where the insured voluntarily transfers funds. Courts have generally allowed coverage for the first category of loss. In contrast, losses from the voluntary transfer of funds, including social engineering losses, are generally not covered because they do not arise “directly” from the use of a computer to fraudulently cause a transfer of property; they arise from an authorized transfer of funds.

Social engineering loss is difficult to prevent; it cannot be defended against through hardware or software alone. Insurance coverage against social engineering risks, however, is available, usually by endorsement to commercial crime policy forms. Such coverage typically covers direct loss resulting from the intentional misleading of an employee through an electronic or written instruction, sent by a person who purports to be a vendor, client or employee, that directs the employee to transfer, pay or deliver money or property and contains a misrepresentation of material fact on which the employee relies.