It’s been awhile since last we published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.

Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
Continue Reading OCR: Ransomware Attack Often Is a Data Breach

On Wednesday, President Obama signed the federal Defend Trade Secrets Act of 2016 (the “Act”) that passed both houses of Congress in late April.  The statute is the first federal statutory protection afforded to trade secrets and could have a significant impact on trade secrets litigation nationwide.  The passage of the law comes as no surprise, and much has already been written about what it means for the future of these disputes.  But what about those who are currently involved in trade secrets litigation —could the Act change the course of those cases?  There is not a definitive answer, but it is something that all litigants should consider now that the Act has become law.

The first question is whether the Act applies at all in such instances. The Act applies to “any misappropriation of a trade secret (as defined in section 1839 of title 18, United States Code, as amended by this section) for which any act occurs on or after the date of the enactment of this Act.” S. 1890, 1144th Cong. § 2(e) (emphasis added). “Misappropriation” is defined as “(A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or (B) disclosure or use of a trade secret of another without express or implied consent.  18 U.S.C. § 1839(5).  So, in litigation where the “use” of trade secrets is ongoing, there may be an argument that the Act applies.
Continue Reading Impact of Defend Trade Secrets Act on Pending Cases is Unclear

On May 11, 2016, President Obama signed into law the Defend Trade Secrets Act (DTSA). Unlike other forms of intellectual property, trade secrets issues have been addressed mainly through state law. The DTSA provides a new federal court civil remedy for acts of trade secret misappropriation, among other key provisions:

Ex Parte Seizure of Property

The most controversial aspect of the DTSA is the ex parte seizure provision, which permits a court to order the seizure of property if deemed necessary to prevent the propagation or dissemination of the trade secret. A party seeking an ex parte seizure will have to demonstrate that “extraordinary circumstances” exist warranting the seizure. The ex parte provision also allows a defendant to seek damages for abusive or wrongfully-acquired seizure orders.

Jurisdiction

The DTSA provides that the U.S. district courts have original jurisdiction over civil actions brought under the law. Such jurisdiction is not exclusive. To establish jurisdiction in federal court, a plaintiff will have to show that the trade secret is “related to a product or service used in, or intended for use in, interstate or foreign commerce.”
Continue Reading President Obama Signs the Defend Trade Secrets Act into Law: What You Need to Know Now

Audit. A simple enough word, which basically means “to count.” Yet few words can evoke fear as much as this one word. No one asks their love “How do I love thee? Let me audit the ways,” nor do we tell our children to “Audit your blessings.” And while audits are not inherently unreasonable, their use should be reasonable and relevant. And due to the negative connotation of the word, many IT vendors are even couching their audit notices in “kinder” terms, characterizing the reviews as customer-benefitting and the like. But just as Shakespeare noted about misnamed flowers, an audit by any other name doesn’t change anything, and still holds risk.

Software audits are on the rise, and with most users reporting some under-licensing situations (and the requisite payment of additional license and support fees), this upward trend will only continue as more IT providers focus on this “low hanging fruit” revenue source. An increasing number of IT solutions providers are asking (or sometimes just telling) their customers to submit to an audit, albeit many times called by a different name, and taking increasingly aggressive approaches. The IT industry and the industries of its customers are taking notice, as in many cases, what is portrayed as a simple review will end up with tens or hundreds of thousands of dollars of exposure in the form of license and maintenance fees.
Continue Reading Software Audits: A Rose by any Other Name…

Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution

In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.

With respect to responding to cyber intrusion, the SEC’s stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security.

Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities who self-disclose cyber intrusions will be rewarded with cooperation credit.  
Continue Reading SEC Speaks: How the SEC Decides Whether to Investigate Breached Entities

Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.
Continue Reading Privacy Shield Offers Hope on EU-U.S. Data Transfer—For Now

In a well-reasoned and encouraging decision to Internet businesses, the Northern District of Illinois recently found that even operating one of the largest, most popular websites in the world is not enough to create personal jurisdiction everywhere the site can be accessed. See Gullen v. Facebook, Inc., Case No. 15-cv-07681 (Jan. 21, 2016

Brokers around the globe are proselytizing about insurance for cyber risks. They say gaps in typical business coverages leave companies exposed to high costs and potentially extraordinary liability without coverage specifically tailored to cyber risks (including, but not necessarily limited to, data breach). And these brokers are right. The brokers, however, are sometimes wrong in encouraging their clients to opt into cyber coverage policies that are far less than ideal.

Recently, a client asked me to review various cyber coverage options presented to it by its broker. The broker had told the client that the cheapest option was, fortunately from the broker’s perspective, the best option. But as I reviewed the various cyber coverage forms, I was reminded that you often get what you pay for.
Continue Reading Holy Cr*p! I Have an Insurance Gap for My Cyber Attack?

In 2014, we saw some of the largest, most expensive and most highly publicized data breaches in history. Unfortunately, the early forecast for 2015 does not appear to be any better. According to Experian’s 2015 Data Breach Industry Forecast, the risk of experiencing a data breach is higher than ever (almost half of all organizations have suffered at least one security incident in the last 12 months). In the Information Age, it has become increasingly clear that the question is when, not if, a company will have a cybersecurity incident. 

Speaking in June 2014 at a cyber risk conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized the critical role that directors and officers must play in cybersecurity matters:

Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s oversight responsibilities. . . . [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.

So what should directors and offers do to avoid becoming the “next Target” or the “next Home Depot?” 
Continue Reading Directors and Officers Ignoring Cybersecurity “Do So at Their Own Peril”