
How Not to Get Cyber-Punked

Saying No to Ransomware Demands

By Kavi Sivasothy 

In February, Polish game developer CD Projekt Red (CDPR) was confronted with the last thing any business wants to face. The company, which had just released the hotly anticipated Cyberpunk 2077, had its operations frozen and its data stolen as a result of a ransomware attack. The timing could not have been worse. The company was working to address backlash from its big release (a game that was a decade in the making with all the celebrity-fueled hype you could dream of), and the attackers were threatening to auction the source code for some of the company’s biggest IP if the ransom wasn’t paid.

Confronted with all of this, CDPR did something unexpected. It said “no.” Within a day of becoming aware of the breach, the developer released a copy of the ransom note and a public message stating it refused to pay, daring the auction to go ahead even if it meant the data would be leaked.

There were consequences to saying no. News of the attack had caused the stock price to drop sharply, and the developer admitted there would be a short-term impact on its development roadmap. And once CDPR refused to pay the ransom, the data was put to auction on the dark web where—and this is where things get murky—it was either sold to a mystery buyer or removed from auction by the threat actors under that pretense to save face because of a lack of interest from bidders.

We may never know exactly what really happened to the stolen data, but CDPR’s decision to say “no,” while bold, should not be surprising. In fact, it is becoming an increasingly common tactic. Following a steady rise in payments, more and more organizations started refusing to pay ransoms in 2020. Part of this may be due to increasing distrust that payment guarantees the safe and secure restoration of operations, but an organization can also feel confident about refusing to pay a ransom if it has the proper policies and protocols in place before an incident occurs to ensure the resulting damage can be contained and controlled.

Now, not every organization can just say “no” to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But all organizations should be proactive in ensuring they are able to act nimbly to respond to a breach, to mitigate damages and preserve that option to walk away from the threat.

To be prepared, an organization should, before an incident even occurs:

1. Have insurance coverage that can apply to cybersecurity incidents. Organizations will have to determine the level of risk they are comfortable with, but a good policy should account for direct and consequential expenses, including the costs of forensic investigators and legal counsel. Knowing the requirements of the policy is also important. Some policies require the insurer to sign off on major decisions, including legal counsel, and that can be a roadblock during a crisis if it isn’t anticipated.

2. Maintain an up-to-date IT environment and robust backup solutions. Organizations will have to balance the costs and risks when determining what works for them. But at minimum, ensuring personnel are adhering to best practices in using the organization’s equipment, and patching known exploits as soon as possible, can significantly reduce the risk of the organization suffering an incident at all.

3. Identify the key assets of the organization (the “crown jewels”), such as intellectual property and other proprietary assets, and ensure this data is stored and backed up separately. To the extent public disclosure of any of the crown jewels can have a business impact (for instance trade secrets or unpatented inventions), this should be identified in any incident response.

4. Identify relevant stakeholders who need to be informed of an incident. There will often be privacy-related reporting obligations, which can vary across jurisdictions. There may also be contractual requirements with vendors or clients to keep them apprised of any breach. Having an up-to-date list of what needs to be reported and to whom can save critical crisis-response time for the organization.

5. Have a roadmap of what to do if an incident occurs, including a pre-authorized decision-making structure that can move quickly in making authorizations that would not be part of the business’s normal operations.

If an incident occurs, organizations must be prepared to move quickly to corral the key information and act on it. Some of the facts an organization should turn its mind to immediately include:

1. What happened? Has data only been encrypted, or has it been extracted? Are threat actors still actively in the IT environment and monitoring communications? Can the encrypted data be restored independently of the threat actors?

2. Who needs to know what, and when? If data has been exfiltrated or frozen, who needs to be alerted immediately and who can be informed later? Does the insurer need to be involved, and to what extent?

3. What is the business and legal risk? What is the business loss if the data remains encrypted or is exposed? What legal jeopardy will the organization be in if the data has been exposed? From whom?

Dealing with a ransomware attack can be a surreal experience. Organizations that are used to making decisions over days or weeks must act within hours. CDPR knew within a day that it would refuse to pay the ransom. It had already identified what types of data were likely breached [link]. Having an internal crisis-response plan that clearly delegates authority and helps personnel find the relevant information as quickly as possible can put the organization in a good place to assess and respond to the situation.

And it is important to note that organizations that suffer a breach do not need to fend for themselves. There is an entire service industry that has grown in response to the rise in cybersecurity incidents. Breach coaches (who are often lawyers), as well as forensic investigators and negotiators, can offer immediate advice and expertise to organizations to help orient them in the crisis. Law enforcement and regulators are also often prepared to offer assistance when asked. But these resources are reactive, and the better prepared an organization can be in advance of a crisis, the easier it can be to know when to say “no.”

Kavi Sivasothy is an associate in Gowling WLG’s Toronto office practicing commercial litigation. In addition to helping resolve commercial disputes in judicial and private forums, Kavi assists clients in addressing cybersecurity and privacy-related issues.


Think Before You Tweet

Influencer and Endorser Liability

By Richik Sarkar

In 2019, the FTC issued Disclosures 101 for Social Media Influencers, a brief guide to compliance with its rules requiring disclosures to assure that customers fully understood a brand’s relationship with an endorser. Fed. Trade Comm’n, Disclosures 101 for Social Media Influencers (2019). Influencers must disclose “any financial, employment, personal, or family relationship with a brand.” Id. at 3. The focus should be on making sure potential consumers can “see and understand” any brand relationship. Id. at 4. Finally, influencers should not make false claims about a product by misrepresenting their experience or not having tried a product. Id. at 6.

The FTC has been active in bringing enforcement actions against false or misleading endorsements and reviews. In FTC v. Devumi, LLC, the FTC alleged that Devumi (which is now defunct) and its owner and CEO German Calas, Jr. used Devumi.com and a variety of other websites to sell fake followers, subscribers, views, and likes across a variety of social media platforms to help various public and private figures boost their profiles. Complaint for Permanent Injunction and other Equitable Relief at 3–4, FTC v. Devumi, LLC, No. 9:19cv81419 (S.D. Fla. Oct. 18, 2019). The FTC alleged Devumi helped its customers commit deceptive acts or practices in violation of the FTC Act. Id. at 5 (citing 15 U.S.C. §45(a) (2018)). The stipulated order prohibits Devumi from selling or assisting others in marketing social media influence and imposes a judgment of $2.5 million (all but $250,000 of which is suspended) against the CEO and owner. Stipulated Order for Permanent Injunction and Monetary Judgment at 2–3, FTC v. Devumi, LLC, No. 9:19cv81419 (S.D. Fla. Oct. 18, 2019).

In re Sunday Riley dealt with a cosmetics brand that sold high-end cosmetics primarily through social media channels. According to the FTC’s complaint, the company’s employees (at the direction of the company’s eponymous CEO) faked product reviews on retailer Sephora’s website, attempting to increase the average rating. The CEO’s guidance to employees was bold: “Tidal and Good Genes [two of the company’s brands] are 4.2 and I would like to see them at 4.8+.” Complaint at 4, In re Sunday Riley Modern Skincare, LLC, No. 192-3008 (F.T.C. Oct. 21, 2019) (quoting instructions from CEO to staff). Eventually, a whistleblower stepped forward and revealed the scheme. Lateshia Beachum, Skin-Care Company Sunday Riley Settles FTC Charges of Fake Product Reviews, Wash. Post (Oct. 22, 2019, 7:44 PM).

The FTC approved a proposed consent order that prohibits the company and its employees from misrepresenting endorsers’ status. It requires them to disclose any connections between endorsers and the company and requires them to instruct employees and agents of their responsibility to make such disclosures. Agreement Containing Consent Order at 6–7, In re Sunday Riley Modern Skincare, LLC, No. 192-3008 (F.T.C. Oct. 21, 2019). The order includes no disgorgement of gains nor any admission of fault. Two commissioners dissented from the proposed settlement, explaining that, in their view, the absence of any monetary penalty meant that “the proposed settlement is unlikely to deter other would-be wrongdoers.” Statement of Commissioner Rohit Chopra Joined by Commissioner Rebecca Kelly Slaughter at 3, In re Sunday Riley Modern Skincare, LLC, No. 192-3008 (F.T.C. Oct. 21, 2019).

FTC v. Teami, LLC addressed representations regarding the effectiveness of specific dietary supplements. In that case, Teami, its employees, and its agents were prohibited from representing its nutritional supplements and teas as treating or preventing a variety of illnesses, helping cause weight loss, or producing other health benefits without reliable scientific evidence that the representation was accurate. Stipulated Order for Permanent Injunction and Monetary Judgment at 5–8, FTC v. Teami, LLC, No. 8:20-cv-518-T-33TGW (M.D. Fla. Mar. 17, 2020). If the company uses any human clinical tests, it must preserve all records of those tests. Id. at 8–9. The order prohibits misrepresentations about endorsers’ status and requires disclosure of material connections between endorsers and the company. Id. at 10–11. The decision includes a judgment against the company and two officers in the amount of $15.2 million. All but $1 million is suspended (the officers granted liens on, and security interests in, real estate), and there are a variety of additional restrictions on compliance and reporting to ensure that Teami does not make further misrepresentations. Id. at 13–23.

Three celebrities and seven other social media influencers received letters from the FTC warning that their posts on Instagram about the tea did not adequately disclose their connections to Teami. Lisa W. Rosaya & Rebecca B. Lederhouse, Celebrity Influencers Receive Warning Letters from Federal Trade Commission, Baker McKenzie (Mar. 11, 2020). The letters reminded each influencer that she could face enforcement action and asked each to explain to the FTC how she would make sure her posts complied with disclosure requirements relating to endorsements.

In re UrthBox, Inc., examined endorsement incentives. In return for posting positive reviews on the Better Business Bureau website and social media, UrthBox offered free snack boxes to reviewers, who, frequently, did not disclose they were receiving incentives for their participation. Complaint at 5–6, In re UrthBox, Inc., No. C-4676 (F.T.C. May 14, 2019). The stipulated order requires UrthBox to make appropriate disclosures about its endorsers and make sure that its endorsers likewise disclose that the company provides them with incentives to write positive reviews. Decision and Order at 5–6, In re UrthBox, Inc. UrthBox also must pay the FTC $100,000. Id. at 9.

As one of its periodic reviews of rules and guides, in February 2020, the FTC announced that it was seeking public comment on its Endorsement Guides. FTC Seeks Public Comment on Its Endorsement Guides, Fed. Trade Comm'n (Feb. 12, 2020). The announcement gives several examples of the sorts of issues the FTC is interested in, including “whether the practices addressed by the Guides are prevalent in the marketplace and whether the Guides are effective at addressing those practices,” “whether consumers have benefitted from the Guides and what impact, if any, they have had on the flow of truthful information to consumers,” and “how well advertisers and endorsers are disclosing unexpected material connections in social media.” Id.

While some of these enforcement actions provide more incentive than others, there is no doubt that social media influencers are on the FTC’s radar, and these examples are good reminders to our clients with large social media presences that they need to think carefully about their posts and product endorsements.

Richik Sarkar is a partner at Dinsmore & Shohl who directs commercial, consumer, and cybersecurity litigation for clients of all sizes. He is a nationally recognized class action and commercial litigation and cybersecurity expert. A former Chief Privacy Officer for a $100,000,000 company, Richik counsels companies and boards about their cybersecurity and data privacy duties, risks, and protocols and advises clients of all sizes on legal and business issues and strategy (e.g., ESG, governance, shareholder disputes, real estate, access to capital, trademarks, patents, etc.).



Start Spreading the News

A Primer on Cyber Legislation in New York

By Robert Cosgrove and John Amato

At the end of every Yankees’ home victory, Frank Sinatra blares from the speakers. The song? Well, of course, it’s New York, New York! As Old Blue Eyes sings,

These little-town blues,
are melting away,
I’ll make a brand-new start of it,
in old New York …

Unfortunately, it seems New York is about to make a brand-new start of it when it comes to the mounting cyber issues of our time. When New York legislators are not distracted by the latest Governor Cuomo harassment or nursing home scandal, they are spending time trying to create an effective, modern cyber law framework for the Empire State. The pending bills are designed to protect New York residents by imposing more data security requirements on companies that collect information. And they represent (potentially) a big change for New York—a change that would make New York’s cyber law paradigm more like California’s or the European Union’s. This essay will explore those changes and provide some thoughts on what to expect in the future. Specifically, Part I addresses the modern trend of cyber law by addressing its inherent necessity, including influential cyber legislation in jurisdictions outside of New York. Part II addresses the current posture of New York’s cyber law landscape by contouring recently enacted legislation and other regulations. Part III briefly addresses proposed cyber legislation in New York, which would effectuate one of the most stringent regulatory data compliance schemes in the United States (if enacted). These ever-changing regulations have real world consequences for our legal clients, our business clients—especially insurance companies—and on practicing lawyers.

I. Modern Trend in Cyber Legislation

A. The Necessity for Cyber Legislation, Generally

Technology has changed how we interact, conduct business, and even think about ourselves and the world around us. Look no further than COVID-19’s effect on the legal industry—a glaring exemplar of how technology instantaneously reconfigured the status quo from the orthodox ways of the past. Who would have thought that twenty years of legal transformation could have been shoehorned into such a small timeframe!

But in this brave new world (pun intended), it is unsurprising that bad actors and their nefarious conduct have morphed and expanded, as well. As COVID life has made us more tethered to cyberspace and technology, bad actors have ramped up innovative tactics to obtain and utilize confidential, proprietary information to the detriment of the United States, its companies, and its citizens. If you have never received a robocall from the “IRS” or an automated voicemail in Mandarin—well, consider yourself lucky. These are obvious, micro examples of cyber infiltration attempts. But from a macro level, cyber-attacks are approaching the targeted sophistication and consistency to be considered full-fledged proxy warfare. This is made apparent by the recent, high-profile cyber-attacks against the United States and its companies (e.g., SolarWinds, Microsoft, and Colonial Pipeline), which may have significantly compromised national security. These well-documented cyber-attacks, and others, have cost U.S. companies billions of dollars and provided hackers and foreign state regimes with masses of personally identifiable information. Undeniably, cyber-attacks are increasing in frequency, sophistication, and scale.

But our modern cyber issues don’t end at international espionage and corporate pillaging (as if that weren’t bad enough). Rather, they are exacerbated by broader privacy concerns and the ever-growing collection and use of personal data. Individuals, consumer watch groups, and other advocates have become increasingly worried about how the emergent “Internet of Things” makes it more difficult to be left alone. Recently, the Pew Research Center published a study, which revealed a majority of Americans believe their online and offline activities are being tracked and monitored by companies and the government with some degree of regularity. Let’s be honest—if you use the internet, you have probably experienced that eerie moment when you see advertisements about a product that was recently discussed around friends and family. Unlike our neighbors across the pond, American citizens share no Constitutional right to “data” or “information” privacy at present. And any regulations in place are impeded by a systemic conundrum: technological developments are outpacing legislative responses.

B. Influential Cyber Legislation

With all these new challenges, domestic and foreign legislative bodies have responded to these emerging cyber issues by enacting laws and regulations reinforcing data privacy and security. Most notably, the European Union’s (EU) General Data Protection Regulation (GDPR) provides EU citizens with total control over the collection and use of their data. Touted as the “toughest privacy and security law in the world,” this framework applies to any entity that collects, stores, or processes the personal data of EU residents or citizens—regardless of the size of the company. Thus, the GDPR is legally binding on international companies—like insurance carriers—with global operations that offer goods or services to EU residents or citizens, or which monitor the activities of individuals within the EU. The GDPR is predicated on reinforcing individual rights, including the right to erasure (i.e., “to be forgotten”) and the right of access to information stored and used by companies.

In stark contrast to the GDPR framework—the American cyber paradigm supports Big Data practices. Traditionally, the burden of protecting one’s personal privacy has been placed on the individual. However, attitudes about Big Data practices are changing and lawmakers are trying to respond. In 2018, the GDPR’s individualistic, pro-privacy principles made their way into American legislation vis-à-vis enactment of the California Consumer Privacy Act (CCPA), which has muddied the waters for entities that became subject to, but were unfamiliar with, these new compliance regulations. Drawing from the GDPR’s underlying policies, the CCPA created an overt, consumer-friendly cyber framework, which provided Californians the right “to be forgotten.” The CCPA applies to companies doing business in California that buy, share, or sell the personal data of more than 50,000 California residents, that earn more than 50 percent of their revenue from the sale of personal data, and which have an annual revenue of over $25 million. Thus, while the CCPA’s regulatory reach is not as broad as the GDPR’s, it shifted the status quo of American cyber legislation.

The CCPA’s data privacy and cybersecurity policies have gained traction in other U.S. jurisdictions. As of April 1, 2021—at least 38 states (including Washington D.C. and Puerto Rico) had introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity. States are rapidly proposing digital privacy legislation, as well. As of April 30, 2021—Nevada and Virginia followed California’s lead by passing comprehensive consumer-friendly data privacy laws. New York is following suit.

II. Cyber Legislation in New York

New York’s foray into its current cyber framework is traceable to the “Information Security Breach and Notification Act” (ISBNA), which became effective in December 2005. The ISBNA merely provided New York residents the right to know when a security breach resulted in the exposure of their private information and enabled minor penalties to be imposed against non-compliant entities. Certain provisions of the ISBNA were amended in 2013, but the amendments did not alter the legislation’s substantive impact—which was sparse in toto.

A. New York Department of Financial Services Cybersecurity Regulations

New York’s first significant cyber development occurred in February 2017, when the New York Department of Financial Services (NYDFS) issued a sweeping set of cybersecurity regulations, which were aimed at the ever-growing threat posed to financial systems by cyber criminals and were designed to ensure businesses effectively protect their customers’ confidential information from cyber-attacks. See 22 NYCRR 500 et seq. These cybersecurity regulations are directly applicable to financial institutions, including, but not limited to: insurance companies, state-chartered banks, licensed traders, private bankers, foreign banks licensed to operate in New York, mortgage companies, and other service providers. Now, these institutions must implement risk assessments, create audit trails, develop incident-response plans, and impose limitations on data access and data retention. Further, they must train cyber staff, designate a chief information security officer, protect and encrypt consumer data in transit and at rest, and oversee the compliance of third-party organizations. Additionally, they must notify NYDFS within 72 hours of identifying an attempted material breach of their systems. If your entity qualifies as a financial institution under New York law, or more significantly, if you work as an outside vendor for a financial institution (i.e., a lawyer who does work for insurance companies), you have likely encountered and complied with these regulations.

B. Stop Hacks and Improve Electronic Data Security Act (SHIELD)

New York’s next significant response to evolving cyber concerns occurred in July 2019 vis-à-vis enactment of the SHIELD Act, which amended existing laws and added new ones. The SHIELD Act reinforced data privacy and security by increasing the regulatory requirements for certain market actors.

i. Expanded Regulatory Scope and Application for Breach Notifications

Before the SHIELD Act, the breach notification requirement promulgated by the ISBNA only applied to persons or businesses that conducted business in New York. Now, this compliance obligation is imposed against any person or business that owns or licenses the private information of a New York resident. Thus, the SHIELD Act substantially expanded the territorial scope of the data breach notification requirement.

In that vein, the SHIELD Act’s regulatory reach has been expanded through the broadened definitions of what constitutes “private information” and a “breach of the security of the system.” Now, “private information” includes additional sets of key data elements that are subject to protection. With respect to “breaches,” the broadened definition now includes incidents involving “access” to private information. Before, only “acquisitions” of private information triggered the breach notification requirement. Thus, these expanded definitions will likely trigger more situations requiring a breach notification. For example, if you’ve used the ParkNYC app (a convenient, cashless parking application), you may have been notified about a data breach incident that resulted in the unauthorized “access” of general account information. This notice was likely precipitated because of the SHIELD Act’s expanded regulatory reach.

While the SHIELD Act significantly broadened its regulatory scope and reach, it also provides two important exceptions that obviate the need for a breach notification: (1) the “good faith employee” exception; and (2) the “risk of harm” exception. The “good faith employee” exception was retained from existing law. Under this exception, the good faith access or acquisition of private information by an employee or agent does not constitute a “breach of the security of the system.” Thus, data breach notifications are not necessary in these scenarios. The “risk of harm” exception is newly included in the SHIELD Act. Under this exception, notice to affected persons is not required if the exposure was inadvertent, and the person or business “reasonably” determines such exposure will not result in misuse, financial harm, or emotional harm. For a person or business to avail itself to this exception, certain documentation and reporting measures must be taken and complied with, which vary depending on the nature of the incident.

With respect to the breach notification obligations imposed on small businesses—the status quo is unchanged: there are no exceptions for small businesses in the breach notification rule. Small businesses that experience a data breach affecting the private information of New York residents must notify the affected persons (subject to the above exceptions). However, the SHIELD Act profoundly changed New York’s cyber laws by codifying new “data security protections,” which impact businesses of all sizes.

ii. New Cybersecurity Safeguards

The SHIELD Act ushered in new requirements for businesses of all types to create plans for “data security protections.” “Compliant regulated entities” (i.e., businesses that are already regulated by and comply with certain requirements, such as HIPAA, HITECH, Gramm-Leach-Bliley, and 22 NYCRR 500, et seq.) will be deemed to comply with the SHIELD Act. All other businesses, however, must meet the SHIELD Act’s new data security requirements.

To comply with these new data security measures, businesses must now develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, including data disposal. Particularly, there are three aspects of a company’s data security program that are considered in the “reasonable safeguards” calculus: (1) reasonable administrative safeguards; (2) reasonable technical safeguards; and (3) reasonable physical safeguards.

Considering these overwhelming new compliance measures, the SHIELD Act includes some relief for small businesses. Qualifying small businesses must still maintain a security program, but the sophistication and general nature of that program can be modified. Specifically, a small business’s security program is compliant with the law’s “reasonable safeguards” requirement if the measures adopted are appropriate for the size and complexity of the small business, and reasonable in light of the nature and scope of the business’s activities and the sensitivity of the personal information collected from or about consumers.

Any person or business that fails to comply with these data security protections will be deemed to violate the law, which provides the attorney general a cause of action on behalf of New York State. Penalties include injunctive relief and other civil penalties. Notably, New York residents do not currently have any affirmative rights under the SHIELD Act’s framework. However, proposed legislation is underway, which may provide such rights. This would be consistent with the modern trends of the GDPR and CCPA.

III. Proposed Cyber Legislation in New York

Turning to the present—New York’s 2021–2022 legislative session kicked off with the introduction of additional, consumer-centric cyber bills.

A. Assembly Bill A680

Assembly Bill A680 (“New York Privacy Act”) would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared. Some commentators have noted that this bill, as currently drafted, would make it nearly impossible for businesses to remain in strict compliance. This bill would also create a private right of action for technical noncompliance with the statute, enabling claimants and other injured “persons” to bring actions (including for injunctive relief). Thus, this proposed bill has significant implications for data-keeping businesses, whose failure to adhere to these new, strict compliance requirements would theoretically open the floodgate for litigation.

B. Senate-Assembly Bill S567, A3709

Senate-Assembly Bill S567, A3709 would grant a consumer the right to request that a business disclose the personal information it collects about the consumer, such as the categories of sources from which information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. As drafted, a consumer who suffers an injury in fact may recover the greater of statutory damages ($1000) or actual damages, and $3000 or actual damages for an intentional violation. Further, this bill provides: “any person who becomes aware, based on non-public information, that a person or business has violated this section may file a civil action for civil penalties.” Since a “person” is defined as “an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert”—this bill would also open the litigation floodgates by enabling various parties to bring suit (e.g., business competitors, consumer groups, vendors, and the like). Obviously, innumerable unintended consequences may result from this legislation as currently drafted.

C. Senate-Assembly Bill S2886, A405

Senate-Assembly Bill S2886, A405 (“Online Consumer Protection Act”) is a proposed amendment to New York’s General Business Law, which directly addresses interest-based advertising activities. It provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities. This bill would prohibit “publishers” and “advertising networks” from collecting certain information for online preference marketing purposes, “unless the consumer is given an opportunity to opt-out.” This bill also appears to prohibit certain marketing techniques (i.e., widespread practice lists or audience matching), absent a consumer’s consent. As currently drafted, this bill does not provide a private right of action for non-compliance; rather, the attorney general has the sole discretion to bring actions under the law, including for injunctive relief and statutory damages of $250 per violation (with the prospect of an increased fine at the discretion of the court if the violation relates to the use of personally identifiable information for online preference marketing or the failure to provide an opt out).

D. Senate-Assembly Bill S1349, A400

Senate-Assembly Bill S1349, A400 (“Right to Know Act of 2021”) would restrict the disclosure of personal information by businesses. A “business” would be required to make available to a “customer” the categories of the customer’s personal information disclosed to third parties, including the names, contact information, and designated request address of all such third parties. This proposed bill is akin to new legislation in California, as it provides the right for customers to request access to their personal information. This bill would provide a private right of action for customers, while also authorizing actions initiated by the attorney general, district attorney, city attorney, or city prosecutor of competent jurisdiction.

E. Other Proposed Cyber Legislation

Other proposed cyber legislation includes: Senate-Assembly Bill S1933, A27 (“Biometric Privacy Act”) (requiring private entities in possession of biometric identifier or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information); Senate-Assembly Bill S301, A687 (imposing requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency); Senate-Assembly Bill S336, A713 (“Wellness Program Privacy Act”) (requiring employers and insurers to take certain measures to protect the security of wellness program participants’ private information); and Senate-Assembly Bill S893, A954 (directing the Director of the Office of Information Technology Services to conduct a study on the use of biometric identifying technology; prohibiting the use of biometric identifying technology in schools for a certain period of time).

Conclusion

Avoiding compliance violations in the modern cyber law landscape requires due diligence and proactive business management. This primer should have provided general clarity on modern cyber law trends, including how these trends have impacted current and prospective legislation in New York and other jurisdictions. If you are subject to these patch-work cyber laws and regulations (which is pretty much every lawyer and her/his clients), and especially given the uncertainty of a federal cyber standard, it is crucial to understand the law’s status quo and envisage what’s coming next. One way to help get there is to stay compliant with New York’s current laws and be prepared for the next sweeping set of regulations—whatever they may be. After all:

If I can make it there,
I’m gonna make it anywhere.
It’s up to you,
New York, New York.

Bob Cosgrove, a CIPP-US/CIPM, is a partner at Wade Clark Mulcahy, who practices from New York to Philadelphia. John Amato is an associate at WCM.