Illinois Court of Appeals: Statute of Limitations for Most Biometric Privacy Claims Remains at Five Years

Photo of Jacob GoldbergPhoto of Maggie DaltonPhoto of Hunter FergusonBy Jacob Goldberg, Maggie Dalton and Hunter Ferguson on Posted in Law/Regulation Update, Privacy

In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records.  It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed.  It is also the most well known and heavily litigated of a slew of newly enacted, or soon to be passed, state and local laws aimed to regulate biometric information.

Many Illinois defendants had hoped that their liability under BIPA could be limited because, they argued, a one-year statute of limitations should apply to BIPA claims.  But, in a recently issued decision, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the Illinois Court of Appeals rejected this position for a majority of BIPA claims.  It held that a five-year statute of limitations applies to the most frequently cited sections of the statute. Continue Reading

The Only Bi-Partisan Show in D.C.: The U.S. Supreme Court Issues a Decisive Opinion Concerning TCPA Liability in Facebook, Inc. v. Duguid, et al.

Photo of Thomas WoodsBy Thomas Woods on Posted in Announcements

In a widely anticipated ruling, the U.S. Supreme Court today ruled that just because a business has calling technology that has the capacity to store and dial multiple numbers – such as a cell phone — does not automatically subject that business to Telephone Consumer Protection Act (“TCPA”) liability for calls (and texts) to consumers that otherwise lack consent.

Beyond other aspects of what constitutes a robo-call, this ruling is likely to limit the number of class actions brought against businesses under TCPA.  Still, for businesses required to comply with consumer protection laws, obtaining and retaining evidence of consumer consent for calls and texts remains the primary business action to limit risk.  Where businesses use vendors to administer call campaigns, we recommend discussing with vendors the impact this decision may have on campaign practices.  As always, contacting experienced counsel to investigate whether creative steps can be taken to incorporate aspects of today’s ruling into your relationships is a wise step to better protect your business.

In an 8-0 opinion, with Justice Alito concurring in the judgment for unanimity, the U.S. Supreme Court reversed and remanded the Ninth Circuit’s decision in Facebook, Inc. v. Duguid, et al.  Slip Op. No. 19-511, 592 U. S. ___ (2021).  In the context of consumer protections ensconced in the TCPA, the Ninth Circuit held that any company maintaining a database that stored consumer phone numbers that could also be programmed to automatically call the numbers stored therein, were operators of “automatic telephone dialing systems” (“ATDS”).  Among other things, the TCPA prohibits unsolicited telemarketing and other calls and text messages from users of an ATDS.  The Ninth Circuit’s conclusion created a rift.  The TCPA’s definition of what constitutes an ATDS was more narrow than the Ninth Circuit’s interpretation.  As Facebook pointed out to the Supreme Court, the Ninth Circuit’s interpretation not only appeared to ignore the TCPA’s complete definition of what constitutes an ATDS – it made ubiquitous forms of technology previously untouched by the TCPA open to that liability. Continue Reading

Seattle & Portland Virtual Cybersecurity Summit Begins Tomorrow

Photo of Jon WashburnBy Jon Washburn on Posted in Announcements, Events

Join me, Stoel Rives’ Chief Information Security Officer (and Global Privacy & Security Blog® author) Jon Washburn, for a panel discussion in which I will partner with top industry CISOs and CIOs to address the most pressing cybersecurity challenges of 2021. Register now for free for the Seattle & Portland Virtual Cybersecurity Summit, March 31 and April 1, 2021, for CPE credits, educational briefings, and three amazing keynote presentations. For more info or to register visit: https://www.dataconnectors.com/events/2021/march/seattle-portland/?=affCISODM.

Don’t let Cyber Insurance be Your Cybersecurity Plan

Photo of Jon WashburnPhoto of Hunter FergusonBy Jon Washburn, Hunter Ferguson and Jeff Jones on Posted in Announcements, Cyber Crime, Data Breach, Disaster Recovery, Insurance Coverage, Security

In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not incentivize the insured to maintain a robust cyber security program, the insurer can end up bearing excessive risk when the customer leans on the policy as their business continuity plan.

You may be wondering “What does this have to do with my business? I don’t do any business in NY state.” However, your insurer might be subject to the NYDFS cybersecurity regulation (23 NYCRR 500) and, if so, likely received this letter.

According to NYDFS, every cyber insurer should have a formal strategy that incentivizes their insureds – through more appropriately priced plans – to “create a financial incentive to fill [cybersecurity] gaps to reduce premiums.” Below is our take on five of the key practices outlined in the NYDFS letter that have potential implications for insureds.

  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Up to now, many organizations have leveraged clauses in standard policies to cover ransomware attacks, such as those covering general liability, theft, malpractice and errors. NYDFS advises that “insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses.”  When you next renew your policy, read the fine print carefully to determine if there are any exemptions for cyber-related losses – even if you have a standalone cyber insurance policy. An insurer that was left ‘holding the bag’ for covering a ransomware attack under a policy that wasn’t priced to cover cyber losses is incentivized to update that policy language at the soonest opportunity.
  • Evaluate Systemic Risk. Here, insurers are being advised to “stress test” their coverage to ensure they would remain solvent while covering potentially “catastrophic” cyber events impacting multiple insureds. If you are a cloud or managed services provider and/or are part of other organizations’ supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program.
  • Rigorously Measure Insured Risk. No surprises here, unless you haven’t been filling out detailed questionnaires about your cyber security program. Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program – such as ISO 27001 or HITRUST – might improve your policy premium.
  • Educate Insureds and Insurance Providers. This practice states that “insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. They might be trying to tell you how you can lower risk – and your rates.
  • Require Notice to Law Enforcement. While this is a best practice, NYDFS is recommending this be more formally required in the policy language.  Involving law enforcement is important when responding to cyber incidents, especially when it comes to investigating the incident and attempting to recover funds. Make sure you involve legal counsel and have a plan for engaging law enforcement in the event of a breach.

Even if your insurer hasn’t received this guidance, they are certainly aware that cyber risk, and the cost of underwriting cyber insurance, continue to increase.  With the cyber insurance market estimated to exceed $20 billion by 2025, and the risk that intermediaries – including insurers – can be liable for ransom payments made to entities sanctioned by the Office of Foreign Assets Control, business leaders should expect that their insurers will be more closely scrutinizing their cyber security plans and controls. Rebuilding encrypted systems and restoring from backup, as opposed to paying ransoms, will need to be the first plan of action.

If your organization is still struggling with the decision whether to invest more in IT security and architecture improvements or continue to rely on insurance as your cyber security plan, the guidance in the NYDFS Cyber Insurance Risk Framework merits a closer look.

While cyber insurance can be essential to helping your organization recover from a data breach, it should not take the place of a strong cyber security program.  At minimum your cyber security program should include a Cyber Security Plan, Business Continuity and Disaster Recovery Plan and an Incident Response Plan. These plans should be tested, reviewed and updated at least annually, preferably in conjunction with a penetration test and vulnerability assessment from a qualified third party.

If you have any questions or would like any additional information about the topics raised in this post, please contact Hunter Ferguson, Jeff Jones or Jon Washburn.

Portland’s New Facial Recognition Ban Increases Litigation Risk, Creates Uncertainty

Photo of Maggie DaltonPhoto of Jacob GoldbergPhoto of Hunter FergusonBy Maggie Dalton, Jacob Goldberg and Hunter Ferguson on Posted in Privacy, Security, Software

Is your business using or thinking of using facial recognition technology for activities in Portland, Oregon? Think again.

That’s the message to businesses operating in Portland in a new ordinance that broadly bans the use of facial recognition technology in the city, subject to certain exceptions. The ordinance, which took effect January 1, 2021, restricts private businesses from using automated or semi-automated processes to identify an individual by comparing an image of a person captured through a camera with images of multiple individuals in a database. Due to the expansive language contained in the final version of the ordinance, routine business practices used to support or improve operations are no longer permitted. For example, retailers may have previously used software that compares surveillance video images of individuals as they enter a store with a cloud-based photo database to identify suspected shoplifters. The ordinance now prohibits use of this software.

The law also has teeth. It creates a private right of action, statutory damages of $1,000 per day for each violation, and allows for recovery of attorneys’ fees. Similar to other biometric privacy laws, this ordinance has the potential to trigger a wave of costly class action litigation and upend business operations. This ordinance creates significant risk with use of facial recognition technology, and organizations should proceed with this awareness. The law also raises numerous unanswered questions, as noted below. Continue Reading

Digital Transformation – Cybersecurity Lessons from Recent Lawsuits

Photo of Romaine MarshallPhoto of Jon WashburnPhoto of Jose AbarcaBy Romaine Marshall, Jon Washburn and Jose Abarca on Posted in Cyber Attack, Privacy, Security

Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.

As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.

Blackbaud

In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3]  In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.

On August 12, the first of many lawsuits was filed against Blackbaud.  Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.

The five years prior to the attack are telling.  In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.

Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4] Continue Reading

Digital Transformation – Regulator Issues $80 Million Penalty for Not Doing It Right

Photo of Romaine MarshallPhoto of Jon WashburnPhoto of Jose AbarcaBy Romaine Marshall, Jon Washburn and Jose Abarca on Posted in Announcements, Cyber Attack, Cyber Crime, Data Breach, Regulators, Security

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.

On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud.  This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.

Why This Penalty Is Important

While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to

[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.

The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.”  This focus on a board’s knowledge of cybersecurity issues is not new.  The Federal Trade Commission (“FTC”) focused on this last year. 

Maintain a Strong Risk Management Program

Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:

  1. A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
  2. The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
  3. Reasonable policies and procedures and adequate technical controls to address these risks.

What Organizations Should Do

Before, during, and after any aspect of digital transformation, organizations should consider doing the following:

  1. Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
  2. Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
  3. Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.

Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.

As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks.  A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.

If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to Romaine Marshall, Jon Washburn, or Jose Abarca.

Securing Online Shopping has Never Been More Important

Photo of Jon WashburnPhoto of Fred StruveBy Jon Washburn and Fred Struve on Posted in COVID-19, Data Breach, Internet, Security, Software

In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 related breach, and 17% would never return. While I imagine this sentiment would apply to any breach of personal information and not just one related to the current crisis, these numbers are a sharp step up from the estimated average customer turnover rate of 3.9% in last year’s 2019 IBM/Ponemon Cost of a Data Breach Report. While it’s just one survey, the significant increase in expected customer turnover rate in such a short time-period may represent a rapidly diminishing level of tolerance for websites that leak valuable personal information.

In order to remain in business, many retailers had to rush to upgrade their online presence in order to compensate for store closures and reduced foot traffic in locations that were able to remain open; or for the more fortunate retailers, to simply manage an unprecedented increase in online purchasing. As we balance security risk against the need to maintain the health of the business, it would not be surprising if ‘speed to market’ concerns took priority over rigorous application security review in some of these instances – after all, a strong cybersecurity program is meaningless if there’s no organization left to protect. Nevertheless, it is still critical to complete the cycle of secure software development and thoroughly test any changes and integration of new solutions to verify they are secure.

If you are a retailer that has had to prioritize retooling your online presence over everything else, please be sure to circle back around and undertake these important tasks:

  • Conduct a code review that focuses on verifying that your site is not vulnerable to web application security risks, such as those included in the OWASP Top 10
  • Validate that any integration of new technology – such as payment processing, customer experience or even anti-fraud solutions – is still properly managing personal information in line with your security and privacy policies
  • If you don’t already offer it, consider offering two-factor authentication to your online customers
  • Confirm your web servers are still using strong security certificates and aren’t allowing weak protocols.  You can check this for free at ssllabs.com
  • Ensure everything is still running using the Principle of Least Privilege

Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

Photo of Romaine MarshallPhoto of Jose AbarcaPhoto of Jon WashburnBy Romaine Marshall, Jose Abarca and Jon Washburn on Posted in Privacy, Security

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1.  A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.

Continue Reading

Court Orders Disclosure of Capital One’s Incident Report

Photo of Romaine MarshallPhoto of Jose AbarcaBy Romaine Marshall and Jose Abarca on Posted in Data Breach

Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs.  Capital One had contended that the report is protected attorney work product and that it shouldn’t have to.  The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed.  In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling: Continue Reading

LexBlog