Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.

As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.

Blackbaud

In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3]  In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.

On August 12, the first of many lawsuits was filed against Blackbaud.  Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.

The five years prior to the attack are telling.  In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.

Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4]

Morgan Stanley

On August 27, 2020, a class action lawsuit was filed against Morgan Stanley for cybersecurity incidents in 2016 and 2019 that the bank informed customers about in July 2020.  The lawsuit claims Morgan Stanley failed to secure personal information, among other things.

For digital transformation purposes, the incidents are instructive.  In 2016, Morgan Stanley closed two data centers as it moved “to improve – and improve faster – the issue of software development outside the realm of the IT floor.”[5]

As part of its closing of the data centers, Morgan Stanley contracted with a vendor to remove personal information of customers from the devices it was decommissioning.  Later, however, it was discovered that certain devices with unencrypted personal information had not been wiped.

In 2019, Morgan Stanley learned that after it had “disconnected and replaced a computer server in a local branch office,” it was unable to locate the server and that “a software flaw could have resulted in small amounts of previously deleted data remaining” unencrypted.[6]

In the class action, the plaintiff alleges that Morgan Stanley could have prevented the above incidents had it properly encrypted the equipment and files containing personal information.  Indeed, had it followed industry standards for decommissioning devices it might have.

In 2015, the National Institute of Standards and Technology (NIST) published Guidelines for Media Sanitation.  The guidelines are designed “to assist organizations and system owners in making practical sanitization decisions based on the categorization of their information.”[7]

As with all of NIST’s cybersecurity and data privacy guidance, the guidelines are thorough, thoughtful, and technical.  They include 64 pages describing three main sanitization types – clear, purge, and destroy – that would have helped Morgan Stanley (and its vendors).

Dunkin’

On September 15, 2020, the NYAG and Dunkin’ settled a lawsuit relating to cyberattacks that exposed the card account information of tens of thousands of customers in 2015.  The lawsuit alleged Dunkin lacked appropriate safeguards and violated data breach notification requirements.

Dunkin agreed to pay $650,000, notify customers about their accounts that had been compromised in 2015, and, in some cases, provide refunds.  The settlement papers include eight appendices that are sample letters to be sent to the customers.[8]

Specific to the compromises that occurred to its customers’ accounts, Dunkin agreed to implement reasonable measures to protect “against brute force and credential stuffing attacks” where hackers obtain account access by guessing passwords, as part of a cybersecurity program.[9]

Dunkin’s digital transformation mostly began in 2017 when it took a deeper dive into the science of its data and digital strategies.  In the months leading up to the settlement, it announced the creation of a chief digital officer role and upped its digital promotions, sales, and revenues.

What These Lawsuits Show

As if the “all-in, ongoing commitment to improvement” digital transformation requires isn’t challenging enough, without a comprehensive written information security program that is derived from industry standards, digital transformation becomes digital disruption.

Of the many technical requirements the FTC mandated organizations implement as cybersecurity “industry standards”[10] last year – by far its biggest year for cybersecurity enforcement – it was often the last requirement that is most pertinent to digital transformation:

Evaluate and adjust the [Written] Information Security Program in light of any changes to [your] operations or business arrangements, … or any other circumstances that [you] know or have reason to know may have an impact on the effectiveness of the [Written] Information Security Program. At a minimum, each [Covered Business] must evaluate the [Written] Information Security Program at least once every twelve months and modify the [Written] Information Security Program based on the results.[11]

There is much to learn from the pitfalls encountered by others.  For example, just as NIST has released guidance on media sanitation, it has guidance on cloud computing that would have benefitted Blackbaud,[12] and on incident reporting that would have benefitted Morgan Stanley.[13]

Organizations should seek to understand their legal obligations in connection with appropriate cybersecurity for digital transformation so that they don’t experience digital disruption.  If you have questions about these legal obligations, please reach out to one of our Global Privacy & Security Blog authors.

______________________

[1] https://www.stoel.com/legal-insights/legal-updates/digital-transformation-%E2%80%93-regulator-issues-$80-mill

[2] https://www.forbes.com/sites/markcohen1/2020/09/15/covid-19-is-transforming-the-legal-industry-macro-and-micro-evidence/#11d4dd823269

[3] For guidance on ransomware see https://www.stoel.com/legal-insights/blog-articles/utah-considers-a-cybersecurity-safe-harbor-as-ransomware-runs-riot, and https://www.stoelprivacyblog.com/2020/03/articles/cyber-attack/soon-all-ransomware-attacks-may-be-data-breaches/

[4] https://www.blackbaud.com/security

[5] https://www.morganstanley.com/ideas/new-software-stack-2019

[6] https://oag.ca.gov/system/files/MS%20-%20Template%20CA%20Consumer%20Notice.pdf

[7] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

[8] https://ag.ny.gov/sites/default/files/proposed_consent_order_and_judgment.pdf

[9] https://ag.ny.gov/sites/default/files/consent_order_so_ordered_final.pdf

[10] https://www.stoelprivacyblog.com/2019/10/articles/privacy/achieving-industry-standards/

[11] Equifax Order at 19 (dated July 23, 2019) https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_order_signed_7-23-19.pdf (emphasis added).

[12] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-210.pdf

[13] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Tags: cyberattacks, cybersecurity, data privacy, data security, digital transformation, lawsuits, NIST, ransomware
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Romaine Marshall Romaine Marshall

Romaine Marshall helps clients protect their data, businesses, and reputations from cybersecurity and privacy incidents.

As a cybersecurity and privacy lawyer, he works with clients to properly secure and use electronic data, develop industry-specific cybersecurity programs, conduct risk assessments and internal privacy audits…

Romaine Marshall helps clients protect their data, businesses, and reputations from cybersecurity and privacy incidents.

As a cybersecurity and privacy lawyer, he works with clients to properly secure and use electronic data, develop industry-specific cybersecurity programs, conduct risk assessments and internal privacy audits, and respond to regulatory investigations. He has represented clients in more than 100 incidents involving data breaches, ransomware, malware attacks, security misconfigurations, wire fraud, software vulnerabilities, social engineering, and other exploits.

Show more Show less
Photo of Jon Washburn Jon Washburn

Jon Washburn manages the firm’s information governance, compliance, and ISO 27001-certified information security programs and is a cybersecurity and technology resource for multiple Stoel Rives practice teams.

Click here for Jon Washburn’s full bio.

Read more about Jon Washburn
Photo of Jose Abarca Jose Abarca

Jose Abarca counsels companies on the many issues that could, and sometimes do, end up in court or before government agencies.

As a litigator, Jose has represented numerous companies in matters ranging from ownership disputes to bet-the-company litigation. In the energy, infrastructure and…

Jose Abarca counsels companies on the many issues that could, and sometimes do, end up in court or before government agencies.

As a litigator, Jose has represented numerous companies in matters ranging from ownership disputes to bet-the-company litigation. In the energy, infrastructure and natural resources practice areas, Jose focuses on resolving disputes involving engineering, procurement, master services, purchasing, development, and construction agreements.

Jose also assists clients in responding to cybersecurity incidents. As part of his cybersecurity practice, he works with technical consultants to conduct root cause analyses, counsels clients on their obligations to consumers, employees, and regulatory bodies, and helps design and implement written information security programs that meet relevant industry standards.

Read more about Jose Abarca
Show more Show less
Related Posts
THE CONFIDENTIALITY (OR NOT) OF CYBER-FORENSICS IN A DATA BREACH
January 11, 2024
Executives Personally Sued for Data Privacy Incidents
December 8, 2022
Don’t let Cyber Insurance be Your Cybersecurity Plan
February 24, 2021

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.