New California Privacy Laws: U.S. Meets GDPR-Like Consumer Rights

For any U.S. business that has spent 2018 gearing up to comply with the EU’s new privacy rules General Data Protection Regulation (GDPR), which took effect in May, your time and effort were well spent. One month after the GDPR took effect, California rushed through a new law, the California Consumer Privacy Act (CCPA) that clearly took inspiration from broad aspects of the GDPR. 

Continue reading New California Privacy Laws: U.S. Meets GDPR-Like Consumer Rights ›

Vendor Management and Cyber Planning: Why Equifax Shows “What Not to Do”

If you’ve ever wondered why all the hullabaloo about cyber planning, here is a great example:

Equifax has said that it “owed no duty to safeguard the personal information of millions of consumers and financial institutions” affected by its massive 2017 data breach, and has asked to have the resulting lawsuits dismissed. (Daily Report, 24 July 2018.)

The claims of the affected financial institutions are, in essence, vendor management claims. Their success in court, and the likelihood that those banks can look to Equifax to make whole their losses, may depend in part on how good their contracts were with Equifax. The losses the banks suffered likely include costs of customer relations (phone, email, and other support), continued anti-fraud efforts in the aftermath of the breach, issuance of new cards or accounts or credentials to replace compromised accounts, and other direct costs.

To gain an idea of the scope of the potential loss to the banks, keep in mind that Target settled most of the claims relating to its 2013 data breach, for about $100 million total. Of that money, $10 million went to consumers. $60 -$70 million went to credit card issuers like Visa and MasterCard.

The comparative commercial losses after a massive data breach usually dwarf the losses to consumers personally. Target was breached when an HVAC vendor left open a hole to a single store in the Midwest. Equifax was breached when it failed to install a single routine software patch recommended by its IT vendor.

How good are your contracts with your vendors? Could they make you whole if you were fighting about whose responsibility it was to restore your business operations, buy new computer equipment, replace or rebuild your business data, handle your customer and client relations, pay the PR firm and lawyers, and more? Planning is easy, relatively inexpensive, and can flag many “little” details like standard contractual language. Taken together, these efforts can prevent greater losses later. #CyberForGrowth

Cyber Insurance: A Common Exclusion Tested in Court

A recent court dispute makes clear that there are many elements to cyber planning and protection for any company to consider. Although some do involve technical bells and whistles, many or most are merely business operation decisions involving non-technical matters. Just like other operational decisions, the success of these planning measures can have a direct impact on your bottom line.

The Spec’s Family Partners Ltd. v. The Hanover Insurance Co. case involves insurance coverage for a data breach. The insured retailer sought insurance coverage of losses incurred under its merchant account with a payment card processor. Because that account and those losses are governed by a merchant account agreement, the insurer denied coverage under the retailer’s cyber policy, citing the policy’s “contractual exclusions” clause. In other words: the insurer refused to pay for losses the retailer suffered because of the terms of its merchant account agreement. In the case, the appeals court ruled in favor of the retailer, saying that there are several non-contractual theories relating to the losses (costs), and that the trial court must consider those before ruling that the insurer may decline payment. The appeals court did NOT require that the contractual claims be considered, and so in effect it has implicitly endorsed the validity of the exclusion in the policy.

What does this mean for insureds, i.e., ordinary business operators?

First: vendor management is a critical part of cyber planning. 

Where you can, try to negotiate for your vendors to take on part of the losses following a data breach; and if the breach is of their system, have your agreement specify that you are entitled to full coverage and remedies from the vendor. Where, as here, the vendor is likely a large market power and you have little basis to negotiate, at least understand what losses the contract apportions to you, so that you can tailor your insurance and other planning appropriately.

Second: cyber insurance. 

The main rule of thumb is to have a policy. The corollary is to understand what it covers. They are not comprehensive, and not all policies cover all losses; in this way, they resemble the homeowner’s policy that may cover flooding but NOT sewage backup, depending on what you bought.

This “contractual claims” exclusion is common, and it generally means that the insurer will not cover any costs or losses you bear in a cyber-breach that are the result of a contractual provision with a third party. Thus, if you have a weak vendor contract and end up carrying the costs of a data breach because of that weak contract, you cannot count on your insurance to make you whole. In other words, you will have lost two chances to spread the risk and losses to third parties.

Although a contractual claims exclusion is common, they are by no means non-negotiable. There are carriers that do not use such exclusions, or that use them sparingly. Because so many breaches end up involving some form of third-party contractual dispute, it is worth shopping around on the front end to avoid finding that you are self-insuring all your contractual losses on the back end.

Demystifying the Rules Surrounding GDPR and Your Business

If you have received a deluge of emails regarding updated privacy policies from services you use, you are not alone. They relate to a new set of data privacy rules that went into effect across the European Union on May 25, known as the General Data Protection Regulation (GDPR). The new rules have sweeping implications for businesses around the world. In fact, Facebook and others have already been sued for non-compliance with the GDPR.

If you do business in the EU (including the UK, which has said it will honor the rules) in any way, it would be a good idea to check with counsel regarding whether your business must comply. Although the rules are designed to cover consumer privacy, the way they are written is very broad; B2B as well as B2C customers are affected.

Common facts that can subject you to the GDPR include having European sales or facilities, using cloud-based storage for your website or portal, performing services in the EU, serving customers located there, having employees there, having vendors there, and having European employees who work in the United States temporarily.

The fact that your company is US-based does not matter: the rules explicitly apply to any company handling the personal information of persons in the EU, regardless of the company’s location. In addition, if you serve customers who pass you EU data, they may ask you to certify your security practices or to sign a “Data Processing Agreement” that makes certain assurances about your practices.

In addition to their operational implications, the rules require notice of a breach of any EU personal data within 72 hours – a huge hurdle unless you have conducted some advance planning. Many companies are reviewing their privacy policies, work flows, employee policies, cyber preparedness planning, vendor agreements, and other matters in connection with the GDPR. Not all companies have to conduct a “scorched earth” approach to privacy, but nearly all companies would do well to consider their business and privacy practices and make adjustments where they can.

The rules as drafted leave a great deal of room for the regulators to maneuver; they are very ambiguous. The very clear part of the GDPR, however, is this: fines for non-compliance can be assessed up to the greater of €20 million or 4% of global revenue.

Taylor English’s Data Security & Privacy Team is assisting the firm’s clients with assessment of the client’s exposure to the rules, policy drafting and review, contractual terms relating to the new rules, and liaison with security and technical resources. Our team has extensive in-house compliance experience, internationally and domestically, as well as broad expertise in the legal aspects of information security planning and incident response.

#CyberForGrowth

How New EU Data Privacy Rules May Apply to Your U.S. Business

If you use any online services such as Facebook or Google, you may have seen new tools and products relating to your account privacy settings recently, along with a tweak to privacy policies and terms of use.

Continue reading How New EU Data Privacy Rules May Apply to Your U.S. Business ›

Five Lessons from Equifax

The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.

Continue reading Five Lessons from Equifax ›

National Cybersecurity Month: Protect Your Assets

It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.

Continue reading National Cybersecurity Month: Protect Your Assets ›

GDPR: Good Defense = Prepared + Responsive!

If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.

The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.

Continue reading GDPR: Good Defense = Prepared + Responsive! ›

Apple's Secret Team Working on Diabetes Solution Through Wearables

Yesterday's news about Apple's secret effort to find the 'holy grail' for treating diabetes is just the tip of the iceberg.  

The data-mining and communications solutions that are made possible by the Internet will make it possible for future entrepreneurs to launch solutions that we find hard to imagine today.

Wearable devices, once configured with the right technology to enable the monitoring of blood sugar levels, blood oxygen levels and other health data in combination with data-mining and simultaneous communication to health care providers hold great potential for guiding patients to make healthy choices and to seek medical help when appropriate.

There are obvious data privacy and cyber-security implications, of course, but even these challenges are opportunities in disguise for the entrepreneurs who can develop market-friendly solutions. 

FTC Suing Router Company Without Underlying Data Loss

The new Administration may stand for regulatory rollback in many areas, but consumer privacy is (so far) not one. Trump's Federal Trade Commission (FTC) is pursuing a router manufacturer whose equipment hasn't caused any consumer harm yet: no data leaks, no identity fraud, no damages. Companies hoping to escape scrutiny under a relaxed privacy watchdog should consider themselves on notice. 

As a best practice, it is a good idea to review your privacy policies and the marketing of your services or goods. Any claims you make about security and privacy of consumer data are fair game for scrutiny and investigation. The FTC so far has been unchecked by the courts, and this router case signals that the agency intends to continue vigorous enforcement—even under an anti-regulatory President.

Continue reading FTC Suing Router Company Without Underlying Data Loss ›