T&K Cybersecurity Blog

June 11, 2019

The Weakest Links – Vendors in the Spotlight, Again

Last week brought news of two more companies reporting the potential compromise of financial and medical information of millions of Americans. The headlines sound familiar, as does the attack vector – compromise of a third-party vendor with access to patient information.

On June 3, Quest Diagnostics Incorporated reported that a breach at one of its vendors, American Medical Collection Agency (AMCA), may have compromised the personal information of approximately 11.9 million of its patients. The compromised information includes credit card numbers, bank account information, Social Security numbers, and unspecified medical information, among other things. Quest stated that it has not yet obtained detailed or complete information from AMCA and has not received a list of the affected individuals, but that according to AMCA, an unauthorized person had access to AMCA’s system for up to seven months.

On June 4, Laboratory Corporation of America Holdings reported that approximately 7.7 million of its patients were affected by the AMCA breach. For LabCorp patients, the compromised information includes credit card numbers and bank account information, but not Social Security numbers or lab test results. LabCorp is also awaiting more detailed information from AMCA but unlike Quest, LabCorp reported that AMCA is notifying some LabCorp patients directly.

News reports have already identified a third victim of this incident, and there could be more to come. According to its website, AMCA is “the leading recovery agency for patient collections,” and its clients include “Laboratories, Hospitals, Physician groups, Billing services and Medical providers all across the country.” AMCA also operates under the “Retrieval Masters” brand and services “Direct Marketers, Telecom, Toll Agencies, and Debt Buyers,” further expanding the scope of potential victims. Quest and LabCorp are both public companies that reported the breach in filings with the Securities and Exchange Commission, but many of AMCA’s other clients are not subject to SEC reporting requirements.

Quest and LabCorp now face the familiar dilemma of responding to a cyber event resulting not from a breach of their own systems, but from a breach at a third-party vendor. Vendor breaches raise different issues than other breaches, including the following:

Understanding what occurred, what information was compromised, and who must be notified: A company that obtains personal data from its customers is generally the party subject to notification and other obligations under applicable state and federal laws, even when the breach occurs in a vendor’s system. However, the ability of that company to obtain the information needed to provide notifications is often limited by the vendor’s ability and willingness to share information about the incident. For example, it was Quest, not AMCA, that received two separate letters from U.S. senators requiring the company to respond within 10-14 days to detailed questions regarding its cybersecurity policies and procedures and this breach in particular.
Compliance with privacy policies: Companies should ensure that they are complying with their privacy policies when they share information with vendors. For example, LabCorp’s privacy policy (as published on its website) states that it may share information with contractors, but Quest’s published policy promises that no information will be shared with vendors unless the patient has authorized Quest to do so. Presumably, Quest obtained patient consent in some other way, such as a consent formed signed when the patient visited the Quest facility.
Insurance coverage: Many cyber insurance policies cover notification costs and other losses only if the breach occurred in the insured’s systems. For losses arising from a vendor’s breach, a company often must rely on contractual indemnification rights, if any. Companies typically require their vendors to have certain levels of insurance coverage, but in many cases a vendor’s insurance policy will not cover the vendor’s contractual indemnification obligations to its customers. Indeed, contractually assumed indemnity is typically subject to a specific coverage exclusion.

Thompson & Knight’s Cybersecurity Practice Group routinely advises clients regarding vendor relationships. Some general suggestions include the following:

Legal review: Ask knowledgeable legal counsel to review contracts with vendors to identify cyber issues and conformity with market terms. Vendor contracts often include provisions regarding data protection requirements, reporting requirements in the event of a breach, insurance coverage, and other matters.
Data segregation: Limit the data shared with a vendor to just the information required for the vendor to fulfill its contract. For example, a medical collection agency might need information relating to the status of a patient’s account, but might not need the patient’s medical information.
Data access: In cases where the vendor has access to computer systems, ensure that the access is restricted to the data the vendor needs to fulfill its contract, and that the vendor does not have rights to move throughout a client’s network.
Monitoring of vendor activity: Where possible, employ tools to monitor vendor activity on your network. Earlier this year, criminals used phishing attacks to gain access to the computer networks of major IT outsourcing firms such as Wipro, and used that access to attack the networks of the IT firms’ customers. In many cases, the customers identified the rogue activity before significant damage could be done.

Comprehensive cybersecurity includes not only the integrity of your system, but also the integrity of any other system which may have access to your system or on which your data may be stored. Heightened diligence should be exercised whenever vendor relationships are established or evaluated.

Posted at 11:18 AM in Data Breach Notification | Permalink | Comments (0)

February 08, 2019

Rethinking Password Management

Posted by Justin Cohen

Hackers have compiled a database of over 2.2 billion records of our login credentials (i.e., usernames/email addresses and passwords) by cobbling together records taken from dozens of data breaches. And they are sharing these stolen credentials through various websites. Out of curiosity, I used the Hasso-Plattner Institut’s online tool to see whether my personal and work email addresses were included in the leaked databases. Guess what? They both were. I then used the “have i been pwned?” password search tool to see if one of my old passwords was exposed. Unsurprisingly, it was. If you have employees who have created online accounts with Facebook, Marriott, eBay, LinkedIn, Yahoo!, Orbitz, Quora, Reddit, or any number of other websites or systems, it’s likely that your employees’ credentials have also been exposed.

The problem we have today is that many people use the same or similar credentials (e.g., email address and password) for their personal websites as they do to log in to their company’s enterprise accounts. While your company’s systems may not have been breached, it is likely that at least some of your employees’ credentials have been. So even if your organization has complex password requirements—and requires users to change those complex passwords often—those requirements don’t prevent hackers from finding users’ credentials on other sites, or using those passwords to guess the password for a user’s enterprise account (since many only use slight variations).

To address this problem, Google has launched a new extension to its Chrome browser to tell you if your password has been exposed. But for many, that may not be enough to address the risk of exposed credentials.

It may be time to start encouraging employees to utilize a password management tool, like Keeper, LastPass, or 1Password. These tools store credentials for various websites, apps, and portals so users don’t have to memorize each one (or, as some unfortunately do, store credentials in documents or spreadsheets). A user of these tools creates one complex passphrase, which gives them access to an encrypted database of their stored credentials. These tools can also test your password strength, and give you a score on your password security. For example, LastPass will give you a lower overall score if you’re using the same or similar password across multiple websites.

For many of us who have used and re-used the same or similar passwords over dozens of websites for years, it may be time to allow the password manager both to create new complex passwords and to store all of those credentials. Many of these tools also allow users to share credentials, and allow emergency access to one’s “vault” of credentials. These features are useful for employees that may need to share access to third-party websites for work. The tools enable users to share credentials with other employees in a more secure manner than email or notes. Plus, once shared, if one user changes the password, the tools enable the updated password to be shared automatically. Some also offer “emergency access” to a user’s vault of credentials, which may help avoid business interruption if an employee becomes ill or leaves the company without providing all of their credentials to work-related websites.

Encouraging your employees to use distinct, complex passwords for each personal website, enterprise system, and work-related website can significantly reduce the risk to your organization posed by these exposed passwords. A password management tool can help your organization promote that type of behavior. And if none of those reasons is particularly persuasive, perhaps you may want to read about what happened when the only person with the password to a company’s Bitcoin wallet worth over $190 million died.

Posted at 11:08 AM in Data Breach Notification | Permalink | Comments (0)

October 22, 2018

FDA Releases New Cybersecurity Initiatives for Connected Medical Devices

Posted by Tim Hudson

To kick off National Cybersecurity Awareness Month, the FDA released a statement regarding the agency’s continued emphasis on medical device cybersecurity. As cyber attacks have become more and more prevalent, the increasing number of medical devices connected to hospital networks creates a greater possibility that cyber criminals could exploit vulnerabilities in medical devices. Recognizing that medical device cybersecurity incident preparedness is fundamental to protect patients, the FDA announced new initiatives, updates, and collaborations.

To learn more, please click here to read Thompson & Knight's recent Client Alert, which provides an overview of the significance of cybersecurity awareness and preparedness for connected medical devices and practical tips and recommendations for protecting sensitive medical data and patient privacy in the digital age.

Posted at 02:27 PM in Regulatory Updates | Permalink | Comments (0)

September 24, 2018

Hindsight Is Not Wisdom: Timeliness of SEC Cyber Disclosures

Posted by Paul Stafford

The U.S. Securities and Exchange Commission (“Commission”) states as its mission the protection of investors; the maintenance of fair, orderly, and efficient markets; and the facilitation of capital formation. In furtherance of this mission, the Commission requires public companies to timely disclose information about the security of the public company’s cyber infrastructure and data, as well as information about material incidents and breaches that may affect shareholders’ investment decisions in those companies. Consequently, the Commission has promulgated a series of cyber security pronouncements and documents, including the CF Disclosure Guidance: Topic No. 2 – Cybersecurity (“2011 Guidance”, Oct. 13, 2011) issued by the Commission’s Division of Corporation Finance (the “Division”), and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (“2018 Guidance”, February 26, 2018). The 2018 Guidance reinforces and expands upon the 2011 Guidance by providing “interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents”.

When there is a “material cybersecurity risk or incident”, the Commission considers public companies to have a duty to disclose the material cybersecurity risk(s) or incident(s) to the Commission, and therefore to the public and the company’s investors and potential investors. The Commission encourages companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack” (2018 Guidance, p.4), and believes that public companies should disclose “the most significant factors that make investments in the company’s securities speculative or risky” (2018 Guidance, p.13). But what constitutes “timeliness” for purposes of cyber incident, breach, or risk disclosures to the Commission? Although not a public company, can guidance as to the interpretation of “timeliness” be gleaned by examining was has occurred in most recent years in instances in which the government itself has been the subject of a cyber incident, breach, or risk? Are these incidents instructive as to how the Commission may interpret timeliness within the cybersecurity context?

For instance, in June 2015, the U.S. Office of Personnel Management announced a data breach involving approximately 21.5 million records and approximately 4 million people, including Social Security numbers and detailed security-clearance-related background information. The “data breach” involved two incidents. The first incident was purportedly discovered on March 20, 2014 - over fifteen months before the announcement. The second incident was purportedly discovered on April 15, 2015 - two months before the announcement.

In January 2016, the National Aeronautical and Space Administration (NASA) acknowledged a cyber breach of over 2000 NASA personnel, as well as flight logs and videos recorded by NASA aircraft. In addition, the hackers were able to alter the flight path of a $222M NASA drone before the ground crew was able to restore the flight path by accessing the drone using satellites. According to NASA, the hackers had been inside of NASA’s systems since 2013 – approximately three years before the announcement.

In February 2016, the Internal Revenue Service acknowledged a cyber breach of over 700,000 Social Security Numbers and other sensitive information occurring over a number of years through an online portal that permitted users to view their tax history. The U.S. Justice Department also was breached in February 2016 with the publication of personal information for 20,000 FBI employees. More recently, the FBI and Custom and Border Agents were among thousands of law enforcement personnel impacted by a breach involving the Advanced Law Enforcement Rapid Response Training (reported in June 2018).

It is undisputed that these public agencies are not subject to the regulatory and disclosure requirements of public companies. It is also certainly arguable that these cyber incidents and breaches involving government entities and agencies may not have been widely publicized, and perhaps not announced in what some would consider a timely manner; however, in contrast, the Equifax breach became widely publicized on September 7, 2017 when Equifax announced that hackers had accessed data including Social Security Numbers and drivers license numbers and addresses for approximately 145 million Americans. The cyber attack purportedly began in May 2017 and was detected in July 2017 – and was announced approximately two months later. In the wake of Equifax’s disclosure, on September 20, 2017, the Commission issued a statement emphasizing the importance of cybersecurity and detailing the SEC’s approach to cybersecurity … as well as confirming a 2016 intrusion (purportedly discovered in August 2017) involving unauthorized access to the EDGAR test filing system, which is the system used by companies to make their legally required filings to the SEC – this after a July 2017 report released by the Government Accountability Office that found deficiencies in the SEC’s information systems. Would the SEC’s cyber breach have become apparent and been announced but for the Equifax breach?

Understanding that the government is by the public and for the public but is not a “publicly held” company per se, it is evident that although the government may disclose cyber incidents, breaches, and risks when it deems appropriate after considerations of materiality, national security, and pragmatism, publicly-traded companies do not share this same deference in determining the timeliness of disclosures to regulatory or reporting bodies such as the Commission. Accordingly, the interpretation of “timeliness” should be examined within other legal contexts, as well as within the Commission’s 2018 Guidance itself.

For example, within the 14th Amendment constitutional desegregation context, timeliness is defined as “with all deliberate speed”, which was a purposefully vague and slow standard meant to ease the political and cultural ramifications of societal change. See Brown v. Board of Education II, 349 U.S. 294 (1955).

Within the context of the sale of previously occupied single-family residential real property, and pursuant to Section 5.008 of the Texas Property Code, the seller must timely disclose to the purchaser material facts and the condition of the property, known to the seller as of the date the notice (disclosure) is completed and signed by the seller. This “seller’s disclosure” is legally interpreted as a representation rather than a warranty, with serious penalties and potential liabilities for misrepresentations.

And, within an insurance context, “timeliness” is often characterized by the standard form insurance language “as soon as practicable”. In insurance cases alleging the breach of a material term by an insured, such as lack of notice in a policy, Texas courts have employed a “notice-prejudice” rule, which first examines whether notice was provided to the insurer, then examines when the insurer was provided notice, and finally examines whether a lack of what the insurer claims as “timely” notice in accordance with the “as soon as practicable” or other applicable standard form policy language resulted in prejudice to the insurer. See PAJ, Inc. v. Hanover Insurance Co., 243 S.W.3d 630 (Tex. 2008) and Prodigy Communications Corp. v. Agricultural Excess & Surplus Lines Ins. Co., 288 S.W.3d 374 (Tex. 2009). Unless the court answers in the affirmative (i.e. – a finding of prejudice to the insurer due to lack of timely notice) the insured is determined not to have violated a material term of the insurance contract. This creates an incentive on the part of the insured for timely notice (disclosure) of an occurrence (incident) to the insurer, but provides some protection to the insured from the subjectivity associated with an insurer’s unilateral determination of the term “timeliness” or the contractual phrase “as soon as practicable”.

In contrast to desegregation jurisprudence, real estate sales contracts, and the insurance law context, the Commission has no such mechanism for determination of “timeliness” in disclosures pertaining to cyber incidents, breaches, or risks, instead employing a standard based on “expectations” placed upon public companies to determine when disclosure should occur. So, as with “materiality”, a determination of the timing of disclosures to the Commission of cyber incidents, breaches, and risks is the responsibility of the public company, with the Commission and courts reserving the right to question the timing of disclosures as circumstances develop or additional facts and factors become known with the passage of time. The Commission’s authority to exercise retroactive determinations of “timeliness” could reasonable lead to the invocation of a phrase famously stated in President George W. Bush's 2006 State of the Union Address, “Hindsight alone is not wisdom, and second-guessing is not a strategy”.

In the years since President Bush’s assertion, lots has occurred in the realm of cybersecurity, and hindsight and second-guessing have been refined to a legal art form. For instance, the well-publicized cyber attacks (by Russian Federation hackers) on Yahoo included breaches in 2013 and in 2014. The 2014 breach, discovered in July 2016 and reported in September 2016, affected over 500 million Yahoo user accounts. The August 2013 breach, discovered in July 2016 and reported in December 2016, was originally believed to have affected approximately 1 billion accounts; however, Yahoo later affirmed in October 2017 that the breach affected every Yahoo account that existed at that time – which is 3 billion accounts. In 2018, as a result of the 2014 breach, Yahoo agreed to pay a $35 million fine to the Commission as part of a settlement in the first enforcement action by the Commission for failure to timely disclose a cyber incident, breach, or risk.

In hindsight, it is easy to inquire as to why the Yahoo of just a few year ago did not disclose the full nature of its cyber breach in a more timely manner; however, it is worth noting within this “timeliness” context that in January 2018, the U.S. Department of Homeland Security disclosed a cyber breach it discovered in May of 2017 involving the personal information for approximately 240,000 employees employed by DHS in 2014, as well as “subjects, witnesses, and complainants” associated with DHS Office of Inspector General investigations between 2002 and 2014. DHS did not begin notifying affected employees until November 2017, with DHA stating that this delay was due to “a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.” “The investigation was complex given its close connection to an ongoing criminal investigation,” a notice posted on the DHS website read. “These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

In relying upon the Commission’s guidance of today, the Commission acknowledges (just as in the DHS example) that “some material facts may be not available at the time of the initial disclosure”, that a company “may require time to discern the implications of a cybersecurity incident”, and that the necessity of cooperating with law enforcement and any ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident; however, the Commission states that “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident”(2018 Guidance, p.11).

In addition, and more specifically, 2018 Guidance, Note 15 references the NYSE Listed Company Manual Rule 202.05, which requires listed companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.” 2018 Guidance, Note 15 also references Nasdaq Listing Rule 5250(b)(1), which requires listed companies to “make prompt disclosures to the public of any material information that would reasonably be expected to affect the value of its securities or influence investors’ decisions.” 2018 Guidance, p.19 states that “A company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.” And 2018 Guidance, p.11 states that, in accordance with Section 7 and 10 of the Securities Act: Sections 10(b), 13(a) and 15(d) of the Exchange Act; and Rule 10b-5 under the Exchange Act [15 U.S.C. 78j(b); 15 U.S.C. 78o(d); 17 CFR 240. 10b-5], “Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.”

The disclosure requirements in Commission Regulation S-K and Regulation S-X make no specific mention of cybersecurity risks and incidents; however, public companies must make every effort to adhere to the Commission’s reporting requirements, and may find guidance or specific instruction as to timeliness in the particular requirements for each category of report. Examples include: periodic reports, including Form 10-K annual reports, Form 10-Q quarterly reports (to be submitted every ninety days), and Form 20-F disclosures by foreign private issuers (within four to six months, depending on when the fiscal year ends); current reports, including Form 8-K (which require disclosure within four business days after discovery of a reportable condition) or Form 6-K reports (“promptly after the material contained in the report is made public”); and, Securities Act and Exchange Act obligations, including registration statements that (consistent with Section 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act) must adequately and timely disclose all material facts required to be stated therein or necessary to make the statements therein not misleading.

Accordingly, given the Commission’s Guidance, and the realities of commerce in a digital world, public companies must make every effort to develop policies, procedures, and protocols designed to comply with the Commission’s expectation of timeliness in the disclosure of material information, incidents, breaches, or risks.

Posted at 11:43 AM in Regulatory Updates | Permalink | Comments (0)

August 24, 2018

Whose Material Is This? Objective Subjectivity in SEC Cyber Disclosures

Posted by Paul Stafford

The U.S. Government, through several agencies and in conjunction with state governments and international governing bodies, has assumed the duty to regulate and to facilitate various aspects of commerce in a matter that minimizes economic uncertainty and promotes fairness in the market. As part of the government’s regulatory “contract” with the public, investors, and potential investors, the U.S. Securities and Exchange Commission (“Commission”) states as its mission the protection of investors; the maintenance of fair, orderly, and efficient markets; and the facilitation of capital formation. To carry out this mission, the Commission requires public companies to disclose information about the security of the public company’s cyber infrastructure and data, especially personally identifiable information, as well as information about incidents, and breaches that are “material” and that may affect shareholder decisions about investing in those companies.

Consequently, the Commission has promulgated a series of cybersecurity pronouncements and documents, including the CF Disclosure Guidance: Topic No. 2 – Cybersecurity (“2011 Guidance,” Oct. 13, 2011) issued by the Commission’s Division of Corporation Finance (the “Division”), and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (“2018 Guidance,” February 26, 2018). The 2018 Guidance reinforces and expands upon the 2011 Guidance by providing “interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The 2018 Guidance also addresses two topics not developed in the Division’s 2011 Guidance: the importance of cybersecurity policies and procedures, and the application of insider trading prohibitions in the cybersecurity context to deter selective disclosures and to prevent directors, officers, and corporate insiders from trading in a public company’s securities while in possession of “material non-public information.” But what is “materiality”?

When there is a “material cybersecurity risk or incident,” the Commission considers public companies to have a duty to disclose the material cybersecurity risk(s) or incident(s) to the Commission, and therefore to the public and the company’s investors and potential investors. The Commission encourages companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack” (2018 Guidance, p.4), and believes that public companies should disclose “the most significant factors that make investments in the company’s securities speculative or risky” (2018 Guidance, p.13). Such interpretive guidance on the term “material” not only encourages companies to develop procedures for determining “materiality” for disclosures of actual risks and incidents, but also protocols for determining prospective risks. As the 2018 Guidance (p.11) states, “[T]he materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations,” and such information may include “personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.”

The Commission’s 2018 Guidance (p.11) also states that “[T]he materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause,” with footnote 34 indicating that a company’s materiality analysis “should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of the company activity Basic v. Levinson, 485 U.S. 224, 238 (1988) (citing SEC v. Texas Gulf Sulphur Co., 401 F.2d 833, 849 (2d Cir. 1968))” and that within this analysis, “no ‘single fact or occurrence’ is determinative as to materiality, which requires an inherently fact-specific inquiry. Basic, 485 U.S. at 236.”

The Commission’s 2018 Guidance clearly illustrates that the legal construct of “materiality” is, by its nature, imprecise and flexible. The concept of “materiality” is contextual, requiring what the Commission terms a “tailored” approach (2018 Guidance, p.13) – and perhaps even, at times, subjectivity on the part of public companies based upon the factors, procedures, and protocols utilized in preventing and responding to cybersecurity incidents or in determining a company’s susceptibility to cybersecurity risks. Stated differently, for SEC purposes, an event that is material for one company may not be material for another.

Such subjectivity becomes more apparent when comparing and contrasting the disclosure obligations of the Commission with contract law or tort law principles. For example, the Restatement (2d) of Contracts Section 1 defines a “contract” as a “promise or set of promises for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes a duty.” The determination of whether there is a breach is a question of law; however, a breach must be “material” to be actionable and compensable for foreseeable injuries or equitable relief. Some breaches are “material” as a matter of law (e.g., when a contract specifies that time is of the essence, failure to timely perform is a “material breach”); however, in most instances, the determination of whether a breach is “material” is a question of fact, and non-performance may be excused or damages may be awarded based upon a finding of materiality. As the court stated in Henderson v. Wells Fargo Bank, N.A., 974 F.Supp.2d 993, 1005, 1006 (N.D.Tex.2013), the question of whether a breach was sufficiently material to excuse a party’s performance under a contract is a question of fact for a jury to decide based on an analysis of the factors set out in the Restatement Second of Contracts 241 and 242. Accordingly, materiality in contract law is often determined by a finder of fact within a narrow context that considers performance, acts, and omissions precipitating the alleged material breach and tends towards a presumption of permitting the contract to survive and the contracting parties to perform.

By contrast, a determination of materiality within the context of disclosures to the Commission is the responsibility of the public company that is subject to the cyber risk(s) or incident(s), with the Commission and the courts serving as the ultimate arbiters (i.e., “finders of fact”) of the materiality of those cyber risk(s) or incident(s). The disclosure requirements in Commission Regulation S-K and Regulation S-X make no specific mention of cybersecurity risks and incidents; however, several of the requirements impose an obligation (i.e., “duty”) on public companies to disclose such risks and incidents depending on a company’s particular circumstances. Examples include: periodic reports, including Form 10-K annual reports, Form 10-Q quarterly reports, and Form 20-F disclosures by foreign private issuers; current reports, including Form 8-K or Form 6-K reports; and Securities Act and Exchange Act obligations, including registration statements that (consistent with Section 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act) must adequately disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. In addition to the information expressly required (or interpreted to be required) by Commission regulations, a public company is required to make a subjective determination and to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading,” pursuant to Rule 408 of the Securities Act, Rule 12b-20 of the Exchange Act; and Rule 14a-9 of the Exchange Act. This interpretation of materiality regarding omissions is akin to the Texas Deceptive Trade Practices-Consumer Protection Act, Section 17.46 (b)(24), which addresses the “failure to disclose information concerning goods or services known at the time of the transaction if such failure to disclose such information was intended to induce the consumer into a transaction into which the consumer otherwise would not have entered had the information been disclosed.”

The Commission considers omitted information to be material “if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” (This is the standard established by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976)). The Commission’s articulation of materiality of omitted (non-disclosed) information illustrates that when determining materiality the Commission adopts a less subjective, and perhaps arguably objective, approach.

So the inquiry as to “materiality” then becomes not only, “What is material?” but “Who is asking?” and “Who is determining?” Accordingly, through the Commission’s articulated 2018 Guidance, the determination of “materiality” within the context of disclosures to the Commission can be seen as subjective when determined by the public company and perhaps objective when determined by the Commission, particularly regarding omitted (non-disclosed) information. Consequently, and in contrast to a contractual, tort, or litigation context, in a public company’s continuing effort and duty to timely provide the Commission information available as to the company’s actual or potential cyber risk(s) and incident(s), public companies should consider determining and defining “materiality” more broadly when providing disclosures to the Commission.

Posted at 03:32 PM in Regulatory Updates | Permalink | Comments (0)

July 31, 2018

Developments from Recent Cases Involving Computer Fraud Insurance

Posted by John Atkins

For this month, we have a couple of computer fraud insurance coverage developments for regular readers to think about.

First, on July 6, a Second Circuit panel held in favor of the insured in a dispute over the computer fraud provisions of a crime policy. In Medidata Solutions, Inc. v. Federal Insurance Company^[1]the appellate court found that a scheme in which bad actors, via a “spoofing” scheme, hijacked a business’s email system and thereby induced fraudulent payments by the company fell within the scope of coverage of a computer fraud provision in a crime policy.

Although the panel’s decision is not precedential, the decision is nevertheless important. The scope of computer fraud provisions in crime policies has been in question for some time, after some recent decisions holding that merely incidental use of computer systems in connection with a fraud will not bring such fraud within the scope of computer fraud coverage. In Apache Corp. v. Great American Insurance Company^[2] in 2016, the Fifth Circuit found that a fraud that involved, in part, a spoofing scheme did not fall within the scope of coverage of a similarly worded provision. In 2017, the Ninth Circuit made a similar ruling in Taylor & Lieberman v. Fed. Ins. Co.^[3] and held that a spoofing scheme whereby an accounting firm was induced to pay client money to a bad actor was not covered by its computer fraud insurance. In those cases, the bad actors managed to send emails that were manipulated to appear as if they were sent by authorized employees. The Second Circuit in Medidata in fact discussed a similar ruling by the New York Court of Appeals.

The facts of Medidata were somewhat unique, however. The insurance provision at issue was relatively typical, extending coverage for losses resulting from fraudulent “entry of Data into” or “change to Data elements or program logic of” a computer system. But in this case, unlike other recent cases, the fraudsters introduced a malicious code into the email system of the target business, which caused the email system to misidentify the sender of emails. The fraudsters used this to send an email purportedly from the president of the company to an employee directing the employee to follow payment directions that would shortly be given to him via phone call. This modification of the email system of the victim was sufficient to put the claim within the scope of coverage. This result may give hope to insureds that spoofing attacks are not always excluded from computer fraud coverage, but it is usually dangerous to read a single court opinion more broadly than its facts permit.

Second, there is a new coverage dispute being litigated in Virginia involving two cyber intrusions against (and the theft of $2.4 million from) the National Bank of Blacksburg.^[4] Although the litigation is still in the early stages, the alleged facts are interesting. In this case there were two separate attacks, both via “phishing,” a technique whereby a link is embedded in an otherwise innocuous email which, when clicked, causes malware to be downloaded.

In the first attack, a phishing email hooked an employee of the bank, resulting in the installation of some malware on the employee’s computer. That malware infected another computer in the bank’s system—one that had the ability to handle debit card transactions. The thieves then proceeded to use their access to dispense more than $500,000 of funds from depositor accounts. The bank changed its policies after the first attack, but apparently not enough; a second attack, also by phishing, resulted in an even more extensive breach that gave the criminals almost complete control over many of the bank’s customer accounts, enabling the creation of millions of dollars of fake credits and the withdrawal of same from hundreds of ATMs across the continent.

The bank’s insurer (largely) denied coverage, and the bank sued. The bank’s policy provided significant coverage for electronic crime, but this coverage was subject to exclusions for crimes involving the use of debit or credit cards or ATMs. The bank’s policy offered very limited coverage for crimes involving stolen or modified debit cards, which the insurer tendered, but this left nearly all the loss uncovered. The litigation has not progressed far, but we will be monitoring this case going forward.

The first thing to note about these cases is this: the operative coverage is the computer fraud or crime coverage within a crime policy, not a dedicated cyber insurance policy. Email spoofing and other cyber risks are not always covered by a cyber insurance policy, and it is important to understand how various insurance policies interlock. The second thing to note is that the content and interpretation of computer fraud insurance is a hot topic at the moment, and as court opinions come in it is likely that both the state of the law, and the drafting of the provisions granting such coverage, will change. Thompson & Knight’s cybersecurity team will be following these and related cases as the insurance market continues to evolve.

[1] No. 17-2492-cv (2d Cir. July 6, 2018).

[2] 662 Fed. Appx. 252 (5th Cir. 2016).

[3] 681 Fed. Appx. 627, 629 (9th Cir. 2017).

[4] See Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M, Krebs on Security, www.krebsonsecurity.com, available at https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/ (last visited July 25, 2018).

Posted at 10:20 AM in Cyber Insurance | Permalink | Comments (0)

July 11, 2018

Equifax Signs Cybersecurity and Data Privacy Consent Order with Eight States

Posted by Marion Bachrach

Aristotle postulated that, in physics, nature abhors a vacuum. This principle applies to regulatory oversight as well.

In the absence of federal legislation mandating appropriate controls to deal with cybersecurity and data privacy, state regulators have stepped into the void and are taking action. On June 25, 2018, eight state agencies signed a Consent Order with Equifax, which requires Equifax to take immediate corrective actions regarding cybersecurity and data privacy following the alarming breach that took place in 2017. The eight agencies include the:

New York State Department of Financial Services;
Texas Department of Banking;
California Department of Business Oversight;
Georgia Department of Banking;
Alabama State Banking Department;
Massachusetts Division of Banks;
Maine Bureau of Consumer Credit Protection; and
North Carolina Office of Commissioner of Banks

The Consent Order requires that within three months, Equifax must approve written risk assessments that identify and assess foreseeable threats to the confidentiality of personally identifiable information (PII) of customers, potential damage to business operations, and controls for each threat.

The Order also requires immediate improvement, within 30 days, of oversight by the Audit Committee to ensure that sectors in critical risk areas are audited frequently. It mandates specific tasks and requires presentation of issue-tracking and issue-aging reports, and bars the Internal Audit sector from involvement in the daily operations of risk management.

It further requires that the Board and Management improve, within three months, the Information Security Program by taking specific steps, including: approving a written Information Security Program and Policy, enhancing the level of detail in Board and Committee minutes, and reviewing and approving information security policies to ensure they are up-to-date and function effectively.

Board and Management must now identify with clarity the roles and relationships of those involved with incident response relating to cyber threats, network operations, security monitoring, incident detection, and incident response teams. They must implement better patch management, with stricter controls for immediate updating and installation.

The Order enhances oversight of disaster recovery and business continuity plans; it requires that business continuity plans be reviewed independently by Internal Audit on a regular basis.

Significantly, the Order requires strict oversight of third-party vendors. It demands that within three months, the Company improve oversight and documentation of critical vendors to ensure that sufficient controls are developed to safeguard information. Also included is the requirement that management develop guidance for when use of cloud-based services is permissible and the types of cloud services that are acceptable.

The Order requires the Board to submit for review a list of all remediation projects planned, in process, or implemented in response to the 2017 breach together with a third-party forensic report of the investigation of that breach. It further requires Management to have an independent testing of controls relating to remediation efforts and to report by year-end whether those controls function effectively.

The eight states have served notice to entities in the financial sector – whether banks, credit card companies, credit reporting agencies, or insurers – that they will not tolerate lax controls that could compromise cybersecurity or data privacy. Companies doing business in any one of these eight states should take heed.

Posted at 12:19 PM in Regulatory Updates | Permalink | Comments (0)

June 14, 2018

The Most Cost-Effective Strategy for Buying Cyber Insurance: Raise Response-Cost Limits to the Full Extent of Aggregate Policy Limits

Posted by David White

By now, all companies – large, small, and in between – know they are vulnerable to computer hacks, and the costs can be huge.^[1] Looking at the current trade talk, one sees a host of articles telling companies why they should purchase cyber insurance.^[2] Many discuss what limits to buy, and a good many describe the varieties of cyber insurance on the market.^[3] Not many, however, advise policyholders on the best strategy to maximize the value of the policy in return for the premium dollar they pay.

Cyber insurance is not cheap, and businesses must make hard choices about the type and amount of insurance they buy. It is impossible to insure against all risks and worst cases. Consider the military maxim, attributed to the Prussian king Frederick the Great, that to defend everything is to defend nothing. Limited resources, be they soldiers or dollars, must be carefully marshaled and applied where they will do the most good. In buying cyber insurance, our general advice – though it depends on each client’s circumstances – is to aim to make 100% of the aggregate limits of a cyber policy available to cover those initial costs necessary to respond to and manage a hacking intrusion.

The reason is simple: in almost all cases, if a business is hacked, the one loss it can be certain to face from day one is substantial response costs for such things as forensic experts to find and fix the intrusion, crisis management, legal services, notification expenses (where prudent or required by state and federal law), and perhaps regulatory fines. Other losses and liabilities resulting from the theft or destruction of data either may not materialize, or the insurance to cover them is not reasonably available or is prohibitively expensive. So, weighing a doubt against a certainty, a policyholder is often better off when the entire aggregate limit is available to cover response costs.

Consider the matter in light of the likely risks the company will suffer from a cyber attack. Usually, there are three: (1) response costs (described above); (2) liability to third parties who may be damaged from the hack; and (3) lost income if the attack forces the insured’s business to slow or shut down. Of course, there may be other risks, but these three are the most prevalent. Common sense might dictate that liability from lawsuits and the insured’s lost income are more serious risks than response costs. They may end up as the most expensive, but only if they materialize. In the past five years or so, plaintiffs in lawsuits against hacked companies have not made much headway in the courts because quantifiable damages have not been easy to prove. Thus, a defendant’s greatest fear after the Target data breach, a huge class-action from consumers, has not substantially materialized. As a rule, courts have been willing to approve monitoring costs, but not much more. Of course, that could change in the future.

Regarding first-party lost-profits, insureds face the opposite problem. The risk that a computer shutdown will cripple a business is patent, but the insurance industry has yet to offer robust business-interruption coverage for most insureds, particularly small and mid-size companies. Unless the hack results in bodily injury or physical damage to property, cyber business-interruption coverage is usually not readily available, or is not available in sufficient amounts, or is prohibitively expensive.

Most cyber policies on the market today offer a menu of coverages, each with its own sublimit, but all subject to a single aggregate limit, which is the most the insurer will pay under the policy regardless of the number of different claims or losses under the various coverages. So, for example, the policy may have a $5 million aggregate, which is more or less the average we see for small to mid-size businesses.^[4] Let’s assume the policy offers to cover response costs subject to a sublimit of $2 million; several different liability risks (such as network security, multimedia or intellectual property, regulatory, privacy, etc.), each subject to a sublimit of $2 million; and even business-interruption loss subject to a time-delay deductible and a sublimit of $5 million. In no event will the insurer pay more than the $5 million aggregate, even if all of the coverages are triggered.

All things considered, this is pretty good coverage for most companies. But the policyholder may benefit from requesting a revised quote from the insurer for a response-cost sublimit equal to the aggregate limit. Optimally for the insured, the policy would have no sublimits, and the insured would have the option to apply the aggregate limits to whichever loss or liability loomed largest. But Frederick the Great would tell us that if we must choose, we should consider making the full policy aggregate available for response costs because those are the losses the insured will most certainly face, if any; they will be the costs incurred from day one of the discovery of the hack; and they could well exhaust the aggregate limits of the average cyber policy.

[1] V. Lynch, Cost of 2013 Target Data Breach Nears $300 Million, hashedout, https://www.thesslstore.com/blog/2013-target-data-breach-settled/, last viewed June 5, 2018; Heller, Equifax Hack Could Cost ‘Well Over $600 Million’, CFO, http://ww2.cfo.com/data-security/2018/03/equifax-hack-cost-well-600m/, last viewed June 5, 2018.

[2] Heinan Landa, Does Your Business Need Cyber Liability Insurance?, The Business Journals, https://www.bizjournals.com/bizjournals/how-to/growth-strategies/2017/05/does-your-business-need-cyber-liability-insurance.html, last viewed June 5, 2018.

[3] Christiaan Durdaller, Cyber Insurance Trends with Small Businesses, Insurance Journal, MyNewMarkets.com, https://www.mynewmarkets.com/articles/183128/cyber-insurance-trends-small-businesses#, last viewed June 5, 2018.

[4] We are not recommending this or any other policy limit as adequate or reasonable for a particular company or industry. That is simply more or less what we observe.

Posted at 05:35 PM in Cyber Insurance | Permalink | Comments (0)

June 04, 2018

Are You Properly Engaged?

Posted by Michael Stockham

Will your data breach report be used against you? A recent article in the Spring 2018 Litigation News—published by the Section of Litigation of the American Bar Association—revisited what many consider best practices to preserve attorney-client privilege and work-product protection for materials related to internal investigations, including a company’s investigation of a data breach.¹

Who investigates the data breach, and when they begin investigating it, can be key factors weighed by any court when considering later discovery motions related to whether a company must produce materials from a data breach investigation. For example, a report detailing the strengths and weaknesses of the company’s cyber efforts may likely be discoverable in follow-on litigation if the company’s internal information technology group prepared that report but not under the direction of attorneys. In contrast, the same report prepared by the internal information technology group at the direction of an attorney would likely be considered privileged because the report is attorney-work product created by an attorney agent for the specific reason of rendering legal advice.

This blind spot in privilege exists because the work should be connected to attorney analysis and legal advice to protect privilege. That is, work conducted solely by business personnel (e.g., chief information officers or information technology staff) may have little or no nexus to attorney analysis or work product and, therefore, may not be protected by privilege. Specifically, unless all work performed by company personnel is directed by legal counsel, not only will it be difficult to defend claims of privilege or work-product protection, but privilege on conversations with counsel that might otherwise be protected may also lose privilege because the internal company employees (those not in management) might be considered third parties for privilege waiver analysis.

This may also be true for work performed by outside, non-attorney consultants. The company may accidentally waive privilege if, in an effort to cloak the consultants’ work with privilege, the company engages consultants directly but then includes them in the investigative process with attorneys. In that scenario, a court could also hold that the presence of an outside third party eliminated confidentiality and negated claims of privilege. Moreover, the privilege analysis is the most complicated when in-house attorneys are involved. Their dual business and legal role can make privilege analysis murky as courts struggle to ascertain if the communication from the in-house lawyer is legal advice or business advice.

There is a cleaner way to deal with policing privilege and work-product protections during a data breach and the ensuing investigation and report. Courts generally recognize attorney-client privilege and work-product protection when the attorney directly engages the consultant or directs the specific activity of internal personnel. In that case, courts are likely to see the consultant as an attorney agent working to help the attorney render legal advice. Said another way, so long as consultants, IT professionals and others who may help investigate a data breach are first engaged by, or report directly to, the attorneys hired by the company to investigate the data breach, then the consultants or personnel should fall within the parameters of the attorney-client privilege and work-product doctrine. This allows a company greater control of the information, so it can form a legal strategy while also limiting the potential that the information will be discoverable in subsequent litigation. As a result, having outside counsel involved from the very moment the company discovers a data breach, and then working closely with that counsel to engage consultants, provides the greatest protection and flexibility of the company, and would be considered a best practice in this area.

1 Kelso L. Anderson, "Data Breach Ruling Potentially Narrows Scope of Privilege and Work-Product Assertions," Litigation News, Spring 2018 at 14-15.

Posted at 05:02 PM in Data Breach Notification | Permalink | Comments (0)

April 25, 2018

GDPR Countdown: What To Do Before May 25

Posted by: Stephen E. Stein, Craig Carpenter

The EU will implement the new General Data Protection Regulation (“GDPR”) on May 25, 2018. The overall goal of GDPR is to enhance the protections afforded to EU residents for their personal data (under GDPR, the definition of “personal data” goes well beyond corresponding definitions in the United States).While GDPR has many detailed provisions governing the collection, cross-border transfer, processing, and deletion of personal data (including data collected online via websites), it is the potential liability under GDPR that has garnered the most attention: the greater of 10 million euros or 2% of global revenue for “technical non-compliance,” with these limits doubled to 20 million and 4% for a breach of GDPR’s fundamental principles.

The most common question we are asked is whether GDPR applies to U.S. companies. If a U.S. company is collecting or otherwise processing the personal information of EU residents (either as the data owner (“Data Controller”) or a data processing service provider (a “Data Processor”)), the answer may be “yes.” GDPR will likely apply to U.S. companies that process personal data of EU residents (in addition to companies with an EU presence).

What does GDPR require?

In a nutshell, GDPR requires that companies process data according to six data-protection principles, including:

Lawful, fair, and transparent processing (including sufficient notice)
Processing limited to specific, legitimate purposes
Processing limited to adequate, relevant, and necessary information
Data is kept accurate and current
Data is kept for only as long as necessary
Data is secure and confidential

GDPR also requires that companies establish, protect, and maintain their ability to demonstrate GDPR compliance.

What can a company do to start preparing?

While GDPR compliance is a complicated process that will vary greatly from company to company, there are some basic steps that companies can take to begin the process:

Data inventory and mapping – identify what data is collected and where it is stored.
Gap analysis – compare current data-protection practices to those required under GDPR.
Prioritization and action plan – develop a plan to address issues identified in the gap analysis.
Security – develop, implement, and maintain clear data-security policies and practices.
Documentation – maintain clear documentation of data privacy and security policies and practices, including efforts taken to comply with GDPR.
Lawful basis – identify the “lawful basis” for processing personal information.
Privacy notice – develop and implement a privacy notice that clearly explains the privacy practices and data subject rights.

Posted at 03:47 PM in Regulatory Updates | Permalink | Comments (0)