September 26, 2016

Data, Privacy & Security Practice Report – September 26, 2016

Yahoo Announces Large Data Breach – On September 22, 2016, Yahoo issued a statement confirming that hackers infiltrated its systems in late 2014 and lifted account data tied to at least 500 million users. In its press release, Yahoo said that a recent investigation revealed that a copy of information “associated with at least 500 million user accounts” had been stolen from its network in late 2014 by what the company believed to be a “state-sponsored actor.” According to Yahoo, the stolen information includes names, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo does not believe that the stolen information includes unprotected passwords, payment card data, or bank account information, which are stored in a different system.

Yahoo is working closely with law enforcement on the matter, and there is no evidence that the state-sponsored hacker is still accessing Yahoo’s network. Yahoo is also in the process of notifying potentially affected users and has taken steps to secure their accounts. Yahoo asked users to change their passwords and to review their online accounts for suspicious activities, and to change passwords and security questions for any other accounts that may rely on the same or similar information as their Yahoo account.

Yahoo’s data breach may lead to stricter disclosure requirements for companies. U.S. Senator Mark Warner (D-VA), a member of the Senate Intelligence and Banking Committees and a cofounder of the bipartisan Senate Cybersecurity Caucus, and U.S. Senator Richard Blumenthal (D-CT) both released statements calling for Congress to enact relevant legislation.

Sen. Warner criticized Yahoo for not reporting suspicions of a breach sooner. He stated that, although the scale of the data breach was among the largest on record, he was “most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.” While Yahoo has not disclosed when it first learned of the breach, available information suggests that it was uncovered as part of an ongoing internal investigation that began in August of this year. Sen. Warner called on the federal government to impose stricter disclosure requirements for companies. Companies are currently subject to a patchwork of state disclosure laws, but there is no federal standard for reporting breaches. “Action from Congress to create a uniform state breach notification standard so that consumers are notified in a much more timely manner is long overdue,” Sen. Warner said in his statement.

Sen. Blumenthal’s statement was even more critical of Yahoo. According to Sen. Blumenthal, “[i]f Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Sen. Blumenthal also observed that this data “breach demonstrates the urgent need for Congress to enact data breach and security legislation – only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised.” Such criticism is being levied, however, before Yahoo has publicly disclosed all of the facts surrounding the incident.

Finally, some commentators are wondering whether Yahoo’s data breach may be the first to publicly derail a potential merger or acquisition. In July of this year, Verizon Wireless Inc. agreed to purchase Yahoo’s core business for $4.83 billion, but that transaction has not been completed. Although major data breaches have become a routine event for corporate America, in this instance, Sen. Blumenthal has called on law enforcement and regulators to “investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”

Reporter, Ashley B. Guffey, Atlanta, +1 404 572 2763, aguffey@kslaw.com.

New York Attorney General Announces Settlement With Trump Hotel Over Two Data Security Incidents – On September 23, 2016, New York Attorney General Eric T. Schneiderman announced a settlement with Trump International Hotels Management LLC, d/b/a Trump Hotel Collection (“THC”), imposing $50,000 in penalties and ongoing obligations to maintain certain security policies and procedures. According to the New York Attorney General, THC (i) failed to timely notify its customers of the first security incident, and (ii) failed to timely implement THC’s forensic investigator’s remediation recommendation before the second security incident. The two incidents resulted in the exposure of over 70,000 credit card numbers.

The New York Attorney General’s announcement stated that, in late May 2015, THC learned of “common point of purchase” reports indicating that it might be the source of a credit card compromise. Common point of purchase reports are a commonly used method by which banks analyze fraudulent credit card transactions and determine the last merchant where legitimate transactions took place, suggesting the source of a compromise. According to the New York Attorney General, within a few weeks, a preliminary forensic investigation confirmed the existence of malware at multiple THC locations. THC notified affected customers approximately four months later, in late September 2015, which the New York Attorney General claimed violated New York General Business Law § 899-aa by failing to provide notice to customers “in the most expedient time possible and without unreasonable delay.” New York General Business Law § 899-aa tasks the New York Attorney General with enforcing any violations of the statute, including through monetary and injunctive penalties.

In March 2016, according to the New York Attorney General, THC received additional common point of purchase reports about a potential second incident, which was subsequently confirmed by a forensic investigation. THC notified affected customers approximately two months later. The announcement does not indicate whether the office viewed the second notification as untimely under General Business Law § 899-aa, but the New York Attorney General took issue with THC’s alleged failure to timely implement two-factor authentication for remote access to THC’s network as recommended by the forensic investigation report from the first breach. The New York Attorney General claimed that the remediation recommendation might have prevented the March incident, but THC’s April implementation came too late.

In addition to the $50,000 penalty imposed on THC, the New York Attorney General stated that THC has agreed to maintain reasonable security policies and procedures designed to protect personal information, for an unannounced period of time, including:

  1. Designation of an employee or employees to coordinate and supervise THC’s program designed to protect the privacy and security of personal information;

  2. Annual employee training to, at a minimum, inform employees who are responsible for handling personal information about data security, the importance of consumer privacy, and their duty to help maintain its integrity;

  3. Responding to events involving unauthorized acquisition, access, use or disclosure of personal information including training all staff who are responsible for inputting, entering, maintaining, storing or transferring personal information on data breach notification law;

  4. Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;

  5. Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of two-factor authentication for remote access to computer systems;

  6. Regular testing of the effectiveness of the safeguards’ key controls, systems, and procedures, including through reasonable and appropriate software security testing; and

  7. Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement and requiring service providers by contract to implement and maintain appropriate safeguards.

These injunctive provisions are in line with those commonly imposed by other data security and privacy regulators, including the Federal Trade Commission.

The settlement with THC reflects the increasing role state attorneys general play in investigating and enforcing data security and privacy laws. In addition, many data breach notification statutes are worded similarly to New York’s, and the THC settlement provides rough guidance on the inherently subjective determination of what constitutes “unreasonable delay” in providing affected individuals notification of a data security incident.

Companies that handle customers’ personal information should ensure that they have appropriate data security and privacy governance and compliance programs, and that they respond to data security incidents consistently with incident response best practices.

Reporter, Nick Oldham, Washington, D.C., +1 202 626 3740, noldham@kslaw.com.

Bill Proposes Tax Incentives For Data Breach Insurance – On September 14, 2016, U.S. Representative Ed Perlmutter (D-Colo.) introduced the “Data Breach Insurance Act,” which would incentivize private industry to enhance its cybersecurity posture by providing federal income tax credits. Specifically, the bill would reward companies that obtain data breach insurance coverage and adopt the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”).

The new tax credit would expire five years after enactment, and thus appears intended to jumpstart adoption while cybersecurity coverage is still in its early stages. This approach shows merit, with the National Association of Insurance Commissioners (“NAIC”) reporting in August that U.S. insurers offering standalone cybersecurity policies encountered loss ratios ranging from zero to five hundred percent under these policies in 2015. If this wide variation in insurers’ experience results from immature underwriting models, encouraging more widespread coverage could spur standardization and a more efficient pooling of cyber risks.

To be eligible for the credit under the bill, taxpayers would not only need to obtain an eligible policy, but would also need to adopt and comply with the NIST Framework. This provision appears intended to require actual changes in insureds’ behaviors. This should, in theory, promote a virtuous cycle, whereby insurers can count on, and in turn further incentivize, a more standardized approach to cybersecurity and data breach readiness. However, the bill does not define “compliance” with the NIST Framework, and the NIST Framework itself is designed to apply flexibly to a variety of organizations and needs, without a preset measure of effectiveness or a mandated assessment program. This could leave significant uncertainty about the credit’s applicability. (Similarly, the bill would give the Secretary of the Treasury a degree of influence in setting private cybersecurity policies, by allowing the Secretary (in consultation with the Secretaries of Homeland Security and Commerce) to approve alternative standards as sufficiently “similar” to the NIST Framework.)

The new bill is now pending before the House Committee on Ways and Means. Although the 114th Congress looks unlikely to take up the new proposal in its five remaining working weeks, its approach may resurface next year, either in standalone form or in connection with other cybersecurity measures.

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.

State Attorneys General Urge FCC To Drop ISP Privacy Plan – The Federal Communications Commission (“FCC” or “Commission”) issued a Notice of Proposed Rulemaking in March of this year to assert the Commission’s regulatory reach over internet service providers (“ISPs”), specifically the manner in which those providers collect and use customer information. Sixteen State Attorneys General, including the Attorney General for the State of Georgia, Sam Olens, are now responding to the proposed rules. The Attorneys General are advising the FCC to drop its ISP plan to spare providers from regulatory confusion and unnecessary burdens.

According to the FCC, the proposed rules are meant to further protect consumers, particularly broadband subscribers, by giving them more control over how their information is used and shared by ISPs. The proposed rules would require providers to obtain “opt-in” consent from consumers before using any of their information for a non-communications-related purpose (i.e., third-party marketing purposes). The FCC assumed authority over ISP customer privacy issues in 2015 when it reclassified ISPs as common carriers. The Commission has emphasized, though, that the proposed rules will not apply to the privacy practices of “edge providers” like Google or Facebook, over which the Federal Trade Commission (“FTC”) has authority.

In their September 9th letter to the FCC, the State Attorneys General argue that the separate (yet overlapping) authorities of the FCC and FTC over ISPs create unnecessary confusion. According to the letter, “[c]rafting a patchwork of regulations imposes extra burdens on all who seek to protect consumer privacy, forcing them to navigate artificial distinctions before they can determine what rules do or do not apply in a particular circumstance.” In other words, it actually hurts consumers to create regulations over ISPs while exempting big tech companies, and vice versa. The letter explains, “[c]onsumers value their privacy and the security of their personal information, period. They do not differentiate between who has access to their information in the online environment.”

Moreover, the Attorneys General are concerned that the FCC’s rules could preempt state laws, which already “protect consumers’ privacy” on the internet. The letter states, “[i]t is of paramount importance that any federal regulations not impair states’ ability to vigorously protect their citizens.” State laws governing the practices of ISPs, the Attorneys General argue, have “distinct advantages over new prescriptive regulatory approaches.” Rather than create regulations piecemeal, the letter recommends that the FCC “engage with the [FTC] and state attorneys general to determine the most effective path forward to protect consumers and their privacy.”

The FCC is scheduled to address both these concerns at its next open meeting this Thursday, September 29th.

Reporter, Bethany Rupert, Atlanta, GA, +1 404 572 3525, brupert@kslaw.com.

ALSO IN THE NEWS

King & Spalding Submits Comments To Draft Insurance Data Security Model Law – On September 16, 2016, King & Spalding, on behalf of its client the American Association of Independent Claims Professionals, submitted comments to the National Association of Insurance Commissioners (“NAIC”), regarding NAIC’s second revised draft model law pertaining to data security in the insurance industry (the “Draft Model Law”). The Draft Model Law includes data breach notification obligations and outlines data security standards that insurance companies and related licensees would be subject to in any state where it is enacted. King & Spalding’s comments focused on six “core elements” that the Draft Model Law must address, including: (i) effective preemption at least of the patchwork of applicable state laws; (ii) a reasonable scope; (iii) recognition that notification can only take place once an organization determines the scope of any incident and has taken key steps to remediate the incident; (iv) recognition of the importance of avoiding over-notification; (v) reasonable third-party requirements in light of the variation among third parties; and (vi) appropriate calibration of enforcement and penalties in light of the fact that in many cases the notifying organization is a victim as well. The most recent version of NAIC’s Draft Model Law can be found here, and King & Spalding’s comments are available here.