F. Marshall Wall [email protected] @NCCyberLawyer F. Marshall Wall Cranfill Sumner & Hartzog LLP


Page 1

F. Marshall [email protected]@NCCyberLawyer

F. Marshall Wall

Cranfill Sumner & Hartzog LLP

Page 2

“[I] am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Robert S. Mueller, III, Former FBI Director

Page 3

NC Identity Theft Protection Act

What is a "security breach"?

Page 4

What is a security breach?

• Unauthorized access to AND acquisition of

• Unredacted AND unencrypted records or data

• Containing personal information

• Where illegal use of this data has occurred OR is reasonably likely to occur

• Creating a reasonable risk of material harm to a consumer

Page 5

NOT a Breach

• If only encrypted data is taken and the encryption key is not with the data, it is not a data breach

• If the data was accessed but not “acquired”, it is not a data breach

• If there is no risk of material harm to a customer, it is not a data breach

Page 6

NC Identity Theft Protection Act

What is the legal standard for my company’s protection of personal information?

Page 7

NC Identity Theft Protection Act

• The Act requires that “reasonable care” be used to protect data

• No further definition is given

• No published cases have evaluated what is reasonable under North Carolina law

Page 8

What is “personal information”?

A person's first name or first initial and last name in combination with other information such as:

Page 9

What is “personal information”?

• Social Security number

• Driver's license number

• Passport number

• Checking or savings account number

• Credit or debit card number

• PIN code

• Biometric data

• Passwords

Page 10

How quickly must notice be given?

• There is no specific deadline for notice

• Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”

Page 11

Who Gets Notice?

• Everyone whose personal information was contained in the records

• The Consumer Protection Division of the Attorney General’s staff

• If more than 1,000 people are affected by the breach, notice must also be given to the three major credit bureaus
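The "security breach" elements, the "NOT a breach" exceptions and the notice recipients on the preceding slides combine into a triage checklist. The following is an added example, not code from the deck or its author: it encodes those elements exactly as the slides summarize them, in slide order, so an incident responder can see which element a given scenario fails on and who would have to be notified. The `Incident` fields, the element labels in `PERSONAL_INFO_ELEMENTS` and the four sample scenarios are constructed for illustration.

```python
"""Incident-triage helper: added example, not part of the slide deck.

Encodes the "security breach" elements, the "NOT a breach" exceptions and the
notice recipients as the slides summarize them.  Field names and sample
scenarios are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Data elements listed on the "personal information" slide (constructed labels).
PERSONAL_INFO_ELEMENTS = {
    "ssn", "drivers_license", "passport", "bank_account",
    "payment_card", "pin", "biometric", "password",
}


@dataclass
class Incident:
    name_present: bool        # first name or initial plus last name in the records
    data_elements: set[str]   # which listed elements the records hold
    accessed: bool            # unauthorized access occurred
    acquired: bool            # data was taken, not merely viewed
    encrypted: bool           # records were encrypted
    key_exposed: bool         # the key was stored with the data or taken with it
    redacted: bool            # records were redacted
    illegal_use: bool         # illegal use occurred OR is reasonably likely
    harm_risk: bool           # reasonable risk of material harm to a consumer
    affected: int             # people whose personal information was in the records


def has_personal_information(inc: Incident) -> bool:
    """Name plus at least one of the listed data elements."""
    return inc.name_present and bool(inc.data_elements & PERSONAL_INFO_ELEMENTS)


def classify(inc: Incident) -> tuple[bool, str]:
    """Test the elements in slide order; stop at the first one that fails."""
    if not inc.accessed:
        return False, "no unauthorized access"
    if not inc.acquired:
        return False, "accessed but not acquired"
    if inc.redacted:
        return False, "records were redacted"
    if inc.encrypted and not inc.key_exposed:
        return False, "encrypted and key not with the data"
    if not has_personal_information(inc):
        return False, "no personal information in the records"
    if not inc.illegal_use:
        return False, "illegal use neither occurred nor reasonably likely"
    if not inc.harm_risk:
        return False, "no reasonable risk of material harm"
    return True, "all elements met"


def notice_recipients(inc: Incident) -> list[str]:
    """Who must be notified under the slides' summary; empty if not a breach."""
    breach, _ = classify(inc)
    if not breach:
        return []
    recipients = [
        "each affected individual",
        "NC Attorney General, Consumer Protection Division",
    ]
    if inc.affected > 1000:          # slide: more than 1,000 people affected
        recipients.append("three major credit bureaus")
    return recipients


# Constructed scenarios sharing the same baseline facts.
_BASE = dict(name_present=True, data_elements={"ssn", "bank_account"},
             accessed=True, acquired=True, redacted=False,
             illegal_use=True, harm_risk=True)
STOLEN_ENCRYPTED_LAPTOP = Incident(**_BASE, encrypted=True, key_exposed=False, affected=2500)
EXFILTRATED_DATABASE = Incident(**_BASE, encrypted=False, key_exposed=False, affected=2500)
SMALL_EXFILTRATION = Incident(**_BASE, encrypted=False, key_exposed=False, affected=40)
SNOOPED_RECORD = Incident(**{**_BASE, "acquired": False},
                          encrypted=False, key_exposed=False, affected=1)

if __name__ == "__main__":
    for label, inc in [("stolen encrypted laptop", STOLEN_ENCRYPTED_LAPTOP),
                       ("exfiltrated database", EXFILTRATED_DATABASE),
                       ("small exfiltration", SMALL_EXFILTRATION),
                       ("snooped record", SNOOPED_RECORD)]:
        breach, reason = classify(inc)
        print(f"{label}: breach={breach} ({reason}); notify={notice_recipients(inc)}")
```

The order of the checks matters for the answer a responder gets back: the encrypted-laptop scenario stops at "encrypted and key not with the data" even though every later element would be met, which is the point of keeping keys away from the data they protect; the snooped record stops at "accessed but not acquired". The credit-bureau line appears only when the count crosses the slide's 1,000-person threshold.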

Page 12

What if customers live in other States?

• Data protection statutes are specific to the States where your customers live

• All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes

• Notice requirements, including the time to give notice, vary significantly

Page 13

What if customers live in other States?

THE BOTTOM LINE – if your customers are in other States, you have to give notice based on their State’s law

Page 14

Who can sue?

• North Carolina allows a private right of action, but only if the consumer can show injury

• A cause of action under the Act cannot be assigned

• A violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1

Page 15

Federal Trade Commission

• FTC has brought more than 50 enforcement actions

• Typically relies on Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices

Page 16

FTC

• Focus on whether companies are living up to their stated privacy policies

– Ex) Wyndham Hotels case (Third Circuit 2015)

– https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf

Page 17

FTC

• Also examines what data companies keep, how long they keep it, where they keep it, and whether they should keep it in the first place

Page 18

FTC Enforcement Action Examples

• Pursued BJ’s Wholesale for keeping customer credit card data for as long as 30 days – long after their transaction had been processed

Page 19

FTC Actions

• Brought an action against Twitter for failing to suspend a user’s access after a certain number of failed login attempts and for allowing almost all of its employees “administrative” access to information in its system
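The first half of the Twitter action concerns a control every authentication service is expected to have: suspend an account once failed logins pile up. The following is an added example, not code from the deck, from Twitter, or from the FTC filing; it runs a sliding-window lockout check over a handful of constructed auth log lines. The threshold of five failures and the fifteen-minute window are assumptions (the slide gives no number), and the log format and user names are constructed.

```python
"""Failed-login lockout check over constructed auth log lines.

Added example, not the deck's, Twitter's or the FTC's code.  The threshold and
window are assumptions; the slide names no number.  Log lines are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed: suspend on the 5th failure in the window
WINDOW = timedelta(minutes=15)   # assumed: failures must fall within 15 minutes

# Constructed log, one event per line: "<ISO timestamp> <user> <failure|success>".
# alice: five rapid failures -> should be suspended at the fifth.
# bob:   three failures, then a success that resets the counter -> not suspended.
# carol: five failures spread ten minutes apart -> never five inside one window.
SAMPLE_LOG = """\
2024-01-01T09:00:00 alice failure
2024-01-01T09:00:10 alice failure
2024-01-01T09:00:20 alice failure
2024-01-01T09:00:30 alice failure
2024-01-01T09:00:40 alice failure
2024-01-01T09:00:50 alice success
2024-01-01T09:01:00 bob failure
2024-01-01T09:01:10 bob failure
2024-01-01T09:01:20 bob failure
2024-01-01T09:01:30 bob success
2024-01-01T09:01:40 bob failure
2024-01-01T09:10:00 carol failure
2024-01-01T09:20:00 carol failure
2024-01-01T09:30:00 carol failure
2024-01-01T09:40:00 carol failure
2024-01-01T09:50:00 carol failure
"""


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def evaluate(lines: list[str], max_failures: int = MAX_FAILURES,
             window: timedelta = WINDOW) -> dict[str, datetime]:
    """Return {user: time at which the account should have been suspended}.

    A success clears the user's counter; failures older than `window` drop out
    of the deque, so a slow trickle never reaches the threshold.  Once a user is
    suspended, later events for that user are ignored here (a real service would
    reject and log them)."""
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    lockouts: dict[str, datetime] = {}
    for ts, user, outcome in (parse_line(l) for l in lines if l.strip()):
        if user in lockouts:
            continue
        if outcome == "success":
            failures[user].clear()
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) >= max_failures:
            lockouts[user] = ts
    return lockouts


def is_locked(user: str, lockouts: dict[str, datetime]) -> bool:
    """True if `user` was suspended in the evaluated log."""
    return user in lockouts


if __name__ == "__main__":
    for user, when in evaluate(SAMPLE_LOG.splitlines()).items():
        print(f"suspend {user} at {when.isoformat()}")
```

The success on alice's line after her fifth failure is deliberately ignored, since by then the account is already suspended; that is the behaviour the action faulted Twitter for lacking. Lowering `max_failures` to 2 in the call shows how the same log looks under a stricter policy: all three constructed users would be suspended.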

Page 20

FTC Actions

• Alleged that shoe retailer DSW failed to segment its network by allowing stores to connect with other stores and access data there

Page 21

FTC Actions

• Brought an enforcement action against Snapchat, which promised that messages would “disappear forever” when in fact they did not

Page 22

FTC Actions

• Pursued both CVS and Rite Aid for failing to properly dispose of prescription information

Page 23

Securities and Exchange Commission

Washington D.C., Sept. 22, 2015 — The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.

Page 24

SEC

• This is the first enforcement action from SEC

• Found that the firm failed to have policies and procedures, failed to have a firewall, failed to encrypt data, and failed to have a response plan

• $75,000 fine

• Censure

• Cease and desist order

Page 25

SEC

• Enforces the Gramm-Leach-Bliley Act

– Title V governs when non-public consumer information may be disclosed

– Requires notice of privacy policies to customers

• Regulation S-P governs privacy of consumer financial information

• Oversees broker-dealers and advisers, among others

Page 26

US Department of Health and Human Services

September 2, 2015

$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

Page 27

US DHHS

• Enforces compliance with HIPAA and HITECH through the Office for Civil Rights

• HIPAA privacy rule applies to Protected Health Information (PHI)

Page 28

Avoiding Data Breach Incidents

• Prevent

• Detect

• Respond

Page 29

Avoiding Data Breach Incidents

• Assess your systems, policies, and procedures routinely

• Educate your employees – most cyber incidents are the result of human error

• Outside testing of your security

• Determine what data you collect, where and for how long you keep it, and why

Page 30

Avoiding Data Breach Incidents

• Have an incident response plan and PRACTICE it

• Restrict access

• Encrypt data

• Back up data continually

• Update your software

Page 31

Avoiding Data Breach Incidents

• Require strong passwords and frequent changes

• Segment your network

• Monitor network activity

• Remember – a data breach is not always a cyber incident!

Page 32

Cyber Liability Insurance

• Generally policies are designed to cover at least some of these risks:

– Hacking

– Denial of service attacks

– Web content liability

– Data breaches

– Damage to your network

Page 33

What’s Covered?

• MORE LIKELY

– Third-party claims and costs

Example – personal data for customers is accidentally released

• LESS LIKELY

– First-party claims

Network damage to your systems from a hacker attack may be insurable

Reputational damage to your company probably cannot be insured

Loss of intellectual property is often not covered by these policies

– Business interruption coverage for “cyber-losses”

Often capped or limited

• EXCLUDED

– State-sponsored attacks by other governments, usually

Page 34

Questions?