Data Security and Privacy

By the Data Security & Privacy Team

Introduced by Senator Brian Schatz (D-HI), the ranking member of the Communications, Technology, Innovation, and the Internet Subcommittee of the United States Senate, the Data Care Act of 2018 (the “Act”) seeks to enact Federal privacy legislation that will incentivize “online service providers” to protect certain types of personal data or risk civil penalties brought by both Federal and State agencies.[1]

Introduced to the Senate on December 12, 2018, the Bill was succinctly designed to “establish duties for online service providers with respect to end user data that such providers collect and use.” The bill defines “online service provider” as any entity that is both “engaged in interstate commerce over the internet…” and “in the course of its business, collects individual identifying data about end users…” The term “end users” is further defined as any “individual who engages with the online service provider or logs into or uses services provided by the online service provider over the internet or any other digital network.” In other words, anyone who logs into any online network is now an “end user.” And almost any entity that affords the opportunity to log into a network becomes an “online service provider” that is now tasked, under threat of concurrent state and federal criminal penalties, with protecting certain types of data.[2]

The following types of information are protected from disclosure under the Act and referred to as “sensitive data:”

  • Social security numbers;
  • First and last names or first initial and last name accompanied by the following:
    • The individual’s year of birth;
    • Mother’s maiden name; or
    • Individual’s geolocation.
  • Biometric data (example: thumb print);
  • User name and password or email address and password;
  • Financial account numbers (example: credit or debit card number);
  • Personal information of minor children (as defined in section 1302 of the Children’s Online Privacy Protection Act of 1998);
  • Driver’s license number, military identification number, passport number or any number issued on a similar item of government identification;
  • Information relating to an individual’s mental or physical health; and
  • Nonpublic communications or user-created content by an individual. [3]

The Act imposes not only a duty of care to “reasonably secure individual identifying information from unauthorized access,” but also a duty of “loyalty” that “will prevent the reasonably foreseeable material from physical or financial harm to the end user.” The duty of confidentiality further prohibits the “online service provider” from selling or disclosing any information that it keeps on its “end users” and imposes the duty to take reasonable steps to ensure a “duty of care” by entities to which the online service provider discloses or sells information.[4] In the event of a breach, the online service provider must inform the Federal Trade Commission in accordance with 5 U.S.C. § 553. Thus, the Act looks to “online service providers” to police each other.

Consistent with the growing pressure on businesses to institute cybersecurity measures, the Act codifies the ability of multiple states and multiple state agencies to bring civil actions against offenders. Specifically, the Act permits both state Attorneys General, as well as any other state consumer protection agency, to bring civil actions against any offender without much limiting language. Accordingly, an online retail distributor qualifying as an “online service provider” could face civil and criminal penalties from all 50 states, as well as simultaneous penalties from the Federal Government for the same offense.

If passed, this Act will go into effect within 180 days of its enactment. With a Federal Government shutdown currently in place and no anticipated reopening date, it is unknown when the Act will be signed into law. However, the political blogs are not anticipating substantial opposition to the Act if it is addressed this year.[5] Therefore, the Act (along with six similar privacy-specific proposals) is essentially giving a 6-month warning to businesses with an online presence that their failure to stringently protect customer data and adhere to a “duty of loyalty” to their customers could very well result in federal charges and penalties, as well as lawsuits in multiple (if not all 50) states.

*****************************************************

[1] https://www.congress.gov/bill/115th-congress/senate-bill/3744.

[2] https://www.congress.gov/bill/115th-congress/senate-bill/3744.

[3] https://www.congress.gov/bill/115th-congress/senate-bill/3744.

[4] https://www.congress.gov/bill/115th-congress/senate-bill/3744.

[5] https://www.fastcompany.com/90288030/inside-the-upcoming-fight-over-a-new-federal-privacy-law

By Jessica C. Engler, CIPP/US

Whether you keep up with the Kardashians or you are just a casual Instagram user, you have probably been exposed to social media influencer posts. Due to social media’s increased marketing importance, companies will offer free products, money or other compensation to social media “influencers”, i.e. users that boast at least 2,000 genuine followers. “Macroinfluencers” with millions of followers can often command $10,000 or more for a single product endorsement on Instagram. Influencers have been used by industries including hotels and travel services, fitness, cosmetics, clothing and accessories, food and beverage, restaurants, dietary supplements, and a litany of other consumer products and services. Similar to celebrity brand ambassadors, these influencers provide “peer” recommendations to their followers with the intent of directing the followers to purchase the endorsed products and services. These posts are often successful and have led to increased profits for many brands.

In addition to or in lieu of traditional social media influencers, companies are also looking to their own employees to serve as online brand ambassadors, participate in ad campaigns, and to share content on social media about the company. Since the advertising budget for “employee influencers” is relatively low, many companies are implementing employee advocacy programs and incentivizing employees to be spokesmen for the company in their own circles. Certain commentators have listed employee advocacy as one of the social media strategies to watch in 2019.[1]

This young, alternative form of advertising and endorsement has caught the attention of federal agencies. Starting in March 2017, the Federal Trade Commission began notifying companies using compensated influencers that the relationship between the company and the influencer needed to be made clear in a disclosure. The FTC’s Endorsement Guidelines state that if there is a “material connection” between an endorser and an advertiser (i.e., a connection that might affect the weight or credibility that a customer would give the endorsement), then that connection must be clearly and conspicuously disclosed.[2]  The FTC has stated that these guidelines apply to social media, and both marketers and endorsers are required to comply.[3] In April 2017, the FTC sent letters to almost 100 celebrities, athletes and other influencers, as well as the marketers of the brands endorsed, regarding the disclosure obligations.[4] Since that time, the FTC also settled its first formal complaint against social media influencers—gaming influencers Trevor “TmarTn” Martin and Thomas “Syndicate” Cassell.  These men were charged with failing to properly disclose that: (1) they owned the online gambling company that they were promoting; and (2) they paid other well-known online gaming influencers to promote the platform without disclosing the financial relationship.[5] Despite the additional FTC “educational notifications” to influencers[6] and complaints to the FTC by watchdog groups,[7] some marketing commentators claim that the majority of influencer posts are still not compliant.[8]

Most recently, the Securities and Exchange Commission entered the influencer realm when it charged boxer Floyd Mayweather Jr. and music producer DJ Khaled. Mayweather and Khaled had promoted investing in Centra Tech, Inc.’s initial coin offering (ICO) on social media without disclosing that they had been paid for the promotions.[9] The SEC had previously warned that cryptocurrency sold in ICOs may be securities and that those who offer and sell securities in the U.S. must comply with federal securities laws, including disclosure of payment for promotional statements.[10] The SEC has since settled with Khaled and Mayweather, requiring them to return the $350,000 they collectively received from Centra Tech (which is currently under SEC investigation for fraud).[11] Mayweather also agreed to pay a $300,000 fine to the SEC, abstain from promoting other investments for three years, and to cooperate with the SEC’s investigation. Khaled also agreed to a $100,000 fine to the SEC and to abstain from similar promotions for two years.

The FTC’s continued letters and notifications shed light on the agency’s interest in helping influencers and brands be more transparent about their relationships. These educational letters are often the first step in an FTC crackdown, so influencers and brands would be well advised to ensure their posts are compliant. As businesses set their marketing plans for 2019, now would be the time to ensure that any arrangements with influencers or employee advocates are appropriately detailed. While the FTC regulations (or SEC regulations for financial products) provide more specific guidance, the items below offer some general tips and considerations.

  1. Confirm whether social media posts need to include FTC disclosures. The FTC requires a clear and conspicuous disclosure if there is a “material connection” between an influencer and brand that might materially affect the credibility of the endorsement (meaning, where the connection is not reasonably expected by the audience).[12] Material connections can include, but are not limited to, a business or family relationship, employment relationship, monetary payments, or free products.

Disclosure is not required when the material connection between the endorser and the marketer is expected. For example, if a doctor was featured in a television advertisement claiming that an anti-snoring product is, in his opinion, the best he has ever seen, a viewer would reasonably expect the doctor to be compensated for appearing in the ad and a disclosure would not need to be made. However, a viewer may be unlikely to expect that the doctor is an owner in the company or that the doctor received a percentage of the product sales, so the advertisement should clearly and conspicuously disclose such a connection.[13]

The time when the incentive is promised is also a factor. If a restaurant asks its patrons to post pictures and honest reviews of its food on Instagram, and the patrons have no reason to expect compensation or benefit from the restaurant before making the post, then the restaurant’s later decision to send the posters a free dessert coupon will likely not require a disclosure. However, if patrons were specifically informed that a social media post would result in being given the coupon or that their pictures and reviews may be used in the restaurant’s advertising, then those opportunities may be seen as having value and may need to be disclosed.

  2. The disclosure must be clear. Disclosures must be clear enough that an ordinary reader understands the relationship between the poster and the brand. The FTC has cautioned against vague references like “Thank you [Brand Name]”, “#ambassador”, “#[Product]_Rocks”, and similar language that shows just an appreciation of the product/company. Instead, the FTC encourages clear statements like “[Brand] gave me this product to try”, “Thanks [Company] for the free product”, “Sponsored”, “Promotion” or “Paid ad”. For platforms like Twitter that limit the number of characters you can use, the FTC recommends starting the tweet with “Ad:” or “#ad.”
  3. The disclosure must be conspicuous. The FTC advises that the disclosure should be: (1) close to the claims to which it relates; (2) in a font that is easy to read; (3) in a font shade that stands out against the background; (4) for video ads, on the screen long enough to be noticed, read, and understood; and (5) for audio disclosures, read at a cadence that is easy for consumers to follow and in words the listener will understand.

Certain platforms like Instagram limit the amount of text on photostreams when viewed on a smartphone, so longer descriptions are truncated with only the first few lines viewed unless the user clicks “more”. The FTC requires that the disclosure be presented without having to click “more”. It is not sufficient for an influencer to make a general disclosure on the influencer’s profile page or through links to a separate disclosure page; rather, a disclosure must appear on each endorsement post. Similarly, the FTC cautions that the disclosure should not be buried in a long string of hashtags.

In response to the FTC’s enforcement, platforms like YouTube and Instagram have added a feature where posts can be tagged as “paid”. While these can be helpful tools, they are not foolproof. For example, the paid tag could be sufficient when only one product is pictured in an Instagram post. But if the sponsored product appears with other products—some compensated and others not compensated—then additional disclosures may need to be made. The brand and influencer need to carefully evaluate whether the tags are sufficient or if additional statements need to be made, as it is the brand or influencer that will be responsible for the failure to properly disclose—not the platform.

  4. The endorsement must be true. This requirement applies to all advertising. An influencer cannot provide a review of a service or product that the influencer has not personally used. The influencer also cannot post that the sampled product or service is amazing and #newfavorite when the influencer hated it and would never use it again. A brand looking to use influencers should not require the influencer to make a positive post if the influencer did not have a positive experience.
  5. Monitor the influencer. Even if the influencer claims they follow legal requirements, the brand or company is still responsible for ensuring that the influencer is true to their word. Brands should regularly monitor or review the influencer’s post(s) to ensure that the posting is compliant, as the brand can still be responsible for the failure to disclose.

The tips above provide some initial considerations for brands that use influencers and for the influencers who make the posts. Any written agreement between the brand and influencers should include obligations to comply with FTC guidelines. Companies that are considering an employee advocacy program would be well advised to ensure that their employee social media policies carefully detail the requirements for employee endorsements online. Consultation with an attorney to prepare these agreements or social media policies, or to review proposed influencer posts, is a good step towards avoiding unwanted regulatory attention.

***************************************************

[1] See Lilach Bullock, “5 Social Media Strategies That Will Grow Your Business in 2019”, Forbes (Dec. 20, 2018) (available at https://www.forbes.com/sites/lilachbullock/2018/12/20/5-social-media-strategies-that-will-grow-your-business-in-2019/). See also Ryan Erskine, “The Key to Increasing Your Brand’s Reach by 561%? Your Employees.”, Forbes (Jun. 30, 2018) (available at https://www.forbes.com/sites/ryanerskine/2018/06/30/the-key-to-increasing-your-brands-reach-by-561-your-employees/#3331b89429bb); Steve Cocheo, “Employee Advocacy in Banking: Aligning Culture & Content in Social Media Channels”, The Financial Brand (Nov. 15, 2018) (available at https://thefinancialbrand.com/76838/social-media-employee-trust-consumer-banking-postbeyond/).

[2] 16 C.F.R. § 255; “The FTC’s Endorsement Guides: What People Are Asking”, Federal Trade Commission (Sept. 2017) (available at https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking).

[3] “FTC Staff Reminds Influencers and Brands to Clearly Disclose Relationship”, Federal Trade Commission (Apr. 19, 2017) (available at https://www.ftc.gov/news-events/press-releases/2017/04/ftc-staff-reminds-influencers-brands-clearly-disclose). One survey done in May 2017 showed that at least 90% of celebrity influencer posts were not compliant with the FTC guidelines. “93% of Top Celebrity Social Media Endorsements Violate FTC Guidelines”, Mediakix (May 31, 2017) (available at http://mediakix.com/2017/05/celebrity-social-media-endorsements-violate-ftc-instagram/#gs.SHytKyU).

[4] Lesley Fair, “Influencers, are you #materialconnection #disclosures #clearandconspicuous?”, Federal Trade Commission (Apr. 19, 2017) (available at https://www.ftc.gov/news-events/blogs/business-blog/2017/04/influencers-are-your-materialconnection-disclosures).

[5] “CSGO Lotto Owners Settle FTC’s First-Ever Complaint Against Individual Social Media Influencers”, Federal Trade Commission (Sept. 7, 2017) (available at https://www.ftc.gov/news-events/press-releases/2017/09/csgo-lotto-owners-settle-ftcs-first-ever-complaint-against).

[6] Id.; see also Sam Sabin, “DeGeneres, Minaj Among Celebrities Whose Social Posts Drew FTC Interest in Past Year”, Morning Consult (Oct. 5, 2018) (available at https://morningconsult.com/2018/10/05/degeneres-minaj-among-celebrities-whose-social-posts-drew-ftc-interest-in-past-year/).

[7] See, e.g., “TINA.org Files FTC Complaint Against Diageo for Deceptive Influencer Marketing of Ciroc”, Truth in Advertising, Inc. (Dec. 11, 2018) (available at https://www.truthinadvertising.org/ciroc-press-release/).

[8] See Sam Sabin, “A Year After Major Actions, FTC’s Influencer Marketing Guidelines Still Overlooked”, Morning Consult (Oct. 4, 2018) (available at https://morningconsult.com/2018/10/04/a-year-later-ftcs-influencer-marketing-guidelines-still-largely-ignored/).

[9] Ahiza Garcia, “DJ Khaled, Floyd Mayweather Jr. charged with promoting cryptocurrency without disclosing they were paid”, CNN Business (Nov. 30, 2018) (available at https://www.cnn.com/2018/11/29/tech/dj-khaled-floyd-mayweather-coin-crypto-sec/index.html). Part of the increased scrutiny by the SEC is likely due to the SEC’s criminal charges of fraud against Centra Tech, which allege that Centra Tech “sold investors on false promises of new technologies and partnerships with legitimate businesses.” Frances Coppola, “SEC Fines Floyd Mayweather and DJ Khaled for Illegally Promoting a Fraudulent ICO”, Forbes (Nov. 29, 2018) (available at https://www.forbes.com/sites/francescoppola/2018/11/29/floyd-mayweather-and-dj-khaled-were-paid-to-promote-a-fraudulent-ico/#9c4b6c14665e).

[10] “Two Celebrities Charged with Unlawfully Touting Coin Offerings”, U.S. Securities and Exchange Commission (Nov. 29, 2018) (available at https://www.sec.gov/news/press-release/2018-268).

[11] Nathaniel Popper, “Floyd Mayweather and DJ Khaled Are Fined in I.C.O. Crackdown”, The New York Times (Nov. 29, 2018) (available at https://www.nytimes.com/2018/11/29/technology/floyd-mayweather-dj-khaled-sec-fine-initial-coin-offering.html).

[12] 16 C.F.R. § 255.5.

[13] 16 C.F.R. § 255.5.

By Jessica C. Engler

Canada’s new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), became effective on November 1, 2018. The Office of the Privacy Commissioner of Canada released new guidance providing explanations of the breach reporting requirements for private-sector businesses that operate in Canada or do business with Canadian customers. The new requirements of this law, particularly the breach notification requirements, should be on the radar of any United States-based businesses that also do business in Canada.

Under PIPEDA, organizations must report security incidents to the Privacy Commissioner of Canada if an incident carries “a real risk of significant harm” to consumers.[1] Regardless of the size of the breach or number of affected persons, the breach must be reported if the business determines that there is a real risk of significant harm resulting from the breach. The guidance provided by the Privacy Commissioner clarifies that the organization that controls the data is the organization required to report and notify individuals of a breach. Even when an organization has transferred the data to a third-party processor, the organization remains responsible for reporting and notification.

Naturally, a standard such as “real risk of significant harm” is open to some level of subjectivity and interpretation; however, the Privacy Commissioner has offered guidance to assist businesses in their review. Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage or loss of property.” Factors to be considered in determining whether the breach creates a real risk of significant harm include: (1) the sensitivity of the personal information involved in the breach; and (2) the probability that the personal information has been, is being, or will be misused. “Sensitivity” is not defined by PIPEDA, but the concept is discussed in Principle 4.3.4, which provides some general considerations:

Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Notification must be given “as soon as feasible” after the organization has determined a breach occurred. The notification must be conspicuous, understandable, given directly to the individual, and include several pieces of information including:

  • A description of the breach circumstance and, if known, its cause
  • The day or time period when the breach occurred
  • A description of the personal information subject to the breach
  • A description of the organization’s risk mitigation measures
  • A point of contact
  • The number of individuals affected
  • A description of how the organization will notify individuals

Organizations are required to maintain records of each data breach for at least 24 months after the date on which the breach was discovered. The records must contain sufficient information to allow the Office of the Privacy Commissioner to confirm that the organization has complied with the law.

The new law, which has been in the works for quite some time, includes extensive requirements and regulations in the event of a breach. In the event that a business determines that the sensitive information of a Canadian customer has been breached, the business would be well advised to consult with an attorney knowledgeable about PIPEDA and Canada’s data security laws.

***********************************************

[1] “What you need to know about the mandatory reporting of breaches of security safeguards”, Office of the Privacy Commissioner of Canada (available at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/#_Part_1).

By the Data Security & Privacy Team

On November 1, 2018, Senator Ron Wyden, a Democrat from the state of Oregon, introduced a bill that attempts to create a stronger consumer privacy act.[1] The draft legislation, referred to as the Consumer Data Protection Act, SIL18B29 (the “Bill”), amends and increases the powers of the Federal Trade Commission (“FTC”).[2]

According to Senator Wyden’s webpage, he drafted the Bill because “[t]he explosive growth in the collection and sale of consumer information enabled by new technology poses unprecedented risks for Americans’ privacy,” a risk he believes the Federal Government continually fails to address.[3] Therefore, Senator Wyden’s Bill both imposes greater security protection standards and sharpens the FTC’s teeth in terms of enforcement.

The Bill permits the FTC, as the “nation’s main privacy and data security regulator,” to fine, and yes, even jail, American executives for failure to protect consumer information. Specifically, the Bill proposes the following powers and tools for the FTC, which Senator Wyden hopes will give Americans greater privacy and control over their own personal data:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.[4]

Additionally, businesses with annual revenue exceeding $1 billion, which also store data of more than 50 million consumers, will have to submit an annual data protection report to the FTC detailing their compliance with relevant security regulations. What’s more, in proposed §1352(b), entitled “Failure of Corporate Officers to Certify Data Protection Reports,” Chief Executive Officers, Chief Information Security Officers, and Chief Privacy Officers may be jailed for failure to certify and file annual reports to the FTC that document company efforts to comply with the Bill.

An executive’s first offense of this section will result in a fine “not more than the greater of $1,000,000.00 or 5 percent of the largest amount of annual compensation the person received during the previous 3-year period…imprison[ment] not more than 10 years, or both[.]” The same section prescribes that “intentional[ly]” certifying false statements for annual reports will result in a fine of “not more than the greater of $5,000,000.00 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period” or imprisonment “not more than 20 years, or both[.]”[5]

If passed, the Bill would represent a massive overhaul and increase in the FTC’s powers and available punishments. Generally, the FTC currently only has privacy protection powers under theories of “unfair trade practices.”

*****************************************************

[1] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[2] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

[3] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[4] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-one-pager

[5] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

By the Data Security & Privacy Team

While an ocean away, supermarket Morrisons’ loss in the United Kingdom’s appellate court should act as a warning to all United States-based and international companies. On October 22, 2018, Morrisons lost its recent appeal in a landmark high-court ruling, being held vicariously liable for the intentional actions of a former employee, Andrew Skelton, that led to the leak of the personal information of more than 100,000 of its employees. This decision came down despite Morrisons’ demonstration that it had lawfully discharged its obligations under the United Kingdom’s Data Protection Act of 1998. In July 2015, Skelton was sentenced to eight years in prison.

This decision represents the United Kingdom’s warning that organizations have a significant duty to protect the personal data of their customers and employees that goes beyond the applicable data breach protection rules issued by various countries. And with 5,558 members of the class action, it is expected that Morrisons will face a hefty compensation ruling. According to Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the class, “Large corporations take responsibility when things go wrong in their own business and cause harm to innocent victims. It is important to remember that data protection is not solely about protecting information – it is about protecting people.” A spokesperson for Morrisons publicly stated that they will now appeal this decision to the Supreme Court.

Going forward, compliance officers for various corporations should anticipate legal responsibility for any type of data breach under the legal theory of vicarious liability if the Morrisons decision crosses the Atlantic. This is yet another signal of the importance to improve security protocols for company data, as well as additional screening for employees entrusted with that data.

Indeed, on October 26, 2018, the Middle District of North Carolina approved a class-action settlement for a 2016 disclosure of personal identifying information of employees of HAECO Americas, Inc. (“HAECO”), after W-2 statements were leaked in response to a phishing scheme. See David Linnins, et al v. HAECO Americas, Inc., 2018 WL 5312193 (M.D.N.C., 2018). The class action plaintiffs “asserted claims for negligence, invasion of privacy, and violation of the North Carolina Unfair and Deceptive Trade Practices Act[,] which included an alleged violation of the North Carolina Identity Theft Protection Act.” Id. at *1. According to published details of the settlement agreement, HAECO agreed to the following terms:

  • Provide affected parties with 2 years of Experian Protect MyID Elite services;
  • Reimburse $350 to members of the class that previously purchased similar identity theft monitoring programs;
  • Establish a claim fund in the amount of $312,500 to compensate class members for damages, expenses, and inconveniences they incurred; and
  • Take data and cyber security steps, including mandatory cyber security training for all employees, for at least three years. Id. at *1-*2.

The Middle District of North Carolina further ordered that the Plaintiffs’ counsels’ request for $150,000.00 in additional attorneys’ fees was reasonable. Id. at *4.

By the Data Security & Privacy Team

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released information on October 9, 2018 stating that for the first half of 2018, approximately 291 records were stolen or exposed every single second.[1] Gemalto estimates that 945 data breaches led to 4.5 billion data records being compromised worldwide, an increase of approximately 133% over the previous year. These data breaches came from varying industries, with health care representing 27% of data breach incidents and the financial sector following with an estimated 14% of the data breach incidents. Of all the data and records stolen, it is estimated that just 1% of this data was encrypted and only 9% of the security breaches were the result of an accidental loss.

This information comes as more than just a P.S.A. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses – large and small, global and local. Therefore, many forward thinking organizations are increasing their security systems and updating policies to mitigate potential legal claims for security breaches.

While the question of whether the fear of identity theft following a data breach is sufficient to confer standing for a class action is largely undecided in the United States, the United Kingdom’s High Court has already answered in the affirmative. More than 5,000 current and former employees of Morrisons, a UK supermarket chain, are suing their employer in a class action for damages related to a data leak that exposed them to potential identity theft and financial losses. In 2014, a former Morrisons employee posted the names, addresses, bank account details and salaries of roughly 100,000 co-workers online and sent the data to a newspaper.[2] While Morrisons spent more than 2 million pounds to mitigate the effects of the breach, the issue of monetary damages it may owe its employees remains outstanding.

The Morrisons matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrisons was vicariously liable for the criminal data breach committed by its former employee and allowed those affected to claim compensation for distress. Morrisons is presently appealing this ruling.[4]

No similar legal battle has yet played out so openly in the United States, since Target’s 2013 data breach was resolved through multi-million dollar settlements with the affected customers.  However, with the ongoing and ever increasing number of cyber threats and attacks on both private and public organizations, it is expected that victims of data breaches may become the next wave of class action plaintiffs.

____________________________________________

[1]https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598


By the Data Security & Privacy Team

On September 27, 2018, Gov. John Bel Edwards declared October to be Cybersecurity Awareness Month in the State of Louisiana, signing a Proclamation in front of members of the Louisiana Cybersecurity Commission.  By signing the Proclamation, Gov. Edwards simultaneously kicked off a Cybersecurity Awareness Campaign promulgated by the Louisiana Cybersecurity Commission.  The goal of the Commission, the Proclamation, and the Cybersecurity Awareness Month Campaign is to enhance and improve Louisiana’s cybersecurity ecosystem.  Gov. Edwards stated at the signing that, “There is no doubt that Louisiana is a leader in cybersecurity.”  He emphasized that “No state has more protections for its citizens and its businesses than Louisiana.”  In his remarks following the signing, Gov. Edwards referenced upcoming proposed legislation concerning cybersecurity protections for Louisiana citizens and businesses.  The Proclamation signing and the formation of the Louisiana Cybersecurity Commission follow Louisiana’s updated data breach notification law, which went into effect earlier this year. Copies of both the Proclamation and the Cybersecurity Awareness Campaign Model can be found on the Louisiana Cybersecurity Commission’s website.

Kean Miller attorneys will continue to update their clients on relevant cybersecurity news and changes in any relevant legislation and regulations.  If you have any questions concerning this, please contact Sarah Anderson and Jessica Engler from Kean Miller.

By James R. “Sonny” Chastain, Jr.

In a recent Supreme Court decision involving the Fourth Amendment, Carpenter v. United States (2018), Chief Justice Roberts noted that there are 396 million cell phone service accounts in the United States for a nation of only 326 million people.  The cell phone provides numerous functions, including access to contacts, data, information and the internet.  Some studies suggest people check their cell phones every ten minutes and are less than five feet away from the phone most of the time.  The cell phone has become an integral part of daily living. While this development may be productive in terms of overall access to information, it also creates certain risks that employers should consider.

In many instances companies operate on a platform of bring your own device to work (“BYOD”).  Employers should consider what business information may be available to an employee on his or her personal cell phone.  An employer is exposed if an employee is connected to the employer’s computer system and can access valuable confidential information through the cell phone.   The risk is that the employer’s business information may “walk” out the door with the employee.  Moreover, if business information is commingled with the employee’s personal information, there may be a problem in terms of separating it out or wiping the phone on departure.   Certainly one approach is not to permit the employee to have access to the information on the phone.   However, an employee may need access in order to perform his or her job responsibilities.  Employers should consider whether to have a cellular phone policy that addresses how employees should use the phone, any issues regarding expectation of privacy, ownership of information, and wiping upon termination.

Additionally, a cell phone may cause distracted driving. Whether ringing, beeping, vibrating – the cell phone may cause drivers to lose focus.  A driver’s perceived belief that the ever important text/email may have just come in can create an overwhelming desire to check/respond.  To the extent an employee is on the road, the temptation to text, call or open an app may create serious risks.   Distracted driving is alleged to be a contributing factor in 80% of the automobile accidents on the road today.  Employers need to recognize this risk and be proactive in addressing it.  Employers should consider having a policy regarding the use of cell phones while driving.

Cell phones are integrated into our daily activities: just look around at any restaurant, getting on an elevator, or at a stop light.  No matter the time, place or circumstances, staying connected seems to be of utmost importance.  A cell phone is certainly very beneficial in terms of facilitating access to people and information.  However, cell phones also bring certain risks.  Employers may want to consider which of those risks apply to them and what policies to put in place to address them.

By the Data Security & Privacy Team

Companies running Apache Struts 2 should be aware of a vulnerability that, if exploited, could lead to a security breach and give rise to breach notification duties.  On August 22, 2018, the Apache Software Foundation published a security bulletin, S2-057, describing the vulnerability in its Apache Struts web application framework and the releases that correct it.

Apache Struts is an open source web application framework that uses a model-view-controller architecture. The security bulletin, posted on https://cwiki.apache.org and credited to Man Yue Mo of the Semmle Security Research team, describes a flaw in the Struts 2 framework that allows an attacker to perform a remote code execution “attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace[.]”[1] A similar attack is possible “when using [an] url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”[2]  Because Struts is so widely deployed, the vulnerability may affect any entity running it, from small businesses to Fortune 100 companies.

The description of the vulnerability has been posted online, and this “blueprint” is expected to serve as an easy “how-to” guide for attackers. Attackers may exploit websites running an unpatched Struts 2 by sending crafted requests, to which the web server responds by executing code of the attacker’s choosing. This would allow attackers to undertake malicious acts such as copying or deleting consumer data or installing other malware. Indeed, Equifax was forced to disclose that an earlier Apache Struts vulnerability had been used in the breach it discovered on July 29, 2017, in which the sensitive information of 143 million people was compromised.
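The two conditions quoted from the bulletin are configuration conditions, so the first check a practitioner wants is an audit of each deployed struts.xml. The script below is an added example, not code from Apache or from this post: it parses a struts.xml and reports every redirectAction or chain result that sets no namespace of its own while its enclosing package has no namespace or a wildcard namespace, which is the combination the bulletin describes. The two configurations embedded in it are constructed for illustration, and the package, action and class names are assumed; the first shows the weak setting, the second the corrected one with an explicit namespace on both the package and the result.

```python
"""Audit a Struts 2 struts.xml for the S2-057 configuration conditions.

Added example, not code from Apache or from this post. The sample
configurations are constructed; package, action and class names are assumed.
"""
import xml.etree.ElementTree as ET

# Result types that resolve a missing namespace from the incoming request,
# which is how attacker-controlled data reaches the namespace evaluation.
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}


def namespace_is_absent_or_wildcard(namespace):
    """True when a package has no namespace, an empty one, or a wildcard."""
    return namespace is None or namespace.strip() == "" or "*" in namespace


def find_s2057_conditions(struts_xml):
    """Return (package, action, result) triples matching the weak pattern:
    a redirectAction/chain result with no explicit namespace param inside
    a package whose own namespace is absent or a wildcard."""
    root = ET.fromstring(struts_xml)
    findings = []
    for package in root.iter("package"):
        if not namespace_is_absent_or_wildcard(package.get("namespace")):
            continue  # an explicit, non-wildcard package namespace is used as-is
        for action in package.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NAMESPACE_RESULT_TYPES:
                    continue  # dispatcher and other result types do not take a namespace
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    findings.append((package.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return findings


# Constructed WEAK configuration: one package with a wildcard namespace and
# one with no namespace at all, each holding a result that sets none of its own.
WEAK_CONFIG = """<struts>
  <package name="app" extends="struts-default" namespace="/*">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="legacy" extends="struts-default">
    <action name="report" class="com.example.ReportAction">
      <result type="chain">export</result>
      <result name="input">/WEB-INF/jsp/report.jsp</result>
    </action>
  </package>
</struts>"""

# Constructed CORRECTED configuration: explicit namespaces on the packages
# and on the results, so nothing is taken from the request.
FIXED_CONFIG = """<struts>
  <package name="app" extends="struts-default" namespace="/app">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
  <package name="legacy" extends="struts-default" namespace="/legacy">
    <action name="report" class="com.example.ReportAction">
      <result type="chain">
        <param name="actionName">export</param>
        <param name="namespace">/legacy</param>
      </result>
      <result name="input">/WEB-INF/jsp/report.jsp</result>
    </action>
  </package>
</struts>"""


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_s2057_conditions(config))
```

The script inspects only the document it is given (files pulled in through struts.xml include elements must be audited separately), and it does not cover the bulletin’s second condition, an s:url tag in a JSP with neither value nor action set, which needs a review of the JSPs themselves. Either way, a clean audit is a workaround rather than a fix: the correction the bulletin points to is upgrading to the patched releases, Struts 2.3.35 or 2.5.17.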

If your company uses Apache Struts 2 and you suspect that security has been breached in Louisiana, please review and consider your potential obligations under the recent changes to Louisiana’s Database Security Breach Notification Law and contact your data security attorney.

******************************************

[1] https://cwiki.apache.org/confluence/display/WW/S2-057.

[2] https://cwiki.apache.org/confluence/display/WW/S2-057.

By Jessica C. Engler, CIPP/US

To say that privacy regulations have been in the news lately is a bit of an understatement. The European Union’s new General Data Protection Regulation has had privacy professionals and businesses scrambling to meet the May 25, 2018 deadline for compliance. While the GDPR may be dominating the national news circuits, the EU is not the only one changing its privacy laws. The Louisiana Legislature has passed, and Governor Edwards signed on May 20, 2018, amendments to Louisiana’s Database Security Breach Notification Law (Louisiana Revised Statutes 51:3071, et seq.), as Act 382.[i] Act 382 becomes effective on August 1, 2018.

A.  Expansion of “Personal Information”

The first major change is the expansion of the definition of “personal information” under the statute. Louisiana previously defined personal information for the purposes of the breach notification law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account. Act 382 adds the following additional pieces of data to this list: state identification card number; passport number; and “biometric data.” “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics” and includes markers such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account. In this change, Louisiana joins a growing trend of expanding personal data beyond ID numbers and financial accounts into more unique and personal identifiers. At the time of this writing, at least twelve other states have enacted laws that include biometric markers as personal information.[ii]

B.  New Data Protection Requirements

Act 382 imposes new requirements on Louisiana businesses to protect personal information. These changes affect companies that conduct business in the state of Louisiana or own or license computerized data that include personal information of Louisiana residents and for agencies that own or license computerized data that includes Louisiana residents’ personal information (collectively “Subject Entities”). Under Act 382, Subject Entities will be required to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information” to protect the personal information from breaches, destruction, use, modification, or disclosure.

Subject Entities will also be under new requirements for data destruction. Subject Entities will be required to take reasonable steps to destroy or arrange for the destruction of records within its custody or control containing personal information that is no longer to be retained by the Subject Entity by shredding, erasing, or otherwise modifying the personal information to make the information unreadable or undecipherable.

C.  Data Breach Notifications

In the event of a breach, the revisions to Section 51:3073 now impose a time limit within which Subject Entities must notify the Louisiana residents whose data was affected. Originally, the statute provided that notice must be given “in the most expedient time possible and without unreasonable delay.” The revised statute retains that language but now adds that notification must be made no later than 60 days from the discovery of the breach. The revisions maintain the original exception to this rule for delay necessitated by the needs of law enforcement or by measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. However, if a Subject Entity delays notification for one of these reasons, it must provide written notice of the delay and the reasons for it to the Louisiana Attorney General within the 60 day period. Upon receipt, the Attorney General will grant a reasonable extension of time for notification.

The revisions preserve the ability of a Subject Entity to investigate whether the breach is reasonably likely to cause harm to Louisiana residents, and, if the breach is unlikely to cause harm, the Subject Entity is not required to notify affected Louisiana residents. This situation commonly arises when the breached data was encrypted, provided the encryption key was not also compromised. In practice that proviso turns on where the key lived: data protected by a key that sat on the compromised system, or that the attacker could read in decrypted form through an application, does not remove the risk of harm simply because it was encrypted at rest. If the Subject Entity decides not to report under this section, it must document that decision in writing and retain the written decision and supporting documentation for five years from the date of discovery of the breach. The Attorney General can request a copy of the documentation and the written determination, and the Subject Entity must provide them within thirty days of the request.

Last, violations of these provisions are now deemed an unfair trade practice under R.S. 51:1405(A). During testimony on this bill, the Attorney General’s Office commented that their Office has already been treating violations as an unfair trade practice, so this language only codifies their current practice.

D.  General Comments

Many of the changes made to Louisiana’s data security laws echo similar revisions in other states. Several states have opened their data security laws to expand beyond notification procedures to now requiring “reasonable” security practices and destruction of outdated data. Unlike Alabama’s new data security law, Louisiana’s revised law does not define what security practices qualify as “reasonable”, which may cause some concern amongst Subject Entities looking for guidance when updating their security practices.

It is possible that the new revisions may lead to increased litigation over data breaches. The Attorney General is and remains the primary enforcer of the data breach laws; however, private rights of action are permitted. Codifying violations of these statutes as an unfair trade practice may lead to an increase in suits filed under them. However, a potential plaintiff will likely still be required to prove that he or she was injured by the breach, which has been a difficult task for plaintiffs who have not actually suffered an identity theft.

The new law becomes effective on August 1, 2018. Until that time, Subject Entities that have not recently reviewed their data security policies and practices may want to consider an update.

***********************************************

[i] Act 382 of the 2018 Regular Session can be found at the following address: https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.

[ii] These states include, but are not limited to Arizona, Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Oregon, South Dakota, Wisconsin, and Wyoming.