Cybersecurity

Cybersecurity and Legal Due Diligence Considerations in M&A Transactions

By: Joshua Mooney, Lori Smith and Jeremy Miller

When prospective buyers conduct legal due diligence in merger and acquisition transactions, the main focus is typically on the traditional items, such as financials, debt instruments, major contracts and other key metrics customarily analyzed. These items, among others, remain critical to evaluating a business. However, with technology continuing to advance at an exponential rate and hackers successfully breaching company information systems more frequently, as seen with Target, Equifax and many others, it is critical that prospective buyers thoroughly consider the risks associated with the target’s cybersecurity practices, or lack thereof. …

Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014, before Marriott had acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

The handling of sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless stated otherwise by statute, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (Ohio Ct. App. May 30, 2019), a plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation

By: Joshua A. Mooney and Timothy A. Carroll

This week in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), the Florida district court held that an invasion of privacy exclusion under a claims-made policy prohibited coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and as it may foreshadow the direction of coverage litigation as more and more data privacy (as opposed to data security) laws and regulations are passed and enforced.

PCI SSC Issues New Standards for Payment Software

By: Michael Jervis

The Payment Card Industry Security Standards Council (PCI SSC) has issued a new Software Security Framework for secure payment software. The new framework includes both a Secure Software Standard and a Secure Software Life Cycle (SLC) Standard. A key aspect of the framework is the SLC, which makes security a consideration at all stages of payment software development, rather than only during the testing phase at the end of the software lifecycle. The new standards result from the work of a Software Security Task Force and from request-for-comment periods reaching out to industry stakeholders. …

The $29 Million Yahoo Derivative Data Breach Settlement: What Next?

By: Sedgwick Jeanite and Meryl Breeden

On January 4, 2019, a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers regarding high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits, which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that will drive up the settlement costs of other pending and future data breach-related derivative cases.

Best Practices For Personal Data Security #DataPrivacyDay

By: Linda Perkins

January 28 is Data Privacy Day, a designated day to remind consumers, businesses and government agencies worldwide of the importance of personal data security and the need to protect it. It is true that, in many respects, we live in a world that can be accurately described as “data insecure.” It is also true, however, that if we remind ourselves often enough that personal data security and privacy is a critical concern for everyone, then perhaps we will improve our chances of becoming a more “data secure” world for individual consumers and businesses alike.

Health Data

HHS Issues Voluntary Cybersecurity Guidelines for the Healthcare Industry

By: Joshua Mooney and Sedgwick Jeanite

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a detailed set of voluntary guidelines illustrating best practices that healthcare providers may employ to combat five common and significant cyber risks. Those risks are: (1) phishing; (2) ransomware; (3) loss or theft of equipment or data; (4) insider, accidental, or intentional data loss; and (5) attacks against Internet of Things medical devices. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. …

First Joint Cross-State HIPAA Breach Lawsuit Brought in Response to 2015 Cyberattack

By: Michael Jervis

A lawsuit has been filed by the attorneys general of 12 states against a company called Medical Informatics Engineering (MIE) arising out of a 2015 data breach involving stolen medical records for millions of individuals. The complaint generally alleges that MIE and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measure to ensure their computer systems were protected.” The attackers compromised MIE’s WebChart application and, as a result, were able to obtain personal information for nearly 4 million individuals who were patients of affected providers that used the software. The information obtained included the kind of personally identifiable information typical of such breaches, including names, home addresses, birth dates, Social Security numbers, email addresses and passwords. …