This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services looking to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA addresses the collection of personal information from children under 13.  Importantly, the determination of whether a business’s website is “directed to children under 13” (and thus subject to certain COPPA requirements) is based on a variety of factors – thus even website that do not target children as its primary audience may nonetheless be subject to COPPA’s requirements based on the website’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.

The FTC’s guidance notes that updates to the COPPA regulations were made in July 2013 to reflect changes in technology, and reminded businesses that violations can result in law enforcement actions as well as civil penalties.  The compliance guidance sets out steps to (1) determining whether your business is covered by COPPA; (2) if so, what steps need to be taken to ensure compliance, including privacy policy provisions, notifying and obtaining verifiable consent from parents, (3) providing methods for parents to review, delete, or revoke consent, and (4) implementing reasonable security procedures. Finally, the guidance provides a chart describing limited exceptions to the parental consent requirement.

  • Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  • Step 2: Post a Privacy Policy that Complies with COPPA.
  • Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
  • Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  • Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  • Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
  • Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.

NOTE:  In addition to COPPA, it may be worth determining whether California’s state version of COPPA, the California Online Privacy Protection Act (“CalOPPA”) applies to your business and, if so, whether additional compliance measures may be necessary. CAlOPPA broadly applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus applies to the vast majority of online businesses, even if not based in California.

 

 

 

 

On June 9, 2017, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) released a cyber-attack “Quick Response” checklist (the Checklist) for the benefit of HIPAA covered entities and business associates.

This checklist and the accompanying info-graphic is part of the ongoing HHS campaign to get out ahead of cyber-attacks in the healthcare sector. Rather than the HHS merely reacting to HIPAA-related fallout that can occur as a result of a breach, this checklist is meant to preemptively explain the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. This preventative campaign by HHS has been spurred on by the increasing prevalence of cyber-attacks, particularly the May 2017 WannaCry ransomware attack in May 2017 which “rapidly affected numerous organizations across over one hundred countries.” The Checklist contains response, reporting, and assessment / notice requirements for covered entities and business associates.

1) Response: The entity must execute its response and mitigation procedures in addition to its contingency plan. See HIPAA Security Rule, 45 C.F.R. § 164.308(a)(6)−(7) (requiring the establishment of contingency plans and the entity’s response to and mitigation of security incidents). This requires that the entity immediately identify the problem, fix it, and mitigate any impermissible disclosure of public health information (PHI).

2) Report: The entity should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigations, or the Secret Service. This report should not include any PHI.

The entity should report all cyber threat indicators to federal and information sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.

3) Assessment and Notice: If the breach affects 500 or more individuals, the entity must report it to OCR as soon as possible, but no later than 60 days after the discovery of the breach. The entity must also notify the individuals affected by the breach and the media unless a law enforcement officer has requested a delay in the reporting.

If the breach affects less than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery and OCR within 60 days after the end of the calendar year in which the breach was discovered.

If the PHI was encrypted or the entity determines through a written risk assessment that there was a low probability that PHI was compromised during the breach, this would not constitute a breach that would have to be reported to OCR.

In recent testimony to Congress, HHS officials testified that its cybersecurity push is meant “to engage the broader healthcare sector and ensure that IT security practitioners ha[ve] the information they need,” while additionally providing guidance and support regarding “how to manage cybersecurity incidents in this era of heightened consequences….” (See Congressional Testimony, Steve Curren, Division of Resilience in the Office of Emergency Management, HHS Office of the Assistant Secretary for Preparedness and Response). In the Checklist release, HHS specifically refers to HIPAA-related penalties, noting that “in determining the amount of any applicable civil penalty, OCR may consider mitigating factors,” including compliance with the actions encouraged by the Checklist. (See also 45 C.F.R. §160.408 (describing mitigating and aggravating factors in determining civil penalties)). The release of this “Quick Response” checklist follows the HHS establishment of the Health Cybersecurity and Communications Integration Center, demonstrating the serious commitment of the HHS to combating the occurrence and effect of these cybersecurity breaches.

For the official Checklist from the HHS on June 9, 2017, click here. For the HHS info-graphic that accompanied the Checklist, click here.

On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool was originally released by the FFIEC in June of 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Cybersecurity Assessment Tool is intended to be used by financial institutions of all sizes to perform a self-assessment and inform their risk management strategies. Upon the release of the original Cybersecurity Assessment Tool, the FFIEC noted its plan to update the Cybersecurity Assessment Tool as threats, vulnerabilities, and operational environments evolve.

According to the FFIEC’s May 31st press release, the update to the Cybersecurity Assessment Tool “addresses changes to the FFIEC IT Examination Handbook by providing a revised mapping in Appendix A to the updated Information Security and Management booklets”. The updated Cybersecurity Assessment Tool also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.”

Financial institutions can find the updated version of the Cybersecurity Assessment Tool here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will not be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Customer payment card accounts for more than 41 million and contact information for more than 60 million, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

Earlier this month, the new cybersecurity regulation from the New York Department of Financial Services (“DFS“) took effect. The new regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The final cybersecurity regulation is very similar to the proposed regulation, which we reported on in a previous post, but contains a few notable changes:

  • Record retention requirements for audit trails designed to detect and respond to Cybersecurity Events were reduced from five years to three years.
  • Clarification that Covered Entities’ policies and procedures regarding notice to be provided by Third Party Service Providers of Cybersecurity Events cover only Covered Entity’s Nonpublic Information being held by the Third Party Service Provider.
  • Clarification of the circumstances under which a Covered Entity must provide notice of Cybersecurity Event to the Superintendent.
  • The limited exemptions have been revised to specifically include the number of employees and the gross annual revenue of a Covered Entity’s affiliates located in New York.
  • Clarification on the exemptions available for companies regulated under New York’s Insurance Law.

Financial institutions in other states may wish to pay particular attention to this “first-in-the-nation cybersecurity regulation” issued by a state financial regulator, particularly as it may be only a matter of time before other states follow New York’s lead.

The DFS regulation, 23 N.Y.C.R.R. Part 500, is available here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

Vintage toned Wall Street at sunset, NYC.

Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband provider’s privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumer’s interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

Last month, the Financial Industry Regulatory Authority (FINRA) released its annual Regulatory and Examination Priorities Letter (the “2017 Priorities Letter”) which highlights the areas that FINRA plans to focus on in its 2017 examination of registered broker-dealers.

It should come as no surprise that cybersecurity is listed as one of the operational threats that FINRA intends to focus on in 2017. The 2017 Priorities Letter recognizes that “[c]ybersecurity threats remain one of the most significant risks many firms face.” As part of its examination, FINRA will assess a broker-dealer’s programs to mitigate cybersecurity risks, taking into consideration each broker-dealer’s business model, size and risk profile. More specifically, broker-dealers should be prepared for FINRA to (i) review the broker-dealer’s methods for preventing data loss, (ii) assess the controls the broker-dealer uses to monitor and protect its data, and (iii) review how the broker-dealer manages their vendor relationships.  Also, because FINRA understands that “[t]he nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources,” FINRA intends to examine a broker-dealer’s controls to protect sensitive information from insider threats.

Additionally, FINRA intends on focusing on two areas in which FINRA has noted repeated shortcomings in controls among the broker-dealers that it regulates: (1) poor cybersecurity controls at branch offices (for example, poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data), and (2) failure to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format pursuant to Securities Exchange Act (SEA) Rule 17a-4(f).

The full text of FINRA’s 2017 Regulatory and Examination Priorities Letter can be found here.