Information Governance and Risk Management

This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services looking to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA addresses the collection of personal information from children under 13.  Importantly, the determination of whether a business’s website is “directed to children under 13” (and thus subject to certain COPPA requirements) is based on a variety of factors – thus even website that do not target children as its primary audience may nonetheless be subject to COPPA’s requirements based on the website’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.

The FTC’s guidance notes that updates to the COPPA regulations were made in July 2013 to reflect changes in technology, and reminded businesses that violations can result in law enforcement actions as well as civil penalties.  The compliance guidance sets out steps to (1) determining whether your business is covered by COPPA; (2) if so, what steps need to be taken to ensure compliance, including privacy policy provisions, notifying and obtaining verifiable consent from parents, (3) providing methods for parents to review, delete, or revoke consent, and (4) implementing reasonable security procedures. Finally, the guidance provides a chart describing limited exceptions to the parental consent requirement.

  • Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  • Step 2: Post a Privacy Policy that Complies with COPPA.
  • Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
  • Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  • Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  • Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
  • Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.

NOTE:  In addition to COPPA, it may be worth determining whether California’s state version of COPPA, the California Online Privacy Protection Act (“CalOPPA”) applies to your business and, if so, whether additional compliance measures may be necessary. CAlOPPA broadly applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus applies to the vast majority of online businesses, even if not based in California.

 

 

 

 

On June 9, 2017, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) released a cyber-attack “Quick Response” checklist (the Checklist) for the benefit of HIPAA covered entities and business associates.

This checklist and the accompanying info-graphic is part of the ongoing HHS campaign to get out ahead of cyber-attacks in the healthcare sector. Rather than the HHS merely reacting to HIPAA-related fallout that can occur as a result of a breach, this checklist is meant to preemptively explain the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. This preventative campaign by HHS has been spurred on by the increasing prevalence of cyber-attacks, particularly the May 2017 WannaCry ransomware attack in May 2017 which “rapidly affected numerous organizations across over one hundred countries.” The Checklist contains response, reporting, and assessment / notice requirements for covered entities and business associates.

1) Response: The entity must execute its response and mitigation procedures in addition to its contingency plan. See HIPAA Security Rule, 45 C.F.R. § 164.308(a)(6)−(7) (requiring the establishment of contingency plans and the entity’s response to and mitigation of security incidents). This requires that the entity immediately identify the problem, fix it, and mitigate any impermissible disclosure of public health information (PHI).

2) Report: The entity should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigations, or the Secret Service. This report should not include any PHI.

The entity should report all cyber threat indicators to federal and information sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.

3) Assessment and Notice: If the breach affects 500 or more individuals, the entity must report it to OCR as soon as possible, but no later than 60 days after the discovery of the breach. The entity must also notify the individuals affected by the breach and the media unless a law enforcement officer has requested a delay in the reporting.

If the breach affects less than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery and OCR within 60 days after the end of the calendar year in which the breach was discovered.

If the PHI was encrypted or the entity determines through a written risk assessment that there was a low probability that PHI was compromised during the breach, this would not constitute a breach that would have to be reported to OCR.

In recent testimony to Congress, HHS officials testified that its cybersecurity push is meant “to engage the broader healthcare sector and ensure that IT security practitioners ha[ve] the information they need,” while additionally providing guidance and support regarding “how to manage cybersecurity incidents in this era of heightened consequences….” (See Congressional Testimony, Steve Curren, Division of Resilience in the Office of Emergency Management, HHS Office of the Assistant Secretary for Preparedness and Response). In the Checklist release, HHS specifically refers to HIPAA-related penalties, noting that “in determining the amount of any applicable civil penalty, OCR may consider mitigating factors,” including compliance with the actions encouraged by the Checklist. (See also 45 C.F.R. §160.408 (describing mitigating and aggravating factors in determining civil penalties)). The release of this “Quick Response” checklist follows the HHS establishment of the Health Cybersecurity and Communications Integration Center, demonstrating the serious commitment of the HHS to combating the occurrence and effect of these cybersecurity breaches.

For the official Checklist from the HHS on June 9, 2017, click here. For the HHS info-graphic that accompanied the Checklist, click here.

On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool was originally released by the FFIEC in June of 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Cybersecurity Assessment Tool is intended to be used by financial institutions of all sizes to perform a self-assessment and inform their risk management strategies. Upon the release of the original Cybersecurity Assessment Tool, the FFIEC noted its plan to update the Cybersecurity Assessment Tool as threats, vulnerabilities, and operational environments evolve.

According to the FFIEC’s May 31st press release, the update to the Cybersecurity Assessment Tool “addresses changes to the FFIEC IT Examination Handbook by providing a revised mapping in Appendix A to the updated Information Security and Management booklets”. The updated Cybersecurity Assessment Tool also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.”

Financial institutions can find the updated version of the Cybersecurity Assessment Tool here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

Vintage toned Wall Street at sunset, NYC.

Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband provider’s privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumer’s interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

In a recent announcement today, Verizon and Yahoo have announced that they are amending the existing terms of their agreement for the purchase of Yahoo’s operating business.  Under the amended terms, Verizon and Yahoo have agreed to reduce the price Verizon will pay by $350 million.  In addition, Yahoo will be responsible for 50% of any cash liabilities incurred following the closing related to non-SEC government investigations and third-party litigation related to the breaches.  Liabilities arising from shareholder lawsuits and SEC investigations will continue to be the responsibility of Yahoo.  Finally, the amended terms provide that the data breaches or losses arising from them will not be taken into account in determining whether a “Business Material Adverse Effect” has occurred or whether certain closing conditions have been satisfied.  Verizon’s acquisition – now valued at approximately $4.48 billion subject to closing adjustments, is expected to close in Q2 of 2017.

In an October 2016 article for Corporate Counsel highlighting M&A Lessons Learned from the Yahoo breach, we noted that such managed resolutions as a result of cybersecurity-related discoveries during the M&A process are not uncommon: “The buyer can insist that the problem be fixed and that the selling company indemnify the buyer for any future problems, or the buyer may adjust its valuation of the company based on the uncovered risk.”

Despite Yahoo’s recent troubles with data breaches and the associated amendments to the purchase agreements, the two companies remain optimistic about the acquisition.  In a recent press release, Ms. Marni Walden (Verizon EVP and president of Product Innovation an New Businesses), states that “[w]e have always believed that this acquisition makes strategic sense. We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo’s tremendous talent and assets into our expanding profile in the digital advertising space.” Yahoo’s CEO, Marissa Mayer, stated that “[w]e continue to be very excited to join forces with Verizon and AOL.  This transaction will accelerate Yahoo’s operating business especially on mobile, while effectively separating our Asian asset equity stakes. It is an important step to unlock shareholder value for Yahoo, and we can now move forward with confidence and certainty.”

On January 10, 2017, NIST issued an update to the NIST Cybersecurity Framework (v.1.1).  After reviewing public comment and convening a workshop, NIST intends to publish a final version of this Version 1.1 in the fall of 2017.

Key updates the framework include:

  • Metrics.  A new section 4.0 on Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.
  • Supply Chain.  A greatly expanded explanation of using the framework for supply chain risk management purposes.
  • Authentication, Authorization and Identify Proofing.  Refinements to the language of the Access Control category to account for authentication, authorization, and identify proofing.  A subcategory has been added, and the Category has been renamed to “Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding subcategories.
  • Explanation of Relationship between Implementation Tiers and Profiles.  Adds language on using Framework Tiers in Framework implementation, to reflect integration of Framework considerations within organizational risk management programs, and to update Figure 2.0 to include actions from the Framework Tiers.

More detail on the changes can be found in Appendix D.  NIST seeks public comment on the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than “version 1.1” for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

A redline version of the framework can be found by clicking here.  A clean version of the Framework may be found by clicking here.

Connected cars and autonomous cars conceptAfter its recent release of guidelines regarding self-driving cars, the National Highway Traffic Safety Administration released a set of “best practices” for cybersecurity in vehicles.  The 22-page document encourages auto manufacturers to proactively incorporation security in their efforts a matter of course (e.g., privacy by design).  The guidelines recommend a “layered approach” of protections, and encourage the industry to follow the NIST Cybersecurity Framework’s core principles of “identify, protect, detect, respond, and recover”.   The NHTSA recommends that the industry review and consider the IT security suite of industry standards, such as the ISO 27000 series and other best practices used by sectors such as the financial, energy, communications, and IT industries.  It also recommends information sharing related to cybersecurity events in “as close to real time as possible” using the Automotive Information Sharing and Analysis Center (“Auto- ISAC”).  Further, the guidelines encourage disclosure of potential vulnerability discoveries, as well as retention of data related to self-audits, which include attempts by car makers to test their own systems for vulnerabilities.

To view the entire report, click here.  For more NHTSA information on automotive cybersecurity, click here.

AftDeveloping new programer surveying nearly 200 regulated financial institutions to obtain insight into the industry’s efforts to prevent cybercrime and meeting with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third party vendors, the New York State Department of Financial Services (NYDFS) recently released its proposed cyber security regulation.  The proposed regulation, titled “Cybersecurity Requirements for Financial Services Companies”, if implemented, would be a first-in-the-nation provision that requires a mandatory cybersecurity program for financial institutions.

Continue Reading New York Department of Financial Services Proposes Cybersecurity Requirements