*written with assistance from co-author and W&L law student, Isabella Gray.

On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”).  The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a network service provider, can collect, use, and store different types of data.

The articles contained in the Draft Measures were developed to expand China’s existing Cybersecurity Law and to safeguard national security and the public interest while also protecting the rights of Chinese citizens, legal persons, and other organizations in cyberspace. The Draft Measures apply to the collection, storage, transmission, process, and use of data as well as the protection, supervision, and administration of cybersecurity within the territory of China.

Required Consent for Data Collection or Use

Under the Draft Measures, each network operator must develop and disclose separate rules for the collection of data and the subsequent use. The developed rules for collection and use may both be presented in a privacy policy but must be specific, easy to understand, and presented in a clear and obvious way to encourage reading. Additionally, the rules must highlight:

  • general information about the network operator;
  • the name and contact information for the network operator’s main person responsible for data security;
  • how data is collected and used;
  • how data is stored;
  • a summary of the rules the network operator must comply with when disclosing collected data to others;
  • how the collected data is protected by the network operator;
  • how users can withdraw consent to collection and can access or delete collected personal information;
  • how users can file complaints; and
  • any additional information required by other laws or regulations.

A network operator may only collect data after a user acknowledges the rules for collection and use and gives express consent to those actions. If a user is under the age of 14, consent from a parent or guardian is required prior to collecting data. Additionally, network operators cannot mislead users into consenting to data collection or discriminate against users who do not consent.

Means of Collecting Data

The Draft Measures further prescribe what network operators must do after collecting two types of data: important data and personal information. “Important data” is defined as the kind of data that, if divulged, may directly affect national security, economic security, social stability, or public health and security. “Personal information” is defined as data which could be used to identify a person specifically, such as their name, date of birth, or telephone number.

If a network operator is collecting important data or personal information, the network operator must file information about its collection and use of such data with the Cybersecurity Administration.  The network operator must describe the purpose of its data collection, the scope and type of data collected, and how long it will retain the data.

Additionally, a network operator collecting important or personal data must specify the person responsible for data security. Such designated person must:

  • create data protection plans and ensure proper implementation of such plans;
  • conduct data security risk assessments and rectify potential risks;
  • report data security incidents to the Cybersecurity Administration; and
  • oversee the resolution of complaints and reports from users.

In addition to cooperating with data users, the Draft Measures require that network operators cooperate with website owners.  If a network operator uses automatic means to collect website data, the means must not interfere with the normal operation of the websites. If a website owner requests that the network operator stop collecting data from its site, the network operator must stop.

Use and Storage of Data

Data collected by network operators can be used for a variety of purposes such as more effectively displaying advertisements. In some instances, network operators must tell users how that are using certain data. For example, when conducting targeted pushes of information, network operators must clearly identify that the information presented to a user is a “targeted push” and give the user the option to reject the targeted push information.  Additionally, network operators must identify when they are synthesizing information.

Under the Draft Measures, network operators are permitted to publish, share, and sell data after assessing potential security risks. Approval from the Cyberspace Administration is required to publish, share, or sell data internationally. The uses for data prohibited by the Draft Measures include publishing market predictions, statistics, credit, or any other information that would endanger national security or damage the lawful rights and interests of any person.

A network operator generally needs consent from a user to share collected data with a third party. However, consent is not required for a network operator to share data where:

  • the data was collected from legal public channels;
  • the data was voluntarily disclosed by the user;
  • the data was anonymized so that it could not be traced back to any specific user;
  • sharing the data is necessary for compliance with law enforcement agencies in accordance with the law; or
  • sharing the data is necessary for safeguarding national security, public interest, or the life of the user.

Under the Draft Measures, a network operator may only keep data for the retention period specified in its filing with the Cyberspace Administration. Should a user request that its data be deleted prior to the end of the retention period, the network operator must comply. Network operators must also take steps to urge users to be responsible with their network behavior and encourage self-regulation.

Finally, security is a large issue with data collection, use, and storage. To address this, the Draft Measures require that network operators categorize, back-up, and encrypt data to strengthen the protection of it. In the event of a security incident where data is divulged, a network operator must immediately take remedial measures to inform users about the incident and additionally report the incident to the Cyberspace Administration.

Penalty for Noncompliance

A network operator’s violation of any of the Draft Measures could result in disciplinary actions, such as confiscating income received as a result of the violation, suspending the network operator’s business operations, or revoking the network operator’s business permit. If the violation amounts to a crime, the network operator could be subject to applicable criminal punishments.

The Draft Measures will remain open for comment until June 28, 2019.

In our Southeast Financial Litigation Monitor, our own Lindsey Catlett posts about a recent opinion in Southern Independent Bank vs. Fred’s Inc., in which the Middle District of Alabama denied class certification following a data breach which allegedly affected over 2,000 financial institutions across the country. Southern Independent, a community bank located in south Alabama, brought a class action complaint against Fred’s in response to a data breach in which hackers, using malware installed on servers, harvested payment data from consumer debit cards used at Fred’s stores.  The issuing banks claim damages stemming from Fred’s alleged negligent failure to maintain adequate cybersecurity in compliance with the PCI-DSS standards. To view Lindsey’s post, click here.

In an opinion issued today (January 25, 2019), the Illinois Supreme Court found that a Six Flags season pass holder can claim a violation of the state’s biometric privacy law by collecting the thumbprint of plaintiff Stacy Rosenbach’s son without permission, even without alleging any actual harm.  This is an important ruling that could impact hundreds of similar pending cases.

In a unanimous decision, the court wrote that Rosenbach’s son can be considered an “aggrieved person” under the state’s Biometric Information Privacy Act (“BIPA”) based on a technical violation of the statute and without alleging that her son’s data was stolen or misused.

Under the statute, “aggrieved persons” may file a right of action and recovery for each violation the greater of $1000 liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.  The central issue was whether one qualifies as an “aggrieved person” if he or she has not alleged some actual injury or adverse effect, beyond violation of his or her rights under the statute.  In the lower appellate court’s view, “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person”. 2017 IL App (2d 18-317, P 23). Today, the Illinois Supreme Court reversed and remanded the appellate court’s decision for further proceedings.

The Six Flags fingerprinting system involved two steps. First, the pass holder went to a security checkpoint, where he was asked to scan his thumb into the biometric data capture system. After that, he was directed to a nearby administrative building, where he obtained a season pass card.  The card and his thumbprint, when used together, enabled him to gain access as a season pass holder.  Upon returning home, the son was asked by plaintiff Rosenbach for the booklet or paperwork he had been given in connection with his new season pass. The son responded that Six Flags did “it all by fingerprint now” and that no paperwork has been provided.  The complaint alleged that neither the son, who was 14 years old and thus a minor, nor the plaintiff mother Rosenbach, were informed in writing or any other way of the specific purpose and length of term for which his finger print had been collected or that they sign any written release regarding taking of the fingerprint. Moreover, neither of them consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, [son’s] thumbprint or associated biometric identifiers or information.”

The defendants sought dismissal, among other grounds, that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue.  In rejecting this position, the court noted that, “[w]hen the General Assembly has wanted to impose such a requirement in other situations, it had made that intention clear”, citing Illinois’s consumer Fraud and Deceptive Business Practices Act, which requires actual damage to bring a private right of action. See 815 ILCS 505/10a(a) (Action for actual damages).  In contrast, Illinois’s AIDS Confidentiality Act (410 ILCS 305/1) did not require proof of actual damages in order to recover. The court noted that Section 20 of the Act in question, followed the latter model, providing simply that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”

The court then discussed the historical and popular use of the term “aggrieved”, concluding that it was sufficient that the plaintiff’s legal rights were adversely affected. Specifically, the Act codified that individuals possess right to privacy in and control over their biometric identifiers, and when a private entity fails to comply with one of those requirements, that violation “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” Therefore, such a person or customer would “clearly be ‘aggrieved’ within the meaning of Section 20 of the Act” and entitled to seek recovery.  The court added that the appellate court’s characterization of the violation as merely technical in nature “misapprehends the nature of the harm our legislature is attempting to combat through this legislation”, noting that these procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused.”  When a private entity fails to adhere to these statutory procedures, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”  For these reasons, the court stated, the procedural injury is “real and significant”.

To view the court’s opinion, click here.

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de L’Informatique et de Libertés (“CNIL”) announced a sanction of 50 million euros against Google.  On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of personal data of the users of its services, particularly with respect to ad personalization.  The complaints were brought by “None of Your Business”, a nonprofit organization chaired by Max Schrems (yes, that Max Schrems), and “La quadrature du Net”, a French digital rights advocacy group. The decision is significant for at least two reasons: (1) because it reveals CNIL’s analysis in how it was permitted to issue the decision and sanction despite Google’s European headquarters and (2) because it is the first time the CNIL has leveraged its new powers under GPDR to issue a sanction greater than its € 20 million pre-GDPR limits.

Coordination of Enforcement

The GDPR establishes a “one stop shop mechanism”, providing that an organization with a main establishment in the European Union shall have only one interlocutor, the Data Protection Authority (“DPA”) in the country where its main establishment is located, which shall serve as the “lead authority”.  In Google’s case, their European headquarters is in Ireland.  The lead authority must coordinate the cooperation between the other DPAs before taking any decision about cross-border processing carried out by the company. The CNIL cited the definition of “main establishment” in Article 4(16)(a):  “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment …”.  It then discussed several elements of Google’s European headquarters in Ireland,

After lengthy discussion, the CNIL concluded that the restricted training taking place at Google’s European headquarters reveals that it could not be considered as a main establishment within the meaning of Article 4(16) when it is not established that the Ireland headquarters had decision making power as to privacy policies presented to the user during the creation of this account during the configuration of the Android mobile phone.  In the absence of a main establishment, therefore, the CNIL was competent to initiate this procedure and to exercise its powers. The CNIL therefore asserted authority to make decision regarding Google’s processing operations, and implemented the new European framework interested by all European authorities in the EDPB’s guidelines.

CNIL’s restricted committee carried out online inspections in September 2018 to verify the compliance of the processing operations implemented by Google with the French Data Protection Act and the GDPR by analyzing the browsing pattern of a user and the documents he or she can have access to when creating a Google account during the configuration of Android mobile equipment. On the basis of its inspections, the CNIL’s restricted committee observed two types of breaches of the GPDR.

Violation of Transparency and Information.

First, the CNIL noticed that the information provided by Google was not easily accessible for users:

“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”

The restricted committee also observed that some information is not always clear or comprehensive:

“Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), and the amount and the nature of the data processed and combined. The restricted committee observe[d] in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.”

Violation of the obligation to have a Legal Basis for ads Personalization Processing.

Although Google stated that it obtained user consent to process data for ads personalization purposes, the committee considered that the consent was not validly obtained for two reasons:

“First, the restricted committee observed that the users’ consent was not sufficiently informed.   The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”

Second, the committee observed that consent collected by Google was neither “specific” nor “unambiguous”.  Admittedly, when a user creates an account he or she can modify some account options by clicking on the button <<More options>>, accessible above the button <<Create Account>>.  It is notably possible to configure the display of personalized ads.  However, the use not only has to click on <<More options>> to access the configuration, but the display of ads personalization is pre-checked. However, the GDPR requires that consent is “unambiguous” only with a clear affirmative action from the user (e.g., opting in by ticking a non-pre-ticked box for instance, as opposed to opting out by clearing a pre-ticked box). Finally, before creating an account, the user is asked to tick the boxes << I agree to Google’s Terms of Service>> and “I agree to the processing of my information as described above and further explained in the Privacy Policy” in order to create the account.  In other words, the user gives his or her consent in full for all of the processing operations purposes carried by Google based on this consent (e.g., ads personalization, speech recognition, etc.). However, GDPR requires that consent is “specific” only if it is given distinctly for each purpose.

Sanctions.

As a result of its findings, the committee publicly imposed a financial penalty of 50 million euros against Google, representing the first time that the CNIL applied the new sanction limits provided by the GDPR.  CNIL stated that the amount and publicity of the sanction was “justified by the severity of the infringements observed regarding the essential principles of the GDPR:  transparency, information, and consent.”

Despite the measures implemented by Google (documentation and configuration tools), CNIL stated that the infringements observed “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations.”  The committee recalled that the extent of the processing operations in question “imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.”  Moreover, the committee, stated, the violations were continuous breaches of the regulation as they are still observed to date; it Is not a one-off, time-limited infringement.  The CNIL also noted the important place the Android operating system has on the French market, with thousands of French citizens creating Google accounts everyday when using their smartphone. Finally, the restricted committee points out that the economic model of the company is partly based on the ads personalization.

Google Response.

In a statement obtained by ABC News, a Google spokesperson said the company is “studying the decision” to determine its next steps:

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

To view the CNIL press release, click here.

To view the CNIL decision (in French), click here.

On July 19, 2018, the Federal Energy Regulatory Commission (FERC) issued a final rule (Order No. 848) directing the North American Electric Reliability Corporation (NERC) to develop and submit modifications to NERC Reliability Standards related to Cyber Security Incident reporting. FERC recognized that, under the current Cyber Security Incident reporting Reliability Standard, incidents are only required to be reported if they have compromised or disrupted one or more reliability tasks. FERC issued Order No. 848 to strengthen Cyber Security Incident reporting requirements.

The Commission’s directive consists of four elements:

  • Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or Electronic Access Control and Monitoring Systems (EACMS) associated with an ESP;
  • Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  • The filing deadline for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempt to compromise or disrupt, is identified by a responsible entity; and
  • Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

FERC also suggested that NERC develop a flexible reporting timeline that reflects the severity of a Cyber Security Incident to help address the administrative burden of reporting attempted compromises.

NERC is required to develop modifications to the Reliability Standards within six months. The final rule will take effect 60 days after publication in the Federal Register.

To view FERC’s final rule, click here.

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement providing guidance for financial institutions about the role of cyber insurance in risk management of informational technology systems. The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

On April 10, 2018, the FDIC, as a member of the FFIEC, issued statement FIL-16-2018, applicable to all FDIC-supervised institutions. Similarly, on April 11, 2018, the Office of the Comptroller of Currency (OCC) issued a similar bulletin (OCC Bulletin 2018-8) on the FFIEC’s joint statement, noting that the joint statement applies to all institutions supervised by the OCC.  The joint statement and associated FDIC letter and OCC bulletin include the following highlights:

  • FDIC-supervised institutions are not required to maintain cyber insurance. However, cyber insurance could offset financial losses from a variety of exposures—including data breaches resulting in the loss of confidential information—that may not be covered by more traditional insurance policies.
  • Traditional general liability insurance policies may not provide effective coverage for all potential exposures caused by cyber events.
  • Cyber insurance does not replace a sound and effective risk management program.
  • Cyber attacks are increasing in volume and sophistication and that traditional general liability coverage insurance policies may not provide effective coverage for potential exposures caused by cyber events
  • Cyber insurance may help reduce financial losses from a variety of exposures, such as data breaches resulting in the loss of sensitive customer information.
  • Cyber insurance does not diminish the importance of a sound control environment; rather, cyber insurance may be a component of a broader risk management strategy.
  • As institutions weigh the benefits and costs of cyber insurance, considerations may include: (a) involving multiple stakeholders in the cyber insurance decision; (b) performing proper due diligence to understand available cyber insurance coverage; and (c) evaluating cyber insurance in the annual insurance review and budgeting process.

The FFIEC’s statement is not intended to contain new regulatory expectations, but instead to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.  Financial institutions ultimately remain responsible for maintaining a control environment consistent with the guidance outlined in the FFIEC IT Examination Handbook.

Click here to see the FFIEC press release.

Click here to see the full 3-page joint statement.

Over a dozen lawsuits have been filed by users and investors against Facebook after it was revealed last month that Cambridge Analytica, a political research firm, obtained personal information on millions of Facebook users. Cambridge Analytica obtained the data through a personality test app linked to Facebook accounts. Many of the lawsuits claim the information was used to create profiles and target audiences for purposes of categorizing voters in the 2016 presidential election. Most of the lawsuits accuse Facebook of failing to protect users’ personal information despite stating in its privacy policy that Facebook users own and control personal information posted on Facebook. Some of the lawsuits go beyond allegations of privacy violations and accuse Facebook of negligence, consumer fraud, unfair competition, securities fraud and racketeering. On March 16, Facebook announced that it was suspending Cambridge Analytica for violating Facebook’s policies on data gathering

Starting April 9, Facebook will begin alerting users whose data may have been harvested by Cambridge Analytica. As part of this process, the company plans to post a link at the top of users’ news feeds that will allow them to see which apps are connected to their Facebook accounts and what information those apps are permitted to see. Additionally, Facebook CEO Mark Zuckerberg is scheduled to testify before U.S. Congress on April 10 and April 11. Zuckerberg will appear before the Senate Judiciary and Commerce committees on April 10 and the House Energy and Commerce Committee on the morning of April 11. Zuckerberg’s testimony will hopefully shed more light into how this alleged violation occurred and its broader implications on data privacy in general.

 

 

On Wednesday, March 28, 2018, the Alabama Data Breach Notification Act of 2018 (SB318) was signed into law by the Governor, making Alabama round out the roster of 50 states with data breach notification laws.  (South Dakota’s data breach notification was signed by its governor on March 21, 2018, making it the 49th state.)  The new law will be effective on June 1, 2018.  Below is a more detailed summary of the Alabama law:

Definitions.

The Alabama law defines a security breach as the “unauthorized acquisition of data in electronic form containing Sensitive Personally Identifying Information (“Sensitive PII”).  As is typical, a breach does not include either: (a) good faith acquisitions by employees or agents unless used for unrelated purposes; (b) the release of public records not otherwise subject to confidentiality or nondisclosure requirements; or (c) any lawful investigative, protection or intelligence activities by a state law enforcement or intelligence agency.

“Sensitive PII” is defined to include: (a) an Alabama resident’s first name or first initial and last name in combination with one or more of the following regarding the same resident:

  • A non-truncated SSN number or tax identification number;
  • A non-truncated driver’s license number, state ID number, passport, military ID, or other unique identification number issued on a government document;
  • A Financial account number, including bank account number, credit card or debit card, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.
  • Any information regarding an individual’s medical history, mental or physical conditions, or medical treatment or diagnosis by a health care professional.
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individuals.
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain Sensitive PII.

Notification Requirements.

  • Notification to Individuals. If a covered entity determines that an unauthorized acquisition of Sensitive PII has or is reasonably believed to have occurred, and is reasonably likely to cause substantial harm, it shall notify affected individuals as expeditiously as possible and without unreasonable delay but no later than 45 days after the determination of both a breach and a likelihood of substantial harm. A federal or state law enforcement agency may request delayed notification if it may interfere with an investigation.  If an entity determines that notice is not required, it shall document the determination and maintain the documentation for at least 5 years.
    • Format and Content. Written notice can be by mail or email, and must include: (1) the estimated date or date range of the breach; (2) a description of the Sensitive PII acquired; (3) a general description of actions taken to restore the security and confidentiality of the personal information; (4) steps an affected individual can take to protect himself or herself from identity theft; and (5) contact information for the covered entity in case of inquiries.
    • Substitute Notice. Substitute notice can be provided if direct notice would cause excessive cost relative to the covered entity’s resources, if the affected individuals exceed 100,000 persons, or if there is a lack of sufficient contact information for the required individual to be notified.  Costs are deemed excessive automatically if they exceed $500,000.  Substitute notice may include both posting on the website for 30 days and using print or broadcast media in the major urban and rural areas where the individuals reside.   An alternative form of substitute notice may be approved by the Attorney General.
  • Notification to Attorney General. If the affected individuals exceed 1,000, the entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, but no more than 45 days from receiving notice of a breach by a third party agent or upon determining a breach and substantial likelihood of harm has occurred. Notice must include: (1) an event synopsis; (2) the approximate number of affected individuals in Alabama; (3) any free services being offered by the covered entity to individuals and instructions on how to use them; and (4) contact information for additional inquiries.  The covered entities may provide supplemental or updated information at any time, and information marked as confidential is not subject to any open records or freedom of information laws.
  • Notification to Consumer Reporting Agencies. If the covered entity discovers notice is required to more than 1,000 individuals at a single time, it shall also notify, without unreasonable delay, all consumer reporting agencies.
  • Third Party Notification. Third party agents experiencing a breach of a system maintained on behalf of a covered entity shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination (or reason to believe) a breach has occurred.

Enforcement

  • Enforcement Authority. Violating the notification provisions is an unlawful trade practice under the Alabama Deceptive Trade Practices Act (ADTPA), and the Attorney General has exclusive authority to bring an action for penalties. There is no private cause of action.  The Attorney General also has exclusive authority to bring a class action for damages, but recovery is limited to actual damages plus reasonable attorney’s fees and costs.  The Attorney General must submit an annual report.
  • Penalties. Any entity knowingly violating the notification provisions is subject to ADTPA penalties, which can be up to $2,000/day, up to a cap of $500,000 per breach.   (“Knowing” means willfully or with reckless disregard.)  In addition to these penalties, a covered entity violating the notification provisions shall be liable for a penalty of up to $5,000/day for each day it fails to take reasonable action to comply with the notice provisions. Government entities are subject to the notice requirements, but exempt from penalties, although the Attorney General may bring an action to compel performance or enjoin certain acts.

Other Requirements

  • While enforcement authority is limited to notification violations, the statute also instructs entities to take “reasonable security measures”, provides guidance on conducting a “good faith and prompt investigation” of a breach, and requires covered entities to take reasonable measures to dispose of Sensitive PII. It is unclear how these provisions might be enforced, except potentially to determine if a notification violation was willful or with reckless disregard.
    • Reasonable Security Measures”. Covered entities and third party agents must implement and maintain reasonable security measures to protect Sensitive PII, and the law provides guidance on what elements to include.  It also provides guidance on what an assessment of a covered entity’s security measures might consider and emphasize.
    • Breach Investigation. A covered entity shall conduct a “good faith and prompt investigation”, and the law lists considerations to include in the investigation.
    • Records Disposal. A covered entity or third-party agent must take reasonable measures to dispose of or arrange for the disposal of records containing Sensitive PII when they are no longer to be retained, and the law includes examples of such disposal methods.

On February 21, 2018, the Securities and Exchange Commission (SEC) published a release entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (“Release”).  Designed to assist public companies in preparing disclosures concerning cybersecurity risk and incidents, the release expands upon the SEC’s previous guidance in 2011 to emphasize particular areas, including board oversight, disclosure control and procedures, insider trading and Regulation FD. In addition, the release addresses two topics not developed in the 2011 guidance: (1) the importance of cybersecurity policies and procedures, and (2) the application of insider trading prohibitions in the cybersecurity context.

The SEC’s Release covers the following major points:

Disclosure Guidance

  • Scope of Risk Disclosure Include Potential Incidents. The SEC stated it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
  • Weighing Materiality in Disclosure Obligations. In determining disclosure obligations, “companies generally weigh, among other things, the potential materiality of any identified risk, and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Materiality may depend on the “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations” and the range of harm incidents could cause, including harm to a company’s reputation, financial performance, customer and vendor relationships, and potential litigation or regulatory investigations or enforcement actions.  This includes regulatory actions by state and federal authorities as well as non-US authorities.
  • Timing and Content. The Release acknowledges the challenge of determining the appropriate timing for disclosures, as companies must have time to understand the incident’s scope and determine how much to disclose.
  • Risk Factors. The Release cites Regulations S-K and Form 20-F as requiring companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. Companies should disclose cybersecurity-related risks if they are among such factors, including risks that arise in connection with acquisitions.  The Release states it would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure:
    • The occurrence of prior cybersecurity incidents, including their severity and frequency;
    • The probability of the occurrence and potential magnitude of cybersecurity incidents;
    • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
    • The aspects of the company’s business and operations that give rise to material cybersecurity risk and the potential cost and consequences of such risks, including industry-specific risks and third party suppliers and service provider risks;
    • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
    • The potential for reputational harm;
    • Existing or pending laws and regulations that may affect the requirements to which companies are subject to relating to cybersecurity and the associated costs to companies; and
    • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
  • Content of Disclosure. Companies are not required to include disclosure that would provide a “roadmap” for how to breach a company’s security protections — such as technical information about systems, networks or devices — or other potential vulnerabilities in such detail as would make such assets more susceptible to an incident. However, the Commission does expect companies to disclose cybersecurity risks and incidents that are material to investors, to make appropriate disclosures timely and sufficiently prior to the offer and sale of securities, and to take steps to prevent officers, directors, and other insiders from trading securities until investors have been appropriately informed.  Companies should watch for situations in which they need to correct or update prior disclosures as additional information is learned.  In meeting their disclosure obligations, companies may need to disclose previous or ongoing incidents in order to place discussion of risks in the appropriate context.  For instance, if a company previously experienced a material denial-of-service attack, it likely would not be sufficient to merely disclose that there is a risk that a denial-of-service incident may occur.  Instead, the company may need to discuss the occurrence of that incident and its consequences as part of a broader discussion of the types of incidents that pose particular risks to the company’s business and operations.

Policies and Procedures

  • Board Oversight. Under current Item 407(h) of Regulation S-K, companies must disclose the board of directors’ role in the risk oversight of the company, and the Release suggests specific discussion of the nature of its role in cyber risk management, especially if cyber risks are material to the company’s business.  The Release indicates that disclosing a company’s cybersecurity risk management program and how its board engages with management on cybersecurity issues “allows investors to assess how a board is discharging its responsibilities in this increasingly important area.”  As a response to this release, companies may wish to consider broadening or deepening their board’s engagement with these issues.
  • Disclosure Controls and Procedures. The SEC stated that it is “crucial” for a public company to have disclosure controls and procedures that provide an appropriate method of discerning the impact of such matters on the company and its business, financial conditions, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.  These controls and procedures must ensure senior management is promptly made aware of important cybersecurity issues to enable informed disclosure decisions regarding the substance of any issues and to facilitate appropriate officer certifications and disclosures regarding the effectiveness of the controls and procedures.  Companies should “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors and make timely disclosure regarding such risks and incidents.”  In addition, a company should not limit its disclosure controls and procedures to only what is specifically required, but should also ensure timely collection and evaluation of information potentially subject to disclosure.
  • Insider Trading and Regulation FD. The Commission reminds companies that, in some circumstances,  cybersecurity risks and incidents may constitute material nonpublic information, and that existing insider trading and Regulation FD policies should already include any type of material nonpublic information.  However, the Commission states, companies should consider highlighting this possibility through training, or adding cybersecurity incidents to lists within these policies of examples of potentially material information. Policy administrators should establish processes to ensure they are aware of developing cybersecurity incidents when determining whether to close certain trading windows or approve specific trades.  Even when there has been no insider trading violation, companies may be subject to scrutiny if executives trade prior to disclosure of cyber incidents that develop into significant events.  Companies must be mindful of making selective disclosures of cybersecurity events to the persons enumerated under Regulation FD (namely, persons reasonably expected to trade on the basis of such information) before that information is publicly announced.  Policies and procedures for addressing a cybersecurity event should inform those handling the situation of the need to maintain appropriate confidentiality until a public announcement is ready to be made.
  • Conclusion.  The Release highlights the SEC’s increased attention to disclosures related to cybersecurity and concerns that investors may not be fully informed about the growing risks with cybersecurity. In response to this Release, publicly traded companies should:
    • Review and consider refreshing the disclosures in their periodic reports and registration statements, taking into account the detailed criteria contained in the Release and how the impact of incidents (and the risks of potential incidents) may be material to the information that must be presented.
    • Evaluate policies, procedures, and practices related to disclosure to consider whether they need to be updated or refreshed in light of this Release, and to ensure that their boards’ oversight is in line with the risks faced by the company;
    • Consider whether information regarding cybersecurity- and privacy-related risks and incidents is appropriately developed and communicated to result in accurate and timely disclosures and to avoid inadvertent insider trading and Regulation FD violations.

A Berlin regional court recently ruled that Facebook’s use of personal data was illegal because the social media platform did not adequately secure the informed consent of its users. A German consumer rights group, the Federal of German Consumer Organisations (vzvb) said that Facebook’s default settings and some of its terms of service were in breach of consumer law, and that the court had found parts of the consent to data usage to be invalid. One concern highlighted by the consumer rights group was that, in Facebook’s app for smartphones, a service was pre-activated that revealed the user’s location to the person they were chatting to.  Also, in the privacy settings, ticks were already placed in boxes that allowed search engines to link to the user’s timeline, meaning that anyone would be able quickly and easily to find a user’s profile.

A week after the ruling, Facebook promised to radically overhaul its privacy settings, saying the work would prepare it for the introduction of the upcoming General Data Protection Regulations (GDPR).  Facebook has faced repeated attacks from Germany and other European regulators over issues ranging from perceived anti-competitive practices to alleged misuse of customer data. In October, the Article 29 Working Party (WP29) launched a task force to examine the sharing of user data between WhatsApp and Facebook, which it says does not have sufficient user consent.  “Whilst the WP29 notes there is a balance to be struck between presenting the user with too much information and not enough, the initial screen made no mention at all of the key information users needed to make an informed choice, namely that clicking the agree button would result in their personal data being shared with the Facebook family of companies,” the group told WhatsApp in October.

Similarly, a Belgian court earlier this month ordered Facebook to stop collecting data on users or face daily fines of €250,000 a day, or up to €100million.  The court ruled that Facebook had broken privacy laws by tracking people on third-party sites. “Facebook informs us insufficiently about gathering information about us, the kind of data it collects, what it does with that data and how long it stores it,” the court said. “It also does not gain our consent to collect and store all this information.”  The court ordered Facebook to delete all data it had gathered illegally on Belgian citizens, including people who were not users of the social network.

With regards to the German suit, Facebook said it would appeal, releasing a statement that it had already made significant changes to its terms of service sand data protection guidelines since the case was first brought in 2015. In the meantime, Facebook stated it would update its data protection guidelines and terms of services so that they comply with the new EU-wide GDPR rules.