Category Archives: Risk Management

New Jersey District Court Denies Standing in FACTA Case

On October 20, 2016, Judge William J. Martini of the District of New Jersey ruled, in Kamal v. J.Crew, that actual evidence of fraudulent credit card use was necessary before a customer could properly assert Article III standing in a suit brought under Section 113(g) of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Given that FACTA allows statutory damages of up to $1,000 in a private cause of action based on a willful violation, FACTA has been a very popular statute for class action counsel. For example, in 2015, LabCorp agreed to fund an $11 million settlement – nearly $200 to each class member – to settle FACTA charges, which included a nationwide class of plaintiffs comprising 665,000 consumers.

Relying on the May 2016 Supreme Court ruling in Spokeo v. Robins, Judge Martini dismissed a previously-stayed FACTA class action against J.Crew. Judge Martini ruled that J.Crew’s printing of ten digits of a customer’s account does not create a claim meeting Article III’s concreteness requirement.

Although FACTA precludes a retailer from printing more than five digits of a credit card number on a sales receipt, Judge Martini found that printing 10 digits instead of five did not raise the risk of fraud sufficiently to create a concrete injury for “case” or “controversy” standing purposes. According to the Court, without the risk of concrete harm, the court lacks subject matter jurisdiction and has no choice but to dismiss the case given Article III of the Constitution did not allow him to hear the case.

In dismissing, the Court essentially ruled that the mere exposure of more numerals of a credit card number did not compromise plaintiff’s security sufficiently to demonstrate actual harm.  Of most significance, the Court ruled: “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right.” Kamal v. J.Crew at 5 – 6.  See also Kamal v. J.Crew at 3 (“Spokeo did not disturb this circuit’s standing jurisprudence. See In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 273 (3d Cir. 2016).”).

Other courts interpreting Spokeo have been more tenuous. For example, in Carr v. Parking Solutions, the District Court ruled: “The Supreme Court did not offer a conclusive ruling, and instead remanded Spokeo to the Ninth Circuit for further consideration of Article III’s injury-in-fact requirements.” See also Spokeo, 136 S. Ct. at 1553 (Thomas, J., concurring) (“Congress can create new private rights and authorize private plaintiffs to sue based simply on the violation of those private rights. A plaintiff seeking to vindicate a statutorily created private right need not allege actual harm beyond the invasion of that private right.”).

No one can predict whether or not Judge Martini’s ruling will stand the test of time. What is clear, however, is that his ruling has significance for future privacy actions beyond FACTA. As previously pointed out, FACTA could have been an important stepping stone for privacy class counsel seeking to monetize a data breach. As it currently stands in the Third Circuit, however, statutory damages would not even be enough to get the job done for class counsel.

Microsoft wins data protection case before Second Circuit

On the heels of a recent Third Circuit decision protecting the data collection practices of Google, the Second Circuit Court of Appeals ruled today that a U.S. law enforcement agency could not compel a provider of communications services to disclose the content of digital information stored outside the United States.

The Stored Communications Act (“SCA”) authorizes the Government to seek the contents of stored communications that are more than 180 days old, using a subpoena, court order, or warrant.  Relying on the SCA, the underlying warrant directed Microsoft “to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company’s electronic communications services” after it “found probable cause to believe that the account was being used in furtherance of narcotics trafficking.” Opinion at 4 – 5.

Microsoft argued below that the issued search warrant would require an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  According to Microsoft, absent express authorization, statutes are presumed to have no extraterritorial effect and given the lack of such statutory authorization, the warrant should have been quashed.

On April 24, 2014, Magistrate Judge James Francis of the District Court for the Southern District of New York sided with the government, saying that the order to produce the emails stored in Ireland was “not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena [and] It has long been the law that a subpoena requires the recipient to produce information in its possession . . . regardless of the location of that information.” Opinion at 12 – 13.  Microsoft successfully argued that given there was no such authorization, the Government could not execute a search and seizure in Ireland or otherwise force Microsoft itself to produce the data.

Given the recently implemented EU Privacy Shield, forcing U.S. service providers to turn over data stored abroad would have certainly led to new headaches for transnational corporations – which is likely why there were so many amicus filings in this case. Notwithstanding the fact this case involved a narcotics case that could have benefited from the emails sought from Microsoft, the Second Circuit correctly interpreted the SCA and avoided potential turmoil for companies still looking to get solid footing for their international privacy programs.

The rise of Ransomware

Given that credit card data and account information is now dirt-cheap to buy on the dark web, it no longer makes much sense for criminals to exclusively target financial information – especially since the data must also be sold after it’s stolen. Much more lucrative, and quicker to obtain, are the bitcoins deposited by ransomware victims into a thief’s account.

Welcome to the hottest cyber-criminal activity of today – ransomware.  Although ransomware such as PGPCoder has been around for a decade, this exploit only gained wide traction during the past several years. Combining the best of social engineering, e.g., well-crafted spear phishing using publicly available information, including emails of licensed professionals, with botnets usually tasked with promulgating spam, criminals have been able to re-purpose the latest Trojans for a much more lucrative job.

The most recent crop of ransomware scams has successfully targeted professionals. The Florida Bar recently warned its members that these phishing exploits can use various subject lines, including “Florida Bar Complaint – Attorney Consumer Assistance Program”. A scam email with “Lawyers and judges may now communicate through the portal” in the subject line uses information found in a June 1, 2016 Florida Bar article. Preying on many lawyers’ natural tendency to help, the email asks recipients to “test the portal and give feedback.”

[Image: Florida scam email]

During the past several weeks, Florida lawyers clicking on the masked link found in the above email notice were surprised to learn their entire computer network was held for ransom – automatically encrypted in one fell swoop by criminals halfway across the world. Users only become aware of this exploit when they can no longer access their data and see a message on their screen demanding a ransom payment in exchange for a decryption key. The message also includes instructions on how to pay the ransom, usually with a widely traded anonymous digital currency such as Bitcoin or anonymous pre-paid cash vouchers such as MoneyPak and Ukash.

In the same way the IRS would never cold call you about an audit, no bar association would ever deliver a complaint simply by email. Nevertheless, these scams succeed with a good number of professionals who are pressed for time, have computer systems that do not automatically filter executable content, or simply don’t have adequate training. Indeed, even if there is adequate training and sophisticated IT personnel running a firm’s network, law firms are never immune to hacking incidents. This past March, it was reported by The Wall Street Journal that two blue chip firms, Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, were among a number of law firm hacking victims. Law firms will always be vulnerable to a direct attack by a sophisticated hacker. A panel of law enforcement specialists in 2015 put it best when they said law firms are seen as “soft, ripe targets for hackers.”

As reported by the Wisconsin Bar Association, the ABA’s Division for Bar Services has been monitoring a rise in ransomware exploits, with recent confirmations of scam emails also sent to lawyers in Alabama, Georgia, and California. The ABA has been working with the FBI to get the word out regarding ransomware – leading to state bars pushing out the message via newsletters and blog posts. In fact, the ABA has been warning lawyers for years regarding data security. Indeed, there is an argument that improved data security helps with the marketing of a law firm.

Although recent attacks have fed on a lawyer’s publicly accessible email address, these very same attacks also go after other professionals. For example, targets include hospitals – where patient information can ill afford to stay locked for a very long time. As well, a growing number of accounting firms are falling prey to ransomware. Ransomware is especially damaging to accounting firms given accountants hold critical financial data of clients that is often deadline-focused. Indeed, there may be significant penalties assessed against clients for untimely filings.

The threats have become more pronounced as criminals realize the benefit of redirecting resources to ransomware aimed at professionals such as lawyers and accountants. A consultant who helps accounting firms guard against ransomware attacks warned accountants last year of two variants: the polymorphic Virlock, which spawns unique versions after every use so antivirus programs cannot recognize it, and TeslaCrypt, which uses file names associated with well-known online games found on a child’s computer and can spread to other computers attached to a home network, including an office PC.

As set forth in a 2014 CERT notice, destructive and lucrative ransomware variants include: Xorist, CryptorBit, CryptoLocker, CryptoDefense, and CryptoWall. All of these exploits encrypt files on the local computer, shared network files, and removable media. Although the private decryption keys for CryptoLocker, Xorist, and CryptoDefense have since become available – rendering these exploits defensible – recent ransomware variants with no available decryption keys continue to launch. For example, in June 2015, the ABA warned about the CryptoWall ransomware exploit. And a March 9, 2016 blog post from the security firm Trustwave details a major botnet operator moving from spam campaigns to delivering a new ransomware exploit deploying malicious JavaScript – the Locky ransomware. Kaspersky Lab also wrote about the Locky ransomware – and its successful targeting of several hospitals. If it has not already done so, it is only a matter of time before the Locky ransomware migrates to lawyers and accountants.

 

FBI April 2016 Report

The FBI has addressed ransomware exploits for some time now – likely given it was inadvertently a participant in one such exploit. In 2012, the FBI was spoofed in a Reveton ransomware attack activated when a user visited a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law. The bogus message goes on to say that the user’s Internet address was identified by the FBI as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using the MoneyPak prepaid money card service.

According to an April 29, 2016 FBI Bulletin, the FBI saw a pronounced increase in ransomware attacks in 2015 – with a projection that it will grow a great deal more during 2016. Despite the fact it will always be easy to pay ransom given the instructions are explicit and the amount sought can be in the $400 range, the FBI doesn’t support paying a ransom in response to a ransomware attack: “Paying a ransom doesn’t guarantee an organization that it will get its data back [and] not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Instead, the FBI suggests the key areas to focus on with ransomware are prevention, business continuity, and remediation. Given that ransomware techniques are rapidly evolving, business recovery and continuity become even more crucial. More to the point, as recognized by the FBI: “There’s no one method or tool that will completely protect you or your organization from a ransomware attack.”   Instead, the FBI suggests firms focus on a variety of prevention efforts – in terms of awareness training for employees and technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.  Planning for disaster can never be considered wasted time. And, after a ransomware attack is suspected, victims should immediately contact the local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

If a firm has a proactive approach, there are certainly some basic things that can be done today to avoid a ransomware exploit. In an effort to help its constituency, the ABA has conveyed some basic technical defenses against ransomware:

  • Block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox.
  • Keep operating systems, browsers and browser plug-ins, such as Java and Silverlight, fully updated.
  • Program hard drives on your computer network to prevent any unidentified user from modifying files.
  • Regularly back up data with media not connected to the Internet.
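The first defense in the list above, sketched as an added example (not code from the ABA or from this post): a gateway-style check that quarantines a message when an attachment is executable, or is a zip archive that contains executable content at any nesting level. The extension blocklist, size and depth limits, addresses and sample messages are all constructed assumptions.

```python
import io
import posixpath
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive blocklist of extensions treated as executable content.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                      ".vbs", ".wsf", ".ps1", ".msi", ".hta", ".lnk"}
MAX_ZIP_DEPTH = 3                     # stop descending into nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # do not inflate members larger than this


def is_executable(name, data):
    """True if the name has a blocked extension or the bytes start with a PE header."""
    # Windows ignores trailing dots and spaces, so "invoice.exe. " still runs.
    cleaned = name.lower().rstrip(". ")
    if posixpath.splitext(cleaned)[1] in BLOCKED_EXTENSIONS:
        return True
    return data[:2] == b"MZ"          # renamed Windows executable


def scan_blob(name, data, depth=0):
    """Return a list of findings for one attachment, recursing into zip archives."""
    if is_executable(name, data):
        return [f"{name}: executable content"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if depth >= MAX_ZIP_DEPTH:
        return [f"{name}: archive nesting too deep to inspect"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:
                # Password-protected members cannot be inspected; fail closed.
                findings.append(f"{inner}: encrypted member, cannot inspect")
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{inner}: member too large to inspect")
            else:
                findings.extend(scan_blob(inner, archive.read(info), depth + 1))
    return findings


def scan_message(raw_bytes):
    """Return ("quarantine" | "deliver", findings) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, data))
    return ("quarantine" if findings else "deliver"), findings


def zip_of(members):
    """Build an in-memory zip from (filename, bytes) pairs (sample-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for filename, data in members:
            archive.writestr(filename, data)
    return buf.getvalue()


def build_sample(attachments):
    """Build a constructed test message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@mail.example"       # constructed address
    msg["To"] = "attorney@firm.example"       # constructed address
    msg["Subject"] = "Constructed sample"
    msg.set_content("Body text of a constructed sample message.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62            # constructed stand-in for a PE header
    samples = {
        "plain text": build_sample([("notes.txt", b"meeting notes")]),
        "exe in zip": build_sample(
            [("complaint.zip", zip_of([("complaint.pdf.exe", fake_pe)]))]),
        "renamed exe in nested zip": build_sample(
            [("outer.zip", zip_of([("inner.zip", zip_of([("readme.txt", fake_pe)]))]))]),
    }
    for label, raw in samples.items():
        print(label, "->", scan_message(raw))
```

Checking content as well as file names matters here: a renamed executable inside a nested archive passes an extension-only filter, and an encrypted archive cannot be inspected at all, so it is held rather than delivered.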

As for the most basic of “basic training”, law firm administrators are being awakened to this threat with some sound advice that never gets old: “Be smart. Be aware. Don’t open or click on anything that looks suspicious. They won’t come in if you don’t open the door.” In other words, never click on a link, file or image from an untested source or untrusted URL. The extra seconds it takes to confirm the actual sender of an email message or owner of a website is well worth the time.

Given that business continuity best practices should mesh with IT security best practices, backups should obviously be stored outside the network. And, if you are forced to restore from a backup it is never wise to restore your data over existing production data. Consulting with a disaster recovery specialist before disaster strikes probably is a good idea.

Professionals – especially lawyers and accountants – should also consider purchasing insurance that covers ransomware losses, including the related IT expenses. Such insurance is typically purchased using a standalone policy that has been around for years. There are some malpractice insurers, however, e.g., CPAGold, who provide such coverage directly in the policy. Tech vendors and legal counsel associated with these carriers typically have years of experience handling these incidents and can be rapidly deployed to address any situation.

Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly back up data, plan for disaster, and regularly test your plans.

OCR focuses on HIPAA business associate agreements with $750,000 settlement

On April 20, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that provider group Raleigh Orthopaedic Clinic, P.A. of North Carolina (“Raleigh Orthopaedic”) agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule “by handing over protected health information (“PHI”) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.”

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a “breach report” on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released x-ray films and related protected health information of 17,300 patients to an entity contracted to transfer the x-ray images to electronic media in exchange for harvesting the silver from the films. Raleigh Orthopaedic did not execute a business associate agreement with this entity prior to turning over the x-rays and PHI.

In addition to the $750,000 payment, Raleigh Orthopaedic ultimately agreed to revise its policies and procedures to: “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure  business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”

Raleigh Orthopaedic would have avoided a fine of $750,000, devoting time to a three-year investigation, and the stigma of a Corrective Action Plan if only someone on staff had ensured that released PHI was subject to a properly worded business associate agreement. Given that HHS even offers model business associate agreement language, there is really no excuse for any covered entity or business associate not to use this simple contractual safeguard – especially given that it is mandated. Moreover, there really is no excuse for not having a standard process in place that documents the use and maintenance of business associate agreements – even the smallest of practice groups has an office manager who could implement this process.

Government claims it accessed iPhone data and asks to Vacate Order

An Order requiring that Apple assist in the investigation of the San Bernardino shooting by disabling a feature that would auto-erase the iPhone of one of the shooters will soon be vacated. The Order had been immediately challenged by Apple in the press. After a massive filing from Apple and various amicus briefs, the government today filed a Status Report claiming that it “successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016.” As a result, the government requested “that the Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016 be vacated.”

It is not known what methods were used to access the encrypted data of this particular iPhone 5C but several assumptions can be made.  First, the various offers by the private sector guaranteeing access to the data might not have been mere bluster.  Second, this Apple feud will eventually be used as fodder when the Privacy Shield is eventually tested in a European Court. And finally, the government will be back at some point seeking similar relief from a Court.

OCR Privacy and Security Audits Round Two

On the heels of two recently announced settlements that should serve as wake up calls for covered entities, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on March 21, 2016 that it will be conducting “Phase Two” of its audits of covered entities and their business associates.  According to the announcement, such audits “are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.”

This Phase Two will be quite comprehensive in scope — with a not-so-subtle threat to those who ignore the initial data gathering used to determine the “pool” of audit participants.  Specifically, the process begins with verification of an entity’s address and contact information by sending emails to covered entities and business associates with a request that full contact information be provided to OCR in a timely manner.   OCR will then transmit “a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.”

If an entity does not respond to the initial request to verify contact information or the pre-audit questionnaire, OCR will simply use publicly available information about the entity to create its own audit subject pool.  As set forth in the announcement, “an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

According to OCR, information gleaned from the audits will be used to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”   Dangling what it considers a carrot to participants, OCR further explains that it will “broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”

Of significance to this entire audit process is the fact that HHS “is responsible for the on-site auditors.  Neither covered entities nor their business associates are responsible for the costs of the audit program.” This may actually turn out to be a harbinger of bad things to come for certain covered entities and business associates. Similar to those “fine-funded” EU Data Protection Agencies such as the Spanish agency that has gone after Google for the past several years, OCR will likely hit hard in order to justify its audit budget. Ultimately, in the same way a good accountant can mitigate an IRS audit, covered entities and business associates must rely on seasoned counsel as early as possible in the audit process in order to ensure a good learning experience does not morph into a financial hardship. Simply put, before one of these letters comes in the mail, make sure you have your counsel lined up.

Recent HIPAA settlements are wake up calls

On March 16, 2016, the Office for Civil Rights (“OCR”) announced its $1.55 million Resolution Agreement and Corrective Action Plan with North Memorial Health Care of Minnesota.  North Memorial  agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

OCR initiated its investigation of North Memorial following receipt of a report on September 27, 2011, which indicated that “an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.”

The investigation indicated that North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. OCR further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – “including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1,550,000 payment, North Memorial is required to develop “an organization-wide risk analysis and risk management plan, as required under the Security Rule.”  North Memorial will also train appropriate workforce members on “all policies and procedures newly developed or revised pursuant to this corrective action plan.”

In by now typical fashion, OCR announced another settlement right after the North Memorial settlement.

On March 17, 2016, the OCR announced its $3.9 million HIPAA settlement with the biomedical research institute, Feinstein Institute for Medical Research.  Feinstein settled potential HIPAA violations by agreeing to undertake a substantial corrective action plan.  OCR’s investigation began after Feinstein filed a report indicating that on September 2, 2012, a laptop computer containing ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included “names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”

OCR’s investigation discovered that Feinstein’s security management process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” Further, Feinstein lacked “policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.”

The Feinstein and North Memorial settlements are obvious wake-up calls.

First, OCR apparently has no problem whatsoever finding that research institutions are covered entities even though such organizations may not squarely fit into the provider, health plan or clearinghouse bucket for all their activities.  See 45 C.F.R. § 160.103.   As set forth by the OCR Director Jocelyn Samuels in the press release, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Second, it is much preferable to hire legal counsel and spend several thousand dollars on a good business associate agreement and perhaps $20,000 on a comprehensive risk analysis than it is to pay $1.55 million on an OCR settlement.

And finally, train employees on proper handling of laptops and make sure your laptops are encrypted just in case they are ever lost or stolen.  In both cases, the actual trigger leading to these seven figure settlements was a breach report sent to OCR because of a laptop stolen from a car.

Apple Ordered to Disable Auto-Erase Feature

Pursuant to the All Writs Act, 28 U.S.C. § 1651, Magistrate Judge Sheri Pym ordered on February 16, 2016 that Apple assist in the investigation of the San Bernardino shooting by disabling a feature that would auto-erase the phone of one of the shooters after ten password attempts. According to the government’s ex parte application, unless the auto-erase feature is disabled, “iOS will instantly, irrecoverably, and without warning erase the encryption keys necessary for accessing stored data.” Declaration of Christopher Pluhar at 5. Although the media is reporting that Apple is being forced to unlock the phone, that is not the case.

Even though Judge Pym ordered that Apple provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the SUBJECT DEVICE,” what was actually ordered would only allow investigators to “brute force” determine the password for the phone without the possibility of any data deletion.  The software ordered to be provided by Apple would have “a unique identifier of the phone so that the SIF [software image file] would only load and execute on the SUBJECT DEVICE.”  In other words, the software would purportedly not be used by the authorities for other devices.

The Order concludes with the following:  “To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.”  Given that the Order also anticipates that Apple would be compensated given it requires that Apple “shall advise the government of the reasonable cost of providing this service” it may be the case the Judge anticipates objections based on the expense or efforts related to the request – and not the significant precedent set by this equitable relief.

In an open letter to customers, Apple’s CEO has publicly challenged the request and set up the stakes as follows:

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

According to Mr. Cook, “[o]nce created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.”

Judge Pym gave Apple five days to respond to the Order so a major battle is about to unfold — with various privacy groups already sharpening their amicus pencils.  Given it was prior US government mass surveillance that caused the Court of Justice of the European Union to strike down the EU Safe Harbor framework for data transfer emanating from the EU, this Order obviously holds more significance than the brute force unlocking of a single phone.  Depending on how this case unfolds it will have a direct impact far removed from Judge Pym’s courtroom and may even cause the EU-US Privacy Shield to fail before it really even got off the ground.

Replacement Safe Harbor Reached

First announced today by Bloomberg BNA, the U.S. and the European Union reached agreement on a new data transfer framework to replace the invalidated Safe Harbor program.  The European Commission press release provides details of this agreement and the new EU-US Privacy Shield:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

By way of background, the U.S./EU Safe Harbor Program allowed U.S. companies to transfer EU citizens’ data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive.  The program was invalidated by the Court of Justice of the European Union based on a claim the U.S. government’s surveillance programs necessarily showed a lack of compliance given the lack of adequate restrictions on this data gathering.  The result was widespread confusion among multi-nationals given the invalidation of Safe Harbor affected thousands of U.S. companies certified in the program as well as many more companies relying on the certification to transfer personal data to those companies.

One key takeaway of this agreement is that it continues to place enforcement power with the FTC regarding the “robust obligations on how personal data is processed and individual rights are guaranteed.” Moreover, according to the Press Release, the U.S. “has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.” And, with regard to complaints on possible access by national intelligence authorities, the new Ombudsperson will take charge.

It remains to be seen whether the NSA is on board or whether this agreement was a huge temporary fix simply so that all sides could save face.  What is certain, however, is that multi-nationals should have very little comfort that this fix is permanent and will be left unchanged after its inevitable challenge in the court system.

Wyndham Settles with FTC

Ending its epic battle with the FTC, Wyndham entered into a settlement agreement with the FTC.  Under the terms of the Stipulated Order that was filed on December 9, 2015 with Judge Salas, Wyndham will establish a “comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates.”  In addition, the company is required to “conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”

These safeguards have a shelf-life of 20 years — common for FTC stipulated agreements involving data breaches. What is noteworthy and distinct from other settlements, however, is that there is no money changing hands — Wyndham pays no fines, investigative costs or any amount for that matter. This overall result, especially in light of the Third Circuit ruling, can only be considered a solid victory for Wyndham.

Franchise operators also scored somewhat of a victory given the FTC finally gives some guidance as to what it considers to be a reasonable security program for franchise operators. First, the FTC alerts future companies that if they conform to the most current Payment Card Industry Data Security Standard (PCI DSS) for certification of a company’s security program, they are headed in the right direction toward implementing a satisfactory program. Indeed, the settlement specifically defines its terms as per PCI DSS Version 3.1. Not surprisingly, the second aspect of a suitable program requires the implementation of a risk-based approach to threat assessment. As set forth in I.C of the Stipulated Order, Wyndham’s program must include “the design and implementation of reasonable safeguards to control the risks identified through risk assessment (including any risks emanating from the Wyndham-branded Hotels), and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedure.”

The agreed-upon requirements also apply to any “entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order.” And the overall compliance features of the Stipulated Order mimic the discovery process available under the Federal Rules of Evidence and will certainly be tested over the twenty-year term. Such future testing, coupled with potential new breaches, may lead to future stipulated Orders. For the moment, however, Wyndham should be relieved with the results of its FTC skirmish — as well as happy with the work done by its counsel.