Cranfill Sumner & Hartzog LLP F. Marshall Wall mwall@cshlaw.com - - PowerPoint PPT Presentation



SLIDE 1

F. Marshall Wall
Cranfill Sumner & Hartzog LLP
mwall@cshlaw.com @NCCyberLawyer

SLIDE 2

“[I] am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

– Robert S. Mueller, III, Former FBI Director

SLIDE 3

NC Identity Theft Protection Act (N.C. Gen. Stat. §75-60, et seq.)

What is a "security breach"?

SLIDE 4

What is a security breach?

  • Unauthorized access to AND acquisition of
  • Unredacted AND unencrypted records or data
  • Containing personal information
  • Where illegal use of this data has occurred OR is reasonably likely to occur
  • Creating a reasonable risk of material harm to a consumer

SLIDE 5

NOT a Breach

  • If only encrypted data is taken and the encryption key is not with the data, it is not a data breach
  • If the data was accessed but not “acquired”, it is not a data breach
  • If there is no risk of material harm to a customer, it is not a data breach

SLIDE 6

NC Identity Theft Protection Act

What is the legal standard for protection of personal information?

SLIDE 7

NC Identity Theft Protection Act

  • The Act requires that “reasonable care” be used to protect data
  • No further definition is given

SLIDE 8

Curry, et al. v. Schletter, Inc. (WDNC)

  • Defendant’s Motion to Dismiss denied except as to breach of fiduciary duty claim
  • Employees’ private information lost in “phishing” scam
  • Court found allegations sufficient to state claims for negligence, invasion of privacy, and violations of NCITPA

SLIDE 9

Rogers v. Keffer, Inc., et al. (EDNC)

  • Defendants’ Motion to Dismiss allowed as to NCITPA claim
  • Plaintiff was identity theft victim
  • Criminal used his name, SSN and other personal information to buy two cars from defendant-dealership

SLIDE 10

Rogers, cont.

  • NOT a security breach for dealership to provide SSN to credit reporting agencies and banks
  • Plaintiff also did not successfully allege damages under the NCITPA

SLIDE 11

What is “personal information”?

A person's first name or first initial and last name in combination with other information such as:

SLIDE 12

What is “personal information”?

  • Social Security number
  • Driver's license number
  • Passport number
  • Checking or savings account number
  • Credit or debit card number
  • PIN code
  • Biometric data
  • Passwords

SLIDE 13

How quickly must notice be given?

  • There is no specific deadline for notice
  • Notice must be “made without unreasonable delay, consistent with the legitimate needs of law enforcement.”

SLIDE 14

Who Gets Notice?

  • Everyone whose personal information was contained in the records
  • The Consumer Protection Division of the Attorney General’s staff
  • If more than 1,000 people are affected, notice must also be given to the three major credit bureaus

SLIDE 15

What if customers live in other States?

  • Data protection statutes are specific to the States where your customers live
  • All 50 States – Alabama became the last in March 2018 – the District of Columbia, and Puerto Rico have their own statutes
  • Notice requirements, including the time to give notice, vary significantly

SLIDE 16

What if customers live in other States?

THE BOTTOM LINE – if clients/customers are in other States, you have to give notice based on their home State’s law

SLIDE 17

Who can sue?

  • North Carolina allows a private right of action, but only if the consumer can show injury
  • A cause of action under the Act cannot be assigned
  • Violation of the Act is an unfair or deceptive trade practice under N.C. Gen. Stat. § 75-1.1

SLIDE 18

Federal Trade Commission

  • FTC has brought more than 500 enforcement actions related to consumer privacy
  • Typically relies on Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices
  • Most actions are resolved by way of a Consent Order.

SLIDE 19

FTC

  • Key focus – whether companies are living up to their stated privacy policies
    – Wyndham Hotels case (Third Circuit 2015) – https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf

SLIDE 20

FTC

  • Also examines what data companies keep, how long they keep it, where they keep it, and whether they should keep it in the first place

SLIDE 21

FTC Enforcement Action Examples

  • VIZIO paid $2.2M to settle claims that it put software in its TV sets that monitored viewing habits without customers’ knowledge or consent

SLIDE 22

FTC Actions

  • Brought an action against Twitter for failing to suspend user’s access after a certain number of failed login attempts and for allowing almost all of its employees “administrative” access to information in its system

SLIDE 23

FTC Actions

  • Uber had a breach in May 2014 that exposed consumer data; engineers posted access key information on GitHub.
  • While negotiating a settlement with FTC, the same thing happened again.
  • Uber learned of the second breach in November 2016 but did not report it until November 2017.

SLIDE 24

FTC Actions

  • Brought an enforcement action against Snapchat when it promised that messages would “disappear forever” but in fact they did not

SLIDE 25

FTC Actions

  • Pursued Lenovo for including software on its laptops that allowed another company to deliver pop-up ads when customers hovered over certain products on websites

SLIDE 26

Securities and Exchange Commission

Washington D.C., Sept. 22, 2015 — The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.

SLIDE 27

SEC

  • This is the first enforcement action from SEC
  • Found that the firm failed to have policies and procedures, failed to have a firewall, failed to encrypt data, and failed to have a response plan
  • $75,000 fine
  • Censure
  • Cease and desist order

SLIDE 28

SEC

  • Enforces the Gramm-Leach-Bliley Act
    – Title V governs when non-public consumer information may be disclosed
    – Requires notice of privacy policies to customers
  • Regulation S-P governs privacy of consumer financial information
  • Oversees broker-dealers and advisers, among others

SLIDE 29

US Department of Health and Human Services

  • Enforces compliance with HIPAA and HITECH through the Office of Civil Rights
  • HIPAA privacy rule applies to Protected Health Information (PHI)

SLIDE 30

DHHS Enforcement

June 18, 2018 DHHS Press Release M.D. Anderson Cancer Center ordered to pay more than $4.3M for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

SLIDE 31

M.D. Anderson case

  • Case stemmed from loss of a laptop and two USB “thumb drives” containing unencrypted electronic protected health information (ePHI) for more than 33,000 individuals

SLIDE 32

General Data Protection Regulation (GDPR)

  • European Union regulation
  • Went into effect on 25 May 2018
  • Applies to anyone processing personal data of EU “data subjects” or offering goods or services to individuals in the EU
  • Doesn’t matter where your business is located or the data is processed

SLIDE 33

GDPR

  • Data subjects have more control over their personal information
  • “Right to be forgotten”
  • Steep fines for violations
  • Short time to give notice of data breaches

SLIDE 34

California Consumer Privacy Act

  • Effective 1 January 2020
  • Protects privacy of California residents
  • Already amended and more amendments possible/likely
  • Similar to GDPR
  • Private right of action with dollar limits on potential recovery

SLIDE 35

Avoiding Data Breach Incidents

  • Prevent
  • Detect
  • Respond

SLIDE 36

Avoiding Data Breach Incidents

  • Assess your systems, policies, and procedures routinely
  • Educate your employees – most cyber incidents are the result of human error
  • Outside testing of your security
  • Determine what data you collect, where and for how long you keep it, and why

SLIDE 37

Avoiding Data Breach Incidents

  • Have an incident response plan and PRACTICE it
  • Restrict access
  • Encrypt data
  • Back up data continually
  • Update your software

SLIDE 38

Avoiding Data Breach Incidents

  • Require strong passwords and frequent changes
  • Segment your network
  • Monitor network activity
  • Remember – a data breach is not always a cyber incident!

SLIDE 39

Cyber Liability Insurance

  • Generally policies are designed to cover at least some of these risks:
    – Hacking
    – Denial of service attacks
    – Web content liability
    – Data breaches
    – Damage to your network

SLIDE 40

What’s Covered?

  • MORE LIKELY
    – Third-party claims and costs
      ▪ Example – personal data for customers is accidentally released
  • LESS LIKELY
    – First-party claims
      ▪ Network damage to your systems from a hacker attack may be insurable
      ▪ Reputational damage to your company probably cannot be insured
      ▪ Loss of intellectual property is often not covered by these policies
    – Business interruption coverage for “cyber-losses”
      ▪ Often capped or limited
  • EXCLUDED
    – State-sponsored attacks by other governments, usually

SLIDE 41

Questions?