On November 21, 2018, the Pennsylvania Supreme Court, the highest ranking state court in Pennsylvania, ruled that an employer had a common law duty to exercise reasonable care to protect employees’ personal data where, as a condition to employment, the employer (i) required employees to provide sensitive data, (ii) the employer chose to store such data, and (iii) the collection and storage of that information by the employer could foreseeably expose the employees to “unreasonable risk of harm”. Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018).

In a class action, the Court accepted the employees’ argument that this duty included the obligation to take “reasonable measures to protect” the data from “foreseeable risk that [hackers] would attempt to access and [compromise and/or steal] that information.” The court further accepted the employees’ position that the intervening criminal action by the hackers did “not eviscerate the duty … to take reasonable anticipatory measures against foreseeable criminal conduct…”

Note that the Court stopped short of defining what “reasonable” care would have been in this case, but for purposes of this ruling the Court accepted the employees’ statement that the employer failed to encrypt the data at issue and did not have appropriate firewalls or other “reasonable” measures in place.

It is critical for employers in any jurisdiction to take note of this ruling. Pennsylvania, like the majority of states in the US, does not currently have a statute requiring companies to affirmatively protect sensitive information. However, the Court here found that this duty exists in common law.

Moreover, it is reasonable to assume that the next retailer hit with a major credit card breach will be subject to similar claims and have potential liability where customers paying by credit card must provide personal payment information to the retailer, unless that retailer can prove it adopted “reasonable” measures to guard against the “foreseeable” risk that such data may be subject to compromise.

In light of the Pennsylvania court’s ruling and two recent decisions in the U.K. and North Carolina, companies are strongly urged to take action now – if they have not already – to undertake “reasonable” measures to (i) identify the sensitive data they collect and store, (ii) protect that data from foreseeable compromise – considering the type of data stored and the company’s size and resources, (iii) be vigilant in monitoring their systems to detect compromises quickly, and (iv) have a written response plan for when, not if, an attack occurs.

And for those resisting cyber insurance and crime coverage, you may wish to reconsider in light of these rulings.

In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies.  At a minimum:

  • Privacy policies should clearly and concisely state:
    • What information is being collected when a person visits your site
    • Who else may have access to that information
    • Site visitors’ options – to opt in or opt out – without complicated or costly means to do so
    • How you will communicate with your customers/site visitors if their data is compromised (if you wish to avoid more costly or public means of breach notification that may be mandated by certain jurisdictions)
    • Whether you are tracking site users’ locations (and with California and EU site visitors, this cannot be done without clear disclosures and consent)
    • How cookies are being used
    • How long information is retained
  • They should not be materially misleading.
  • Consent:  If you are, or think you might be, subject to GDPR and/or if you are inviting or expect site visitors from California, your website should take the “opt-in” approach (without pre-checked boxes to receive future correspondence or advertisements)
    • “Consent” under GDPR for direct consumer marketing must be freely given, specific, informed, and unambiguous.
      • Site visitors should not be penalized if they choose not to consent.
    • Your customer must know to what they are consenting, and you cannot repurpose consent given for one activity for another, unrelated activity.
  • Your website should include mechanisms to allow a data subject to request (i) confirmation and/or correction of information you have about that person, (ii) that you remove (the right of “erasure”) that person’s data from your systems, and (iii) that you transfer their information to a third party
  • If your website processes payment transactions, it must be PCI compliant.
    • If the website uses a third-party payment processor, this should be clearly stated on the website and you should review your contract with that processor as to indemnification, notice obligations and liability disclaimers or limits if the processor experiences a breach.

In addition to the issues highlighted above, there are many other cyber and data protection-related considerations associated with websites and the disclosures in privacy policies.

Regardless of whether you are subject to GDPR, if your stated privacy policy, terms and/or conditions are misleading and/or deceptive, you will be inviting federal and state claims of deceptive and/or unfair trade practices.

However, there are other issues that many companies either ignore or neglect, including:

  • Reviewing advertising insurance coverage
    • Even if you have general commercial liability insurance that includes advertising coverage, it may NOT include coverage for your digital advertising. If you do not know the answer to this, we urge you to ask your broker!
  • Assessing whether the website is ADA compliant
    • Circuit courts around the country are split on their application of Title III of the Americans with Disabilities Act (“ADA”) to websites. However, many courts are taking the position that because websites are “places of public accommodation,” they are indeed subject to the ADA.
  • Clear and complete disclosure of warranty terms
    • It is worth noting that different laws apply if you are a manufacturer or a retailer.
    • In New Jersey, retailers must comply with the state’s Truth-in-Consumer Contract, Warranty, and Notice Act.
  • Disclosure of pricing, shipping, handling and return mechanisms, requirements and limitations
  • Review of general website terms and conditions
    • Do they protect your intellectual property?
    • Do they disclose third-party links?
    • Do they address the intended or unintended collection of information about minors?
    • Do they clearly state dispute resolution mechanisms?

For any business – but particularly for a business new to the internet or e-commerce – it is easy to purchase a website “kit” without giving the necessary thought to these and other considerations. If you are just establishing an online presence, do not just “cut, paste and go.” And if your business operates an already-established website, the stated terms, conditions, privacy policy, and notices should be reviewed at least annually.

A website is a wonderful way to promote and expand your brand – provided it is appropriately established, maintained and protected.

One of the most common misconceptions surrounding cybersecurity and data protection measures is that they are too expensive to deploy and maintain – so much so that they become prohibitive for small and middle market businesses. Another one I hear often is that the implementation process can seem daunting for business owners who may be unsure about where exactly to begin.

While top-of-the-line cybersecurity programs and managed IT service packages can certainly be expensive and complex to deploy, there are several low- or no-cost measures that are worth considering. An ounce of prevention, even on a limited budget, can go a long way.

1. Password protocols and two factor authentication

  • Passwords should be at least 10 characters long
  • Passwords should be changed quarterly
  • Passwords should be kept in a secure location
  • Default passwords should be changed
  • Two-factor authentication can be established at minimal (or no) cost

2. Patch early, patch often: All computers and other devices should be updated regularly

3. Bank online through one, isolated computer that is not used for any other purpose, and which is not connected to the business’ local area network

4. Train your personnel on cyber mindfulness

  • More than one-third of ransomware attacks are launched via a phishing email
  • Verify from a known source – pick up the telephone!
  • If you see something, say something…

5. Least rights – in small organizations everyone wears multiple hats… but for sensitive information, minimize who has access to the crown jewels

6. Back up your data

7. Encrypt your data

8. Secure your physical environment

9. Due diligence: read your contracts, your privacy policies and understand your legal obligations

10. Have a plan!

  • The day you discover you have had an incident is not the day to figure out “now what?”
  • Keep a calling tree (think PTA calling tree) so you know whom to contact, and in what order
  • Do NOT store the plan on the computer!

If you’d like to keep these tips at hand, they are available for download here. Be smart and be safe!

Cybersecurity is a hot button for all businesses these days. However, in the flurry of new privacy regulations and the focus on protection of consumer data, many businesses are not paying enough attention to how they could – and should – be using cybersecurity protocols to protect valuable trade secrets.

Trade secret protections apply broadly to business, financial and technical information, so long as: (1) the information is not generally known or ascertainable outside the owner’s organization and control; (2) the owner derives independent economic value or business advantage from the information not being known; and (3) the owner makes reasonable efforts to preserve its secrecy.  The unauthorized disclosure of trade secrets can lead to loss of strategic advantage over competitors and harm to your company’s finances and reputation. Failing to adequately protect trade secrets could also result in losing a misappropriation case against a bad actor.

Trade secret rights are secured and maintained solely by “reasonable efforts” to preserve their secrecy, which must be both internal (i.e., with employees) and external (i.e., with third-party vendors). While appropriate steps to protect trade secrets include offline actions like using non-disclosure agreements or physically locking confidential information away, courts are also now considering the adequacy of cybersecurity measures when they analyze reasonable efforts.

So, in the trade secret world, what is a reasonable “cyber” effort?  Like cybersecurity technology, case law on this issue is continuously evolving.  However, if you possess any trade secret information that is stored or communicated electronically, we recommend, at a minimum, the following:

  1. Ensure you have appropriate access protections in place. Trade secret information should be password protected and stored on a secure server.  Review your firewalls, encryption procedures, anti-virus software and the like.  Stay current with software patches and consider encryption for data at rest as well as for data in motion.  Access credentials should require multi-factor authentication.
  2. Limit the people who have access to your electronic information (think “least rights” access). Consider limiting electronic access to those specific employees or agents who actually need the information. The more people who have access to trade secrets (and the ability to share them with just the click of a mouse), the higher your risk of breach or misappropriation.
  3. Train your employees and agents on appropriate use of your electronic systems. For example, remind them not to share their passwords with anyone (even co-workers) and educate them on using company devices (like laptops and smartphones) correctly when they are offsite. Consider how your employees connect to your system when working remotely (e.g., require them to use only password-protected Wi-Fi networks, and not public Wi-Fi). Think about limiting or prohibiting use of USB ports or other portable drives on company computers. Teach your employees how to recognize phishing attempts.
  4. If you allow employees to access your systems from personal devices, consider an appropriate “BYOD” (bring your own device) policy and technology to secure the work environment on those devices.
  5. Restrict departing employees’ access to electronically stored information. Following termination, disable access to IT systems, change passwords, and make sure company-owned devices are returned.
  6. Ensure that you are monitoring and improving your cybersecurity efforts periodically. Consult experts about the latest developments in technology.  Conduct regular training about appropriate use of electronic systems and advise your employees of the risks of failure to follow protocol.
  7. Revisit confidentiality agreements with third parties and consider whether they reflect cybersecurity protocols.

Once your “crown jewels” are exposed, you cannot “recapture” them.  Be smart, be secure and be prepared.

One of my husband’s goodhearted employees nearly fell victim to a scam that has been rampant throughout the country. The employee received an email from a senior staff member (or so it seemed) asking if he was in the office. It was early on a Friday morning, before many people had arrived. The employee, never wanting to disappoint, responded yes. The alleged senior staff member then asked the employee for help – asking if he could go to a nearby drug store, purchase several gift cards and then send him the redemption codes. The employee got as far as purchasing $500 worth of gift cards before he took a moment to think about what he was doing. Just prior to sending the codes, he picked up the phone to confirm with the senior staff member…

While the employee ultimately realized he might be the subject of a scam, too many people take action without first verifying. By our nature, people are helpful. We hold the door for others and offer to send money to someone in need. Scammers are all too happy to take advantage of our good nature. Sadly, in this day and age, we need to take that extra minute or two (or three) to pick up the phone and verify. Being helpful is wonderful – but being smart is self-preservation.

And, for employers, this type of scam is best combated by proper and regular cyber training for your personnel. More than half of reported breaches (including some in the headlines) begin with employees responding to this type of phishing email, a spoofed account or a suspect link. Be smart and be secure.

As the target of a corporate cyber breach, are you a victim – along with your customers and personnel – or are you a “willing” accomplice to the crime?

This week, a U.K. bank was fined in excess of $21 million for failing to protect its systems and customers against a “foreseeable” cyber-attack that occurred in 2016.

The bad actors exploited deficiencies in the design of the bank’s debit cards. In the year preceding the attack, Visa, Inc. had issued a warning to lenders, including this bank, about this weakness. As such, the regulator found that the bank was on notice of the potential for the attack, and nevertheless failed to take action to prevent its occurrence.

Those of you based in the U.S. reading this post may say, “well that is the U.K.”…

However, earlier this year, a Federal District Court in North Carolina found that a U.S.-based company that failed to train its personnel about a “known” phishing scam had acted “intentionally” when one of its (untrained) employees released the company’s employees’ W-2s in response to such a phish. In this case, the IRS had issued warnings in prior years about this type of scam. However, the U.S. company did not train its personnel to be aware of such an attack, nor did it have protocols in place to guide personnel in such instances. In finding that the company acted “intentionally,” the court ruled that the company, in effect, willfully exposed the social security numbers of its personnel. Under North Carolina law, having been found to have acted intentionally, the company was subject to treble damages.

Given these rulings, and with more and more states adopting proactive legislation requiring businesses to have written policies, procedures and protocols in place to prevent, detect and mitigate cyber-attacks, companies may not be able to argue that they were “innocent” victims, too.

Having written policies and procedures, supporting technology and educated personnel will go a long way toward protecting the company, its customers and its personnel, and when (not if) an attack occurs, the company will be prepared to respond effectively.

I am sure you have read about the latest breach, this time hitting Facebook. Facebook confirmed that the access codes for 50 million accounts were compromised. Facebook is still investigating the impact of the breach, and has not yet reported whether any personal information was gathered or misused from those accounts.

For those of you that use Facebook, err on the side of caution and assume your information was compromised.  If you have not already done so, change your login credentials for your Facebook account.  If you use the same credentials for other accounts (which you should not do), then those account credentials should be changed, too.  If you link your Facebook account to other social media accounts, you should check those accounts and change the credentials on those accounts, too.

I noted in a prior post that birthdays should not be posted on LinkedIn.  Similarly, such personally identifiable data points should not be posted on your Facebook or other social media accounts.

While Facebook may be a wonderful way to stay in touch with friends and family, living out loud online puts you at risk.

Do not feel compelled to share future plans for travel, or other personal data/information, on social media. Be smart and be safe!

Many businesses and individuals dispose of aging equipment, laptops, desktops, servers and more by monetizing those items. Disposal may be by sale at auction or donation to charity. Some companies now lease equipment, and turn over such items at lease end. However, many businesses and individuals forget – or do not realize – that the equipment they used to process data also stores that data. This could include such items as computers, fax machines, photocopiers, cellphones or other similar devices. When you return, sell or donate that equipment, you may be unwittingly causing a data breach.

NCIX, a recently failed Canadian company, did just that. The company, strapped for cash, sold off servers without first wiping the data. The devices in question stored data in plain text and contained decades of customer information, including names, addresses and payment information.

Whether you are returning leased equipment or selling or donating old items, and even if the data is encrypted, always have the data wiped from the device. For leased equipment, do not assume the leasing company will do this for you absent an express contractual undertaking to do so.

I recently had a death in the family. One of the things we addressed while making arrangements was to freeze the credit of my stepfather. I would like to say, as a cyber attorney, that this was my idea, but I confess in mourning the loss of a wonderful man, I was thinking like a daughter and not like an attorney. The credit freeze was one of the services the funeral home offered.

Sadly, this is one of the more important things that a family should do after losing a loved one. Criminals comb obituaries to find homes they can break into, and identities they can steal. Freezing the credit of a lost loved one does not impede the settlement of the estate, and ensures that a grieving family does not have the added heartache of a stolen identity and stolen assets. Consideration should also be given to social media profiles and accounts, along with credit cards. While it is an unfortunate statement about our society that a family in mourning must address such matters, it is essential that this be undertaken quickly.

NJCCIC shared today that as of 9/21/18, Equifax, Experian and TransUnion will be required to offer free credit freezes. NJCCIC further reported that “[a]s part of the new Economic Growth, Regulatory Relief and Consumer Protection Act, parents will also be able to request free credit freezes for children under the age of 16 and free crediting monitoring services will be offered to all active duty military personnel.” More information is available on the Federal Trade Commission Consumer Information blog.

Keep in mind, however, that if you are in the process of buying or financing a major purchase (car or home), or undertaking any other venture for which a third party would look to run a credit check, you will need to allow for those parties to access your credit report. Further, if you do freeze your credit, and then misplace your access credentials with the particular credit agency, it is not a small undertaking to prove you are really you to unfreeze your credit. And, of course, be careful how you select your access credentials, respond to security questions, and keep credentials in a secure location.

The American Bar Association’s recent cybersecurity webinar reminded us all that the largest source of cyber loss is still people. And for businesses, it is their employees who continue to click on suspicious links and respond to phishing and other scams.

If you think this does not apply to you or your business, think back to the recent Federal District Court ruling in which the court found the defendant intentionally negligent due to a failure to train its employees regarding a known scam that sought to dupe key personnel into releasing employees’ W-2s.

While annual training is certainly a step in the right direction, the fact is that the “bad guys” do not wait 365 days to launch their next scam. As such, for businesses across the board, continuous cybersecurity training is critical and warrants more than a “one and done” approach. Between formal training programs, interim tips and reminders are crucial in keeping personnel vigilant.

As with any initiative, corporate commitment to cyber-mindfulness must begin at the top, and if the C-suite is not engaged, management and staff will follow suit.