Information Intersection (Troutman Sanders LLP)

NY AG Settles with Acer for $115,000 over Data Breach

BY C. READE JACOB, JR., ASHLEY L. TAYLOR, JR., SIRAN S. FAULDERS AND RONALD I. RAETHER, JR.

On January 26, New York Attorney General Eric Schneiderman announced a settlement with Acer Service Corporation over an alleged data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents.  As part of the settlement, Acer agreed to pay $115,000 in penalties and to improve its data security practices.  The penalty amounts to approximately $51.11 per New York resident potentially affected ($115,000 divided by 2,250).

Acer is a computer manufacturer based in Taiwan.  According to the A.G.’s press release, Acer maintained a website with numerous security vulnerabilities.  For example, between July 2015 and April 2016, an Acer employee had enabled a debugging mode on Acer’s e-commerce platform, and for as long as it stayed on the website saved everything customers submitted in unencrypted form.  The stored data included customers’ full names, home addresses, email addresses, credit card numbers, card expiration dates, card verification numbers (CVV), user names, and passwords.  The card verification numbers stand out: under the PCI DSS the CVV may not be stored after authorization at all, encrypted or not, so a debug log that captured it was a problem independent of the missing encryption.  Additionally, Acer had misconfigured its web server to allow directory browsing by unauthorized users, which let anyone with an ordinary web browser view and access subdirectories on the website, according to the A.G.
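As an added example, not code from this page or from Acer, the following Python sketch shows the pattern the A.G. described (a debug mode that writes the raw checkout form to the log) next to a hardened version that masks the card number and drops the CVV and password before the record reaches any handler. The field names, the sample order and the logger names are assumptions; the card number is a standard test PAN, not real data.

```python
"""Added example (not Acer's code): a debug logger that captures the raw
checkout form, beside a hardened version that masks the PAN and drops the
CVV and password before anything reaches a log file.  Field names, logger
names and the sample order are assumptions."""
from __future__ import annotations

import logging
import re

# Constructed sample order; the card number is a well-known test PAN.
SAMPLE_ORDER = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/26",
    "cvv": "123",
    "password": "hunter2",
}

# Fields that must never appear in a log, even encrypted (PCI DSS forbids
# storing the CVV after authorization at all).
DROP_FIELDS = {"cvv", "cvc", "cvv2", "password"}

# 13-19 digits, optionally separated by single spaces or hyphens, starting
# and ending on a digit so the surrounding text is left untouched.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, so order IDs that merely look like PANs are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Replace every Luhn-valid card number in text with first6 + stars + last4."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(mask, text)


def sanitize_order(order: dict) -> dict:
    """Copy of the order that is safe to log: secrets dropped, PANs masked."""
    return {
        k: "[REDACTED]" if k.lower() in DROP_FIELDS else redact_pan(str(v))
        for k, v in order.items()
    }


class CardholderDataFilter(logging.Filter):
    """Last line of defence: rewrite every record so a PAN that slipped past
    sanitize_order() still never reaches a handler."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pan(record.getMessage())
        record.args = ()
        return True


def _capturing_logger(name: str) -> tuple[logging.Logger, list[str]]:
    """Logger whose formatted output is collected in a list instead of a file."""
    lines: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            lines.append(self.format(record))

    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, lines


def debug_log_unsafe(order: dict) -> list[str]:
    """The pattern the A.G. described: debug mode writes the whole form post."""
    logger, lines = _capturing_logger("checkout.unsafe")
    logger.debug("checkout payload: %s", order)
    return lines


def debug_log_safe(order: dict) -> list[str]:
    """Same diagnostics, sanitized at the call site and filtered at the logger."""
    logger, lines = _capturing_logger("checkout.safe")
    logger.addFilter(CardholderDataFilter())
    logger.debug("checkout payload: %s", sanitize_order(order))
    # A careless call that logs the raw PAN is still caught by the filter.
    logger.debug("gateway lookup for %s", order["card_number"])
    return lines


if __name__ == "__main__":
    print("\n".join(debug_log_unsafe(SAMPLE_ORDER)))
    print("\n".join(debug_log_safe(SAMPLE_ORDER)))
```

Running the module prints the two versions of the debug line one after the other. The Luhn check keeps the mask from hitting order numbers that happen to be 13 to 19 digits long, and the logger-level filter catches the second call, which logs the raw card number directly; that is the failure mode a call-site-only fix would miss.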

In January 2016, Discover Card analyzed hundreds of fraudulent credit card transactions and determined that the fraud began after the affected consumers’ legitimate transactions with Acer.  Identifying a merchant this way is known as “common point of purchase” analysis, and it indicated that Acer was likely the target of a cyber-attack that compromised credit card information.

The settlement requires Acer to maintain reasonable security policies designed to protect consumers’ personal information, including:

1.     Designating an employee or employees to coordinate and supervise its program designed to protect the privacy and security of personal information;

2.     Designating an employee or employees to be notified whenever any personal information is saved to or stored on Acer’s file system in unencrypted form;

3.     Annual employee training to educate employees who are responsible for handling personal information about data security, the importance of consumer privacy, and their duty to help maintain its integrity;

4.     Providing training in data breach notification law to all staff who are responsible for entering, maintaining, storing, or transferring personal information, and responding to events involving unauthorized acquisition, access, use, or disclosure of personal information;

5.     Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure, misuse, copying, alteration, destruction, or other compromise of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;

6.     Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of multi-factor authentication for remote access to Acer computer systems, implementing an intrusion detection system, and conducting penetration testing (at least annually) and vulnerability assessments (at least quarterly);

7.     Regular testing of the effectiveness of the safeguards’ key controls, systems, and procedures; and

8.     Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement and requiring service providers by contract to implement and maintain appropriate safeguards.

The New York Attorney General’s office has been a leader in prosecuting data breaches.  In August 2016, the A.G. announced a settlement with EZContactsUSA.com over an incident that involved the potential exposure of over 25,000 credit card numbers and other card holder data.  EZContactsUSA.com agreed to pay the A.G.’s office $100,000 to resolve the investigation.  In terms of dollar amounts and requirements to enhance security controls, the Acer settlement is similar to the EZContactsUSA.com settlement.

January 30, 2017

New York Financial Regulator Revises Proposed Cybersecurity Regulation

BY RONALD I. RAETHER, JR., MARK C. MAO, C. READE JACOB, JR. AND SHANNON V. PATTERSON

On December 28, the New York Department of Financial Services (“NY DFS”) released its highly anticipated revised cybersecurity regulation.  As we previously noted here, the proposed regulation would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.  The NY DFS’s proposal sparked widespread backlash from the banking industry, and the regulator received over 150 comment letters from affected parties, including banks, insurers, and money service businesses.  Critics railed against the proposed regulation as too strict and untenable in certain specifics regarding cybersecurity programs, for requiring increased monitoring of third-party vendors, and for requiring the appointment of a chief information security officer.

In response, the NY DFS made a number of changes to the proposed regulation.  Perhaps most favorable to financial institutions, money transmitters, insurance companies, and other covered entities is the Department’s decision to provide more risk-based controls related to cybersecurity programs, penetration testing, vulnerability assessments, audit trails, access privileges, encryption, and multifactor authentication. The original proposed rule provided more prescriptive minimum rule-based controls that offered less flexibility for covered entities.  The shift to more risk-based controls comports more closely with federal Gramm-Leach-Bliley Act (“GLBA”) requirements that the specific controls employed be in line with the size and sophistication of the regulated entity.

Other notable changes include:

  • Requiring that risk assessments be performed “periodically” rather than annually as mandated in the original regulation;
  • Requiring that the company’s cybersecurity plan be reviewed and approved by either a senior officer or the board of directors, and not both as called for in the original proposal;
  • Creating a “limited” small business exemption for covered entities that have fewer than 10 employees, less than $5 million in gross annual revenue, or under $10 million in year-end total assets;
  • Clarifying that businesses only need to ensure that someone is performing the duties of a chief information security officer, and that they don’t need to dedicate an employee exclusively to these activities;
  • Allowing companies to forgo encrypting nonpublic information and to use a different control when it finds such encryption to be “infeasible”; and
  • Narrowing the notification trigger by limiting required reporting to events that the business is already required to report to other regulators or supervisory bodies and that have “a reasonable likelihood of materially harming any material part of the normal operations” of the institution.

The revised rule also extends the deadline for compliance to March 1, 2017 from its previous deadline of January 1, 2017.

Even with the new changes, critics may still not be satisfied.  For example, the NY DFS rejected a request from a number of commentators that the proposed regulation should harmonize more closely with other standards, including state, federal, and international standards – both existing and proposed.  In response to these criticisms, the NY DFS stated that it “has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum standards.”

The updated regulation will be finalized in January following a 30-day notice and public comment period, and will become effective on March 1, 2017.

January 3, 2017

FDA’s Postmarket Management of Cybersecurity in Medical Devices

BY MARK C. MAO, RONALD I. RAETHER, JR. AND JONATHAN YEE

On December 28, the U.S. Food and Drug Administration issued its “nonbinding recommendations” guidance for addressing post-market cybersecurity vulnerabilities in medical devices under the title “Postmarket Management of Cybersecurity in Medical Devices.”[1] By its terms, the recommendations are for a “risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the Agency and outlines circumstances in which FDA does not intend to enforce reporting requirements.”[2]

By its terms, the Guidance applies to: “1) medical devices that contain software (including firmware) or programmable logic, and 2) software that is a medical device, including mobile medical applications.”  It applies to legacy devices, in addition to those going onto the market.[3]

While the guidance states that it is a “nonbinding recommendation,” it represents the FDA’s recommendations to its own staff regarding the medical device community’s responsibilities to monitor, identify, and address cybersecurity threats to medical devices, including for emerging connected medical devices.

A few points in the guidance stand out in particular:

  • A good cybersecurity risk management program includes: (1) monitoring cybersecurity information sources for identification and detection of risks; (2) maintaining robust software lifecycle processes that include monitoring third-party software, and verification and validation for software updates and patches; (3) establishing and communicating processes for vulnerability intake and handling; (4) using threat modeling; (5) adopting a coordinated vulnerability disclosure policy and practice; and (6) deploying mitigation strategies.[4]  The FDA recommends that manufacturers “incorporate elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity.”[5]
  • The guidance concedes that “medical devices and the surrounding network infrastructure cannot be completely secured.”[6]  However, the focus of the program is on “the safety and essential performance of their device, the resulting severity of patient harm if compromised, and the risk acceptance criteria.”[7]
  • The FDA further urges manufacturers to characterize cybersecurity vulnerabilities as “acceptable or unacceptable” and “controlled or uncontrolled.”[8]  Uncontrolled risks are those that are “present when there is unacceptable residual risk of patient harm due to insufficient risk mitigations and compensating controls.”  While uncontrolled risks need to be reported to customers and the FDA, the FDA does not intend to enforce reporting requirements where: (1) there are no serious adverse effects, (2) the manufacturer provides interim and remediating controls to customers within 30 days, (3) the manufacturer fixes the vulnerability within 60 days, and (4) the manufacturer actively participates in an information sharing analysis organization (“ISAO”) that shares vulnerabilities and threats.[9]


[1] Postmarket Management of Cybersecurity in Medical Devices, (FDA Dec. 28, 2016), available at: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.

[2] Id., p. 4.

[3] Id., p. 8.

[4] Id., pp. 13-14.

[5] Id., p. 14.

[6] Id., p. 14.

[7] Id., p. 15.

[8] Id., Section VII.

[9] Id., pp. 8, 23.

December 30, 2016

Summary Judgment Motion is Filed in TCPA Class Action Involving Airbag Recall

BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY

According to the complaint in Ibrahim v. American Honda Motor Co., Inc., defendants Stericycle, Inc. and Stericycle Communication Solutions, Inc. (collectively referred to herein as “Stericycle”) violated the Telephone Consumer Protection Act by making unauthorized telephone calls using a prerecorded or artificial voice to the cellular telephones of individuals throughout the nation.

Stericycle’s calling program started after Honda commenced a recall of defective airbags from vehicles that it sold in the United States.  To expedite its airbag recall, Honda allegedly engaged in an automated calling operation to alert owners of the affected vehicles.  Stericycle, a provider of automated calling services to companies conducting recalls of their products, made the calls on behalf of Honda.  Some of these calls were supposedly made to telephone numbers of individuals who never owned a Honda, like the named plaintiff, Wasif Ibrahim.  Ibrahim claims that he has received nearly a dozen phone calls to his cell phone since January 2016.

Ibrahim’s class action complaint seeks to certify a nationwide class of persons who, within four years prior to the commencement of the litigation, received one or more telephone calls from Stericycle featuring a prerecorded or artificial voice message relating to a product recall, where the called party was not, according to Stericycle’s records, the intended recipient of the call, or who did not consent to be called.

On December 19, Stericycle filed a motion for summary judgment, arguing that “Plaintiff’s claim is not only meritless, it is dangerous.”  Stericycle contends that its calling program falls squarely within the TCPA’s “emergency purpose” exception, and further argues that “this lawsuit challenges the lawfulness of phone calls that are saving lives.”  Stericycle concluded its motion by stating: “Lives depend on reaching car owners as quickly as possible.  That urgency may make ‘wrong number’ calls more likely, but that makes it even more imperative that outreach efforts enjoy the protection of the emergency exception.”

The motion was scheduled for presentment before the United States District Court for the Northern District of Illinois on December 23.  We will continue to monitor the developments in this case.

December 28, 2016

Federal Communications Commission Chairman Tom Wheeler Announces Resignation on Dec. 15, 2016, Signaling Potential Reform to the Telephone Consumer Protection Act (TCPA)

BY DAVID N. ANTHONY, ALAN D. WINGFIELD, JONATHAN FLOYD AND JIM TREFIL

Federal Communications Commission Chairman Tom Wheeler said Thursday that he’ll step down from his post on Jan. 20, 2017. Wheeler was appointed by President Obama three years ago to lead the FCC. Prior to his October 2013 confirmation as the 31st chairman of the FCC, Wheeler served as managing director at venture capital firm Core Capital Partners. He was president of NCTA (now “the Internet & Television Association”) from 1979 to 1984 and led the CTIA (now “the Wireless Association”) from 1992 to 2004.

Wheeler’s announced departure is not unusual, as FCC chairmen traditionally resign when a new Administration arrives. “Sitting in this chair has been the great privilege of my professional career,” Wheeler said as the FCC’s open commission meeting on Thursday concluded. “I want to thank all of my colleagues. It has been a team effort.”

Tom Wheeler’s tenure at the FCC is highlighted by an expansive interpretation of the Telephone Consumer Protection Act (TCPA) in a series of rulings culminating in the Commissioners’ landmark 2015 declaratory order. That order, the capstone of Wheeler’s pro-TCPA faction at the FCC, expanded the reach of the TCPA in multiple ways and significantly increased risks for businesses of all types attempting to contact consumers by telephone. These rulings have facilitated a tidal wave of TCPA litigation that set new records every year, as well as hundreds of millions of dollars of litigation settlements by legitimate businesses making legitimate calls for legitimate reasons. If TCPA filing activity holds steady through December, it could reach 5,000 lawsuits filed in 2016 alone.

In October 2016, the federal appeals court for the District of Columbia Circuit heard oral arguments in ACA International, et al. v. FCC, appealing the 2015 declaratory order. Also pending is a shift in control of the FCC to a majority that is likely to reflect the view that the FCC has fundamentally overstepped its bounds in its aggressive regulatory acts. While it is too soon to know whether the shift in control will result in a dramatic shift in regulatory direction, there are a number of relatively easy measures the new majority could take to significantly shift the regulatory status quo under the TCPA and scale back the most extreme parts of the FCC’s current positions. Between the pending appeal and the change in control at the FCC, 2017 is shaping up to be a watershed year for the TCPA.

In the interim, Republican FCC commissioner Ajit Pai is expected to be named interim chairman. He’s also seen as a contender for appointment as Chairman by President-Elect Donald Trump.

December 21, 2016

Medical Services Company to Pay $9.25M in TCPA Class Action Settlement

BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY

The United States District Court for the Eastern District of Louisiana recently granted final approval of a $9.25 million settlement of a Telephone Consumer Protection Act class action against Advanced Care Scripts, Inc. (“ACS”).

According to the class action complaint, ACS engages in the management and dispensing of specialty medications and oral oncology products.  To advertise their services, ACS allegedly blasted thousands of junk faxes to businesses, including the named plaintiff, Jefferson Radiation Oncology, LLC, without obtaining the businesses’ prior express consent to do so.

After engaging in litigation for nearly a year, the parties reached a class action settlement consisting of a $9.25 million settlement fund, with $20,000 being awarded to the class representative and $1.85 million for attorneys’ fees.  The settlement class consists of “all persons and entities that received facsimile transmission from Advanced Care Scripts or its vendor that advertise, promote, or describe Advanced Care Scripts’ products or services and do not contain” an opt-out notice advising recipients of their right to stop future junk faxes.  The class consists of approximately 24,000 individuals and entities.  No members of the settlement class objected to the proposed settlement, and only one class member opted out.

December 16, 2016

Insurer Denies Coverage in TCPA Class Action

BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY

As we previously reported, US Coachways entered into a $49.9 million Telephone Consumer Protection Act class action settlement.  Because the motor coach leasing company could not fund the settlement, the company tendered a claim for the action to its insurer, Illinois Union Insurance Company, which subsequently denied coverage to US Coachways.  US Coachways assigned its rights against the insurer to the named plaintiff and the putative class members.

Illinois Union has now filed a declaratory action suit in New York federal court seeking a judgment that it has no coverage obligations for the underlying lawsuit.  Specifically, the insurer alleges that the policy at issue is limited to actions that fall within “the performance of professional services as a bus charter broker for others for a fee.”  Illinois Union argues that the underlying TCPA class action did not arise from the performance of such services.  “Rather, the underlying lawsuit arose from the alleged use of the ATDS to transmit text messages for advertising purposes only, and does not contain any allegations unique to the performance of the US Coachways’ services as a bus charter broker.”

This new lawsuit serves as a reminder to companies of the importance of reviewing their insurance policies and ensuring comprehensive coverage, especially for TCPA class actions.  We will continue to monitor the developments in this case.

December 16, 2016

Telephone Company Settles TCPA Class Action for $11 Million

BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY

On December 14, the parties in Mey v. Frontier Communications Corp. filed a motion for preliminary approval of a settlement of a Telephone Consumer Protection Act class action.

According to the Complaint, Frontier, a telephone company that offers voice, broadband, satellite video, and wireless internet data access for individuals and small businesses, uses telemarketing to generate sales.  Frontier supposedly called the named plaintiff on two occasions in 2013.  Plaintiff claims that the calls were made using an automatic telephone dialing system to telephone numbers that were on the national Do Not Call Registry.

After more than three years of litigation, the parties reached a class settlement.  The settlement class consists of all persons within the United States to whom Frontier, or any party acting on Frontier’s behalf, since August 20, 2009: (a) initiated more than one telemarketing call within a 12-month period to any number on the national Do Not Call Registry; and/or (b) initiated one or more telemarketing calls [to any number] assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call.

The class consists of 36,219 unique telephone numbers.  The settlement class will share an $11 million common fund, with each class member to receive at least $90 and the balance of the fund to be divided on a per-call basis to class members who received multiple calls.

The Frontier settlement is the latest in a string of recent TCPA class action settlements affecting a wide range of industries.

December 15, 2016

Responding to a Data Breach: The FTC’s Guide

BY MEGAN C. NICHOLLS, RONALD I. RAETHER, JR. AND MARK C. MAO

The FTC issued a new video and updated guide for businesses on how to respond to a data breach.  The three steps identified in the guide and discussed in the video are:

  1. Secure your operations – This step focuses on preventing further attacks due to the same vulnerabilities.
  • Mobilize your breach response team
  • Engage a third-party forensics investigator, if appropriate, and legal counsel
  • Secure the physical perimeter
  • Take affected equipment offline, but leave the equipment turned on so your forensics investigator can evaluate the equipment effectively
  • Change usernames and passwords
  • Ensure your website is not displaying personal information
  • Ensure other websites are not displaying the data exposed during the breach
  • Interview witnesses
  • Preserve evidence
  2. Fix vulnerabilities – This step focuses on fixing the root cause of the security incident.
  • If the breach involved a third-party service provider, determine if you need to change their privileges to limit the personal information they can access
  • Determine if your segmentation plan was effective, possibly with the help of your forensics investigator
  • Gather facts about the breach
  • Create a plan to communicate about the breach to affected audiences (such as employees, consumers, and business partners)
  3. Notify appropriate parties – This step is focused on who needs to be notified that a breach has occurred.  The guide provides a model notification letter that may be used in the event of a breach.
  • Determine who you are legally required to notify and when you are required to notify such individuals, governmental bodies, or businesses
  • Notify your local police department
  • If the breach involved electronic health information, make sure to look at the HIPAA Breach Notification Rule and the FTC’s Health Breach Notification Rule

As may be obvious, the key to an effective data breach response is adequate preparation before a breach occurs.  Businesses should proactively consider having: (1) a data breach response team informed and ready to respond in case a security incident is discovered; (2) an effective communication plan to involve legal counsel as soon as possible to preserve privilege; and (3) a documented incident response plan to guide the data breach response team and legal department through the steps identified above.  Additionally, businesses may find that conducting mock data breach exercises helps prepare and build confidence in the individuals who will be required to act quickly and effectively when a breach occurs.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders maintains a 50-state survey on data breach laws, which can be found here.  Because of our team’s technical background, we are uniquely positioned to understand your business’s information technology concerns and to help you address any risks from a legal perspective.  We advise businesses throughout their data security lifecycle, from developing a pragmatic incident response plan to assisting with data breach identification, response, and recovery efforts.

December 1, 2016

Cross-Motions for Summary Judgment Filed in Costco FCRA Class Action

BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY

As we previously reported, the named plaintiff in Paci v. Costco Wholesale Corporation filed a Fair Credit Reporting Act putative class action against Costco alleging that the retailer’s receipts contained more digits of the payment card’s account number than is permitted under the Act.

The parties recently filed cross-motions for summary judgment.  Costco argued that it did not violate the Act because the “extra” six digits permissibly revealed only the type of card Paci used for her purchases and not any personal information.  Those first six digits are identical on all cards, Costco stated.  Costco also argued that the statute only applies to receipts provided to customers “at the point of sale or transaction.”  Here, in contrast, Paci received the receipt in an area separate and apart from the cash registers.  Costco finally argued that Paci lacks Article III standing to maintain her class action because the receipt at issue has been secured in a file cabinet since she received it, and she has never established how the receipt could have been used to facilitate identity theft.

In her summary judgment motion, Paci argued that discovery “has confirmed that the receipt is printed within a Costco store and that the machine that prints the subject receipt is part of Costco’s point of sale system,” thus entitling Paci to judgment as a matter of law.  Paci also argued that she satisfies Article III standing requirements.  According to Paci, “[t]he plain language of the statute . . . indicates that the violation, the concrete harm, is completed once the electronically printed receipt is ‘provided to the cardholder at the point of sale or transaction.’”  She concludes that an invasion of a legally protected interest is sufficient to satisfy Article III.  Paci also briefly argues that expending time to protect her receipt instead of simply throwing out her receipt could also constitute concrete injuries.

The motions are expected to be fully briefed by the beginning of January.  We will continue to monitor the case and report on the Court’s ultimate decision.

November 30, 2016