Articles Posted in Boards of Directors

Are your cybersecurity management practices reasonable? Do you know your risk tolerance? Are you covering all the cybersecurity bases that make up reasonable cybersecurity?

The California Consumer Privacy Act (CCPA) and other emerging laws require organizations to have “reasonable cybersecurity practices.” The challenge is that there is no accepted definition of exactly what “reasonable” means.

Addressing this challenge, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, will participate as a panelist for the online interactive program Cybersecure LA2020: A Reasonable Approach to Reasonable Security sponsored by SecureTheVillage.

There is no one size fits all: Whatever “reasonable” is to mean, it must – at the very least – take into account the particular circumstances of the organization and the information it possesses. It would clearly be unreasonable, for example, to hold a small manufacturing company or nonprofit to the same standard as a large bank.

Join SecureTheVillage at CybersecureLA 2020 and learn how to think through your organization’s particular cybersecurity and privacy circumstances … the information you must protect … the laws and regulations governing protection … your own corporate risk-tolerance … and integrate these together into an information security management program that’s reasonable for your organization.

Register Now

Date:   Wednesday, October 28th

Time:   2:30 – 5:00 pm Pacific Time

Who should attend:  Board members. C-Level Executives. CFOs, Chief Risk Officers, Chief Information Security Officers. Anyone in the organization with management responsibility for information security. Trusted advisors.

Learn by doing: CybersecureLA 2020 is organized as an interactive workshop, taking advantage of online event capabilities including small group discussion, polls, surveys, and interactive Q&A.

You will learn to:

  1. Identify your cyber-risk exposure
  2. Explore your cyber-risk tolerance
  3. Know the key elements of reasonable cybersecurity
  4. Leave with a well-defined process to follow in identifying what reasonable security is for your organization.

Register Now For This Informative Program

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

About JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

The FTC Speaks

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC) Consumer Protection Bureau published a blog post with changes to the FTC’s approach to its orders and settlements of data breach enforcement actions.  One of the key elements of the report was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.

The Growing Role of Managers and Boards in Data Security

The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.  While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they are the victim of a breach or not.

The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.

Impact on Business

Businesses regularly collect vast amounts of personal information, and often are unaware of the extent, location and accessibility of that information.  Moreover, businesses rely on third parties to collect, store, and process data, and the responsibility for the protection of personal data – customer, client and employee data – is a hot potato.  Companies are only now reviewing their internal operations, as well as their relationships with vendors, to inventory their data and data collection practices.  The FTC’s rule makes it clear that the responsibility for the protection and privacy of personal information will reach to the top of the business. Continue reading

Looking back with the perspective of two years, the Equifax data breach still has many lessons to teach us. Unfortunately, some of the most important lessons are masked by the extremes of the errors that characterized the original breach, which include insider trading by top executives after the breach was discovered but before it was disclosed. That, combined with the length of time the company withheld news of the breach, and the irony that its entire business model is built on security, may lure some observers into believing that the incident is unique, and they could never screw things up as magnificently.

That would, however, be a mistake.

As litigation over the breach continues, there are some takeaways that might not be as obvious, but which are important to all companies. As courts and regulatory agencies struggle with how to respond to such breaches, punish companies that disregard regulations and look to compensate victims, it becomes increasingly clear that securities compliance is more important than ever. For public companies, data breaches are doubly dangerous.

First, a key lesson from Equifax is that words matter.

Earlier this year, a federal judge upheld most of the plaintiffs’ claims in a securities class action against Equifax (note, these are claims brought by shareholders, not those whose data was breached, though of course those subsets likely overlap), in part because statements on the company’s website, in SEC filings and during investor conferences stated it employed “strong data security.” Plaintiffs allege that the statements misled investors regarding “the strength of Equifax’s cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.”

All companies, and especially those in the security business or whose business model is based on gathering, storing and processing information, can be tempted to tout one’s defenses as “the best,” “state of the art,” “industry-leading,” etc. More to the point, a marketing department is bound to use that kind of language. That language, however, is the basis for shareholder lawsuits, FTC enforcement actions and other problems. Here are three steps to take to ensure your cybersecurity statements aren’t what compound your misery after a breach: Continue reading

By Michael Gold and Bob Braun

A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation.

The Case and Its Holding

On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion doesn’t do any favors for business.  The Court ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – like using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege concrete injury in order to sue.  Rather, simply pleading a violation of BIPA’s technical requirements will be enough, without alleging any actual injury.  Because each violation carries a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the doors to the next wave of extremely risky and costly litigation for Illinois businesses.

Warning Signs

The decision is a warning sign, not only for Illinois businesses that use biometric information, but for businesses generally.

The case is one of a series that make it easier for plaintiffs to bring claims without asserting damages.  In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact.  This has, for years, been a stumbling block for lawsuits arising out of data breaches, as the existence of damages has been difficult to prove.  Just as more courts are willing to assume damages in those kinds of cases,  the Illinois court has done the same for violations of BIPA.  Importantly, this will not only ease the burden for individual plaintiffs; it is likely to expand the availability of class action claims as well.

The case is also demonstrative of the increasing willingness to reshape statutes that may not originally have been treated or viewed as privacy protection statutes.  The Federal Trade Commission, many attorneys general, local district attorneys and private plaintiffs have used laws prohibiting “unfair and deceptive trade practices” to address perceived privacy and security shortcomings. The use of BIPA in this context may well embolden governmental and private plaintiffs alike to consider whether existing statutes can be used to bring claims.

Finally, the Court’s opinion reflects a shift in attitude that underlies privacy legislation in the United States.  Just as the European Union and other jurisdictions have adopted the position that personal information belongs to the individual, this case recognizes the same trend in the United States. This decision, along with the California Consumer Privacy Act, and proposed laws in Washington, Vermont and other states – as well as measures being considered by the federal government – point to a new attitude toward the use of personal information by businesses.

Actions to Take

The Rosenbach case has implications far beyond Illinois.  Businesses operate in a world where regulators, law enforcement, and private individuals actively seek ways to hold companies responsible for ensuring personal privacy.  Part of their method is to use laws that may have been ignored, or to find ways to interpret existing laws, to support damage claims.  This creates a challenge for companies, since addressing the challenges posed by these laws requires companies to focus not on reacting to events, but on establishing information governance systems that addresses the collection and use of personal data.

These developments also cannot be effectively addressed solely at a technical level – in particular, they cannot be delegated to an information technology department.  Rather, the active involvement of senior management is crucial to evaluating the risks a company is willing to take in the context of existing and emerging privacy laws, and ensuring deployment of governance frameworks that realistically address these risks without undermining the company’s business mission.

The JMBM Cybersecurity and Privacy Group counsels companies on incorporating privacy and information security into enterprise governance.  For additional information, contact Michael Gold (MGold@jmbm.com) or Bob Braun (RBraun@jmbm.com).

 

In their column, Top 10 cybersecurity predictions for the new year, Robert Braun and Michael Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group offer predictions on federal privacy legislation (they won’t pass any and if by chance they do, it won’t work), data localization (more companies will have to decide whether to maintain services in foreign jurisdictions or leave those markets), governance (companies will get finally  get real about enforcing written cybersecurity policies), and more.

Published by the Daily Journal, you can read the column here.

 

About JMBM’s JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity & Privacy Group counsels clients in a wide variety of industries, including retail, aerospace, health care, utilities, sports, media, and professional services such as accounting firms, law firms, business management firms and family offices. We represent clients in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity & Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

Robert E. Braun and Michael A. Gold are co-chairs of the Cybersecurity & Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP.

Contact Bob Braun at RBraun@jmbm.com or +1 310.785.5331.
Contact Mike Gold at MGold@jmbm.com or +1 310.201.3529.

The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offer nine scams as cautionary tales.

The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BCEs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed for the thefts, accomplished via simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of these sorts.

The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.

The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.

Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing the customer data. With this preconception, an enterprise will focus on hardware, software, and firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element – these losses cited in the SEC report were based on social engineering,” which we’ve written about – exploiting human weakness, not technological failures. The only thing “hacked” was what should have been the proper level of suspicion of the employee targeted, and lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?  Continue reading

human-firewall-superhero-300x166One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution.  There is no law or regulation that specifies the exact steps a company needs to take in order achieve data security.  While there are some regulatory and industry recognized compliance programs – like health law requirements under HIPPA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security.  And these compliance guidelines themselves emphasize that each firm must establish security standards which meet the requirements of their business operations.

The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company.  Every company has different information requirements and standards as to the information it collects, how it retains and how it uses that information.  Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.

Assessment Defines Approach

Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity.  This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point that a data security plan, and its technical components, are contemplated.  Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the security challenges.

Continue reading

I’m attending the Arthur J. Gallagher Risk Management Roundtable on September 12 and 13 at the Intercontinental Hotel  in New Orleans, where Alex Ricardo of Beazley and I will be speaking on Cybersecurity in the Hospitality Industry tomorrow morning.  I’ll be leading a discussion of the unique privacy and security issues facing hotels, managers and owners, the legal issues facing hotels, director and officer concerns, and the importance of preparing for the inevitable breach.

Cybersecurity is one of the biggest issues facing hotels – barely a day goes by without the report of another hotel chain being targeted, and for good reason; hotels have many of the openings that hackers look for, including multiple systems, wide access to WiFi (with limited or no security), valuable data, large numbers of employees and vendors with access to hotel systems, and customers that, unwittingly, can aid in carrying out a breach.

If you are interested in a copy of my presentation, you can reach me at rbraun@jmbm.com.

 

Businessmen superheros and tearing shirts off with c

This article, written by Michael A. Gold, Partner at Jeffer Mangels Butler & Mitchell, was originally published by Bloomberg BNA Corporate Governance Report on October 7, 2013 and articulates the responsibility that corporate boards must own in order to protect the electronic assets of their organization. Read Cyber Risk and the Board of Directors –Closing the Gap.

The term ‘corporate assets’ may conjure up thoughts of mechanical equipment, financial instruments, computer hardware, and even personnel. Often overlooked in this terminology are an organization’s digital information assets, which may include high-value trade secrets, sensitive digital correspondence, business strategy information, or the financial and personally identifiable information of consumers.

Corporate directors have a duty to protect all organizational assets. While the assumption is that cybersecurity threats are only a problem for hi-tech companies, the truth is that the potential for a data breach poses a significant risk for any company that stores any of its data electronically. Threats to a company’s sensitive digital information can include cyber-attacks, hacking, phishing, and ransomware scams, to name a few.

“Corporate boards can be timid about engaging cyber risk because the nature of these risks has no real parallel in the experience of most corporate directors.”

– Michael A. Gold

Due to the seemingly massive volume of information and lack of time or personnel, Cyber Security Fatigue besets many corporate boards. Corporate directors may focus their efforts on other priorities that are more closely related to their areas of expertise, believing that cyber security is being managed by their corporate information technology department.

It’s a common misconception among many organizational leaders that the corporate IT department is responsible for managing a company’s cybersecurity shield. Often, the truth is that IT departments are, in general, not experts in cybersecurity; in fact, many of the directives of IT professionals is counter to encouraging good cybersecurity practices in favor of speed of access, simplified password protocols, or rushing to get a product or service to market quickly.

This article, written by Michael A. Gold, Partner at Jeffer Mangels Butler & Mitchell, was originally published by Bloomberg BNA Corporate Governance Report on October 7, 2013 and articulates the responsibility that corporate boards must own in order to protect the electronic assets of their organization.

Also covered in this article is the role that corporate directors play in addressing cybersecurity risks, preparing for the possibility of a cyber-attack, and responding to data breaches, should one occur. Possible legal implications for the board and its members, as well as reports from Lockton Companies, a major insurance broker regarding the “increasing trend in D&O Claims filed as a result of data breach events, and lack of adequate disclosure surrounding such events,” are included.

Reproduced with permission from Corporate Governance Report, 16 CGR 120, 10/07/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) https://www.bna.com

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. He is also a co-author of Bloomberg BNA’s Corporate Practice Series Portfolio 86, Records Retention for Enterprise Knowledge Management, which is available for purchase at https://www.bna.com/records-retention-p6983/.  Contact Mike at MGold@jmbm.com or +1 310.201.3529.

Web analytics concept - Multicolor version

On February 10, 2011, the California Supreme Court held in Pineda v. Williams Sonoma that ZIP codes are considered “personal identification information” under the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”). As previously discussed in our January and March 2009 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them offer services and goods on a competitive basis.

Background

The Act provides in part that retailers shall NOT do any of the following:

1. Request or require the cardholder to write any personal identification information on the credit card transaction form as a condition to accepting the credit card as payment in full or in part for goods or services.

2. Request or require the cardholder to provide personal identification information, which company personnel writes or otherwise records on the credit card transaction form as a condition to accepting the credit card as payment.

3. Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder in any credit card transaction.

See Cal. Civ. Code § 1747.08(a).

Under the Act, personal identification information is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of personal identification information.

This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.), and the customer is not required to give this information in order to consummate the transaction.

The trial court in Pineda applied Party City’s logic, and concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected this reasoning and relied on the Act’s protective purpose and expansive language by holding that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed misgivings  about Williams-Sonoma’s “reverse append” practices and the potential for retailers to circumvent the Act by collecting indirectly what they cannot legally collect directly. In reversing Party City, the Supreme Court pointed out that Williams-Sonoma had the following intention by requesting plaintiff’s ZIP code:

“[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. [Williams-Sonoma] uses its database to market products to customers and also sell the information it has compiled to other businesses.”

Although the Supreme Court may have had this particular fact-pattern in mind in overturning Party City, the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.”

Penalties for Violation

The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. In addition, more than a dozen national retail chains operating in California have been hit with lawsuits since the Pineda decision, setting off a flurry of litigation with most of the lawsuits being filed in San Francisco or Los Angeles courts.

Future Questions

One potential question that Pineda raises is whether ZIP codes are the end of the line or whether other “non-traditional” forms of personal identification information, such as emails and/or IP addresses could be treated as personal identification information for purposes of the Act. In light of the court’s decision in Pineda, it seems possible that plaintiff and consumer advocacy groups may wish to revisit the Symantec holding (discussed in our March 2009 Client Alert) in order to try to eliminate the “online” vs. “offline” distinction between retailers.

Suggested Actions

JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.