“Data Privacy and Security 2018 First Quarter Update”
Safe & Sound 05/08/18 Meghan C. O'Connor, Rachel H. Weiss, Sarah A. Erdmann
We have already provided you with the Health Information Technology, Privacy and Security 2018 First Quarter Update, but we did not want the non-health care entities to feel left out! As such, we have assembled a few other noteworthy events in the data privacy and security world from the first quarter of 2018.
FTC Published Report Raising Concerns with Mobile Device Security Updates
In the February 2018 Commission Report on Mobile Security Updates: Understanding the Issues, the Federal Trade Commission (FTC) summarizes data provided by eight mobile device manufacturers (Apple, Inc., Blackberry Corp, Google Inc., Samsung Electronics America, Inc., MTC America, Inc., LG Electronics USA, Microsoft Corp., and Motorola Mobility, LLC) in response to the FTC’s and Federal Communications Commission’s (FCC) orders to examine the security update practices of mobile device carriers.
In the report, the FTC recommended steps to address concerns related to mobile device security updates, including a wide variance in the time it took to roll out security updates, the length of time the devices remained eligible for updates, and how frequently devices were updated. The FTC suggested that stakeholders have an opportunity to work together to educate consumers about their role in the operating system update process and the significance of security update support. While the FTC recognized the industry’s efforts in expediting the security update process, the report suggested that manufacturers should deploy security updates more quickly and keep better records of decisions regarding support length, update decisions, and frequency. The FTC also requested that manufacturers adopt and disclose minimum guaranteed support periods for devices and that manufacturers notify consumers when support will end. As suspected, the FTC also emphasized the need for the industry to continue efforts to “start with security,” and embed security further into design and support culture and decisions. This is a message we have heard from the FTC before, including in its 2015 business guide.
NY Department of Financial Services Updates Cybersecurity FAQs
On February 21, 2018, New York’s Department of Financial Services (DFS) issued revised FAQs regarding 23 NYCRR Part 500 (the regulation establishing cybersecurity requirements for financial services companies). These are first-in-the-nation regulations imposing comprehensive cybersecurity and reporting obligations on banks, insurers, and other financial institutions. As we watch these developments, they might be a good barometer of what is coming in other states or what will be considered best practice or industry standard.
In the revised FAQs, DFS encourages all financial institutions to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500. DFS also clarifies in the FAQs that not-for-profit mortgage brokers, health maintenance organizations, and continuing-care retirement communities are considered “covered entities” under – and thus must comply with – 23 NYCRR Part 500. DFS also notes that “covered entities” acquiring or merging with a new company must update their risk assessment to address changes in information systems, nonpublic information, or business operations and should perform a factual analysis of how the regulatory cybersecurity requirements apply to that particular acquisition or merger. The FAQs also clarify that the requirement for the CISO to report in writing to the Board of Directors at least annually is not accomplished by reporting to an authorized Board subcommittee.
SEC Issues Guidance on Cybersecurity Disclosures
The U.S. Securities and Exchange Commission (SEC) got in on the action as well. The SEC issued interpretive guidance on public company cybersecurity disclosures, applicable February 26, 2018. This guidance builds off of previous guidance issued in 2011 by the SEC’s Division of Corporation Finance. The new guidance provides public companies a guideline for cybersecurity disclosure requirements under federal securities laws. In particular, the SEC emphasizes the need for cybersecurity policies and procedures, specificity and timing of material cybersecurity risk disclosures, and refraining from disclosing cybersecurity risks or incidents that are material nonpublic information consistent with the prohibitions on insider trading under the general antifraud provisions of securities law.
Equifax: 2.4 Million Additional Consumers Were Affected by Last Year’s Data Breach
After previously reporting that 145.5 million Americans were affected by the company’s 2017 data breach, Equifax reported on March 1, 2018 that an additional 2.4 million consumers had also been impacted. When Equifax initially reported the breach in September 2017, the company noted that the hackers had obtained access to names, Social Security Numbers, addresses, and other personal information for approximately 143 million people. Since the initial report, the number of affected individuals has increased as Equifax has continued its ongoing investigation and analysis of the incident. Equifax stated that these additional individuals would be notified by mail and would receive the identity theft protection and credit monitoring services that had been offered to other affected individuals.
New and Updated State Breach Notification Laws
In March, Oregon’s governor signed a bill strengthening the Oregon Consumer Identity Theft Protection Act. The scope of the data breach notification provisions was expanded to include not only those who own or license personal information, but also those that otherwise “possess” personal information. Further, the definition of personal information was revised to include any “information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
Notably, Oregon has followed a growing trend of states requiring breach notification to be made within a specific timeframe by requiring an entity that experiences a breach of security to notify affected consumers no later than 45 days after discovering or receiving notification of the breach from another person that maintains or possesses the personal information on its behalf. These changes are effective June 2, 2018.
In late March, Alabama and South Dakota also became the last two states to pass data breach notification laws. The Alabama law becomes effective on June 1, 2018 and the South Dakota law becomes effective July 1, 2018.
For more information on state breach notification laws, please refer to Quarles & Brady LLP’s summary of the data breach laws in all 50 states.
For questions about any of these updates or data privacy and security generally, please contact Meghan O’Connor at (414) 277-5423, Rachel Weiss at (414) 277-5829, Sarah Erdmann at (414) 277-5512, or your Quarles & Brady Data Privacy and Security attorney. Stay tuned to our Safe & Sound blog for future privacy and security updates and quarterly wrap-ups!