Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

February 10, 2021
Please email questions to cybersecurity@morrisonmahoney.com.
IN CASE YOU MISSED IT...
  • Hospitals Beware: Intelligence agencies in the U.S., Canada and Europe have warned that cybercriminals are continuing their relentless attempts to break into health-care systems to steal COVID-19 vaccine-related research and data.
     
  • The NYCPA and MCPA?: Both New York and Minnesota are considering legislation that substantially mirrors the California Consumer Privacy Act. Gear up, as these types of statutes are coming over the next several years across the country. We'll keep you posted on all future developments. BUT FIRST....

  • The Virginia Consumer Data Protection Act: By the end of the month, the Virginia Consumer Data Protection Act should be signed into law. This Act is similar to the CCPA in many ways, and will provide Virginia residents with the rights to confirm whether or not a controller is processing personal data; to access such personal data to correct inaccuracies; to delete personal data provided by or obtained about the consumer; obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and to opt out of the processing of the personal data for certain purposes, such as targeted advertising and the sale of the data. Once signed into law, we will bring you a full analysis. 

  • Insurers Should Read This: The New York State Department of Financial Services has created a Cyber Insurance Risk Framework that outlines best practices for property/casualty insurers to help manage cyber risk. There are six key practices detailed in the Framework, which can be viewed here.

  • If it Can Happen To Them...: Information Security researchers were fooled by a very well executed social engineering campaign. How it went down makes for a fascinating read, and should remind you that bad actors don't lack ingenuity, resources or motivation.

  • It Can Happen To You...: Leon Medical Centers, which has eight locations in Florida, and Nocona General Hospital, which has three locations in Texas, each suffered a data breach in which hackers demanded a ransom and subsequently published tens of thousands of records, including diagnostic scans, medical records, employee background checks and other PII, on the dark web. This type of extortion scheme has become rampant, with some hackers using it for leverage and others following through on their threats.
Social Engineering Fraud vs. Computer Transfer Fraud Insurance Coverage: Why Policy Language Matters
By: Daniel Marvin
In an all too common scenario, company employees fall victim to email phishing schemes which result in them wiring substantial sums of money to hackers. Mississippi Silicon Holdings, LLC found itself in that position in 2017, when its chief financial officer received an email from a known vendor requesting that future payments be sent to a new bank account. Attached to the email was a letter, on the vendor’s letterhead, from a company executive requesting the same. Subsequently, Mississippi Silicon Holdings’ CFO authorized two payments to the hackers totaling more than $1,000,000.00. Pursuant to the company’s verification process, a second employee confirmed the transaction on the company’s bank’s website, and its chief operating officer authorized the transfer on a phone call with the bank. Eventually, the real vendor requested payment, and the scheme was realized. Mississippi Silicon Holdings claimed a loss with its insurer, Axis Insurance Company, under a policy which provided for a limit of $100,000 in Social Engineering Fraud coverage and $1 million in Computer Transfer Fraud coverage. Axis paid the Social Engineering Fraud coverage but denied Computer Transfer Fraud coverage per the policy terms. Litigation ensued (the matter is Miss. Silicon Holdings, LLC v. Axis Ins. Co., 2020 U.S. Dist. LEXIS 29967 (N.D. Miss. 2020)).
Under the terms of the Computer Transfer Fraud provision, Axis agreed to “pay for loss from damage to Covered Property resulting directly from Computer Transfer Fraud that causes the transfer, payment, or delivery of Covered Property from the Premises or Transfer Account to a person, place, or account beyond the Insured Entity's control, without the Insured Entity's knowledge or consent.” Axis contended that there was no coverage because Mississippi Silicon Holdings’ computer systems were not manipulated, and because the subject transfers were made with Mississippi Silicon Holdings’ knowledge and consent. The Court agreed, ruling that “…it cannot be ignored that the provision [of the policy] itself specifically requires that the fraudulent act directly cause the loss. And it further cannot be ignored that MSH's employees, not the fraudulent emails themselves, actually initiated the transfer. If a proximate cause standard or some other more expansive coverage was intended, that language undoubtedly could have been included in the Policy.”
In addition, the Court’s ruling was based on a comparison of the language between the policy’s Social Engineering Fraud and Computer Transfer Fraud provisions, noting that the Social Engineering Fraud provision “clearly authorizes coverage when an employee relies on information that is later determined to be false or fraudulent. In contrast, the Computer Transfer Fraud provision, rather than specifically extending coverage when an employee in good faith relies upon fraudulent information and inflicts a loss, specifically states that coverage is only available when the loss occurs ‘without the insured entities' knowledge or consent.’” That language was a key distinction, and based on the plain policy language, this was a relatively easy decision for the Court and consistent with other courts that have ruled in similar matters.
So, can we learn anything from the Court’s decision? Yes, but let’s take this time instead to learn from facts. If your company receives a request for money to be wired, PICK UP THE PHONE and call the vendor at a known telephone number. You may be very thankful that you did. 
Important Reminder: Draft Vendor Contracts to Spell Out What Happens to Your Organization’s Data Upon Termination
By: Alex D'Amico
We have repeatedly emphasized in this newsletter the importance of including terms in vendor contracts addressing cybersecurity and data management. These legally binding agreements can be used to ensure that an organization’s vendors maintain appropriate levels of cybersecurity or are acting legally, as well as to implement appropriate data practices and procedures, and to spell out remedies in the event of a data incident, among other things. A recently filed lawsuit reveals another set of terms that should be spelled out in vendor contracts: the responsibilities of the vendor with respect to the client’s data upon receiving notice of termination of the contract.
Caliber Home Loans, Inc. (“Caliber”), a mortgage originator and servicer, commenced litigation against Sagent M&C, LLC (“Sagent”), the vendor that provided Caliber’s loan processing platform—a technological system that keeps track of loan information and processes updates about events like payments, defaults, and payoffs throughout the life of the loan. In the complaint, Caliber accuses Sagent of leveraging its possession of Caliber’s data to the point of extortion. Specifically, Caliber had grown dissatisfied with Sagent’s performance and advised Sagent that it would be terminating the contract. In connection with ending its relationship with Sagent, Caliber had to begin the extensive process of retrieving its data from Sagent so that it could be provided to Caliber’s new loan processing platform provider. By Caliber’s own admission, the transition process is an extraordinary undertaking that often takes a year or longer. Caliber alleges, however, that Sagent turned belligerent, refusing to facilitate an orderly transition unless Caliber agreed to new contract terms that were longer than any previous contract, with a price nearly twice as high.
Sagent has not yet responded to the complaint, but it is easy to anticipate its defense: why should Sagent be forced to dedicate the substantial resources necessary to facilitate Caliber’s transition between platforms without the benefit of lucrative financial terms or the prospect of generating goodwill with a customer that is already terminating the business relationship? Clearly, the termination of a vendor relationship creates a plethora of thorny issues, especially with respect to data. For this reason, organizations are well-advised to proactively include terms in their vendor contracts spelling out in detail what will happen to the client’s data, and the vendor’s obligations with respect to such data, upon termination of the contract. Clear and detailed terms will put an organization in the best possible position for its vendor to follow through with its duties in the transition and to avoid litigation.
Eleventh Circuit Weighs in on Data Breach Standing
By: Daniel Marvin 
If you are an active reader of our Newsletter, you know that over the past several years we’ve brought you all of the important updates regarding a plaintiff's standing to sue when his or her information is compromised in a data breach (if you are not an active reader, you can sign up here). In the typical fact pattern, a store suffers a data breach, a plaintiff’s PII is stolen, and the plaintiff sues the store. The question then becomes whether that plaintiff has suffered an “injury,” which is required for standing to sue. In other words, with no injury, there can be no lawsuit. The United States Supreme Court has ruled (most recently in the matter of Spokeo v. Robins) that standing can only exist if the injury is “concrete and particularized, actual and imminent and not conjectural or hypothetical.” To be concrete, the injury must be de facto, or actually exist. So, what becomes of our plaintiff?
The Eleventh Circuit recently weighed in on this issue in Tsao v. Captiva MVP Rest. Partners, LLC, 2021 U.S. App. LEXIS 3055 (11th Cir. Feb. 4, 2021). The facts are straightforward and typical: hackers gained access to a restaurant’s point of sale system and stole customer data. Customers were notified and, naturally, less than two weeks later a class action complaint was filed in which the plaintiff alleged that he suffered harm as a result of the breach and also faced an increased risk of future harm. The defendant moved to dismiss, and the Court obliged. Following Spokeo, the Court found that the plaintiff failed to allege a concrete and particularized injury that was actual or imminent: “[G]enerally speaking, the cases conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse or actual access to personal data.” So, in what circumstances can a plaintiff demonstrate standing? In most instances, courts will look to see if there are some allegations of identity theft, financial loss or other related harm that can be traced directly to the breach. Self-imposed financial loss (such as paying for identity theft protection or spending time cancelling cards) will not suffice.

This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com or Robert Stern at rstern@morrisonmahoney.com. With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212 | www.morrisonmahoney.com