Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

March 3, 2021
Please email questions to cybersecurity@morrisonmahoney.com.
IN CASE YOU MISSED IT...
  • Never Trust, Always Verify: The National Security Agency (NSA) has released the Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred. 

  • Assume the Worst: What does Zero Trust mean in the real world? If you have a device, assume it's compromised. If you receive an email requesting a critical resource (or money), assume it's phishing. 

  • For Our U.K. Friends: The London-based National Cyber Security Centre (NCSC) has released a free online tool called the "Cyber Action Plan" designed to assist small businesses in protecting themselves against cyberattacks. Users can fill out a 3-5 minute long questionnaire about their business and be provided with customized advice on how to better protect against cybercrime. It's a basic tool and will provide basic recommendations, but it's a great place to start for any business looking to begin establishing a resilient cybersecurity program.

VIRGINIA ENACTS COMPREHENSIVE PRIVACY LAW
On Tuesday, March 2, Gov. Ralph Northam signed the Virginia Consumer Data Protection Act, a comprehensive data privacy law which will go into effect on January 1, 2023 and apply to all non-exempt businesses that control or process the personal data of at least 100,000 consumers, derive more than 50 percent gross revenue from the sale of personal data or process the personal data of at least 25,000 consumers.
The Act is similar to the CCPA in many ways, although there is no Private Right of Action. For example, Virginia residents will now have the rights to confirm whether or not a controller is processing personal data; to access such personal data; to correct inaccuracies; to delete personal data provided by or obtained about the consumer; to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and to opt out of the processing of the personal data for certain purposes, such as targeted advertising and the sale of the data.
While 11 months seems like a long time, it is not in the context of Act compliance. It took most businesses longer than that to become CCPA compliant, and many are still struggling. We will bring more details on the Act, and how to comply, in the near future. 
RANSOMWARE & HOSPITALS
In the past year, there has been an unprecedented rise in cyberattacks on hospitals and healthcare organizations. The findings in a recent report ("U.S. Healthcare Cybersecurity Market 2020") reflect what we have seen in the trenches: more than 90 percent of all healthcare organizations reported at least one security breach in the last three years, and 61% of healthcare businesses acknowledged they don't have effective mechanisms to maintain proper cyber hygiene. Yet another report reveals that healthcare data breaches were up 55.1% last year from 2019, and the average cost of a breach in healthcare increased 10.5% from 2019 to 2020, with the cost per breached record rising 16.3%, from $429 two years ago to $499 last year. We won't name names, but if you did a simple Google search for "Hospital Data Breach," you would quickly find millions of results, with dozens and dozens of recent breaches and an equal number of recent lawsuits. And unlike in other industries, the consequences of a cyberattack at a hospital can be deadly; just recently authorities in Germany announced that a ransomware attack caused the failure of IT systems at a major hospital in Duesseldorf, causing the death of a woman who needed urgent medical attention after she had to be transported to another city for treatment.
All of these facts are troubling. There are more breaches, increased costs and no end in sight. Ransoms are being paid with increased and alarming frequency, and without any guarantee that the stolen information has been contained and won't be disseminated. For example, last month a California based provider of medical and surgical eye care services was informed by its storage vendor that the vendor's systems were hacked and the protected health information of almost 30,000 patients was stolen in a ransomware attack. A decision was made to pay the ransom, and the hackers returned the stolen information along with an assurance that no copies of the data were made. Would that make you sleep better at night if you were responsible for the data, or if you were a person whose private information was stolen? Probably not. 
Recognizing that ransomware has emerged as the largest cyber threat facing hospitals today, the Center for Internet Security, Inc. (CIS) recently announced that it is launching a no-cost ransomware protection service, Malicious Domain Blocking and Reporting (MDBR), for private hospitals in the United States, including independent hospitals, multi-hospital systems, hospital-based integrated health systems, post-acute patient care facilities, and psychiatric, rehabilitation, or other specialty hospitals. According to CIS, more than 1,000 U.S. State, Local, Tribal, and Territorial government organizations already have a successful track record using MDBR through a federally funded pilot program via the MS-ISAC, and from its inception through the beginning of this year, the MDBR service has blocked more than 748 million requests for known and suspected malicious web domains, which might have resulted in a ransomware infection or other harmful cyberattack. In December 2020, there were nine instances of ransomware domains being blocked by MDBR for a group of nine U.S. public health organizations already on the service, and during the same month, MDBR prevented malicious requests for over 4,200 known malware domains, 50 known phishing domains and 15 known command-and-control domains.
CIS claims that MDBR is an effective and easy-to-implement tool in the defense-in-depth or multi-layered approach to cyber best practices that can help prevent cyber threats against hospital systems before they start, and CIS is correct. (To learn more about and/or sign up for CIS's MDBR service for U.S. private and public hospitals, click here.) But MDBR is just one piece of what is needed for a comprehensive cyber program. In many, if not all ways, it comes down to the basics: strong e-mail policies, ongoing training, robust vendor management, and cyber insurance, to name a few. In terms of risk management in the cyber world, there can never be enough. But there can be effective and efficient (and even free) ways to mitigate risk if you stay on top of the latest developments.
Florida District Court Recommends Denial of Settlement Because Plaintiffs Lack Standing in Data Breach Case
Last month, a federal district court in Florida denied the plaintiffs' motion for preliminary approval of a class action settlement reached with the defendant, Earl Enterprises Holdings, Inc., in a data breach case. Hymes v. Earl Enters. Holdings, Case No. 6:19-cv-644-CEM-GJK (M.D. Fla. 2021). The case arose from a breach that occurred at various restaurants owned by the defendant between May 2018 and March 2019. Specifically, the plaintiffs alleged that 2.15 million payment card numbers were stolen from the defendant's restaurants and placed on the dark web for sale. The class representatives were (1) New York residents who cancelled their credit cards prior to any unauthorized charges and (2) California residents who discovered unauthorized charges but were reimbursed for them. The parties proceeded to an early mediation and agreed upon an initial resolution which included a settlement fund of $650,000 from the defendant. The plaintiffs then filed an unopposed motion for approval of the settlement.
In determining that the class representatives lacked standing to sue, the District Court relied primarily upon two recent decisions from the Eleventh Circuit. In 2020, the Eleventh Circuit rejected a plaintiff's argument that being exposed to an elevated risk of identity theft conferred standing. Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020). There, the court concluded that exposure to an elevated risk of identity theft is neither direct harm nor "anything approaching a realistic danger." Id. at 933. The Eleventh Circuit remanded the case to the district court for dismissal.
Less than four months later, and just days before the District Court's decision in Hymes, the Eleventh Circuit issued a similar decision in Tsao v. Captiva MVP Restaurant Partners, LLC, 2021 WL 381948 (11th Cir. 2021) (discussed in our last newsletter). There, much like in Hymes, the plaintiff alleged that credit card information may have been accessed by hackers in a data breach. After learning of the breach, the plaintiff cancelled his credit cards. The Tsao defendant filed a motion to dismiss for lack of Article III standing, which the district court granted. On appeal, the plaintiff argued that dismissal was improper because he had already suffered loss of time, rewards points, and access to his accounts, and because he could suffer future injury from the breach. The Eleventh Circuit rejected both arguments, citing the fact that most data breaches do not result in "detected incidents of fraud on existing accounts" and that generally stolen credit card information alone cannot be used to open unauthorized accounts. Id. at *7. The Eleventh Circuit also pointed to the fact that the plaintiff had cancelled his credit cards, such that the risk of future credit card fraud was effectively eliminated.
In applying the Eleventh Circuit's recent authority to the facts in Hymes, the District Court concluded that the plaintiffs' motion failed to establish standing, in that there were no allegations that the plaintiffs actually paid for the unauthorized charges, if any. The Hymes court therefore recommended that the motion for approval of settlement be denied. The District Court also cited other concerns with the terms of the agreement, including that it contemplated a service award to the plaintiffs without any description of what the service award compensates the plaintiffs for. The court warned that "Supreme Court precedent prohibits awards to class representatives that compensate the representatives for their time and reward them for bringing a lawsuit." (Doc. No. 73, p. 28).
We will continue to keep you updated on all of the important developments with respect to data breach standing cases.  

European Commission Draft Decision: UK GDPR Passes Muster for Cross-Border Data Transfers
One of the most impactful policies implemented under the General Data Protection Regulation (GDPR) is the general prohibition of cross-border data transfers from within the European Union (EU) to a non-member state outside of the EU, unless one of several enumerated exceptions applies. One of these exceptions is when the European Commission issues a decision that the country outside the EU to which the data is transferred has an adequate level of data protection. Obtaining this designation is no rubber-stamp process. Out of the G-20 (in terms of national economy, the world's 19 largest countries, plus the EU), only Argentina, Canada (for commercial organizations), and Japan have received this designation from the EU. Accordingly, there was a question, following Brexit, of whether the United Kingdom, now a non-member state, would receive this designation. A lot was riding on the decision because if the UK did not receive the designation, any organization transferring data from within the EU to the UK would have had to take steps to ensure that another exception, such as standard contractual clauses or binding corporate rules, would govern the data transfers.
To the relief of many, on February 19, 2021, the European Commission issued a draft decision establishing that the UK does indeed ensure an adequate level of protection for personal data transferred from the EU to the UK. UK data protection policy has evolved in the past two years. Initially, with the UK a part of the EU, the UK was subject to the GDPR. During a transition period between January 31, 2020, when the UK withdrew from the EU, and December 31, 2020, EU law continued to apply in the UK. Thereafter, the UK data protection law, entitled the UK GDPR and based on the GDPR, went into effect. With respect to the European Commission's decision, the next steps include the European Data Protection Board's submission of an opinion regarding the adequacy of the UK GDPR, followed by the decision going before member state representatives for approval. The adequacy decision will be valid for a period of four years, after which time it will come up for review again.
Given the uncertainty surrounding Brexit ever since the determinative 2016 vote, the European Commission’s draft decision is good news for organizations that transfer data from the EU to the UK.  Nevertheless, these organizations should stay tuned in to any further developments, as there are still a few steps before the adequacy decision is finalized.  In the meantime, organizations are wise to consult with counsel to ensure that their cross-border data transfers and other data practices are legally compliant.
This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com or Robert Stern at rstern@morrisonmahoney.com.
With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212 | www.morrisonmahoney.com