Alert

October 6, 2020

The Potential Monetary Consequences of a Data Breach Serve as a Strong Reminder to Proactively Address Cybersecurity Concerns

Cybersecurity breaches can cause significant strain on any business. Unfortunately, as we have previously reported, the number, frequency, and variety of cyberattacks continue to rise. And recent news indicates that dealing with the consequences of a breach is becoming more difficult, particularly for businesses that are not proactive in their cybersecurity programs.

Government Fines and Civil Settlements Are on the Rise

The US Department of Health and Human Services' Office for Civil Rights (OCR) is the agency responsible for investigating and enforcing violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR recently announced the second-largest penalty it has ever imposed in response to a cyber breach. Premera Blue Cross, the largest health plan in the Pacific Northwest, agreed to pay $6.85 million for a 2015 data breach that exposed the personal information, including Social Security numbers and health care information, of approximately 10.4 million individuals. In addition to the penalty, Premera agreed to pay $32 million to settle multi-jurisdictional litigation brought by the affected individuals. Premera is also required to carry out a “robust corrective plan” that will be subject to government oversight.

It was also announced last week that Anthem, Inc., one of the largest health insurers in the country, has agreed to pay $39.5 million to resolve the claims of 40 states arising from a breach that affected approximately 80 million customers and exposed Social Security numbers, income data, and other personal details. This comes on top of the $115 million Anthem has already agreed to pay to resolve a customer class action and the $8.7 million it has agreed to pay in California. Like Premera, Anthem is also required to implement corrective measures.

While these extraordinary sums reflect the vast number of affected individuals, the cases serve as a clear warning that businesses must be proactive about cybersecurity. As these and other, smaller cases show, government fines and civil liabilities are significantly higher when a business’s safeguards are found to be deficient. The government investigation of Premera, for example, found that the company had engaged in “systemic noncompliance” with applicable data security rules, including its failure to conduct an “enterprise-wide risk analysis” and to implement risk management and auditing tools. The lawsuits against Premera also alleged that the company lacked adequate data security measures and had failed to fix security flaws identified by both internal and external audits. In the Anthem case, government officials accused the company of “lax security and oversight” for failing to keep its antivirus software up to date and to identify potential vulnerabilities in its systems.

These factors undoubtedly contributed to the size of the fines and settlements in these cases, and we expect them to weigh heavily in government investigations and civil suits going forward.

Private Civil Lawsuits Are Gaining More Traction

Another key factor is a company’s potential exposure to lawsuits by affected individuals. These suits continue to gain traction in the courts. The threshold issue is whether the individuals whose personal information has been exposed have been “damaged,” even if there is no evidence that the information has actually been used to commit identity theft in some manner. Courts are split on this issue, but several courts have recently found that the mere exposure of personal information is sufficient to sustain a lawsuit. In those cases, the courts have focused on the nature of the breach, the type of data that was exposed, and whether the breach was attributable to significant alleged failures in the defendant’s data security program. As the number of data breaches affecting small to midsize companies continues to rise, we expect courts will continue to divide on this issue.

The US Government Just Complicated the Response to Ransomware Attacks

Adding to the potential exposure of businesses, the US Treasury Department announced last week that victims of ransomware attacks may face liability for paying ransoms. A company that pays a demanded ransom, and any company that helps make the payment, such as an insurer, an incident response firm, or a consultant, could face liability if the criminal actor turns up on a US sanctions list, such as the Specially Designated Nationals and Blocked Persons (SDN) List. The Office of Foreign Assets Control (OFAC), a division of the Treasury Department, administers the regulations that prohibit US persons from transacting with these designated parties, and its October 1, 2020, advisory makes clear that those existing prohibitions apply to ransomware payments.

In staking out its position, OFAC stated that it “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Companies in violation could face fines of up to $20 million. In considering whether to impose such fines, OFAC said it will consider a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome . . .” Expect a wide range of outcomes as OFAC begins to enforce the position set out in its advisory.

The advisory does not rest on an entirely new concept. The FBI has long discouraged companies from making ransom payments so as not to encourage the criminal conduct, but it has not typically sought to prevent ransom payments or to penalize those who make them. OFAC appears to want to be more proactive. In stating its rationale, OFAC noted, “Ransomware payment benefits illicit actors and can undermine the national security and foreign policy objectives of the United States.” The only way to definitively avoid liability is to obtain a license from OFAC, and the agency has said that license applications involving ransomware payments will be reviewed on a case-by-case basis with a presumption of denial.

What Can You Do to Mitigate Your Potential Exposure?

As we have noted in prior alerts, cybersecurity laws continue to expand. Government investigators are particularly unsympathetic to businesses whose cybersecurity practices fall short of applicable laws and regulations, and the lawsuits that allege sub-par cybersecurity practices are the ones that tend to result in larger settlements. It is therefore more important than ever for businesses to ensure they are meeting the minimum cybersecurity standards required by law.

In New York, for example, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, whose data security provisions took effect in March 2020, sets out six cybersecurity requirements. Nearly every business that maintains or processes the private information of New York residents must:

  • Designate one or more employees to coordinate a security program.
  • Identify the “reasonably foreseeable” internal and external risks to the business’s electronic systems.
  • Assess the sufficiency of existing safeguards to control those risks.
  • Train and manage employees in data security.
  • Select service providers capable of maintaining appropriate safeguards, and require those providers by contract to follow them.
  • Adjust the security program whenever the potential risks change, or the type of data processed or the manner in which it is processed changes.

Failure to address these basic requirements can result in significant government penalties and potential civil liability if a data breach occurs.

Meeting these requirements can be daunting, but there is a practical way for your business to begin developing a cybersecurity program.

It all starts with understanding what private information your business has, how you use it, and where it is stored. This is sometimes referred to as “data mapping.” By mapping this information, you can begin to identify and address your potential risks. Questions to work through include:

  • Does your business even collect or maintain “private” information? If it does, is it necessary?
  • If it is necessary, is the information kept in one place, or is it dispersed across different systems and servers?
  • Is access to the information limited to only those people who need it to perform their jobs?
  • Are your systems password protected? Does each user have a unique account and a strong password?
  • Is multifactor authentication required to log in to those systems?
  • Is the data encrypted?
  • Do you have appropriate firewalls, anti-malware software, and antivirus software?
  • Are those programs and your other software, including web browsers and operating systems, regularly updated?

Once you have answered these questions, you can develop a cybersecurity plan that meets the SHIELD Act or other legal requirements, either by modifying how you do business in the first place or by implementing the policies, practices, and technology needed to address the risks to your systems.

If you have any questions about how to develop a cybersecurity plan or comply with any legal or regulatory requirements, Barclay Damon’s Cybersecurity Team can assist.

If you have any questions regarding the content of this alert, please contact one of the Cybersecurity Team’s leaders, Nick DiCesare, at ndicesare@barclaydamon.com, or Kevin Szczepanski, at kszczepanski@barclaydamon.com, or another member of the team.
