Data Security Roundup—August 2016
In-House Counsel Tip
Be aware that President Obama recently issued a Presidential Policy Directive on United States Cyber Incident Coordination. The Directive explains how the federal government will prioritize and respond to significant cyber incidents, and how it will deal with private companies who are impacted. Contact us for more information on how this may impact your company.
Executive and Regulatory Developments
DHS and DOJ Issue Guidelines for CISA
After much consternation and debate, the Cybersecurity Information Sharing Act of 2015 (CISA) passed with a whimper in late December 2015 as a small part of the omnibus Consolidated Appropriations Act. In mid-June, the Department of Homeland Security (DHS) and Department of Justice (DOJ) released guidance for non-federal entities on how to share and receive "cyber threat indicators" and "defensive measures." Non-federal entities can now share both types of cybersecurity information automatically with the federal government by joining the Automated Indicator Sharing (AIS) program, or manually by email or web form. They may also share such information through existing DHS programs. Regardless of the method, private entities that share such information with the DHS receive several protections under CISA, including protection from liability caused by the sharing of such information, as well as exemption from federal and state disclosure laws and regulatory enforcement actions stemming from the sharing of such information. The scope and efficacy of these protections have not been tested. Under CISA, private entities may also share cyber threat indicators and defensive measures amongst themselves, but such sharing does not provide the same protections as sharing with the DHS, apart from some liability protection. The full text of the non-federal entity guidance can be found here.
FBI and Secret Service Support FCC's Data Breach Proposal for Broadband Providers
On July 5, 2016, the Federal Bureau of Investigation (FBI) and United States Secret Service (USSS) jointly submitted comments in support of the Federal Communications Commission's (FCC) plan to extend data breach notification rules to broadband providers. The FCC's data breach proposal was introduced in April in an effort to extend the privacy requirements of the Communications Act to Internet Service Providers (ISPs) and would require ISPs to obtain consumer consent before tracking online activity. The FBI and USSS support the FCC's proposals to allow for delay of notification to customers when the notification would interfere with criminal or national security investigations, and to provide early notification of any breach to federal law enforcement agencies to facilitate coordination and information collection. Critics of the FCC's proposal argue that the proposed rules are overly burdensome and legally questionable. Among their concerns, critics argue that the proposals would unfairly restrict the use of broad classes of non-sensitive information among ISPs and would require notification to customers even in the event of unsuccessful breach attempts. Next, the FCC will decide whether to proceed with the proposed rulemaking, or issue a new or modified proposal. The full text of the FBI and USSS comments can be found here.
Shareholder Derivative Claims Against Target Executives Over Credit Card Data Breach Dismissed
On July 7, 2016, a federal court in the District of Minnesota dismissed derivative claims filed by Target shareholders against the company's executives and directors, stemming from the 2013 payment card breach that impacted up to 70 million Target customers. Target's motion to dismiss followed the release of a 91-page report prepared by a Special Litigation Committee (SLC) established by Target under a Minnesota law that permits companies to appoint special committees to review shareholder claims and submit recommendations regarding the pursuit of those claims. Over the course of its 21-month investigation, the SLC conducted 73 interviews, consulted with outside counsel and experts, and engaged in more than 100 meetings. In its final report, the SLC decided it was "not in Target's best interests to pursue derivative claims arising out of the 2013 data breach against the named officers and directors." In June, following the release of the final report, the plaintiffs stipulated to the dismissal of all shareholder claims. And this month, after the 30-day period for stakeholders to intervene had lapsed, the district court dismissed the shareholders' derivative claims without prejudice.
Microsoft Cannot be Compelled to Turn Over E-mail Data Held Overseas
On July 14, 2016, the Second Circuit handed Microsoft a victory when it held that the Stored Communications Act (SCA) does not authorize warrants against US-based service providers for content "stored exclusively on foreign servers." The dispute concerned a warrant application by the United States for the contents of a Microsoft customer's email account in connection with a narcotics trafficking investigation. Microsoft produced all information it held in the United States, as directed, but refused to produce data stored on the company's servers in Ireland. The Second Circuit rejected the government's argument that an SCA warrant requires records and other materials be produced "no matter where those documents are located, so long as they are subject to the recipient's custody or control." The Court explained that "[w]arrants traditionally carry territorial limitations"; therefore, warrants issued to seize items in the United States do not extend beyond the United States. Additionally, the Court stated that it was bound by the Supreme Court's recent rulings emphasizing the "presumption against extraterritoriality" for warrants.
Illinois, Nebraska, and Tennessee Amend Data Breach Notification Laws
Illinois, Nebraska, and Tennessee recently amended their data breach notification laws to broaden the scope of protectable data and refine notification procedures in the event of a security breach. Illinois and Nebraska both expanded the definition of "personal information" to include online account credentials (i.e., a user name or email address combined with a password or security question and answer that would permit access to an online account). Illinois additionally created new categories of "personal information" covering certain medical, health, and biometric information. All three states also amended provisions that previously created a safe harbor for encrypted data. Whereas Illinois and Nebraska have clarified those provisions, providing further guidance that data breaches involving encrypted data will still trigger notification obligations if the encryption key has also been acquired, Tennessee became the first state to eliminate the automatic safe harbor entirely. Under the amended Tennessee law, entities can no longer escape notification obligations simply by encrypting their data, though encryption may be considered when determining whether personal information has been "materially compromised." Tennessee also established a new statutory notification deadline that requires notice to individuals within 45 days of discovering a data breach, and Nebraska now imposes a new obligation to notify the state Attorney General no later than the time that notice is provided to individuals. Other amendments to Illinois' data breach notification law include updated data security requirements for data collectors and new requirements for contracts with third parties to narrow the possibility of unauthorized disclosures of personal information pursuant to the contract. The full text of the amended data breach notification laws is available through the following links: IL, NE, and TN.
Nebraska's and Tennessee's amended laws took effect in July 2016; the Illinois amendments will go into effect on January 1, 2017.