Workforce Bulletin

Since the dawn of digitalization, the collection and retention of personal and other business confidential data by employers has implicated security and privacy challenges—by amassing a treasure trove of data for bad actors (or unwitting/unauthorized employees) and drawing a roadmap for those seeking to breach the system. Adding artificial intelligence (AI) into the mix creates further areas of concern. A recent survey undertaken by the Society of Human Resource Management of more than 2000 human resources professionals indicates that AI is being utilized by the majority of ...

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly published a new resource as part of their ongoing efforts to promote awareness of, and help organizations defend against, supply chain risks. The publication, Defending Against Software Supply Chain Attacks, provides recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks.

Software supply chain attacks occur when a cyber threat actor infiltrates a software ...

While businesses and their employees continue to operate in the “new frontier” of working-from-home during the COVID-19 pandemic and the gradual reopening of the economy, a serious risk continues to present itself: the threat of cybercrime. The increased use of remote access to work systems and related applications has made businesses a prime target for those unscrupulous individuals seeking to encroach on companies’ cyber-landscape. Flaws in VPNs, firewalls, and videoconferencing, for example, have exposed many companies’ electronic infrastructures to these incursions. Similarly, the at-home workforce has increasingly been subjected to social engineering attacks often cloaked as communications purporting to provide information about pandemic-related issues.

In addition to the technical measures necessary to confront these threats, businesses would be well-advised to ensure that their cyber insurance is up to date and responds to this challenging new environment. Such coverage may be found in a variety of insurance, including property policies, commercial crime bonds or in stand-alone cyber risk policies. Regardless of where it resides, cyber insurance typically provides coverage for data breaches, ransomware attacks and employee wrongdoing, and for loss of business income occasioned by covered occurrences.

While the jurisprudence related to these issues continues to develop, some recent cases provide insight into how courts may decide cyber coverage questions in the current environment. 

Ransomware - Covered

Earlier this year the U.S. District Court for the District of Maryland considered the issue of how first-party “computer coverage” responded to data loss resulting from a ransomware attack. In National Ink & Stitch, LLC v. State Auto Property & Casualty Ins. Co., No. SAG-18-2138, 2020 WL 374460 (D. Md. Jan. 23, 2020), the insured was an embroidery and screen printing business that stored business-related art, logos, designs and graphics software on a server that became compromised by a ransomware attack. Id. at *1. As a result, the insured needed to recreate stored data that it was unable to access because of the incursion. Id. Further, after the software was replaced and reinstalled by experts, there remained a likelihood that remnants of the virus lingered on the system, leaving the insured with the unpalatable choice of either “wiping” the entire system or purchasing a new server. Id.

The policy at issue responded to “direct physical loss of damage to Covered Property at the premises…caused by…any Covered Cause of Loss.” Id. “Covered Property” included electronic data processing, recordings or storage media such as film, tapes, disks, etc. in addition to data stored on such media. Id. at *1-2. Software was included as “covered property” in the policy. Id. at *1. The insurer denied the claim on the basis that the insured had not experienced direct physical loss or damage to its computer system to justify reimbursement of the cost of replacing the entire system. Id. at *2. That is, because the insured “only lost data and could still use its computer system,” the insurer took the position that there was no “direct physical loss” and, therefore, no coverage. Id.

In finding that the insured should be reimbursed for its losses, the court determined that the plain language of the policy “contemplates that data and software are covered and can experience ‘direct physical loss or damage’” Id. at *3. The court refused to credit the insurer’s argument that a loss of software and its related functionality was not a direct loss to tangible property simply because the insured could still use the system albeit in a diminished fashion. Id. Instead, relying on relevant case law, the court it recognized that the insured’s computer system, while still functional, had been rendered inefficient and its storage capability was damaged in a way that its data and software could not be retrieved. Id. at *4. Accordingly, the court ruled that the policy did not require the computer system to be completely unable to function in order to constitute covered “physical loss or damage”. Id. at *5.

In granting summary judgment in favor of the insured, the court viewed the system’s loss of use and reliability and impaired function to be consistent with the “physical loss or damage to” language in the policy. Id. This was so because “not only did [insured] sustain a loss of its data and software, but [it] is left with a slower system which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.” Id.

New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020 ...

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology ...

We published an article with NYSBA Labor and Employment Law Journal, titled “Employee Threats to Critical Technologies Are Best Addressed Through a Formalized Insider Threat Risk Assessment Process and Program.” With the New York State Bar Association's permission, we have linked it here.

It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be ...

By Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how companies operate. It seems to be business as usual, as your hospitality company continues to collect, use and transmit large amounts of sensitive data to operate the business. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse ...

By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how companies operate. It seems to be business as usual, as your hospitality company continues to collect, use and transmit large amounts of sensitive data to operate the business. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse ...