Utah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generally Utah Code Ann. § 78B-4-701 et seq.

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a social security number, a financial account number in combination with a required security code, or a driver’s license number.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that a business that “creates, maintains, and reasonably complies with a written cybersecurity program” that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business’s alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

While the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “shall provide administrative, technical, and physical safeguards to protect personal information” and that the program “reasonably conform[] to the current version of” NIST 800-171, NIST 800-53, ISO 27000, or the HIPAA Security Rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether, this requirement for a written cybersecurity program is not entirely dissimilar to the cybersecurity program requirements imposed on businesses under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we further outlined here.

There are a couple of other notable provisions of the Act.  First, the Act does not create a private right of action if a business fails to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state but is governed by Utah law, then the Act should apply.  Utah Code Ann. § 78B-4-705.  As such, if a Utah business is sued for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had and followed its written cybersecurity program.  Moreover, Utah isn’t alone in providing for an affirmative defense, as Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354 et seq.

Beckage closely monitors for any and all changes in the law related to breaches of system security, data breaches, or other cyber security incidents.  Beckage’s team of attorneys and technologists is especially attuned both to responding to a data breach and to understanding what a robust written cyber security program would entail.

*Attorney Advertising. Prior results do not guarantee future outcomes.


United States Department of Homeland Security (DHS) Announces New Grant Plan to Slow Epidemic Spread of Cyber Attacks

Businesses may be able to breathe a small sigh of relief that some help may be coming against the persistent threat of ransomware attacks.  The DHS announced that significant funds will be provided to a number of public and private sector recipients to help improve the nation’s protection against data security attacks and other crises.

The Feb. 25 Announcement

On February 25, 2021, DHS announced its funding notice for several different types of cyber preparedness grants worth nearly $1.87 billion.  After noting a rise in both the number and complexity of cyber threats faced by communities, including targeted ransomware attacks on infrastructure, hospitals, and transportation systems, DHS identified five critical priority areas for attention in its fiscal 2021 grant cycle: 1) cybersecurity; 2) soft targets and crowded places; 3) intelligence and information sharing; 4) domestic violent extremism; and 5) emerging threats.  These grant programs provide funding to state, local, tribal/territorial governments, transportation authorities, nonprofit organizations, and the private sector to improve the nation’s readiness in preventing, protecting against, responding to, and recovering from terrorist attacks, major disasters, and other emergencies.

The DHS announced several non-competitive grants which are to be awarded to recipients based on several factors:

  • State Homeland Security Program – The State Homeland Security Program provides $415 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets;
  • Urban Area Security Initiative – The Urban Area Security Initiative provides $615 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas;
  • Emergency Management Performance Grant (“EMPG”) – EMPG provides more than $355 million to assist state, local, tribal, and territorial governments in enhancing and sustaining all-hazards emergency management capabilities; and
  • Intercity Passenger Rail – Amtrak Program – The Amtrak Program provides $10 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system.

Moreover, the DHS announced several competitive grants, including:

  • Operation Stonegarden – Operation Stonegarden provides $90 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders;
  • Tribal Homeland Security Grant Program – The Tribal Homeland Security Grant Program provides $15 million to eligible tribal nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards;
  • The Nonprofit Security Grant Program – The Nonprofit Security Grant Program provides $180 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack;
  • Port Security Grant Program – The Port Security Grant Program provides $100 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities;
  • Transit Security Grant Program – The Transit Security Grant Program provides $88 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure; and
  • Intercity Bus Security Program – The Intercity Bus Security Program provides $2 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Impact on Business

Private sector businesses can apply for these grants, especially if they are in the process of developing and creating cyber defense and other data protection tools.  Grant information can be found here.

Beckage has responded to countless data breaches and is always encouraged to see more dollars that foster collaboration between the public and private sectors to help defend and protect U.S. businesses.

If you have questions about the grant dollars or how to apply, please contact a Beckage attorney at 716.898.2102.


Upcoming National Data Breach Notification Legislation

Amid growing pressure in the wake of the allegedly state-sponsored SolarWinds cyber attack, federal legislators on both sides of the aisle have expressed renewed interest in a federal data breach notification law.  Currently, each state has its own data breach notification law governing notice requirements to individuals, state attorneys general, and credit reporting agencies when personally identifiable information such as names, social security numbers, and credit card information is accessed or acquired as part of a data breach.  As a result, data breach response involves a host of competing timelines for businesses to notify various individuals and organizations.  This can prove to be inconsistent, complex, costly, and time consuming.

In an attempt to streamline the data breach notification process, Representatives Michael McCaul (R-TX-10), ranking member of the House Foreign Affairs Committee, and Jim Langevin (D-RI-2), chair of the House Armed Services Committee’s cybersecurity subcommittee, are drafting a bill which would create a mandatory federal breach notification requirement.  The proposed bill would involve removing sources, methods, and names from notifications and sending them to the Cybersecurity and Infrastructure Security Agency (“CISA”).  Moreover, the proposed bill will incorporate input from the Cyberspace Solarium Commission, a group established by Congress and composed of lawmakers and other officials with the purpose of developing a strategic approach to our nation’s defense against cyberattacks.  The Cyberspace Solarium Commission released its first report in March 2020 calling for several government reforms including, but not limited to: issuing an update to our National Cyber Strategy; establishing permanent House and Senate Committees on Cybersecurity; and strengthening CISA.

Moreover, the proposed bill is expected to be based, in large part, on legislation previously drafted by Rep. Langevin in 2017 entitled the “Personal Data Notification and Protection Act of 2017” (“PDNPA”).  See Personal Data Notification and Protection Act of 2017, H.R. 3806, 115th Cong. (2017).  The PDNPA was introduced in the House on September 18, 2017, in the wake of the Equifax breach, but died in committee as political energy began to change focus.

The PDNPA required, in relevant part, that “any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify…any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”  See id. at § 2(a).

Notice under the PDNPA was to be completed by one of the following methods: i) written notification to the last known home mailing address of the individual in the records of the business entity; ii) telephone notification to the individual personally; or iii) e-mail notification, if the individual consented and if consistent with section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or, if the number of individuals affected exceeded 5,000 persons, notification could have been provided through media “reasonably calculated to reach such individuals.”  See id. at § 7.

Similarly, the PDNPA required a business entity that suffered a data breach affecting more than 5,000 persons to notify credit reporting agencies.  See id. at § 6.  The PDNPA gave the Federal Trade Commission authority to enforce penalties; however, it also recognized that state attorneys general could, in the interest of the residents of their state, bring civil actions against violators imposing fines of $1,000 per day per individual whose personally identifiable information was exposed, with a maximum of $1,000,000 per violation unless the business entity’s conduct was found to be willful or intentional.  See id. at §§ 8-9.

Finally, the PDNPA was to supersede all state laws regarding breach notification by a business entity engaged in interstate commerce that suffers a data breach.  See id. at § 10.  Although the PDNPA was never enacted, the proposed legislation will likely closely mirror the above-referenced terms.

The Beckage Incident Response team will continue to monitor any developments regarding a national data breach notification law and will update its guidance accordingly.  Our attorneys are nationally recognized for their experience working on data breaches, including some of the most notorious cyber incidents in recent history.  If your business is in the midst of navigating the complexities surrounding a recent data breach, our team can be reached anytime via our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.


DFS February 2021 Guidance To Cyber Insurers

On February 4, 2021, the New York State Department of Financial Services (DFS) issued specific guidance to property/casualty insurers writing cyber insurance policies, known as the Cyber Insurance Risk Framework (“Framework”).  DFS described itself as the first U.S. regulator to issue specific guidance on cyber insurance, explaining that the suggestions in the Framework are based on continued dialogue with the insurance industry and experts in cyber insurance regarding the shifting cybersecurity landscape.

With the Covid-19 pandemic forcing companies to shift to a remote workforce, cybercrimes like ransomware and malware attacks have drastically increased in frequency, severity, and cost to victimized companies.  Cybercriminals use payments extorted through ransomware to fund more frequent and sophisticated ransomware attacks, emboldening them to target other organizations and widen their campaigns.  The widespread use of ransomware has pressured cyber insurers to increase rates and tighten underwriting standards for cyber insurance.

DFS advises New York regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risk that is approved by a board or other governing entity.  The Framework acknowledges that strategies should be proportionate to each insurer’s risk based on the insurer’s size, resources, geographic distribution, market share, and industries insured.  It is important to note that the Framework constitutes a list of best practices and suggested approaches and does not yet constitute rules or regulations for the insurance industry.

The Cyber Insurance Risk Framework encourages cyber insurers to formalize a Cyber Insurance Risk Assessment Strategy that is managed by a governing body and establishes and/or formalizes qualitative and quantitative measures and goals for cyber risk that incorporate six best practices identified by DFS:

1. Manage and Eliminate Exposure to “Silent” Cyber Insurance Risk

Cyber insurers should determine whether they are exposed to silent or non-affirmative cyber insurance risk, i.e., an insurer’s obligation to cover cyber incident losses under a policy that does not explicitly mention cyber incidents.  The Framework suggests that insurers evaluate their silent risk exposure and take steps to minimize that exposure.

2. Evaluate Systemic Risk

Cyber insurers should conduct regular systemic risk evaluations and plan for potential losses.  Increased reliance on third-party vendors has caused systemic risk to grow significantly; thus, insurers should understand the third parties used by their insureds and model the effect of catastrophic cyber events that may result in simultaneous losses across many policyholders.

3. Rigorously Measure Insured Risk by Using Data

Cyber insurers should use a comprehensive, data-driven approach to assess their insureds’ potential gaps and cybersecurity vulnerabilities.

4. Educate Insureds and Insurance Producers

Cyber insurers should educate their insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations of cyber insurance.

5. Obtain Cybersecurity Expertise

Cyber insurers can use strategic recruiting practices to hire employees with cybersecurity experience and invest in their training and development.

6. Require Notice to Law Enforcement

In the event of a cyberattack, cyber insurance policies should require that victims notify and engage law enforcement agencies to help recover lost data and funds.

This guidance brings operational and other challenges to those in the property/casualty insurance market.  It also adds new potential requirements for insurers to pass along to their insureds.  For example, insureds may not know that their policy will require notification of law enforcement, and they may have reasons not to notify law enforcement; if they choose not to, that choice can lead to a coverage dispute.

Beckage advises those in the insurance industry on risk management, cybersecurity best practices and measures, third-party vendor management, and incident response.  Beckage also works with global clients to evaluate risk management, including opportunities to obtain various cyber and tech related coverage.  We can be reached 24/7 via our data breach hotline at 844.502.9363 or IR@beckage.com.


The Emotet Attack Gets Attacked

Having responded to numerous malware and ransomware incidents, we have seen that cyber threats are persistent but not impenetrable.  The thing that pokes holes in companies’ IT environments can itself be vulnerable, as a recent incident with Emotet has shown.  This recent occurrence can hopefully provide businesses with assurance that government, like private industry, is working hard to push back on cyber threats.

What is it? 

Emotet is an extremely well-traveled bit of malware.  It has spread far and wide across the globe and led to countless data incidents via automated phishing emails.  By luring recipients not only to open a spam email but then to download an attachment or click a link, whether it be a fake invoice or COVID-19 vaccine information, Emotet tricked recipients into installing malware on their systems that then opened a gateway to the botnet’s infrastructure.  Continuously since 2014, the Emotet botnet has run more phishing campaigns, convinced more individuals to download malware disguised as attachments, and opened more gateways to more Windows systems, calling out to and then preserving a point of access into an unsuspecting party’s environment.

Why is it dangerous? 

Think of every successful introduction of Emotet malware onto a computer as opening a gateway to that system.  Then think of all the gateways being amassed by the group that controls Emotet.  Now imagine that team saying to a global community of cyber attackers, “Which gateways would you like to purchase access to in order to deploy your ransomware or whatever attack you have in mind?”  The result has been, according to Ukrainian law enforcement, $2.5 billion in damages from resulting attacks.  Popular ransomware variants like Ryuk are known to have paid for that access and contributed to the resulting financial hardship.  So Emotet may not be the illegal drug, but it is the needle delivering it.

What happened? 

The FBI, Europol, the Royal Canadian Mounted Police, the National Police of Ukraine, the UK’s National Crime Agency, and other international law enforcement agencies, with the aid of private researchers, embarked on an expansive raid on Emotet, reportedly two years in the making.  Operation Ladybird, as it was known, sought to take over a command-and-control network of servers in over 90 countries.  The result?  A success.  The Emotet disruption was pulled off by replacing the machines at the center of the botnet’s infrastructure with computers controlled by law enforcement, allowing law enforcement to negate any further requests from the malware to the botnet and prevent further malicious activity.  The infrastructure that controlled the Emotet operation is now in the hands of law enforcement, and the botnet responsible for up to 30% of all malware attacks is offline, leaving those who once relied on purchasing access to those gateways for deploying cyber-attacks without that access.

The Beckage Team has extensive experience counseling clients on data security matters, breach response preparedness, and breach coach services.  We have also worked on headline-making data incidents, including those associated with malware and ransomware strains like Emotet and Ryuk.  Our team can be reached anytime via our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.
