FTC Actions, Breach Cases Guide COVID-19 Cyber Response

By Alysa Hutnik, Taraneh Marciano and William Pierotti

Law360 (March 27, 2020, 5:37 PM EDT) --
Many companies are rapidly implementing work-from-home policies in response to COVID-19, requiring many, if not all, of their employees to connect remotely to the organization's computer network.

The sudden shift has been disruptive for companies and their employees alike, and malicious cyberactors like nothing better than a disruptive event. Indeed, recent reports have highlighted an increase in malicious phishing emails claiming to provide important updates or information about COVID-19.

Because bad actors often prey on the unwary during times of crisis, the dramatic increase in remote workers requires companies to be particularly diligent in protecting their systems and data. It's a good time to also be reminded of best practices to help mitigate cyber and legal exposure in these unusual circumstances.

What Is Reasonable Security in 2020?

Under most applicable legal standards governing data security and data privacy, companies are required to take reasonable steps to secure their information technology systems and safeguard customer information. While this standard has evolved over time, it has generally required the use of encryption, firewalls and antivirus software, timely installation of security patches, limiting employees' access to information to what their roles and responsibilities require, and training employees on cyber best practices, among other measures.

As further updated guidance, the Federal Trade Commission announced in January 2020 that its data security consent orders would be revamped to include additional provisions.[1] These settlement orders often provide direction to businesses on benchmarks for what the agency considers to be reasonable security practices.

Broadly speaking, recent FTC consent orders have imposed more specific security obligations, increased the rigor of third-party assessor requirements and oversight and required participation by the company's board and executive suite in data security compliance.

More specifically, the orders have included directives for yearly employee training, access controls, monitoring systems for data security incidents, patch management systems and encryption. The FTC has also increased the level of scrutiny required of third-party assessors, including requirements that they collect and retain evidence supporting their conclusions, such as independent sampling, employee interviews and document review.

Notably, the FTC has also started reserving the right to withhold approval for third-party assessors that fail to meet these new requirements or that do not perform adequately rigorous assessments. Finally, the FTC has started to require board members and senior officers to certify, under oath, that they have reviewed the company's cybersecurity policies and are complying with the applicable FTC consent order. While not every company will have all of these same controls as part of its information security program, it is helpful to compare how closely a company's own controls align with them.

FTC and Breach Enforcement Cases Are Instructive

In the context of a company's remote access policies and procedures, FTC enforcement actions and litigation trends highlight the importance of remaining vigilant in the face of a shifting landscape and bad actors who will exploit vulnerabilities.

For example, the FTC brought an enforcement action against LifeLock Inc. for allegedly not taking reasonable steps when it failed to install antivirus programs on the computers that employees used to remotely access its network, putting customer information at risk. The action resulted in a $12 million settlement with the FTC and 35 states, and the imposition of a comprehensive data security program to be assessed biennially by independent third-party assessors for twenty years.[2]

Similarly, in the increasing number of civil actions filed after a company has suffered a data breach, the plaintiffs' claims turn on allegations that the defendant company did not employ reasonable measures to avoid the vulnerabilities that led to the breach.

For example, Medical Informatics Engineering Inc. faced allegations from both civil litigants[3] and state attorneys general[4] that it failed to take adequate and reasonable measures to protect its computer system.[5] Among other things, the complaints alleged that an account capable of accessing the network remotely was protected by a weak, easily guessed password.[6]

The plaintiffs further alleged that, when hackers took control of that account and accessed the network from foreign IP addresses, the company should have had security measures in place to identify that the malicious activity was anomalous and illicit. The state action resulted in a settlement requiring the payment of $900,000 and injunctive relief mandating improved cybersecurity procedures.[7] The civil class action was recently settled for $2.75 million.

Particularly relevant here, in the litigation stemming from the widely-reported Anthem Inc. breach,[8] an employee allegedly opened a phishing email containing malicious content.[9] As a result, the malicious actor was able to infiltrate the rest of the company's network and extract millions of customer records containing sensitive information. The plaintiffs alleged that the company's computer systems and data security practices were grossly inadequate. The company ultimately settled the lawsuit for $115 million.[10]

Remote Workforce Security Reinforcements

With the COVID-19 outbreak forcing a mass transition to a remote workforce in a very short time frame and the vast numbers of employees suddenly working remotely, companies are faced with an increased risk of compromise.

Widespread concern over COVID-19 offers malicious actors a perfect hook in phishing campaigns in particular. Increased remote access stresses IT infrastructure and provides an opportunity for malicious actors to blend in with the increased traffic to gain unauthorized access. Well-intentioned employees download sensitive information to less secure personal devices or send documents to personal accounts to keep serving their customers. Remote meetings offer opportunities for malicious eavesdropping.

In light of these and other data security vulnerabilities created by employees working remotely en masse, it's a good reminder for companies to frequently monitor and reinforce the measures they currently have in place to ensure they are reasonable in light of present day risks and foreseeable threats.

Notably, companies may not be able to rely only on the cybersecurity plans and measures they had in place during normal circumstances. Rather, companies will be judged on their foresight and responsiveness to the new risks posed by the current circumstances. Many of the measures recommended below are likely already part of a mature information security program with existing business continuity safeguards; they are good practices at all times, and the present environment is a reason to verify that they are actually working as intended rather than assuming so.

For companies that already have cybersecurity measures in place, a great deal can be accomplished by reinforcing those policies now and reminding and reeducating employees. For companies that have been planning to implement such measures, there is no time like the present. The recommendations are broadly categorized as: (1) enterprise-level controls, (2) secure communications, and (3) employee education.

Enterprise Level Measures

As relevant to the current environment, companies should confirm that their technical safeguards protecting their networks are sufficiently robust. For example, such safeguards typically include:

  • Updating virtual private network gateways, network infrastructure devices and the endpoints employees use to connect remotely with the latest software patches and security configurations;

  • Ensuring IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection and incident response and recovery;

  • Implementing multifactor authentication on VPN connections. Where multifactor authentication cannot be deployed, at a minimum ensure that teleworkers are required to use strong, unique passwords;

  • Updating incident response plans to account for changes in the business and in the broader economic and social environment (and considering a short tabletop incident response exercise based on the current environment); and

  • Increasing employee awareness of information technology support mechanisms for employees who work remotely (which could help prevent unauthorized workarounds).[11]
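The Medical Informatics Engineering allegations above (a guessable password on a remote-access account, and logins from foreign IP addresses that were never flagged as anomalous) and the log review and attack detection item in this list describe the same missing control. The following Python sketch is an added example, not code from the article or from any vendor product. It runs two checks over constructed VPN authentication log lines: a burst of failed logins followed by a success for the same account (password guessing), and a successful login from a country not previously seen for that account. The log line format, user names, IP addresses and the IP-to-country table are all assumptions standing in for a real VPN log schema and a GeoIP database.

```python
"""Flag anomalous remote-access logins in VPN authentication logs.

Added example (not from the article or any product). Assumes a simplified
syslog-like line format and a hand-built IP-to-country table; a production
detection would read the VPN vendor's schema and a real GeoIP database.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> vpn auth user=<name> src=<ip> result=<success|failure>
SAMPLE_LOG = """\
2020-03-23T08:01:10 vpn auth user=jsmith src=203.0.113.10 result=success
2020-03-23T08:03:27 vpn auth user=svc_remote src=203.0.113.25 result=success
2020-03-24T02:11:03 vpn auth user=svc_remote src=198.51.100.7 result=failure
2020-03-24T02:11:05 vpn auth user=svc_remote src=198.51.100.7 result=failure
2020-03-24T02:11:08 vpn auth user=svc_remote src=198.51.100.7 result=failure
2020-03-24T02:11:09 vpn auth user=svc_remote src=198.51.100.7 result=failure
2020-03-24T02:11:11 vpn auth user=svc_remote src=198.51.100.7 result=failure
2020-03-24T02:11:14 vpn auth user=svc_remote src=198.51.100.7 result=success
2020-03-24T09:30:00 vpn auth user=jsmith src=192.0.2.44 result=success
"""

# Hypothetical IP-to-country table standing in for a GeoIP lookup.
# "ZZ" is a placeholder code for "some foreign country", not a real attribution.
GEO = {"203.0.113.10": "US", "203.0.113.25": "US",
       "198.51.100.7": "ZZ", "192.0.2.44": "US"}

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>success|failure)$")

FAILURE_THRESHOLD = 5              # failures within the window that count as guessing
FAILURE_WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, known_countries=None):
    """Return a list of (timestamp, user, alert_type, detail) tuples.

    known_countries: optional baseline {user: {country, ...}} from a prior
    period. Without it, the baseline is learned from the log itself, so the
    first successful login of each user establishes that user's home country.
    """
    baseline = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        baseline[user].update(countries)
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        country = GEO.get(src, "??")
        window = recent_failures[user]
        # Drop failures that fell out of the sliding window.
        while window and ts - window[0] > FAILURE_WINDOW:
            window.popleft()

        if ev["result"] == "failure":
            window.append(ts)
            continue

        # Successful login: was it preceded by a burst of failures?
        if len(window) >= FAILURE_THRESHOLD:
            alerts.append((ts, user, "success_after_failures",
                           f"{len(window)} failures then success from {src}"))
        window.clear()

        # Successful login from a country this account has never used before?
        if baseline[user] and country not in baseline[user]:
            alerts.append((ts, user, "new_country",
                           f"{country} via {src}; seen before: {sorted(baseline[user])}"))
        baseline[user].add(country)
    return alerts


if __name__ == "__main__":
    for ts, user, kind, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<12} {kind:<24} {detail}")
```

On the constructed log, the service account's successful login at 02:11:14 raises both alerts (five failures in eleven seconds, then a success from a country the account had never used), while the ordinary user's two logins from the same country raise none. Passing a baseline built from a prior period via known_countries avoids the cold-start problem where the first login in the log defines "normal".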

Securing Communication Channels

Increased conference calls and remote meetings have created a higher risk for eavesdropping. While we are all trying to stay connected, it's a good reminder to confirm that we are connecting only with those we intend to. Companies should consider implementing safeguards related to remote conferencing, including:

  • Limiting reuse of access codes;

  • Using one-time PINs or meeting identifier codes for sensitive meetings and considering multifactor authentication;

  • Enabling notifications when attendees join;

  • Using the attendee dashboard to monitor participants and identify anyone who joins as a generic or unnamed attendee; and

  • Recording meetings only if necessary.[12]

Employee Education and Obligations

The best measures at the enterprise level and the most robust written policies will accomplish little if a company's employees are not aware of best practices and not doing their part to help secure the network. Now is an excellent time for companies to remind employees to:

  • Keep their cybersecurity software up to date;

  • Use long, strong and unique passwords;

  • Ensure their home networks are secure by enabling Wi-Fi encryption (WPA2 or later) on their routers (and educate employees on how to do so if necessary); and

  • Continue to follow their company's security guidance and policies.[13]

In addition to reminding employees generally of cybersecurity policies and best practices, companies are best advised to also educate employees about the increase in phishing campaigns piggybacking on concerns about COVID-19 and advise them to:

  • Avoid clicking on links and opening attachments from unsolicited emails;

  • Use trusted sources that they navigate to individually, such as government sites, for up-to-date information about COVID-19; and

  • Never reveal personal or financial information in an email and not respond to emails requesting this information.

Conclusion

Although the risk of a cyber incident can never be eliminated entirely, preparedness reduces both the operational impact of a compromise and the company's legal exposure after one.

In contrast, companies that fail to account for changing threats to their data and networks, such as the foreseeable threats presented by COVID-19 and the significant increase in remote access to their computer networks, are likely to face increased exposure, particularly in light of changing laws such as the California Consumer Privacy Act, which provides statutory damages in private actions for certain data breaches resulting from a failure to maintain reasonable security procedures.

While cyberpreparedness remains a priority at all times, COVID-19 imposes additional burdens on all companies to focus attention on securing mission-critical needs.



Alysa Hutnik is a partner, Taraneh Marciano is special counsel and William Pierotti is a law clerk at Kelley Drye & Warren LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance.

[2] https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states.

[3] https://www.law360.com/articles/690294?scroll=1&related=1.

[4] https://www.law360.com/articles/1107538.

[5] See State of Indiana et al. v. Medical Informatics Engineering, Inc., No. 18-cv-969 (N.D. Ind. 2018). https://www.law360.com/articles/1107538/attachments/0.

[6] In Re: Medical Informatics Engineering, Inc., Customer Data Security Breach Litigation, No. 15-md-02667 (N.D. Ind. 2015). https://www.innd.uscourts.gov/sites/innd/files/Consolidated Amd Class Action Cmplt.pdf.

[7] https://www.law360.com/articles/1163999/states-secure-900k-deal-in-first-coordinated-hipaa-suit.

[8] https://www.law360.com/articles/618625.

[9] https://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627.

[10] See In Re Anthem, Inc. Data Breach Litigation, No. 15-md-02617 (N.D. Cal. 2015). https://www.law360.com/articles/1073957.

[11] For additional guidance on cybersecurity measures specific to the COVID-19 outbreak, visit the webpage of the Cybersecurity and Infrastructure Security Agency ("CISA"), an agency of the Department of Homeland Security: https://www.cisa.gov/coronavirus.

[12] For additional guidance on securing communications channels, visit the webpage of the National Institute of Standards and Technology, an agency of the United States Department of Commerce: https://csrc.nist.gov/.

[13] View the FTC blog webpage for additional security tips for working from home that can be shared with remote employees. https://www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home.
