Recent developments in the European Union and United Kingdom’s cybersecurity policies and programs — most prominently the adoption of the EU Cybersecurity Act — continued to demonstrate the region’s focus on improving cybersecurity in the public and private sectors, while also providing practical guidance and tools to assist companies and their boards with cyber risk management.
The ICO is still enforcing the DPA of 1998 despite newer regulations, including the DPA of 2018 and the GDPR, that impose even stricter obligations on companies that collect and process data and authorize enforcement agencies to levy even harsher fines in the event of a breach. As demonstrated by the Bounty case, the ICO is closely reading privacy policies and carefully reviewing the opportunities that data subjects are offered to opt out. As such, companies that sell information to third parties need to be transparent with their users that they are doing so.
SEC Reminds Firms to Follow Their Privacy Policies
The SEC has issued a risk alert identifying a range of privacy and cybersecurity compliance issues its staff has identified in the past two years. Many of these issues relate to failure to properly implement firms’ written policies.
On April 16, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a risk alert reminding investment advisers and broker-dealers that, to fulfill their regulatory obligations, they must actually implement the promises they make with respect to protecting investors’ personal information.8 The OCIE explained that it had found that a number of firms had inadequate policies, or had failed to implement the measures described in their policies, which prompted the alert. The risk alert provides useful guidance to firms on the OCIE’s priorities with respect to privacy policies and related implementation requirements.
Regulation S-P and Required Privacy Practices
In the risk alert, the OCIE reminded firms that Regulation S-P requires firms to provide clear and conspicuous notice to their customers that accurately reflects their privacy policies and practices, to update that notice annually, and to accurately explain to investors their right to opt out of certain types of personal information disclosures. The regulation explains what must be included in these privacy and opt-out notices.
In addition, Regulation S-P’s Safeguards Rule requires firms to adopt written policies and procedures that address the administrative, technical and physical safeguards firms use to protect customer records and information. These must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of [investor] records and information, and protect against unauthorized access to or use of [investor] records or information that could result in substantial harm or inconvenience to any [investor].”
Common Deficiencies in OCIE Investigations
The OCIE’s risk alert identified a number of common issues it has encountered over the last two years with respect to complying with these Regulation S-P requirements.
Lack of Required Notices
First, the OCIE reported a number of deficiencies with respect to the actual notices given to investors. It found that a number of firms did not provide the required notices when establishing the initial relationship with the investor, did not provide the required annual update notice and/or did not provide the required explanation of the investors’ opt-out rights.
Lack of Written Internal Policies
Second, the OCIE found that some firms did not have the written policies for protecting customer information required under the Safeguards Rule. Some firms’ policies simply restated the Safeguards Rule, but did not include policies and procedures for the actual safeguards. Others had policies and procedures that still contained blank spaces to be filled in by the firms. Still others had policies for delivering required privacy notices, but lacked any description of personal information safeguards.
Implementation and Adequacy Issues
Finally, the OCIE identified a number of examples of situations where it found that firms either did not adequately implement the policies they provided to investors or that the policies did not properly address the potential risks to investor information. Specifically, the OCIE identified 10 different areas where it found issues:
- Personal Devices. Policies and procedures did not appear reasonably designed to safeguard investor information on personal devices. The OCIE’s staff found that some firm employees regularly stored and maintained investor information on their personal laptops, but that the firm’s policies and procedures did not address how to properly protect this information on these devices.
- Electronic Communications. Policies and procedures did not address the inclusion of personal information in electronic communications. For example, the OCIE’s staff found firms that did not appear to have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing this information.
- Training and Monitoring. Firms failed to properly train employees on how to follow their policies and procedures. For example, the OCIE found that some firms had policies and procedures that required investor information to be encrypted, password-protected and transmitted using only registrant-approved methods, but that employees were not provided adequate training on these methods and the firm failed to monitor if the policies were being followed by employees. This lack of training and monitoring rendered the policies and procedures themselves inadequate under Regulation S-P.
- Unsecure Networks. Policies and procedures did not prohibit employees from sending investor personal information to unsecure locations outside of the firms’ networks.
- Outside Vendors. Some firms failed to follow their own policies and procedures regarding outside vendors. For example, the OCIE’s staff found firms that failed to require outside vendors to contractually agree to keep investors’ personal information confidential, even though such agreements were mandated by the firms’ policies and procedures.
- System Inventory. Policies and procedures did not identify all systems on which the firm maintained investor personal information. Without an inventory of such systems, the OCIE staff noted, firms may be unaware of the categories of information that they maintain, which could limit their ability to adopt reasonably designed policies and procedures, and adequately safeguard that information.
- Incident Response Plans. Written incident response plans did not address important incident response topics, such as role assignments for implementing the plan, actions required to address a cybersecurity incident and assessments of system vulnerabilities.
- Insecure Physical Locations. Investor information was stored in unsecure physical locations, such as unlocked file cabinets in open offices.
- Login Credentials. Login credential practices were not secure, such as using login credentials that had been disseminated to more employees than permitted under the firms’ policies and procedures.
- Departed Employees. Instances existed where former employees retained access rights after their departure and therefore could access restricted investor information.
Key Takeaways
The OCIE’s risk alert highlights the care that firms should take in designing and implementing their cybersecurity and data privacy policies to ensure that they adequately address the risks that they face. Further, it is important for firms to not simply adopt a “boilerplate” policy and assume they have satisfied their regulatory obligations. Rather, firms should be sure to adapt the policies to meet their regulatory obligations and to reflect their actual practices, and then train their staff on how to comply with the policies they adopt.
Canadian Privacy Commissioner Concludes Investigation into Equifax Breach
The Office of the Privacy Commissioner of Canada (OPC) recently concluded its investigation into the impact of the Equifax breach on Canadians. In its report, the OPC found that Equifax Canada and its U.S.-based parent company fell short of their obligations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
On April 9, 2019, the OPC released its report on the 2017 Equifax data breach, outlining how the actions of Equifax and its Canadian-based subsidiary, Equifax Canada, impacted Canadians. The report concluded that the two companies had failed to meet their obligations under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).9
Background on the Equifax Breach
In September 2017, U.S.-based credit reporting company Equifax publicly announced that attackers gained access to the personal information of more than 143 million individuals, including approximately 19,000 Canadians who had purchased credit monitoring or fraud alert products from Equifax Canada. Almost all of the impacted Canadians had their social insurance number and other accompanying identifying information compromised.
According to the OPC’s report, the attackers gained access to Equifax’s systems in May 2017 and operated undetected for more than two months. Equifax did not notify Equifax Canada of the breach until shortly before Equifax disclosed the breach to the public in July 2017. Canadians who were impacted by the breach did not receive notifications that their personal information had been compromised until October 2017.
Although Equifax Canada provided free credit monitoring to the affected Canadians, the company did not provide the same post-breach protections that its U.S. parent company provided. For example, Equifax offered Americans the opportunity to freeze their credit files, while Equifax Canada did not provide that same credit freeze option to affected Canadians.
The OPC Report
After investigating the cause of the breach and its impact on Canadian residents, the OPC published a report that addressed the gaps in Equifax and Equifax Canada’s data protection practices and made several recommendations for Equifax and Equifax Canada going forward. The report noted the following gaps with respect to Equifax and Equifax Canada’s compliance with PIPEDA:
- Equifax and Equifax Canada did not provide safeguards appropriate to the sensitivity of the personal information at issue;
- Equifax did not comply with PIPEDA’s data retention and destruction requirements;
- Equifax Canada did not demonstrate adequate accountability for protecting the personal information of Canadians; and
- Equifax Canada did not provide mitigation measures to the affected individuals that were adequate to protect their personal information from unauthorized use, such as future identity theft.
The OPC also found that Equifax Canada failed to obtain express consent to transfer personal information to a separate entity in the U.S. PIPEDA generally requires organizations to obtain express consent prior to such a transfer, where individuals would not reasonably expect the cross-border transfer of their information to a separate entity or where the proposed transfer involves certain types of sensitive information. Equifax Canada’s Canadian customers interacted exclusively with Equifax Canada and were not given any express notice that their information would be processed in the U.S. However, the OPC concluded that Equifax Canada acted in good faith in not seeking express consent for these disclosures because of previous OPC guidance that indicated that the transfers at issue did not require express consent.
The OPC concluded the report with the following recommendations to Equifax Canada:
- implement a procedure to ensure that the written arrangement between Equifax and Equifax Canada concerning the collection and disclosure of Canadian personal information remains up to date;
- implement a robust monitoring program to ensure compliance with that written arrangement;
- identify personal information that should no longer be retained by Equifax according to a set retention schedule, and delete such information; and
- every two years for a six-year term, provide the OPC (1) a report regarding the monitoring program described above, (2) an audit report and certification conducted by an appropriate external auditor against an acceptable security standard that covers all Canadian personal information for which Equifax Canada is responsible, including information processed by Equifax, and (3) a third-party assessment of Equifax’s data retention practices that covers all Canadian personal information processed by Equifax.
Equifax Canada entered into a compliance agreement with the OPC under which Equifax Canada agreed to comply with these recommendations and other requirements aimed at improving Equifax Canada’s data protection practices.10 For example, the agreement also requires Equifax Canada to improve the process by which it obtains consent to transfer personal information. As part of the agreement, Equifax Canada also agreed to extend its free credit monitoring service to impacted Canadians. However, Equifax Canada did not agree to provide the free or low-cost credit freeze product offered to impacted Americans after the breach.
Key Takeaways
The Equifax breach and the OPC’s response provide a useful reminder to companies that store or process personal information from consumers in multiple jurisdictions about the importance of compliance with local data protection laws. Years after the breach, Equifax and its local subsidiaries remain subject to extensive audit periods imposed by government regulators and to increased obligations to improve and maintain their data protection practices. The potential costs of a breach can outweigh the costs of implementing and maintaining comprehensive data protection policies and practices.
Eleventh Circuit Finds no Coverage Under CGL Policy in Junk Fax Putative Class Action
A federal appeals court, applying Georgia law, recently held that Travelers unit St. Paul Fire & Marine Insurance Company (St. Paul) did not need to cover a multimillion-dollar settlement in a junk fax putative class action alleging Telephone Consumer Protection Act (TCPA) violations. According to the court, the alleged unsolicited faxes did not constitute an “accident” under St. Paul’s insurance policies — a condition precedent to coverage.
On April 12, 2019, the Eleventh Circuit affirmed a district court’s holding that St. Paul has no obligation under a series of commercial general liability (CGL) policies issued to Atlanta-based manufacturing sourcing provider MFG.com (MFG) to cover a $22 million settlement reached in a putative class action alleging TCPA violations.11
The Junk Faxes
As part of a fax advertising campaign, MFG purchased lists of individuals who MFG believed had consented to receive marketing materials via fax. Between September 2005 and November 2008, MFG sent approximately 494,212 unsolicited fax advertisements to those individuals. Although MFG believed that its advertising campaign complied with all applicable laws, MFG was mistaken, as the fax recipients had not in fact consented to MFG’s unsolicited advertisements. The junk faxes allegedly caused property damage to the fax recipients in the use of their fax machines, depleting their ink and paper.
The St. Paul Policies
At the time MFG sent the junk faxes, it had in place a series of CGL policies (the policies) that covered liability for “property damage” caused by an “event.” The policies defined “property damage” as “physical damage to tangible property of others, including all resulting use of that property” or “loss of use of tangible property of others that isn’t physically damaged.” The policies defined “event” as “an accident, including continuous or repeated exposure to substantially the same general harmful conditions.” The policies did not define “accident.”
The TCPA Putative Class Actions
In November 2008, G.M. Sign, Inc. (GM Sign), a commercial sign manufacturer and recipient of MFG’s junk faxes, commenced a putative class action in Illinois state court against MFG. The lawsuit alleged that MFG sent GM Sign and the putative class members fax advertisements without their permission, in violation of the TCPA. MFG noticed the claim to St. Paul, which denied coverage.
MFG removed the underlying case to federal court, and on July 29, 2009, the parties stipulated to dismiss the lawsuit without prejudice to refile. One day later, GM Sign commenced another lawsuit in Illinois state court alleging the same TCPA claims on behalf of the same putative class. The lawsuit eventually settled for $22,536,500, though the parties agreed that MFG would pay only $460,000 of that amount. MFG then assigned to GM Sign and the putative class MFG’s claims against and rights to payment, if any, under the policies.
The Coverage Action and the District Court’s Decision
GM Sign, as assignee of MFG’s rights under the policies, then filed a declaratory judgment action against St. Paul in Georgia state court seeking a declaration that the policies covered the settled claims. St. Paul removed the coverage action to Georgia federal court and filed a counterclaim that it owed no coverage. On the parties’ cross-motions for summary judgment, the court granted St. Paul’s motion, holding that under the Eleventh Circuit’s decision in Mindis Metals, Inc. v. Transportation Insurance Co., “the intentional delivery of fax advertisements does not qualify as an ‘accident’ under Georgia law, even if the sender erroneously believed that it had consent to send the fax advertisements.” GM Sign appealed.
The Eleventh Circuit’s Decision
The Eleventh Circuit agreed with St. Paul and the district court, holding that the settled TCPA claims were not covered under the policies because the alleged property damage was not caused by an “accident,” a condition precedent to coverage. In reaching its conclusion, the court determined that it was bound by its decision in Mindis Metals, which held that intentional conduct premised on erroneous information does not constitute an accident. “MFG intended to send the faxes and thus intended to cause the resulting property damage, the use of the fax machines and the depletion of the machines’ ink and paper,” the court wrote. Moreover, “[t]he fact that MFG mistakenly thought the recipients had consented to receive the faxes is insufficient under Mindis Metals to render the property damage an accident under Georgia law.” Accordingly, the court concluded, the settled TCPA claims were not covered under the policies.
Key Takeaways
As the court’s decision in G.M. Sign illustrates, TCPA claims may not fit neatly into coverage. However, given the increased frequency of TCPA lawsuits in recent years and their significant costs, policyholders should nonetheless consider all coverage lines that may respond to such claims, including, for example, CGL, directors and officers liability, errors and omissions liability and cyber liability. In addition, policyholders faced with TCPA exposure would be well-advised to work proactively with their insurance brokers, advisers and carriers in an effort to obtain the most favorable coverage possible.
_______________
1 The General Affairs Council’s regulation can be read here.
2 The commission’s recommendation can be read here.
4 The Board Toolkit can be found here.
5 Information on the cyber accelerator can be found here.
7 A copy of the ICO’s decision is available here.
8 The risk alert is available here.
9 The full text of the OPC report can be found here.
10 The full text of the compliance agreement can be found here.
11 G.M. Sign, Inc. v. St. Paul Fire & Marine Ins. Co., No. 17-14247, 2019 WL 1579792 (11th Cir. Apr. 12, 2019).
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.