Introduction

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies. At the same time, comprehensive data privacy regulation became a new reality in the United States, and many companies implemented major revisions to their privacy policies and data systems to achieve compliance with California's groundbreaking privacy legislation, the California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020.

Major data breaches continued to make headlines in 2019, and state and federal legislators, enforcement authorities and regulators remained highly focused on data security and privacy practices. European regulators announced several notable enforcement actions under Europe's General Data Protection Regulation ("GDPR"), which confirmed that European authorities are willing to use the GDPR's authorization to levy large fines, even outside the context of major breaches resulting in exposure of customer information.

In this 2019 Year in Review, we highlight the most significant cybersecurity and privacy developments of 2019 and predict key challenges and areas of focus for the coming year.

Major Cyberattacks

Companies continued to suffer data breaches stemming both from cyberattacks by malicious actors and from security lapses that exposed customer data. Although a variety of business sectors remain at heightened risk, the year's cyberattacks and data breaches highlight the particular risks faced by the financial, social media, and healthcare sectors. The most notable incidents of 2019 included the following:

  • The financial industry suffered several notable security breaches in 2019:
    • In May, it was reported that 885 million bank records maintained by First American Corporation, including Social Security numbers, bank account numbers and statements, and mortgage and tax documents, were exposed through a design defect in a web application that allowed documents to be retrieved without proper authorization.
    • In June, an employee at Canada's Desjardins Group exposed the data of more than 4.2 million bank members by improperly collecting personal information and circulating it to a third party.
    • In July, Capital One disclosed that a hacker had gained access to personal and financial information for approximately 106 million customers, and estimated remediation costs at $150 million.
  • In the wake of two major incidents in 2018, Facebook suffered further data breaches in 2019:
    • In March, an internal investigation at Facebook revealed that hundreds of millions of account passwords had been stored in plaintext on its internal servers, meaning that Facebook employees could search for, and potentially abuse, the credentials.
    • Facebook suffered further data exposures in April (540 million user records exposed on publicly accessible Amazon cloud storage), September (more than 419 million user records exposed on a public database), November (approximately 100 third-party developers were improperly granted access to personal user data), and December (267 million user records, including names, unique user IDs, and phone numbers, exposed in another public database).
  • Further social media security lapses surfaced in October 2019, when it was reported that 1.2 billion Facebook, Twitter and LinkedIn profiles had been exposed and made publicly accessible on an unsecured server.
  • The healthcare sector was also the target of several significant cyberattacks:
    • In May, Quest Diagnostics disclosed that approximately 11.9 million patients' personal and financial data had been accessed through its external collection agency, American Medical Collection Agency.
    • A month later, LabCorp disclosed that 7.7 million of its patient records had been accessed through the same agency, highlighting once again the risks associated with third-party agencies and vendors.
    • In June, Dominion National, a dental and vision benefits insurer, disclosed a data breach that exposed the personal records of nearly 3 million patients.

U.S. Enforcement Actions and Regulatory Guidance

Not surprisingly in light of the ongoing large-scale data breaches, there were a number of significant U.S. enforcement actions relating to cybersecurity and data privacy in 2019. In some instances, several authorities or regulators partnered to announce a joint resolution that included both financial penalties and remediation requirements. As expected,1 the Federal Trade Commission ("FTC") took a more active role in the privacy space, a trend we expect to continue in 2020. We also saw the initiation of major antitrust investigations of technology companies by U.S. and European authorities that treated privacy practices as one area of possibly anti-competitive or abusive behavior, potentially blurring the lines between traditional consumer protection and competition regulation.

  • In July 2019, the FTC and the Securities and Exchange Commission ("SEC") both announced settlements with Facebook, while the Department of Justice ("DOJ") filed a civil complaint against the company arising from the same circumstances.2
    • On July 24, the FTC announced a $5 billion settlement with Facebook for violations of Section 5(a) of the FTC Act and its prior 2012 FTC settlement order, based on allegations that Facebook provided users with deceptive privacy disclosures and shared users' personal information with third-party applications used by those users' Facebook friends. The FTC required Facebook to implement remedial measures, including:
      • Establishing a robust privacy and information security program;
      • Appointing a new board subcommittee to serve as an Independent Privacy Committee comprised of independent directors demonstrating certain minimum privacy and data protection capabilities; and
      • An annual certification by Facebook's principal executive officer (CEO Mark Zuckerberg) and a designated compliance officer.
    • That same day, the DOJ filed a complaint against Facebook alleging, among other things, that Facebook violated its 2012 FTC settlement order by providing users with deceptive privacy disclosures and settings; sharing users' personal information with third-party applications used by those users' Facebook friends; and misrepresenting the extent to which users had to opt in before being subjected to certain facial recognition technology.
    • The next day, the SEC announced a $100 million settlement with Facebook resolving claims that the company's public filings contained misleading statements about the misuse of user data.
  • Also in July, Equifax agreed to pay $575 million—potentially rising to $700 million—in a settlement with the FTC, the Consumer Financial Protection Bureau ("CFPB"), the New York Department of Financial Services, and 48 U.S. states over the company's "failure to take reasonable steps to secure its network" in connection with its 2017 breach involving the information of 147 million people. Equifax was required to take remedial steps, including:
    • Conducting annual assessments of internal and external security risks;
    • Obtaining annual certifications from the board of directors or relevant subcommittee attesting to compliance with the settlement order; and
    • Ensuring that service providers that access personal information stored by Equifax have adequate safeguards to protect such data.3
  • In September 2019, Google and YouTube agreed to pay $170 million to the FTC and New York State to settle allegations that the companies illegally collected personal data from children without the consent of their parents. It was by far the largest amount ever obtained by the FTC in a matter brought under the Children's Online Privacy Protection Act ("COPPA"), enacted in 1998.
  • In November 2019, the FTC announced a proposed settlement with InfoTrax Systems, L.C., a third-party service provider, regarding multiple data security failures that allegedly resulted in unauthorized access to end-users' personal information. The proposed settlement is noteworthy in several respects:
    • The FTC alleged a violation of the FTC Act predicated solely upon InfoTrax's failure to maintain reasonable security measures;
    • The settlement order contains extensive prescriptive requirements regarding improvements that InfoTrax must make to its data security practices; and
    • One commissioner filed a concurring statement criticizing the settlement's standard 20-year term as excessively long.4
  • In July 2019, Cisco Systems reached a $6 million settlement with 19 state Attorneys General to resolve a whistleblower lawsuit under the False Claims Act ("FCA") alleging that the company sold government customers video surveillance software that was vulnerable to attack. The investigation uncovered no evidence of any hack or unauthorized access to security systems running Cisco's software. This was the first successful cybersecurity whistleblower case brought under the FCA.
  • The FTC and DOJ announced antitrust investigations into the "Big Four" technology companies (i.e., Facebook, Google, Amazon and Apple) that included aspects of their privacy practices, and multiple state Attorney General investigations similarly targeted a combination of privacy practices and more traditional anti-competitive behaviors.

In addition to these enforcement actions, U.S. federal authorities also issued new cybersecurity guidance:

  • Over the course of 2019, the FTC has been working to strengthen the injunctive relief imposed in orders in data security cases.5
    • In April 2019, the FTC issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating "new requirements" while "anticipat[ing] further refinements."6 Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
    • In a recent blog post, Andrew Smith, the director of the FTC's Bureau of Consumer Protection, explained the origin of these efforts and summarized the orders' refinements. Smith acknowledged that FTC data security orders historically "contained fairly standard language,"7 which the Eleventh Circuit struck down in 2018 as "unenforceably vague" when vacating an FTC cease-and-desist order against LabMD, Inc.8 After considering the information learned during the FTC's December 2018 data security hearing and the LabMD decision, the FTC focused on three areas for change: (1) prescribing "more specific" requirements for data security programs that are tailored to the problems alleged in the complaint; (2) increasing "third-party assessor accountability" and enhancing FTC oversight of assessors; and (3) elevating "data security considerations to the C-Suite and Board level" in the form of senior officer compliance certifications.
  • In April 2019, the SEC's Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert addressing privacy-related obligations under Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies for all registered broker-dealers and investment advisers. The Risk Alert set out the most frequent Regulation S-P deficiencies that OCIE had identified during examinations over the past two years.9
  • A month later, OCIE released another cybersecurity-related Risk Alert, this time highlighting the risks associated with broker-dealers and investment advisers storing customer records and information in the cloud and on other types of network storage solutions.10
  • In early January 2020, the SEC issued OCIE's 2020 Examination Priorities, which confirmed that OCIE will continue to prioritize information security in its examination programs.11


Footnotes

1. For further information, see the Cleary Gottlieb "2018 Cybersecurity and Data Privacy Developments: A Year in Review" publication at https://www.clearygottlieb.com/-/media/files/alert-memos-2019/cybersecurity-and-data-privacy-developments--2018-in-review_r1-pdf.pdf.

2. For further information on this Facebook settlement, see the Cleary Gottlieb "July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors" publication at https://www.clearycyberwatch.com/2019/08/july-2019-privacy-and-cybersecurity-enforcement-lessons-for-management-and-directors.

3. For further information on this Equifax settlement, see the Cleary Gottlieb "July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors" publication at https://www.clearycyberwatch.com/2019/08/july-2019-privacy-and-cybersecurity-enforcement-lessons-for-management-and-directors.

4. For Cleary Gottlieb's previous blog post discussing the FTC settlement, see https://www.clearycyberwatch.com/2019/11/latest-ftc-data-privacy-settlement-may-signal-more-direct-approach-to-regulating-data-security.

5. For Cleary Gottlieb's previous blog post discussing the FTC's actions, see https://www.clearycyberwatch.com/2020/01/ftc-summarizes-a-year-of-change-in-its-data-security-orders.

6. For the FTC's April 2019 statement, see https://www.ftc.gov/system/files/documents/cases/2019-03-19_idressupclixsense_statement_final.pdf.

7. For the FTC's blog post, see https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance.

8. LabMD, Inc. v. Fed. Trade Comm'n, No. 16-16270, 2018 WL 2714747, at *1 (11th Cir. 2018).

9. For Cleary Gottlieb's previous blog post discussing the SEC's Regulation S-P Risk Alert, see https://www.clearycyberwatch.com/2019/05/sec-privacy-risk-alert-may-foreshadow-upcoming-reg-s-p-enforcement-against-broker-dealers-investment-advisers.

10. This alert and the SEC's Regulation S-P Risk Alert are the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the SEC's February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.

11. For Cleary Gottlieb's previous blog post discussing the SEC OCIE's 2020 Examination Priorities, see https://www.clearycyberwatch.com/2020/01/from-the-expected-to-the-surprises-highlights-of-sec-ocies-2020-priorities.
