The China Council for the Promotion of International Trade has so far issued at least 4,811 force majeure certificates due to the COVID-19 pandemic. These certificates qualify the coronavirus outbreak as a force majeure event and certify that a party’s partial performance or failure to perform under an agreement may be excused if there is a force majeure clause in the agreement. According to a Xinhua state media report, the total contract value for the agreements associated with the certificates is an alarming 373.7 billion Chinese yuan (equivalent to US$53.79 billion). Unfortunately, for many U.S. businesses impacted by the economic hardships caused by COVID-19, these force majeure certificates will be of little use if their contracts are governed by U.S. law. Companies should understand the impact and application of their existing force majeure clauses to COVID-19.

A typical force majeure clause releases obligations and liability if an extraordinary event occurs. These events are usually limited to events like war, fire, natural disasters, civil disorder, strikes or labor disputes, acts of God or other circumstances beyond a party’s reasonable control. When these unanticipated circumstances arise, the force majeure clause may be invoked to relieve the parties from their contractual obligations or to terminate the contract with no further liability from either party.

Far too often, force majeure clauses are an afterthought during the contract negotiation process.  Although seemingly unimportant when the parties are trying to close a deal, these clauses have substantive impacts to the business when unanticipated events occur. As the spread of COVID-19 disrupts global supply chains and results in the imposition of emergency rules and regulations, it becomes imperative for companies to prepare themselves for impending commercial disputes.

As a historical example, the SARS virus outbreak in 2003 resulted in many companies asserting force majeure clauses. Northwest Airlines famously relied on the force majeure clause in its labor contracts to lay off employees without notice, asserting that the SARS virus caused its air traffic to Asia to significantly decline. Not surprisingly, the Aircraft Mechanics Fraternal Association, an independent aviation union, claimed the layoffs were an immoral exploitation of the provision and challenged Northwest Airlines’ legal justification by filing a class-action grievance. The arbitration board held that while a number of the layoffs were justified by force majeure events, a certain subset of mechanics were unjustifiably laid off, and Northwest Airlines was ordered to rehire those mechanics. The takeaway from this is that a force majeure clause may not apply uniformly to different circumstances.

While the SARS virus resulted in many companies revising the force majeure clauses in their contracts to include “global epidemics” as triggering events, the Northwest Airlines example shows that COVID-19 should be carefully analyzed for its specific impact on different industries. In addition, other contract provisions will alter the legal analysis about whether a specific force majeure clause can be invoked. For example, certain jurisdictions may interpret “acts of God” or “epidemic” differently, so the governing law provision will affect whether the force majeure clause may be invoked. Moreover, force majeure clauses are drafted with specific terms that impact their interpretation. For example, a force majeure clause that does not specifically cite “disease” or “epidemics” may nonetheless contain an all-inclusive catch-all phrase (such as “any similar event beyond the reasonable control of a party”) that would lead to the COVID-19 pandemic qualifying as a force majeure event.

Just as companies must take a proactive approach to their employees’ health and safety with respect to COVID-19, companies should also take a proactive approach to the other business effects of COVID-19. If a company’s obligations have been affected by COVID-19 in any capacity, the company should consider certain practices in anticipation of any disputes and to prepare for the possible invocation of a force majeure clause, including, but not limited to the following:

  • keeping detailed records of COVID-19’s impact on its business functions and on any inability to perform the company’s contractual duties;
  • documenting COVID-19’s impact on the company’s supply chains, such as its vendor’s inability to secure raw materials, parts, components, or disruption to the capabilities of the vendor’s suppliers or independent distributors;
  • continuously evaluating developments in the COVID-19 situation and how it is affecting governments and the company’s industry. The situation is changing day by day, and keeping abreast of developments will allow the company to quickly reassess its obligations and liabilities;
  • reviewing both existing customer agreements and vendor agreements to analyze the legal obligations and liabilities of all parties under the agreements. Force majeure clauses are each drafted differently and should be interpreted by legal counsel. Companies should also keep in mind the notice provisions within their agreements, so that they do not inadvertently run afoul of their obligations to notify the other party; and
  • reviewing insurance coverages and whether the company’s current insurance covers business interruption related to COVID-19.

As companies work together to create business solutions to the impact that COVID-19 has had on all industries, not all businesses will come out unscathed. Although these are uncertain and challenging times, Taft understands the importance of business continuity and is resolved to maintain our high standard of responsiveness and excellence for our clients. Taft’s team of attorneys is ready to advise clients on all aspects of legal issues, obligations, and liabilities associated with COVID-19.

These are thoroughly disturbing statistics that should make every ERP user shudder:

A survey of more than 400 IT professionals conducted by Onapsis Research Labs found that 64 percent of ERP software systems suffered a data breach in the past two years. Onapsis reported that 90 percent of SAP’s ERP software systems remain vulnerable to a nasty virus called 10KBLAZE, discovered one year ago. Onapsis also reported that there are serious security weaknesses in Oracle’s ERP payment modules.

It seems that every week, news of another data breach involving businesses, hospitals and other healthcare organizations, and even government agencies finds its way into the news media. Users of ERP software systems face a two-pronged risk they need to confront and address proactively:

  • The loss of valuable proprietary information about their supply chain, production processes, and even trade secrets that could command a high price in the underground market from unsavory competitors and counterfeiters in unfriendly countries.
  • Violating various state data breach and privacy laws, including the California Consumer Privacy Act (CCPA), if personally identifiable information of employees or customers is revealed.

In many respects, a leak of personal customer information would be as damaging as having business processes revealed to competitors. First come the time, expense and opportunity costs of properly responding to a data breach and providing the applicable notices to affected individuals, state regulators and the media. Then comes the public embarrassment, with a possible loss of trust, along with the real possibility of penalties imposed by the state. This is all in addition to a wave of potential lawsuits that could be filed by affected individuals under state law, including the CCPA, which allows for a private right of action.

Protecting ERP from Incidents

An ERP software system is a particularly inviting target for private and state-sponsored criminals as well as run-of-the-mill mischief-makers. For most companies, so many employees need access to the software that accidental or inadvertent data incidents can easily occur.

We wrote recently on the need for all businesses to prepare to defend themselves against CCPA lawsuits or penalties. For users of ERP software systems, beyond the obvious, there are additional steps organizations should implement.

One that often gets overlooked is to promptly install patches and fixes when the vendor releases them. As attorneys who’ve spent our careers working with clients on legal issues connected to data security matters relating to ERP software systems, we are often amazed at how slowly some companies do this (or maintain and review log files). Now there is a kind of “double jeopardy” for not installing updates quickly: the software remains vulnerable to a hack or breach, and there is the added risk of CCPA penalties if a breach occurs.

Establish Cybersecurity Policies

A related necessity is to ensure comprehensive and compliant cybersecurity procedures are established along with a software application maintenance policy. Part of this includes an audit methodology that delves deep into the system so that vulnerabilities can be identified even if the vendor has yet to launch a patch for it.

Keep in mind the law specifies that doing these things proactively can help create a safe harbor in the event of a hack, leak, or data incident, possibly preventing state investigators from knocking on your door.

Another important way of preventing data incidents is to limit the people who have access to identifiable customer data. A contractor who is part of the supply chain may very well need to know how many and when the components they provide must arrive at a manufacturer. They don’t need to be able to see which customers ordered the finished product. From both a current technological and cost perspective, there is little excuse for any company to allow access to identifiable customer data when there is no need for such access.

Finally, keep reinforcing to everyone who has access to data that security is as much their responsibility as it is the responsibility of the IT department. Far more breaches result from employee carelessness inside an organization than are the result of criminal activity. Remember that the CCPA does not distinguish between a deliberate hack and a mistake; the liability for an ERP user is the same.

ERP Contract Precautions

There are other preventative measures related to the CCPA that can be taken even before the contract for a new or upgraded ERP software system is signed.

Perhaps the most important is to ensure that the contract specifies who is responsible for data security and under what circumstances: Users, vendors, or integrators. The template ERP contracts used by vendors and integrators are usually vague about this, so greater specificity needs to be negotiated and written into the document.

Another aspect deals with specifying the roles and responsibilities of third-party contractors from when a contract is signed to when the ERP software system goes live. It is common for an integrator to use outside resources, which means there could be dozens of people unknown to the customer who will have at least temporary access to identifiable data. These entities need to have a contractual obligation to be responsible if their work is the cause of an incident or breach.

By the way, all of these precautions are important steps to take to help comply with not just the CCPA but most data privacy and data breach laws as well, such as New York’s new Shield Law.

We’ve spent our careers negotiating and drafting contracts for ERP software systems and handling disputes that arise when there is an issue. If you’re an executive or inside counsel at an organization concerned about possible liability under the CCPA due to an ERP implementation, feel free to contact us. We will be pleased to share our knowledge and experience with you.

The California Consumer Privacy Act (CCPA) was barely a month old when the first private lawsuit was filed under the law. The action against a children’s clothing company and Salesforce Inc., the giant developer of CRM software that hosted the retailer’s customer data, was filed in federal court in early February 2020.

The details of the lawsuit are not as important as the reality that it highlights the need for companies of all sizes and types to do two things. They must ensure they are taking proactive steps to prevent data hacks and leaks and know what will be required to defend themselves against allegations made by consumers and the state.

The state attorney general says his office will not launch enforcement actions against companies until July 1, 2020, as long as they can show they are taking steps to comply with CCPA’s requirements. Yet as the lawsuit underscores, there is nothing stopping individuals from seeking damages as a result of alleged leaks and hacks well before mid-year.

Offense is Defense

In 2018, a 15-year-old, self-taught, ethical hacker named Marcus Weinberger terrified a packed hall at a technology conference by having attendees call out the name of their firm. Using the laptop he takes class notes on and some things he bought with his allowance at the mall, he hacked into every organization’s data in under 15 minutes.

This proves that companies must begin to acknowledge that what can be hacked will be hacked, or leaked by accident, carelessness or error.

The first line of defense is to ensure that identifiable or personalized information is thoroughly encrypted. In fact, the CCPA specifies this as a possible safe harbor against fines or a lawsuit. One technology company went so far as to set up its software so that it could be downloaded only onto an encrypted stick it licensed to its users. Non-users could not acquire it.

But there are additional steps that must be taken by businesses to prepare themselves to defend against CCPA complaints.

Another vital move is to prepare and document a plan that will detect and stop a breach, whether from a potential hacker or because an employee made a mistake, and know how to notify people whose data may have been compromised. The CCPA requires prompt notification. Being able to show a court or a state tribunal that this was done and the company had taken proactive steps to limit the damage can be a strong defense.

Limit the number of people who have access to customer data to only those that need the customer data to do their job. For instance, an ERP software system will likely contain an enormous amount of identifiable information about customers. An employee responsible for the supply chain or one who is involved in the production process may not need to have access to data about specific customers. The fewer people who can accidentally or deliberately expose this information, the lower the risk of a breach.
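The paragraph above, and the earlier ERP post’s supply-chain contractor example, both describe field-level least privilege: a role sees component quantities and dates but never the customer’s identity. The following is an added illustration, not code from the original posts or from any ERP vendor; the record layout, role names and allow-lists are constructed assumptions.

```python
"""Role-scoped views of an ERP sales order (added illustration, not vendor code).

Default-deny: a role sees only the fields on its allow-list, and every read of a
personal field is logged so the scope of a later incident can be reconstructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List

# Constructed sample record: one sales order joined to its bill of materials.
ORDER: Dict[str, Any] = {
    "order_id": "SO-10042",
    "customer_name": "Jane Example",            # personal information (constructed)
    "customer_email": "jane@example.com",       # personal information (constructed)
    "ship_to": "1 Sample St, Sacramento, CA",   # personal information (constructed)
    "product_sku": "WIDGET-PRO",
    "components": [{"part": "PCB-7", "qty": 120, "due": "2020-04-03"}],
    "delivery_date": "2020-04-10",
    "amount_usd": 4800.00,
}

# Fields that identify a customer. Anything here is subject to breach-notification rules.
PERSONAL_FIELDS: FrozenSet[str] = frozenset({"customer_name", "customer_email", "ship_to"})

# Assumed role allow-lists. The supply-chain contractor gets parts, quantities and dates only.
ROLE_ALLOWLIST: Dict[str, FrozenSet[str]] = {
    "supply_chain_contractor": frozenset({"order_id", "product_sku", "components", "delivery_date"}),
    "production": frozenset({"order_id", "product_sku", "components"}),
    "customer_service": frozenset(
        {"order_id", "customer_name", "customer_email", "ship_to", "product_sku", "delivery_date"}
    ),
    "finance": frozenset({"order_id", "customer_name", "amount_usd", "delivery_date"}),
}


class AccessDenied(Exception):
    """Raised for roles that have no allow-list at all (default deny)."""


@dataclass
class AccessLog:
    entries: List[Dict[str, Any]] = field(default_factory=list)


def view_order(record: Dict[str, Any], role: str, actor: str, log: AccessLog) -> Dict[str, Any]:
    """Return the subset of `record` the role may see; log which personal fields were exposed."""
    allowed = ROLE_ALLOWLIST.get(role)
    if allowed is None:
        log.entries.append({"actor": actor, "role": role, "order_id": record["order_id"], "denied": True})
        raise AccessDenied(f"role {role!r} has no access to order data")
    view = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({
        "actor": actor,
        "role": role,
        "order_id": record["order_id"],
        "personal_fields_read": sorted(allowed & PERSONAL_FIELDS & record.keys()),
    })
    return view


def roles_exposing_personal_data() -> List[str]:
    """Review helper: every role whose allow-list reaches any personal field."""
    return sorted(role for role, fields in ROLE_ALLOWLIST.items() if fields & PERSONAL_FIELDS)


if __name__ == "__main__":
    log = AccessLog()
    print(view_order(ORDER, "supply_chain_contractor", "acme-parts", log))
    print("Roles with access to personal data:", roles_exposing_personal_data())
```

Running `roles_exposing_personal_data()` periodically against the live role definitions is the kind of check that turns “limit who has access” into something auditable.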

If employees use their own devices for work – perhaps because they travel for their job – check these devices regularly for any malware or viruses. When Barack Obama was elected president, he did not want to give up his beloved BlackBerry. So, the NSA spent a week making sure it was clean and installing safeguards to prevent it from being hacked in the future. Businesses need to do something similar with the phones, tablets and laptops carried around by people who use them to remotely access customer data. It may not need to be as stringent as what is needed to protect a president’s communications and data, but it must be sufficient to safeguard a company’s customer information.

Likewise, every company needs to remind all employees at every level in the organization that data security is their job and not merely the responsibility of somebody in IT.

CCPA Can Be Costly

The CCPA creates statutory damages for any business that collects and stores a customer’s personal data. The penalties range from $100 to $750 per customer, per incident or the actual damages – whichever is greater. The law states the breach itself is a damage.

A breach involving 10,000 individuals or households could result in a fine of $7.5 million and unleash a torrent of individual and class action lawsuits around minor and major breaches because the plaintiffs do not have to prove actual damages.

In fact, the law instructs judges to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.

For a large corporation, the award could be in the hundreds of millions of dollars and a smaller, privately owned business might be forced into bankruptcy.

As data security and privacy lawyers, we have helped companies establish internal procedures, policies and rules around protecting the data they hold. If you are a general counsel or executive and want to ask questions about what programs your organization can implement to head off CCPA sanctions from the state or lawsuits, please call or email us. We’ll be happy to share what we know about the law and what other companies are doing.

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Contrary to popular belief, paying a criminal’s ransom demand does not guarantee that you will regain access to your computers and data. The FBI does not advocate paying a ransom because in some cases, victims who paid a ransom were never provided with decryption keys to unlock their computers and data. Indeed, in a recent federal court case in Maryland, an embroidery company that was the victim of a ransomware demand paid the ransom and the criminal reneged. The company then had to hire a security firm to replace and reinstall the company’s software and install protective software on its computer system, but some software was lost forever. In the end, the computer system lost efficiency because the protective software slowed the system, and the company’s computer expert testified that there were likely dormant remnants of the computer virus on the system that could re-infect the entire system.

The company’s State Auto business owners’ insurance policy appeared to cover the damage. But because the computer system was still operable, State Auto denied the claim. The case turned on the policy language that the insurer would pay for “direct physical loss of or damage to Covered Property,” where the term “Covered Property” included software and data stored on the computer. The court, citing other cases, held that “physical damage” was not restricted to the physical destruction of the computer, but included loss of access, loss of use, and loss of functionality. The court also rejected the insurer’s argument that the policy required an utter inability to function. Instead, the court reasoned:

The more persuasive cases are those suggesting that loss of use, loss of reliability, or impaired function demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” policy language. Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.

In the end, the court granted summary judgment for the embroidery company allowing it to recover more than $300,000 to replace its computer server, software, and data. The case is National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).

A list of the FBI’s cyber defense best practices can be found here.

The U.S. Food and Drug Administration (FDA) issued a press release on March 3, 2020, to inform patients, health care providers and manufacturers about a newly discovered cybersecurity vulnerability. A vulnerability set referred to as “SweynTooth” affects wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life and can be found in medical devices, as well as other devices, such as consumer wearables and Internet of Things (IoT) devices. Microchips using BLE may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps), or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices). The SweynTooth vulnerabilities may allow an unauthorized user to wirelessly crash a device, stop it from working, or access device functions normally only available to the authorized user.

The FDA said it is not aware of any confirmed events related to SweynTooth, but noted that software to exploit the vulnerabilities is publicly available. Medical device manufacturers are currently assessing potential affected devices and are identifying risk and remediation actions.

In addition, several microchip manufacturers have already released patches. For more information about the SweynTooth cybersecurity vulnerabilities, including a list of affected devices, see this ICS Alert from the Cybersecurity and Infrastructure Security Agency.

The FDA has asked manufacturers to communicate to health care providers and patients which medical devices are affected by SweynTooth and to offer ways to reduce the risk. Patients should talk to their health care providers to determine if their device is affected.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

Companies making and selling any sort of connected devices, particularly medical device companies, need to be vigilant in addressing the security issues inherent in their products. If you are an executive or general counsel and have questions about what you need to do to address potential cybersecurity issues, please contact us.

With the stock market dropping 3,500 points last week, panicked over the latest coronavirus scare, COVID-19, public companies should expect plaintiff class action securities lawyers to pounce on any material misstatements or omissions made in their press releases and public disclosures, including misstatements about supply chain difficulties.

According to Thomas Insights, 60% of U.S. manufacturers have been impacted by COVID-19 in their production facilities and supply chains, with 46% of suppliers reporting that their shipping and logistics have been disrupted, 35% reporting incidents of offshore factory suspension and production restrictions, and 8% reporting that the outbreak has caused the costs of goods to surge. Given these difficulties and a declining market, company executives may feel compelled to quell investor panic about their supply chain difficulties.

To read the full Taft law bulletin on this topic, click here.

The list of ERP software system train wrecks is legendary – and growing. Hardly a month passes without news appearing of another lawsuit being filed against a vendor or integrator by a customer who claims they wasted tens of millions of dollars – sometimes hundreds of millions – only to discover that an upgrade or a new system went off the rails.

We’ve written about many of these failures, most recently on problems faced by the state of Maryland, Revlon, and National Grid. And ERP consultant Eric Kimberling created a list of his Top 10 Worst ERP Failures of All Time.

The specifics of each failure differ. Yet as attorneys who’ve spent our careers negotiating and drafting ERP contracts, and litigating disputes when a project goes sideways, we’ve seen a number of issues that each failure has in common. Here is our list of the six most frequent reasons why an ERP project is likely to come undone.

1 – The customer didn’t start its selection process with a consultant. A technology-agnostic authority with deep ERP experience in a range of industries will help a company with everything from framing the RFP to assessing proposals and then riding herd on the vendor and integrator as the project is being implemented. A good consultant will know when suppliers are blowing smoke to upsell their services and when they’re drawing attention to a legitimate problem.

2 – The customer accepts at face value what vendors and integrators tell them. This is related to No. 1. The sales teams sent out by vendors such as SAP, Oracle and Microsoft, as well as by integrators such as Accenture, have only one job: get you to sign the order. They will say what they believe you want to hear. “We have deep experience in the widget business,” even if they’ve never set foot in a widget plant. Customers unfamiliar with these tactics who proceed without a consultant at their side can easily fall prey. In the same vein, the product demo shown to potential customers often doesn’t behave the way the version actually being sold will function in a real-time situation.

3 – Top management didn’t “own” the project. Many times, top executives assume that because they have an integrator they don’t need to spend time managing the project. What they overlook is that an ERP software system touches nearly every aspect of the business, from the supply chain and production to distribution, invoicing, accounting and even payroll. Yet despite its far-reaching impact and the enormous amounts of company money and employee time required to make it operational and useful, we’ve seen companies hand off responsibility for the integration to either their IT department or a third-party integrator with little or no active oversight from the top. No other aspect of a business is dealt with this way, and ERP must receive the same attention that is given to cash flow and headcounts.

4 – ERP is viewed as a “tech” project. An ERP software system is a technology tool that provides a business management solution. When the person in the corner office thinks of ERP only as a tech project, it can get relegated to the same category as an upgrade to Windows or iOS. Sign the contract and let the folks over in IT worry about the implementation and any problems that might arise. Unfortunately, many integrators are guilty of trying to let the CEO, COO and CFO think in these terms because it reduces the chance of being asked tough questions when there are problems.

5 – Template contracts are signed without negotiating. When a company tells a vendor and integrator “we’ll do it!” the contracts that get slid across the desk are one-sided in favor of the seller. To the extent possible, a customer’s contracts should:

  • Include all of the sales material presented and the proposal that was accepted.
  • Be as specific and detailed as possible.
  • Define the exact responsibilities of the customer, the vendor and the integrator.
  • Detail how changes will be made during integration and who is authorized to approve any changes.
  • Include a list of the subcontractors to be used by the vendor or integrator, their role in the project and their experience on similar ERP software systems in a similar industry.
  • Specify the warranty limits and include language detailing what remedies will be available in the event of a project meltdown.

6 – Management sees the vendor and integrator as their partner. Too often, the reality is just the opposite. The large vendors and integrators are skilled at lulling the customer into a false feeling of “we’re in this together.” While sometimes this is true, in a growing number of instances the sellers are only selling – and upselling – their services and view the customer as their adversary to be “handled.” This can result in a company agreeing to pay now for licenses it won’t need for years in the future, if ever. A partner would not do this.

Management’s Responsibility

Vendors and integrators may not be angels when it comes to their dealings with a customer; however, management frequently must shoulder part of the blame when an ERP implementation fails. As ERP attorneys who have litigated many ERP disasters, we often find that if the C-suite had been doing its job the problem may not have escalated in the first place.

If you are a general counsel or other senior executive at a company or public sector body considering an upgrade to your ERP software system, or thinking about installing one for the first time, we’d be happy to speak with you about how to do the project the right way. We’ll answer your questions and can refer you to several of the top consultants in the ERP space.

Much of the business world has been focusing on ensuring it is compliant with California’s tough Consumer Privacy Act (CCPA) that took effect Jan. 1, 2020. Far less attention has been paid to a second law enacted by the state legislature that came into force at the same time regulating the data security of connected “smart” devices.

Called the IoT law, the far-reaching act covers everything from connected bathroom scales and fitness trackers to printers, major appliances and some GPS devices. About the only products exempt from California’s rules are those regulated by federal law, such as medical devices covered by the FDA and vehicles that come under the purview of the National Highway and Transportation Safety Act.

Like the CCPA, California’s IoT law covers California residents and households regardless of where the manufacturer is based or where an item is actually made. But because of the state’s huge population and massive economic impact – by some estimates, California is the world’s fifth-largest economy – in many respects its IoT law has become a national law.

Complying with the IoT Law

For the first time, IoT devices must have what the legislation calls “reasonable” security features: features that are appropriate to the nature of the device and to the information it collects, transmits and stores, and that are intended to protect both the device and its information from unauthorized access, use, modification, disclosure or destruction.

The law doesn’t actually define what a “reasonable” security feature might be, except for devices that can be accessed from outside a home’s local network – a basic function of any consumer-focused IoT device. Each such device must have a unique password, and users must be able to create their own method of authentication before access to the device is allowed the first time it is used.
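To make the two authentication requirements just described concrete, here is an added example in Python; it is not code from the original bulletin or from any device vendor. It models a hypothetical device that is reachable from outside the home network, checks that its factory password is not shared with other units in a (constructed) fleet, and refuses remote access until the owner has replaced the factory credential with one of their own. The names `Device`, `FACTORY_CREDENTIALS`, `SHARED_DEFAULT` and `audit_fleet` are all assumptions made for the illustration.

```python
"""Added example modelling the per-device unique password and the
first-use credential setup the text describes. All identifiers and
sample values are hypothetical and constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed per-unit factory secrets: each unit gets its own value.
FACTORY_CREDENTIALS: Dict[str, str] = {
    "unit-0001": "Xq9!v2Lm7r",
    "unit-0002": "Hb3#kT8wQz",
}

# The failing pattern: one credential shared by every unit of a hypothetical
# older firmware. Kept only so the audit below has something to flag.
SHARED_DEFAULT = "admin"


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not reveal credentials directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Device:
    serial: str
    factory_password: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    user_hash: Optional[bytes] = None  # set once the owner picks a credential

    def factory_password_is_unique(self, fleet: Dict[str, str]) -> bool:
        """True if no other unit in the fleet carries the same factory password."""
        return sum(1 for p in fleet.values() if p == self.factory_password) == 1

    def set_user_credential(self, password: str) -> None:
        """First-use step: the owner must choose a credential that is not the
        factory value and not the shared default before remote use is possible."""
        if len(password) < 10:
            raise ValueError("credential too short")
        if password in (self.factory_password, SHARED_DEFAULT):
            raise ValueError("credential must differ from factory and default values")
        self.user_hash = _derive(password, self.salt)

    def remote_access_allowed(self, password: str) -> bool:
        """Access from outside the local network is granted only after the owner
        has set a credential, and only with that credential."""
        if self.user_hash is None:
            return False  # still on factory state: no remote access at all
        return hmac.compare_digest(_derive(password, self.salt), self.user_hash)


def audit_fleet(fleet: Dict[str, str]) -> List[str]:
    """Return serials whose factory password is shared with another unit."""
    return sorted(
        serial for serial, pw in fleet.items()
        if sum(1 for other in fleet.values() if other == pw) > 1
    )


if __name__ == "__main__":
    dev = Device("unit-0001", FACTORY_CREDENTIALS["unit-0001"])
    print("unique factory password:", dev.factory_password_is_unique(FACTORY_CREDENTIALS))
    print("remote access before setup:", dev.remote_access_allowed(dev.factory_password))
    dev.set_user_credential("Correct-Horse-Battery")
    print("remote access after setup:", dev.remote_access_allowed("Correct-Horse-Battery"))
    print("units sharing a default:", audit_fleet({"a": SHARED_DEFAULT, "b": SHARED_DEFAULT}))
```

The design point is that uniqueness and forced setup are checked by the device itself rather than left to documentation: a unit that has never had its credential changed simply does not answer remote logins, whichever password is offered.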

As a result, businesses making and selling smart IoT devices need to review and reconsider what information is being collected and how it is used. The law repeatedly refers specifically to traditional household items, such as microwaves and children’s toys, which often have the ability to collect more data than is really needed to function properly.

In the legislative report that accompanied the law, the Assembly referred to a smart doll with Bluetooth that allowed the doll to talk with kids. It prompted children to provide all sorts of irrelevant information, such as their addresses and the names of their schools. A hacker could use this data to do all sorts of horrible things to vulnerable children.

As yet another related example, a business owner in Buffalo, New York, complained on LinkedIn when she discovered to her horror that her Google Home Assistant began recommending nursery rhymes to her two-year-old when the child asked for her favorite song to be played. The woman said she disconnected the device immediately and now only plays music to the little girl from a computer. Given Google’s history, she worried about what third-parties had purchased the information about her daughter and the family.

California legislators also referred to the ability of malware to spread across a network of IoT devices simply because a user made dinner.

So, manufacturers of connected devices need to take into account the potential for a virus, malware or ransomware to spread across the networks their devices join.

Such attacks are not difficult to carry out. A researcher hacked into his own smart insulin pump, which allowed him to control the amount and frequency of his insulin delivery. A lethal dose could be delivered remotely by a hacker.

A Need to be Proactive

All companies making and selling any sort of consumer-focused smart devices need to be proactive in addressing the security issues inherent in their product.

If a device is hacked and the data stolen or misused, one of the strong defenses against a complaint filed by the state after a security incident would be that the business took “reasonable steps” – the wording in the legislation – to prevent it from happening. This makes ensuring the safety of an IoT device the responsibility of the CEO and the board.

As data security and privacy attorneys, we are tracking the growing expansion of state legislation designed to protect consumers and their families. We are also following the progress of proposed federal legislation as various bills move through House subcommittees.

If you are in senior management as an executive or general counsel and have questions about what you need to do to comply with California’s IoT security law, feel free to contact us. We will be happy to share with you ideas on how to stay in compliance.

Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies that may not have any connection to New York except for having information about New York residents in their database. The SHIELD Act:

  • Expanded the scope of information subject to New York’s previous data breach notification law. Previously, the law covered “personal information,” meaning information which, because of name, number, personal mark, or other identifier, can be used to identify a person. The scope of information has been expanded to include what the law now calls “private information,” which also includes biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.
  • Broadened the definition of a data breach to include unauthorized access to private information. Previously, information had to be “acquired” in order for a data breach to occur; now only “access” is necessary. In determining whether information has been “accessed” without valid authorization, businesses may consider, among other factors, indications that the information was viewed, communicated with, used, or altered.
  • Updated the notification procedures companies must follow when there has been a breach. Importantly, the law applies the notification requirement to any person or entity with the private information of a New York resident, not just to persons or entities that conduct business in New York. Notice is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of the information. If a determination that notice is not required is made, the determination must be documented in writing and maintained for at least five years, and if the incident affects over five hundred residents of New York, the written determination must be provided to the state attorney general.
  • Requires businesses to enact “reasonable” security practices. The law creates data security requirements tailored to the size of a business. For instance, a small business (based on revenues and number of employees) will be deemed to have reasonable security practices in place if its security program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Businesses that are not small businesses must implement a data security program that includes reasonable administrative safeguards (including risk identification and assessment, employee training, and monitoring), reasonable technical safeguards, and reasonable physical safeguards. A business that is subject to and meets the data security requirements of other federal or New York laws that include cybersecurity protections (including HIPAA-HITECH and Gramm-Leach-Bliley) is deemed to have met the data security requirements of the SHIELD Act.

Like the EU’s General Data Protection Regulation (GDPR) and like the California Consumer Privacy Act (CCPA), the SHIELD Act has extraterritorial effect—if you have private data of a New York resident, you have to comply with the law. Given the size of the state of New York, companies that do business on any but the most hyperlocal level need to evaluate whether they must comply.

On Feb. 5, 2020, the United States Patent and Trademark Office (USPTO) announced that U.S. Secretary of Commerce Wilbur Ross had appointed David Gooder as the new commissioner for trademarks. Gooder replaces Mary Boney Denison who retired from the position with the agency on Dec. 31, 2019.
