The California Consumer Privacy Act (CCPA) was barely a month old when the first private lawsuit was filed under the law. The action against a children’s clothing company and Salesforce Inc., the giant developer of CRM software that hosted the retailer’s customer data, was filed in federal court in early February 2020.

The details of the lawsuit matter less than what it highlights: companies of all sizes and types must do two things. They must take proactive steps to prevent data hacks and leaks, and they must know what will be required to defend themselves against allegations made by consumers and the state.

The state attorney general says his office will not launch enforcement actions against companies until July 1, 2020, as long as they can show they are taking steps to comply with CCPA’s requirements. Yet as the lawsuit underscores, there is nothing stopping individuals from seeking damages as a result of alleged leaks and hacks well before mid-year.

Offense is Defense

In 2018, a 15-year-old self-taught ethical hacker named Marcus Weinberger terrified a packed hall at a technology conference by having attendees call out the names of their firms. Using the laptop he takes class notes on and some things he bought with his allowance at the mall, he hacked into every organization’s data in under 15 minutes.

This shows that companies must acknowledge that whatever can be hacked will be hacked, or will be leaked through accident, carelessness or error.

The first line of defense is to ensure that identifiable or personalized information is thoroughly encrypted. In fact, the CCPA specifies this as a possible safe harbor against fines or a lawsuit. One technology company went so far as to set up its software so that it could be downloaded only onto an encrypted stick it licensed to its users. Non-users could not acquire it.

But there are additional steps that must be taken by businesses to prepare themselves to defend against CCPA complaints.

Another vital move is to prepare and document a plan that will detect and stop a breach, whether caused by a hacker or by an employee’s mistake, and to know how to notify people whose data may have been compromised. The CCPA requires prompt notification. Being able to show a court or a state tribunal that this was done, and that the company had taken proactive steps to limit the damage, can be a strong defense.

Limit access to customer data to the people who need it to do their jobs. For instance, an ERP software system will likely contain an enormous amount of identifiable information about customers. An employee responsible for the supply chain, or one who is involved in the production process, may not need access to data about specific customers. The fewer people who can accidentally or deliberately expose this information, the lower the risk of a breach.

If employees use their own devices for work – perhaps because they travel for their job – check these devices regularly for malware or viruses. When Barack Obama was elected president, he did not want to give up his beloved Blackberry. So, the NSA spent a week making sure it was clean and installing safeguards to prevent it from being hacked in the future. Businesses need to do something similar with the phones, tablets and laptops carried around by people who use them to remotely access customer data. The vetting need not be as stringent as that required to protect a president’s communications and data, but it must be sufficient to safeguard a company’s customer information.

Likewise, every company needs to remind all employees at every level in the organization that data security is their job and not merely the responsibility of somebody in IT.

CCPA Can Be Costly

The CCPA exposes any business that collects and stores a customer’s personal data to statutory damages. The penalties range from $100 to $750 per customer, per incident, or the actual damages – whichever is greater. The law states that the breach itself is a damage.

A breach involving 10,000 individuals or households could result in a fine of $7.5 million and unleash a torrent of individual and class action lawsuits around minor and major breaches because the plaintiffs do not have to prove actual damages.

In fact, the law instructs judges to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.

For a large corporation, the award could be in the hundreds of millions of dollars and a smaller, privately owned business might be forced into bankruptcy.

As data security and privacy lawyers, we have helped companies establish internal procedures, policies and rules around protecting the data they hold. If you are a general counsel or executive and want to ask questions about what programs your organization can implement to head off CCPA sanctions from the state or lawsuits, please call or email us. We’ll be happy to share what we know about the law and what other companies are doing.

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks such as ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Contrary to popular belief, paying a criminal’s ransom demand does not guarantee that you will regain access to your computers and data. The FBI does not advocate paying a ransom because in some cases, victims who paid were never provided with decryption keys to unlock their computers and data. Indeed, in a recent federal court case in Maryland, an embroidery company that was the victim of a ransomware demand paid the ransom and the criminal reneged. The company then had to hire a security firm to replace and reinstall its software and install protective software on its computer system, but some software was lost forever. In the end, the computer system lost efficiency because the protective software slowed the system, and the company’s computer expert testified that there were likely dormant remnants of the computer virus on the system that could re-infect the entire system.

The State Auto business owners’ insurance policy appeared to cover the damage. But because the computer system was still operable, State Auto denied the claim. The case turned on the policy language that the insurer would pay for “direct physical loss of or damage to Covered Property,” where the term “Covered Property” included software and data stored on the computer. The court, citing other cases, held that “physical damage” was not restricted to the physical destruction of the computer, but included loss of access, loss of use, and loss of functionality. The court also rejected the insurer’s argument that the policy required an utter inability to function. Instead, the court reasoned:

The more persuasive cases are those suggesting that loss of use, loss of reliability, or impaired function demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” policy language. Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.

In the end, the court granted summary judgment for the embroidery company allowing it to recover more than $300,000 to replace its computer server, software, and data. The case is National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).

A list of the FBI’s cyber defense best practices can be found here.

The U.S. Food and Drug Administration (FDA) issued a press release on March 3, 2020, to inform patients, health care providers and manufacturers about a newly discovered cybersecurity vulnerability. A vulnerability set referred to as “SweynTooth” affects wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life and can be found in medical devices, as well as other devices, such as consumer wearables and Internet of Things (IoT) devices. Microchips using BLE may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps), or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices). The SweynTooth vulnerabilities may allow an unauthorized user to wirelessly crash a device, stop it from working, or access device functions normally only available to the authorized user.

The FDA said it is not aware of any confirmed events related to SweynTooth, but noted that software to exploit the vulnerabilities is publicly available. Medical device manufacturers are currently assessing potential affected devices and are identifying risk and remediation actions.

In addition, several microchip manufacturers have already released patches. For more information about the SweynTooth cybersecurity vulnerabilities – including a list of affected devices – see this ICS Alert from the Cybersecurity and Infrastructure Security Agency.

The FDA has asked manufacturers to communicate to health care providers and patients which medical devices are affected by SweynTooth and offer ways to reduce the risk. Patients should talk to their health care providers to determine if their device is affected.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

Companies making and selling any sort of connected devices, particularly medical device companies, need to be vigilant in addressing the security issues inherent in their products. If you are an executive or general counsel and have questions about what you need to do to address potential cybersecurity issues, please contact us.

With the stock market dropping 3,500 points last week in a panic over the latest coronavirus scare, COVID-19, public companies should expect plaintiff class action securities lawyers to pounce on any material misstatements or omissions made in their press releases and public disclosures, including misstatements about supply chain difficulties.

According to Thomas Insights, 60% of U.S. manufacturers have been impacted by COVID-19 in their production facilities and supply chains, with 46% of suppliers reporting that their shipping and logistics have been disrupted, 35% reporting incidents of offshore factory suspension and production restrictions, and 8% reporting that the outbreak has caused the costs of goods to surge. Given these difficulties and a declining market, company executives may feel compelled to quell investor panic about their supply chain difficulties.

To read the full Taft law bulletin on this topic, click here.

The list of ERP software system train wrecks is legendary – and growing. Hardly a month passes without news of another lawsuit being filed against a vendor or integrator by a customer who claims it wasted tens of millions of dollars – sometimes hundreds of millions – only to discover that an upgrade or a new system went off the rails.

We’ve written about many of these failures, most recently on problems faced by the state of Maryland, Revlon, and National Grid. And ERP consultant Eric Kimberling created a list of his Top 10 Worst ERP Failures of All Time.

The specifics of each failure differ. Yet as attorneys who’ve spent our careers negotiating and drafting ERP contracts, and litigating disputes when a project goes sideways, we’ve seen a number of issues that the failures have in common. Here is our list of the six most frequent reasons why an ERP project is likely to come undone.

1 – The customer didn’t start its selection process with a consultant. A technology-agnostic authority with deep ERP experience in a range of industries will help a company with everything from framing the RFP to assessing proposals and then riding herd on the vendor and integrator as the project is being implemented. A good consultant will know when suppliers are blowing smoke to upsell their services and when they’re drawing attention to a legitimate problem.

2 – The customer accepts at face value what vendors and integrators tell them. This is related to No. 1. The sales teams sent out by vendors such as SAP, Oracle and Microsoft, as well as by integrators such as Accenture, have only one job: get you to sign the order. They will say what they believe you want to hear. “We have deep experience in the widget business,” even if they’ve never set foot in a widget plant. Customers unfamiliar with these tactics who proceed without a consultant at their side can easily fall prey. In the same vein, the product demo shown to potential customers often doesn’t work the way the actual version being sold functions in real-world use.

3 – Top management didn’t “own” the project. Many times, top executives assume that because they have an integrator they don’t need to spend time managing the project. What they overlook is that an ERP software system touches nearly every aspect of the business, from the supply chain and production to distribution, invoicing, accounting and even payroll. Yet despite its far-reaching impact and the enormous amount of company money and people’s time required to make it operational and useful, we’ve seen companies hand off responsibility for the integration to either their IT department or a third-party integrator with little or no active oversight from the top. No other aspect of a business is dealt with this way, and ERP must receive the same attention that is given to cash flow and head counts.

4 – ERP is viewed as a “tech” project. An ERP software system is a technology tool that provides a business management solution. When the person in the corner office thinks of ERP only as a tech project, it can get relegated to the same category as an upgrade to Windows or iOS: sign the contract and let the folks over in IT worry about the implementation and any problems that might arise. Unfortunately, many integrators are guilty of encouraging the CEO, COO and CFO to think in these terms because it reduces the chance of being asked tough questions when there are problems.

5 – Template contracts are signed without negotiating. When a company tells a vendor and integrator “we’ll do it!” the contracts that get slid across the desk are one-sided in favor of the seller. To the extent possible, a customer’s contracts should:

  • Include all of the sales material presented and the proposal that was accepted.
  • Be as specific and detailed as possible.
  • Define the exact responsibilities of the customer, the vendor and the integrator.
  • Detail how changes will be made during integration and who is authorized to approve any changes.
  • Include a list of the subcontractors to be used by the vendor or integrator, their role in the project and their experience on similar ERP software systems in a similar industry.
  • Specify the warranty limits and include language detailing what remedies will be available in the event of a project meltdown.

6 – Management sees the vendor and integrator as their partner. Too often, the reality is just the opposite. The large vendors and integrators are skilled at lulling the customer into a false feeling of “we’re in this together.” While sometimes this is true, in a growing number of instances the sellers are only selling – and upselling – their services and view the customer as their adversary to be “handled.” This can result in a company agreeing to pay now for licenses it won’t need for years in the future, if ever. A partner would not do this.

Management’s Responsibility

Vendors and integrators may not be angels in their dealings with a customer. Frequently, however, management must shoulder part of the blame when an ERP implementation fails. As ERP attorneys who have litigated many ERP disasters, we often find that if the C-suite had been doing its job, the problem might not have escalated in the first place.

If you are a general counsel or other senior executive at a company or public sector body considering an upgrade to your ERP software system, or thinking about installing one for the first time, we’d be happy to speak with you about how to do the project the right way. We’ll answer your questions and can refer you to several of the top consultants in the ERP space.

Much of the business world has been focusing on ensuring it is compliant with California’s tough Consumer Privacy Act (CCPA) that took effect Jan. 1, 2020. Far less attention has been paid to a second law enacted by the state legislature that came into force at the same time regulating the data security of connected “smart” devices.

Called the IoT law, the far-reaching act covers everything from connected bathroom scales and fitness trackers to printers, major appliances and some GPS devices. About the only products exempt from California’s rules are those regulated by federal law, such as medical devices covered by the FDA and vehicles that come under the purview of the National Highway and Transportation Safety Act.

Like CCPA, California’s IoT law covers California residents and households regardless of where the manufacturer is based or when an item is actually made. But because of the state’s huge population and massive economic impact – by some estimates, California is the world’s fifth-largest economy – in many respects its IoT law became a national law.

Complying with the IoT Law

For the first time, IoT devices must have what the legislation calls “reasonable” security features that are appropriate to the nature of the device, and the information being collected, transmitted and stored, and are intended to protect both the device and its information from unauthorized access, use, modification, disclosure or destruction.

The law doesn’t actually define what a “reasonable” security feature is, except for devices that can be accessed from outside a home’s local network – a basic function of any consumer-focused IoT device. Each must have a unique password, and users must be able to create their own method of authenticating before access to the device is allowed the first time it is used.

As a result, businesses making and selling smart IoT devices need to review and reconsider what information is being collected and how it is used. The law repeatedly refers specifically to traditional household items, such as microwaves and children’s toys, which often have the ability to collect more data than is really needed to function properly.

In the legislative report that accompanied the law, the Assembly referred to a smart doll with Bluetooth that allowed the doll to talk with kids. It prompted children to provide all sorts of irrelevant information, such as their addresses and the names of their schools. A hacker could use this data to do all sorts of horrible things to vulnerable children.

As yet another related example, a business owner in Buffalo, New York, complained on LinkedIn when she discovered to her horror that her Google Home Assistant began recommending nursery rhymes to her two-year-old when the child asked for her favorite song to be played. The woman said she disconnected the device immediately and now only plays music to the little girl from a computer. Given Google’s history, she worried about which third parties had purchased the information about her daughter and the family.

California legislators also referred to the ability of malware to spread across a network of IoT devices simply because a user made dinner.

So, manufacturers of connected devices need to take into account the potential for a virus, malware or ransomware to spread across their networks.

It is not difficult to do: a researcher hacked into his own smart insulin pump, which allowed him to control the amount and frequency of his insulin delivery. A hacker could deliver a lethal dose remotely.

A Need to be Proactive

All companies making and selling any sort of consumer-focused smart devices need to be proactive in addressing the security issues inherent in their product.

If a device is hacked and the data stolen or misused, one of the strong defenses against a complaint filed by the state after a security incident would be that the business took “reasonable steps” – the wording in the legislation – to prevent it from happening. This makes ensuring the safety of an IoT device the responsibility of the CEO and the board.

As data security and privacy attorneys, we are tracking the growing expansion of state legislation designed to protect consumers and their families. We are also following the progress of proposed federal legislation as various bills move through House subcommittees.

If you are in senior management as an executive or general counsel and have questions about what you need to do to comply with California’s IoT security law, feel free to contact us. We will be happy to share with you ideas on how to stay in compliance.

Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies that may not have any connection to New York except for having information about New York residents in their database. The SHIELD Act:

  • Expands the scope of information subject to New York’s previous data breach notification law. Previously, the law covered “personal information,” meaning information which, because of name, number, personal mark, or other identifier, can be used to identify a person. The scope of information has been expanded to include what the law now calls “private information,” which also includes biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.
  • Broadens the definition of a data breach to include unauthorized access to private information. Previously, information had to be “acquired” in order for a data breach to occur; now only “access” is necessary. In determining whether information has been “accessed” without valid authorization, businesses may consider, among other factors, indications that the information was viewed, communicated with, used, or altered.
  • Updates the notification procedures companies must follow when there has been a breach. Importantly, the law applies the notification requirement to any person or entity with the private information of a New York resident, not just to persons or entities that conduct business in New York. Notice is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of the information. If a determination that notice is not required is made, the determination must be documented in writing and maintained for at least five years, and if the incident affects over five hundred residents of New York, the written determination must be provided to the state attorney general.
  • Requires businesses to enact “reasonable” security practices. The law creates data security requirements tailored to the size of a business. For instance, a small business (based on revenues and number of employees) will be deemed to have reasonable security practices in place if its security program “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Businesses that are not small businesses must implement a data security program that includes reasonable administrative safeguards (including risk identification and assessment, employee training, and monitoring), reasonable technical safeguards, and reasonable physical safeguards. A business that is subject to and meets the data security requirements of other federal or New York laws that include cybersecurity protections (including HIPAA-HITECH and Gramm-Leach-Bliley) is deemed to have met the data security requirements of the SHIELD Act.

Like the EU’s General Data Protection Regulation (GDPR) and like the California Consumer Privacy Act (CCPA), the SHIELD Act has extraterritorial effect—if you have private data of a New York resident, you have to comply with the law. Given the size of the state of New York, companies that do business on any but the most hyperlocal level need to evaluate whether they must comply.

On Feb. 5, 2020, the United States Patent and Trademark Office (USPTO) announced that U.S. Secretary of Commerce Wilbur Ross had appointed David Gooder as the new commissioner for trademarks. Gooder replaces Mary Boney Denison who retired from the position with the agency on Dec. 31, 2019.

To read the full law bulletin on this topic, click here.

Ever wonder how so many devices can operate together on a unified network like 4G or Wi-Fi? Ever stop to think about why you can send a selfie from your iPhone to someone else’s Galaxy halfway across the world without distorting your smile?

Smartphones can operate together with other smartphones because hundreds of the inventions powering those smartphones are covered by Standard-Essential Patents (SEPs).

And on Dec. 19, 2019, the United States Patent and Trademark Office (USPTO) joined the Department of Justice’s (DOJ) new policy permitting injunctive relief in SEP cases, giving SEP owners a lot more leverage when licensing their inventions to other companies.

To read the full law bulletin authored by Minneapolis associate Joey Balthazor, click here.

Over the years, we have written quite a bit about the many “train wrecks” that seem to plague a disturbing number of ERP software systems. We have also litigated many of these disputes on behalf of companies whose systems did not meet the promises made by software vendors or integrators during the software sales process.

But litigation is a costly, time-consuming, energy-draining and lengthy process. Receiving compensation for a failure years after it occurs does not replace anything that was lost in the meantime.

In our decades-long careers of negotiating, drafting and litigating contracts for ERP software systems, we have come to understand how and why many of the train wrecks occurred. In fact, there are definite signs that an ERP software implementation or digital transformation is running into trouble. Knowing the signs and acting quickly to remedy them can keep a bad situation from spinning totally out of control.

Below are six common signs that indicate an organization’s ERP software system might be heading for trouble:

1 – Difficulty billing customers. Often, the invoicing process is the first to encounter difficulties. Either invoices can’t be generated in a timely fashion or they are inaccurate and customers start contacting suppliers because they are confused or angry.

2 – The supply chain is interrupted. An extreme example of this came when Revlon was unable to ship to retailers because it was getting late deliveries from suppliers. Shareholders filed three separate class action suits to recover the money they lost when Revlon’s stock price took a hit. If there are supply chain issues, it’s very likely rooted in an ERP problem.

3 – Inventory control is uncontrollable. When there are supply chain issues, they usually spill over into inventory control. Managing inventory is tricky at best: too much inventory and money is tied up; too little and production is slowed, meaning shipments are delayed. If inventory controls are not functioning properly, it is often a sign the ERP software system is not performing as needed.

4 – Problems moving data between divisions. The great strength of ERP is that it assembles actionable data across many functions and facilitates management decisions. However, if silos begin to appear, or are not removed, it greatly inhibits comparing data streams. A business also loses the ability to spot correlations and patterns that can produce key insights. If this becomes a problem for the C-suite, they need to look for the root issue in their ERP.

5 – ERP isn’t integrating smoothly. For any ERP software system to generate value it must integrate seamlessly with an organization’s other systems, especially those involving payroll and finance. When this does not happen, it quickly snowballs into widespread inefficiency, to say nothing of employees’ irritation with incorrect paychecks.

6 – System agility is awkward. Because ERP technology is rapidly changing, the introduction of enhancements can happen before they are fully mature and bug-free. If an upgraded ERP software system does not integrate smoothly, it becomes more disruptive than beneficial. Difficulties loom when the system is not agile.

Benefits and Challenges

An ERP software system is a challenge to maintain due to its integrated nature. In a worst-case scenario, an undetected problem may cause it to shut down entirely, causing a massive disruption that ripples through an entire organization.

A system that does not integrate properly will create more disadvantages than advantages for an organization. Preventing a train wreck is possible, but senior people in a private or public sector business need to spot any early warning signals that trouble is brewing. Don’t rely on your vendor or integrator to do it for you.

Whether you are installing ERP for the first time, are upgrading a legacy system, or simply have concerns about what might be happening with your ERP software system, feel free to contact us. We’ve devoted our careers to working with clients on ERP-related matters and will be happy to share what we have learned.