The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.
Recently, the Sixth Circuit rejected Travelers Casualty & Surety Company’s request for reconsideration of the court’s July 13, 2018, decision confirming that the insured’s transfer of more than $800,000 to a fraudster after receipt of spoofed emails was a “direct” loss that was “directly caused by” the use of a computer under the terms of American Tooling Company’s (“ATC’s”) crime policy. In doing so, the court likewise confirmed that intervening steps by the insured, such as following the directions contained in the bogus emails, did not break the causal chain so as to defeat coverage for “direct” losses.
As reported on Hunton’s Insurance Recovery blog, the Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018, decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy. In July, the court determined that the loss resulted directly from the fraudulent emails. The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems. But the court again rejected that argument, finding that access indeed occurred when the “spoofing” code in emails sent to Medidata employees ended up in Medidata’s computer system. Continue Reading Second Circuit Stands By Medidata “Spoofing” Decision
On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business). Continue Reading FTC Study Recommends Wider Implementation of DMARC to Combat Phishing Attacks
On February 6, 2017, the House of Representatives suspended its rules and passed by voice vote H.R 387, the Email Privacy Act. As we previously reported, the Email Privacy Act amends the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Continue Reading House of Representatives Passes Email Privacy Act
On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena. Continue Reading Email Privacy Act Reintroduced in Congress
On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.
On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy. Continue Reading Court Rules Fraud Involving a Computer Is Not ‘Computer Fraud’ under Crime Protection Policy
This post has been updated.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities. Continue Reading Second Circuit Holds Microsoft Cannot Be Compelled to Turn Over Emails Stored Abroad
On October 23, 2015, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.