Developing an information security program is good business, and for auto dealers that are considered “financial institutions” under the Gramm-Leach-Bliley Act (GLB), it is the law. As part of the GLB, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires “financial institutions” to develop a written security plan to protect customer information. Dealers are considered “financial institutions” if they extend credit, facilitate financing through another bank or manufacturer, or provide financial advice or counseling to individuals. Although the Safeguards Rule has been in place since 2003, consumers’ heightened awareness regarding data security makes the Rule even more relevant today.
In August 2017, Wisconsin technology company 3 Square Market may have been the first U.S. company to offer employees the ability to have radio frequency identification device (“RFID”) chips implanted under their skin. The chips, the size of a grain of rice, are injected between the employee’s thumb and index finger. After that, employees can swipe their hands over chip readers to get into the office building, purchase food in the cafeteria and potentially log on to computer and other systems. For now, the chips are voluntary, and numerous employees have signed up to have them implanted.
Much to the dismay of companies, on August 1, 2017, the U.S. Court of Appeals for the D.C. Circuit made it easier for plaintiffs, and their attorneys, to bring class action data breach cases. In Attias v. CareFirst, Inc., Case No. 16-7108, the Court concluded that the plaintiffs’ heightened risk of future identity theft was sufficient to show standing at the pleading stage. With CareFirst, the D.C. Circuit becomes the second U.S. Court of Appeals to reach this conclusion. The 7th Circuit, in Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015), was the first.
Apple’s removal of VPN apps from its app store in China could signal a difficult road ahead for companies doing business there. In March 2017, we posted a summary of China’s new cyber security law (Law) that went into effect on June 1, 2017. Now, less than one month later, Apple announced over the weekend that it had “been required to remove some VPN apps in China that do not meet the new regulations,” according to Carolyn Wu, Apple’s China spokeswoman.
Due to the increasing number of successful and attempted cyber-attacks and increased government scrutiny surrounding protection of confidential information, companies cannot ignore the various risks associated with potential data breaches. The result is that more and more companies are considering and purchasing cyber insurance. Companies are increasingly recognizing that customer names, customer financial data, credit card information, social security numbers, passwords, employee information, medical information, confidential commercial information and intellectual property are all vulnerable to a data breach. Some companies’ entire business model relies on the confidentiality of trade secrets or other proprietary information, the compromise of which could cripple the business. Loss or disclosure of this data can result in lost revenue and negative publicity. Not surprisingly, more and more companies are buying cyber insurance to minimize or mitigate their risks. But selecting the right policy can be tricky, especially given the relative newness of this line of coverage.