In 2023, the government and whistleblowers were party to 543 settlements and judgments — the highest number in a single year — collecting over $2.68 billion. Since announcing its Civil Cyber-Fraud Initiative in October 2021, the Justice Department has shown that the initiative is dedicated to using the FCA as a mechanism to hold accountable federal contractors who fail to follow federal cybersecurity requirements. Settlements in 2023 included allegations against companies for failing to provide secure systems to customers, failing to provide secure hosting of personal information, and failing to properly maintain, patch, and update software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2024 and beyond, so all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2023 Year in Review, our 12th annual review of significant FCA cases, developments and trends.
The frequency of class actions related to data breaches has significantly increased, with no indication that this upward trajectory will plateau. This raises the question: Are there more efficient alternatives to settling these disputes in the public eye of the courts? Moreover, is it possible to mitigate the financial burden associated with these legal battles? The short answer: Incorporating arbitration clauses and class action waivers into terms and conditions presents a viable strategy — if done correctly.
In a recent ruling by the Ninth Circuit, a significant message was sent to businesses about the critical nature of employing clear and effective website terms and conditions incorporating an arbitration clause and class action waiver. The case of Patrick v. Running Warehouse, LLC, — F.4th —- (2024), stemmed from a data breach in October 2021, leading to the alleged exposure of consumers’ personally identifiable information. The consumers’ attempt to bring forward class actions for negligence, breach of contract, and other claims against the retailer was met with a motion to compel arbitration.
The ruling underscores the necessity for businesses to ensure that their terms of service are not only present but also prominently displayed and easily accessible to consumers. In this instance, the court noted that the plaintiffs had acknowledged seeing a hyperlink to the Terms of Service, placing them on “inquiry notice” of the arbitration provision. This concept, supported by prior decisions, suggests that while consumers may choose not to read the terms, the availability of these terms still binds them legally, as they are considered to have been given sufficient notice.
For background, arbitration offers a practical alternative to the costly and time-consuming nature of court litigation. It is favored by many larger entities for its ability to circumvent protracted trial procedures, maintain the privacy of legal disputes, and allow the parties a hand in selecting the arbitrator. Traditionally, the inclusion of class action waivers within arbitration clauses deters the amalgamation of individual claims into a single, large-scale lawsuit. These advantages, combined with class action waivers, are particularly appealing to businesses aiming to reduce the financial and reputational risks associated with data breach lawsuits, which often involve extensive class sizes and substantial potential for reputational harm. However, recent developments have made arbitration less enticing given the current surge in mass arbitration, where thousands of identical claims from consumers or employees are filed against a company. This movement is propelled by a savvy group of plaintiff lawyers who use the sheer number of data breach and privacy claims to strong-arm settlements, since the company’s alternative is incurring single-plaintiff arbitration fees for thousands of cases.
As the legal landscape surrounding mass arbitrations evolves, there are proactive measures a company can take to mitigate these risks. However, for these strategies to be effective, they need to be implemented before the company is notified of a mass arbitration. Companies must carefully revise their arbitration agreements to avoid any provisions that could be deemed unconscionable, potentially jeopardizing the entire agreement. Instituting a pre-dispute resolution process with mandatory individualized conferences before arbitration can ensure that only serious claims proceed, potentially decreasing costs. Additionally, requiring claimants to submit individual requests for arbitration with comprehensive details about the claim and a good faith estimate of the dispute amount can help deter baseless claims. Modifying cost-splitting provisions to remove blanket commitments to cover arbitration filing fees and introducing the possibility of fee shifting for frivolous claims can further protect companies. Moreover, adopting a clause for batch arbitration, where similar claims filed simultaneously are consolidated into manageable groups, can streamline the resolution process and benefit both companies and consumers by enabling more efficient adjudication with reduced administrative burdens. These measures, carefully tailored to comply with applicable laws and arbitration rules, can significantly mitigate the risks associated with mass arbitration scenarios.
It’s important to note that not every arbitration clause and class action waiver holds up legally. Errors and oversights can elevate the likelihood of a company having to face a class action lawsuit in court, despite efforts to circumvent such scenarios through waivers. This case is a clear reminder of the need for businesses to use terms and conditions effectively. By ensuring that these legal agreements are clearly communicated and accessible, companies can better protect themselves from legal disputes.
Bradley has extensive expertise in guiding clients through mass arbitration claims and stands in a unique position to help businesses tailor dispute resolution clauses that best fit their specific requirements. If you have any inquiries regarding mass arbitration, we encourage you to contact any of the Bradley representatives listed below for further assistance.
A recently introduced bill in the Florida Legislature would provide businesses operating in Florida, including health care providers, with a legal defense to data breach lawsuits if they maintain robust cybersecurity measures that meet government- and industry-recognized standards. Specifically, Florida House Bill No. 473 (H.B. 473), known as the Cybersecurity Incident Liability Act, was introduced and reported favorably in the Commerce Committee on Jan. 23, 2024, to provide a much-needed safe harbor from liability for businesses that implement sensible, industry-recognized cybersecurity measures. This act aims to incentivize businesses to achieve a higher level of cybersecurity by maintaining a cybersecurity program that substantially complies with industry-recommended frameworks.
Businesses that achieve substantial compliance with recognized frameworks outlined in H.B. 473 would be entitled to a “legal safe harbor,” which could be used as an affirmative defense against tort claims arising from data breaches linked to alleged failures to adopt reasonable cybersecurity measures.
Alexis Buese, a key member of Bradley’s Class Action Litigation team based in Tampa, played a pivotal role in introducing the bill by providing crucial testimony on behalf of the health care industry in favor of H.B. 473 before the Commerce Committee. Bradley has consistently been at the forefront of advocating for innovative solutions that empower businesses to mitigate unnecessary class action exposure. With H.B. 473, the approach to liability becomes proactive, encouraging businesses to enhance their cybersecurity practices while offering incentives for upscaling their security measures.
Safe Harbor Details
H.B. 473’s “safe harbor” does not grant blanket immunity to a business facing a data breach lawsuit. Rather, it specifically applies only to tort claims, such as negligence, and businesses seeking to utilize the safe harbor must plead it as an affirmative defense in a lawsuit and demonstrate that their cybersecurity program complies with the law’s requirements. Importantly, the safe harbor does not extend to contract-based claims arising from disputes with vendors or customers involving contractual relationships.
It’s important to note that H.B. 473 does not establish a minimum cybersecurity standard that businesses must achieve. Instead, it encourages businesses to adopt and maintain cybersecurity programs in substantial compliance with industry-recognized frameworks without imposing liability on those that do not. The frameworks recognized by H.B. 473 include the following:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
- NIST Special Publication 800-171
- NIST Special Publication 800-53 and 800-53A
- The Federal Risk and Authorization Management Program security assessment framework
- The Center for Internet Security (CIS) Critical Security Controls
- The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards
Additionally, H.B. 473 also considers cybersecurity programs substantially aligned with federal requirements, including the following:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security requirements in 45 CFR part 160 and part 164, subparts A and C
- The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164
- The Federal Information Security Modernization Act of 2014
Notably, H.B. 473 takes a flexible approach to cybersecurity: in determining whether a program is substantially aligned with a standard recognized in the bill, it considers various business-specific factors that bear on the necessary scale and scope of that program. These factors include the size, complexity, and nature of the business and its activities, the sensitivity of the personal information it holds, the availability and cost of security improvement tools, and the resources available for cybersecurity efforts.
What Does This Mean for Companies in Florida?
While H.B. 473 is not yet law, it signifies a positive step forward in recognizing and rewarding businesses that proactively adopt and maintain robust cybersecurity programs. Looking ahead, companies of all types and sizes, across various industries in Florida, should take the opportunity to assess the confidential, proprietary, personal, or other sensitive information they hold. It is crucial to review and evaluate the effectiveness of your privacy and security measures. This evaluation should encompass the organization’s overall culture concerning privacy and security, ensuring that both leadership and employees are adequately focused on these critical issues.
Furthermore, businesses should conduct thorough risk assessments to identify vulnerabilities and areas at risk, implement additional security measures to mitigate these risks, review and enhance existing policies and procedures, establish a tested incident response plan, and update employee training to address the latest cyber threats. This proactive approach to cybersecurity aligns with the objectives of H.B. 473 and can help businesses in Florida stay ahead in safeguarding their data and operations. If you have any questions about H.B. 473 or data privacy and cybersecurity matters generally, please contact Alexis Buese or Eric Setterlund.
Ransomware attacks that shut business down to zero and data breaches that disclose the personal information of customers, vendors and employees justifiably strike fear in the hearts of executives everywhere. Organizations can suffer the reputational and financial consequences of these events for years to come. Due diligence in the current regulatory environment requires a plan for prevention and incident response.
But while ransomware and data breaches grab the headlines, business email compromise is overall the most prevalent and costly form of cybercrime. That’s because business email compromise is occurring every minute of every day. It’s a cybercriminal’s low-hanging fruit.
Even the most sophisticated among us have been fooled by cybercriminals’ ever-more-savvy social engineering. Fraudsters can pose as a business partner more credibly than ever, through the use of deceptively similar email addresses, alteration of the company’s real email chains, and alteration of familiar business forms. They learn the context of the financial transaction at issue in advance so they can cloak the crime in familiarity and take advantage of our reliance on email to get things done quickly. Millions in company funds have been unwittingly wired to fraudsters’ bank accounts, with discovery of the fraud occurring too late for clawback.
An Ounce of Prevention Is Worth a Pound of Cure
Combating losses from business email compromise is straightforward. Institute an internal procedure for verifying the authenticity of payment instructions before making payments, and regularly train your employees on social engineering techniques.
Many insurance policies covering social engineering losses require proof of such internal procedures and training as conditions of coverage. The limits available may also be insufficient to cover the entire loss. If sufficient coverage is unavailable, liability for diverted payments is typically apportioned to the party who was in the best position to avoid the loss.
Payment verification procedures and employee training – along with basic cybersecurity measures such as two-factor authentication for log-ons and social engineering insurance – go a long way toward protecting the company’s bottom line from fraudsters and from consequential harm to business relationships.
The Florida Telephone Solicitation Act (FTSA), effective July 1, 2021, has undergone significant amendments as of May 25, 2023, reshaping the legal landscape for businesses in Florida. Initially, the FTSA created a private right of action for unwanted calls and texts, leading to over 500 complaints within a year. To clarify the FTSA’s ambiguities, Florida legislators introduced new bills, resulting in Gov. Ron DeSantis signing HB 761 into law, modifying the FTSA to bring more clarity for businesses contacting consumers via calls and texts. One crucial aspect of the amendment is its applicability to cases without granted class certification as of the amendment’s effective date. This change aimed to address the surge in “gotcha” litigation. Despite arguments from the plaintiff’s bar challenging the amendment’s constitutionality, two recent court decisions have upheld its validity. This blog post will discuss the implications that these decisions may have on the future landscape of the FTSA in Florida.
Effective July 1, 2021, the FTSA created a private right of action for consumers who receive unwanted calls and text messages. The FTSA applies to any business sending inbound text or calls into Florida, even if they are not organized under Florida law and have no physical presence in Florida. The FTSA removed many of the protections that businesses rely upon in defending claims under the Telephone Consumer Protection Act (TCPA). The FTSA prohibits the use of certain automated dialers to call (or text) consumers without their consent and enables consumers to recover $500 per call. Those damages are trebled for willful violations, resulting in a maximum potential liability of $1,500 per call.
The FTSA triggered a host of lawsuits and caused numerous challenges due to its ambiguity. The FTSA was thus amended in 2023.
The definition of an “auto-dialer” was substantially narrowed. The original FTSA language described an “automated system” as a tool for either “selection or dialing” of phone numbers. The updated definition shifts to “selection and dialing,” tightening the criteria for what constitutes an “auto-dialer.” As amended, a violation of the FTSA would only occur where the automated system is used to both select and dial telephone numbers. This clarifies that calling technology must meet a two-part test to qualify as an automated system.
The FTSA originally prohibited “telephonic sales calls” if they involved the use of an automated system for the selection or dialing of phone numbers. This created ambiguity as to whether the prohibition applied to calls made pursuant to a nonwritten request to be called, such as inbound calls from a consumer. The amendment clarifies that the prohibition applies to certain “unsolicited” telephonic sales calls. Unsolicited calls, among other things, are calls made other than in response to an express request of the person called or to a person with whom the telephone solicitor has a prior or existing business relationship.
Additionally, the amendments introduce a 15-day opt-out period for text message communications. Before initiating legal action over unsolicited texts, consumers must respond with a “STOP” message. The sender then has 15 days to cease sending texts, except for a confirmation of the opt-out. Legal action is permissible only if the sender fails to comply after this period. This provision significantly diminishes the legal exposure for marketers sending text messages in Florida, underscoring the importance of diligently recording and respecting opt-out requests.
Significantly, under Section 2, the amended FTSA applies “to any suit filed on or after the effective date of this act and to any putative class action not certified on or before the effective date of this act.” The effective date of the amended FTSA is May 25, 2023.
Recent Decisions Upholding the FTSA Amendment
In Holton v. eXp Realty, LLC, Case No. 8:23-cv-734-SDM-AEP (M.D. Fla. Dec. 28, 2023), the plaintiff, on behalf of himself and putative class members, sued eXp Realty, LLC, and alleged that eXp’s text messages violated the FTSA. eXp argued that because Holton never alleged replying “STOP” and because Holton failed to certify his class action on or before May 25, 2023, the amended FTSA barred both Holton’s individual claim and his class action. The plaintiff responded that “retroactively” applying the amended FTSA unconstitutionally infringed his and each class member’s vested rights. The defendant countered that the plaintiff enjoys no vested right to represent a class.
The court reasoned that “the amended FTSA’s application to a class is wholly prospective and the amended FTSA applies only to a class certified after May 25, 2023.” Because the plaintiff’s class remains uncertified and he fails to allege that each member of his proposed class replied “STOP” to an unsolicited message, the amended FTSA bars the plaintiff’s class action. The court further noted that “Holton possesses no vested and inviolable right to represent a class.” And, similarly, “the proposed class members hold no vested and inviolable right, free from lawfully imposed requirements, to coalesce and litigate as a class.” The court thus remanded to state court as the Class Action Fairness Act (CAFA) no longer supported subject matter jurisdiction.
In a different case recently heard in state court, Leigue v. Everglades College, Inc. (Case No. 2022-008872-CA-01), the court also faced a legal challenge against the amended FTSA. The contention in that case was that the amendment unconstitutionally overstepped by improperly regulating procedural law. The court ultimately determined it was precluded from considering constitutional challenges when the defendant failed to promptly serve the attorney general with notice of the constitutionality challenge. Although the court declined to rule, it did take time to point out that it “agrees with Defendant that even if Section 768.734 contains some procedural aspects, Florida courts have consistently upheld the constitutionality of statutes containing both substantive and procedural provisions.”
Businesses currently entangled in class action lawsuits under the FTSA should take full advantage of the recent FTSA amendment. These legal shifts offer valuable tools for navigating the complexities of such litigation. Additionally, it is crucial for businesses engaged in consumer texting to diligently maintain records of opt-outs. This practice is essential not only for compliance but also as a strategic measure to mitigate the risk of future class action exposure under the FTSA. As the legal landscape continues to evolve, proactive and informed management of these issues will be key for businesses operating in this space.
On December 13, 2023, the Federal Communications Commission (FCC) ushered in a new era by enacting transformative rules, by a 4-1 vote, aimed at closing what it viewed as the lead generation loophole. The FCC’s Second Report and Order, released on November 22, 2023, was poised to signify a monumental shift in lead generation practices, mandating prior express written consent for calls or texts on behalf of only one seller at a time. Despite vociferous opposition from small business and industry groups, the FCC adopted the Report and Order. With six months for businesses to become compliant, this blog post analyzes the implications of these new rules on lead generation practices, offering insights into the components of the adopted Report and Order and its legal implications, and concluding with recommendations for businesses navigating this evolving regulatory landscape.
Lead generation has long been the secret sauce for connecting with potential customers. Lead generation on comparison shopping websites involves users sharing preferences and contact details, which are then converted into leads. These leads are subsequently relayed to relevant businesses, enabling them to engage with potential customers. The overarching aim is to nurture these leads through effective follow-up, providing additional information, and ultimately converting interested users into customers, a process applicable to various industries and lead generation platforms.
However, enter the FCC’s new rules, and the landscape undergoes a seismic transformation. On December 13, 2023, the FCC voted 4-1 to enact the Proposed Rules, limiting consent to one-to-one, allowing the blocking of “red flagged” robotexting numbers, codifying do-not-call rules for texting, and promoting an opt-in approach for delivering email-to-text messages. These changes are set to take effect six months after enactment.
Once the new rules take effect, businesses will be required to secure a consumer’s prior express written consent, but here’s the twist – exclusively for calls and texts initiated through an automatic telephone dialing system (ATDS), prerecorded message, or artificial voice, and limited to “a single seller at a time.” This isn’t just a rule; it’s a game-changing move that reshapes how consumers provide consent in a world brimming with lead generation and comparison-shopping websites. Obtaining consent individually for each seller involved in lead generation can be administratively complex and inefficient. It requires a separate process for each seller, potentially leading to a cumbersome experience for both businesses and consumers.
Report and Order Insights
The recently embraced FCC Report and Order redefines the landscape for marketing calls and texts. Here’s a detailed exploration of the pivotal legal aspects:
First, the FCC orchestrated a paradigm shift, requiring businesses to secure a consumer’s prior express written consent for a single seller at a time. This marks a departure from the past, emphasizing the need for distinct consents even in a digital marketplace teeming with multiple sellers.
While lead generators enjoy some flexibility, constraints accompany the privilege. The expectation is that consumers can consent to multiple sellers on a single page, but the FCC demands a direct, explicit mechanism, sidelining the efficacy of mere hyperlinks.
Transparency takes center stage as the FCC underscores the necessity for clear and conspicuous disclosures. Sellers must now possess concrete evidence of consent, moving away from reliance on lead generators for proof.
For the first time, the FCC asserts that calls and texts to DNC Registry numbers necessitate prior express invitation or permission, substantiated by a signed, written agreement.
Terminating providers now shoulder the responsibility of blocking all texts from specified numbers upon FCC notification. The “block-upon-notice” requirement reshapes provider responsibilities, elevating vigilance to a new level.
Finally, while not mandatory, the FCC nudges businesses towards adopting email-to-text as an opt-in service. The prospect of a potential rulemaking looms on the horizon, hinting at a transformative shift in email-to-text compliance.
Practical Steps Forward
Considering these regulatory changes, it is crucial for businesses to proactively reassess their lead generation practices and vendor relationships, particularly under the guidance of experienced legal counsel, such as Bradley. The granted six-month implementation period provides a window of opportunity for businesses to conduct thorough investigations and align with these new regulations. In anticipation of an expected wave of TCPA class action lawsuits, working closely with seasoned Bradley counsel will help businesses adopt a strategic and compliant approach to lead generation. This proactive stance ensures that businesses are well-prepared to navigate the dynamic and evolving regulatory framework.
If you have any questions about this transformative new FCC rule, please do not hesitate to reach out to Alexis Buese.
The Department of Health & Human Services (HHS) released a concept paper outlining its strategy for improving cybersecurity infrastructure within the healthcare sector. The paper calls for proposing healthcare-specific cybersecurity performance goals that will include both minimum foundational practices and advanced goals for cybersecurity performance. By centralizing these performance goals into the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), HHS hopes to provide clear directives for stakeholders. This paper comes on the heels of the White House’s March National Cybersecurity Strategy and HHS’s April 2023 Hospital Cyber Resiliency Landscape Analysis.
HHS initially intends to incentivize the adoption of these performance goals by working with Congress to increase funding, develop incentives, and increase enforcement authority to improve cybersecurity. Specifically, HHS has stated that it will take the following concurrent steps:
- Establish voluntary cybersecurity performance goals for the healthcare sector
- Provide resources to incentivize and implement these cybersecurity practices
- Implement an HHS-wide strategy to support greater enforcement and accountability
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
Notably, HHS will also seek to incorporate the HPH CPGs into existing regulations and programs, including (1) by working with CMS to adopt new cybersecurity requirements for hospitals participating in Medicare and Medicaid; and (2) through proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in Spring 2024. These revisions are notable in that HIPAA’s security standards have not been revised in over 18 years, and hospitals would be subject to compliance surveys from state health departments and The Joint Commission (TJC) pursuant to the Medicare Conditions of Participation for Hospitals.
Bradley will continue to monitor this development and provide updates as HHS moves forward with these implementation strategies.
A previous installment discussed the centrality of network topology to an organization’s data security and outlined the legal framework and obligations incumbent upon many organizations in the U.S. The first installment can be found here. The second and final part of this series will discuss strategies for optimizing network topology and data security, focusing on the NIST Cybersecurity Framework as one of several security frameworks with broad industry recognition.
The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices for improving the security and resilience of critical infrastructure sectors. It was developed by the National Institute of Standards and Technology (NIST) in collaboration with various stakeholders from the public and private sectors, and it is widely recognized as a valuable tool for enhancing data security practices across different industries and organizations. Network topology plays a pivotal role within this framework, as it is the foundational blueprint upon which the security measures are built.
Five Functions of the NIST Framework
For each of the five core functions of the NIST Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – network topology influences the implementation and performance of the corresponding subcategories. Network topology helps organizations identify and protect their network assets and data, detect and respond to network incidents, and recover from network breaches. Some examples are:
- Identify (ID) Function: This function involves developing an organizational understanding of the systems, assets, data, and capabilities that must be protected. Network topology supports this function by helping organizations inventory their physical devices and systems (ID.AM-1), map their organizational communication and data flows (ID.AM-3), and identify their network boundaries (ID.BE-5).
- Protect (PR) Function: This function involves developing and implementing appropriate safeguards to ensure the delivery of critical services. Network topology helps organizations protect the integrity of their network (PR.AC-5), implement network segmentation (PR.AC-6), encrypt data in transit and at rest (PR.DS-2), and manage network access rights (PR.AC-1).
- Detect (DE) Function: This function involves developing and implementing appropriate activities to identify the occurrence of a cybersecurity event. Network topology supports the monitoring of network activity (DE.AE-1), the detection of anomalies and events (DE.AE-2), and the implementation of continuous monitoring capabilities (DE.CM-1).
- Respond (RS) Function: This function involves developing and implementing appropriate activities to take action regarding a detected cybersecurity event. Network topology helps organizations analyze network incidents (RS.AN-1), contain network incidents (RS.CO-1), eradicate network incidents (RS.ER-1), and communicate network incidents internally and externally (RS.CO-2).
- Recover (RC) Function: This function involves developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Network topology helps organizations restore network services (RC.RP-1), improve network recovery planning (RC.IM-1), and incorporate lessons learned from network incidents (RC.IM-2).
Maintaining a secure network topology in alignment with the NIST Cybersecurity Framework can be challenging for organizations due to the complexity and diversity of network environments, the evolving nature of cyber threats, and the variability of legal standards. In consideration of these complexities, organizations can be guided by some best practices, such as:
- Conducting regular risk assessments to identify and prioritize network vulnerabilities and threats.
- Updating network diagrams and documentation to reflect changes in network configuration, devices, data, and legal requirements.
- Implementing industry-standard security controls, such as firewalls, antivirus software, encryption, authentication, authorization, etc., to protect network assets and data.
- Using network discovery tools, diagramming software, and monitoring systems to automate and simplify the network mapping process.
- Training employees on security awareness and best practices for using network resources.
FTC Endorsement of the NIST Framework
The Federal Trade Commission (FTC), the primary federal agency responsible for protecting consumers and promoting competition, has recognized the value of the NIST Framework and its consistency with the FTC’s own approach to data security, acknowledging its usefulness and relevance for businesses of all sizes and sectors, without formally endorsing it. The NIST Framework is aligned with the FTC’s data security guidance and enforcement actions, which are based on a case-by-case evaluation of the reasonableness of data security practices, considering factors such as the nature and size of the business, the sensitivity and volume of the data, and the availability and cost of tools to improve security and reduce vulnerabilities. The FTC has recognized the NIST Framework in various official publications, statements, and collaborative efforts with NIST. Some examples are:
- The FTC published a blog post explaining how the NIST Framework is consistent with the FTC’s data security guidance, summarized in its “Start with Security” initiative. The blog post links other resources to help businesses implement the NIST Framework.
- The FTC’s “Data Breach Response: A Guide for Business” mentions the NIST Framework as one of several sources of additional information on data security. The guide provides practical advice on effectively preparing for and responding to data breaches.
- In various congressional testimonies, the FTC chairperson has acknowledged the relevance and usefulness of the NIST Framework for improving data security. The chair also highlighted the FTC’s collaboration with NIST on developing standards and guidelines for privacy and consumer protection, such as the Privacy Framework and the Consumer Privacy Bill of Rights.
Cross-Mapping the NIST Framework with Data Security Standards
Network topology not only assists with implementing the NIST Cybersecurity Framework but also supports compliance with various information security standards that apply to different sectors and contexts. Several of the NIST Framework’s core functions, such as “Identify” and “Protect,” require organizations to understand their network layout, assets, and vulnerabilities. Network topology directly supports these functions by identifying and prioritizing critical assets, assessing risks, and implementing protective measures. The standards below provide specific controls and guidelines directly related to network topology and mapping and help organizations achieve data security objectives such as confidentiality, integrity, availability, accountability, and resilience. These standards are:
Center for Internet Security (CIS) Controls: These universally recognized controls provide actionable guidance for enhancing an organization’s cybersecurity stance. Network topology intertwines closely with CIS Control 1 (Inventory and Control of Hardware Assets) and Control 2 (Inventory and Control of Software Assets). Accurate mapping of network assets and their configurations is central to these controls, specifically aligning with CIS Control 1.1 (Active Physical Asset Inventory) and CIS Control 2.1 (Inventory of Authorized and Unauthorized Software).
COBIT 2019: The COBIT framework aids organizations in governing and managing enterprise IT, aligning IT with business objectives. Network topology is particularly relevant within the COBIT control framework, notably in Control APO12 (Managed Business Process Controls) and Control DSS02 (Manage Service Requests and Incidents). Accurate network mapping substantiates COBIT’s objectives by facilitating efficient resource allocation, directly supporting Control APO12.05 (Managed Business Process Controls Monitoring and Reporting), and enhancing risk management, aligning with Control DSS02.03 (Incident and Service Request Data).
ISA Standards: The International Society of Automation has formulated standards such as ISA-95 (Enterprise-Control System Integration) and ISA-99 (Industrial Automation and Control Systems Security). In industrial contexts, network topology is pivotal for securing process control systems. Notably, ISA-99 includes standards such as ISA-99-02-01 (Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control System Security Program) and ISA-99-02-02 (Security for Industrial Automation and Control Systems: Technical Security Requirements for Industrial Automation and Control Systems), which emphasize the critical role of network topology in ensuring the security of these systems.
ISO/IEC 27001:2017: The ISO 27001 standard concerns information security management systems (ISMS). Network topology is pivotal in ISO 27001, particularly in Control A.12.1.1 (Control Objective: Control of Network Perimeter), which mandates assessing and managing network security risks. Additionally, Control A.12.1.2 (Control Objective: Management of Security in Networks) underscores the importance of secure network management, reinforcing the relevance of network topology.
NIST SP 800-53 Rev.5: This exhaustive catalog of security and privacy controls for federal information systems and organizations encompasses controls deeply rooted in network-centricity. Specifically, NIST SP 800-53 Rev.5 includes control families such as “Access Control” (AC) and “Audit and Accountability” (AU), which directly involve knowledge of network topology. Control AC-2 (Account Management) and Control AU-4 (Audit Storage Capacity) emphasize the importance of network configuration and monitoring. Additionally, Control AC-17 (Remote Access) addresses secure network access, highlighting the indispensable role of network topology knowledge. These controls harmonize seamlessly with the NIST Cybersecurity Framework, further underlining the significance of network topology in government and private-sector cybersecurity initiatives.
Network Topology Optimization for Data Security
Optimizing network topology for data security is an ongoing process that requires constant monitoring, evaluation, and improvement as organizations work towards efficiency, scalability, reliability, and security. Here are some strategies for optimizing network topology for data security:
- Network Segmentation: Network segmentation involves dividing the network into smaller subnetworks or segments based on function, location, or access level criteria. This strategy reduces the network’s attack surface by limiting the exposure of sensitive data and devices to unauthorized users or malicious actors. It also improves network performance by reducing congestion and latency.
- Network Isolation: Network isolation involves creating separate networks for different purposes or data types. This strategy enhances the security of sensitive data by preventing interaction or communication between networks that are not authorized or necessary. It also reduces the risk of network compromise by isolating potential sources of infection or intrusion.
- Network Encryption: Network encryption involves using cryptographic techniques to protect data in transit over the network from unauthorized access or modification. This strategy ensures the confidentiality and integrity of data by preventing eavesdropping or tampering by third parties. It also protects against man-in-the-middle attacks by verifying the identity of network endpoints.
- Network Access Control: Network access control involves policies and mechanisms regulating who can access what on the network. This strategy enforces the principle of least privilege by granting only the minimum level of access required for each user or device to perform their tasks. It also prevents unauthorized access by requiring authentication, authorization, and accounting for network resources.
- Network Monitoring: Network monitoring involves collecting and analyzing network activity and performance data. This strategy enables the detection and prevention of network anomalies and incidents by providing visibility into network traffic, devices, and configurations. It also supports network optimization by identifying and resolving network issues, bottlenecks, or inefficiencies.
Data security is a top concern for organizations in today’s digital landscape. It protects data from unauthorized access, use, modification, or disclosure. Data security requires implementing technical, administrative, and physical measures to safeguard data from internal and external threats. Network topology and network mapping can strengthen data security strategy. They provide a comprehensive view of the organization’s digital infrastructure. Network topology and mapping also can be aligned with various legal frameworks and standards that regulate data security and privacy. Organizations can develop and implement tailored security strategies that address specific vulnerabilities and risks, leveraging the information gained through network topology and mapping, guiding data security practices and meeting compliance requirements.
Data security is a top concern for organizations in today’s digital landscape. It protects data from unauthorized access, use, modification, or disclosure, and requires implementing technical, administrative, and physical measures to safeguard data from internal and external threats. Securing data is challenging in the current environment of multiplying cyber threats against small and large organizations alike. It is a journey, with no finish line and no perfect solution guaranteeing 100% security.
This two-part article will explore the ways in which network topology and mapping can strengthen organizations’ data security strategy. This part will discuss the ways in which network topology and mapping both intersect with various legal frameworks and standards that regulate data security and privacy. The second part will provide some strategies for optimizing network topology for data security and outline the National Institute of Standards and Technology (NIST) Cybersecurity Framework industry standard for data security.
Network Topology and Mapping: The Foundation of Data Security
Organizations should seek to ensure their data’s confidentiality, integrity, and availability to secure personal and proprietary data and to comply with legal and ethical obligations. Data security involves implementing technical, administrative, and physical measures to safeguard data from internal and external threats, and network topology and mapping are the foundational elements of any robust data security strategy. In an age where the digital realm is intertwined with every facet of modern life, understanding the structure and flow of your organization’s network is a necessary first step in securing your data.
Network topology refers to the physical and logical layout of an organization’s interconnected devices and systems. It serves as the digital blueprint, defining how data travels within an organization and outlining the relationships between various network components. Network mapping takes the concept of network topology a step further. It involves creating detailed visual representations of the network’s structure, including all devices, connections, and configurations. This process provides a granular view of the organization’s digital infrastructure. Understanding network topology and mapping is useful for several reasons: It helps identify vulnerabilities, optimizes resource allocation, and expedites incident response.
- Identifying Vulnerabilities: By comprehensively mapping out the network, potential vulnerabilities become apparent. These vulnerabilities could range from unsecured access points to outdated software or hardware.
- Resource Allocation: Knowledge of network topology aids in efficient resource allocation. It allows organizations to determine where security measures, such as firewalls or intrusion detection systems, could be deployed most effectively. This targeted approach ensures that security investments are optimized and aligned with business priorities. However, resource allocation is not a one-time process but rather an ongoing one that requires constant monitoring and evaluation. Therefore, organizations may want to consider using network mapping tools and technologies to automate and simplify the resource allocation process.
- Incident Response: A well-documented network topology can expedite incident response efforts in a security incident. Knowing how data flows through the network and where critical assets are located allows for swift identification and containment of threats.
- Risk Assessment: Network mapping facilitates a thorough risk assessment. It helps identify potential weak points in the network, such as single points of failure or areas susceptible to unauthorized access. For example, in 2016, Dyn, a domain name system (DNS) provider, was hit by a distributed denial-of-service (DDoS) attack that disrupted the internet access of millions of users. The attack was carried out by a botnet of compromised devices that flooded Dyn’s servers with traffic. Although it is not the only factor that influenced the outcome of the attack, a comprehensive network map may have helped Dyn assess its network resilience and redundancy. As discussed, a network map is a visual representation of the network devices, connections, and configurations, which can help identify potential vulnerabilities, bottlenecks, and dependencies. A network map can also help implement mitigation strategies, such as load balancing, traffic filtering, and backup servers, to prevent or reduce the impact of DDoS attacks.
- Compliance Requirements: Many industries and sectors have specific regulatory requirements regarding data security and privacy. Accurate network mapping assists in demonstrating compliance by showcasing security measures in place, access controls, and data flow tracking. For example, HIPAA requires covered entities and business associates to implement reasonable and appropriate security measures to protect electronic protected health information (e-PHI) from threats and risks. Network mapping can help organizations document their compliance efforts by showing how they inventory their e-PHI assets, map their e-PHI flows, encrypt their e-PHI in transit and at rest, limit access to e-PHI, and monitor e-PHI activity.
- Capacity Planning: For organizations experiencing growth or evolving technology needs, network mapping aids in capacity planning. It allows for predicting future infrastructure requirements, ensuring the network can scale effectively without compromising security.
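The vulnerability, risk-assessment, and single-point-of-failure points above, together with the segmentation and encryption strategies the article lists earlier, can be turned into checks that run over a network map. The following is an added example, not code from the article or any vendor: it audits a small constructed map (every node name, segment, trust level, and sensitivity flag is made up) and labels findings with the PR.AC-5 and PR.DS-2 subcategories as the article maps them.

```python
"""Added example: audit a constructed network map for weaknesses the article lists:
unencrypted sensitive flows, segmentation bypasses, and single points of failure."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    segment: str              # network segment the node sits in (constructed)
    kind: str = "host"        # "host", "firewall" or "gateway"
    sensitive: bool = False   # stores or processes e-PHI / personal information

@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    encrypted: bool           # traffic on this link is encrypted
    carries_sensitive: bool   # e-PHI / personal information crosses this link

# Constructed trust level per segment: traffic from a lower-trust segment into a
# higher-trust one is expected to pass through a firewall node.
TRUST = {"internet": 0, "dmz": 1, "corp": 2, "clinical": 3}

# Constructed sample map: a DMZ web tier, an office segment, and a clinical
# segment holding the EHR application and database. Not a real network.
NODES = {n.name: n for n in [
    Node("isp-edge", "internet", kind="gateway"),
    Node("fw-edge", "dmz", kind="firewall"),
    Node("web-1", "dmz"),
    Node("vpn-gw", "dmz"),
    Node("fw-core", "corp", kind="firewall"),
    Node("ws-billing", "corp"),
    Node("app-ehr", "clinical", sensitive=True),
    Node("db-ehr", "clinical", sensitive=True),
]}
LINKS = [
    Link("isp-edge", "fw-edge", True, False),
    Link("fw-edge", "web-1", True, False),
    Link("fw-edge", "vpn-gw", True, False),
    Link("web-1", "fw-core", True, True),
    Link("fw-core", "app-ehr", True, True),
    Link("app-ehr", "db-ehr", False, True),     # plaintext database traffic
    Link("vpn-gw", "ws-billing", True, False),
    Link("ws-billing", "app-ehr", True, True),  # office host bypasses fw-core
]

def adjacency(nodes, links, skip_firewalls=False):
    """Undirected adjacency map; optionally treat firewall nodes as impassable."""
    adj = {name: set() for name in nodes}
    for l in links:
        if skip_firewalls and "firewall" in (nodes[l.src].kind, nodes[l.dst].kind):
            continue
        adj[l.src].add(l.dst)
        adj[l.dst].add(l.src)
    return adj

def reachable(adj, start, blocked=frozenset()):
    """Breadth-first search from start that never enters a blocked node."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unencrypted_sensitive_flows(links):
    """PR.DS-2 (article's mapping): sensitive data must be encrypted in transit."""
    return sorted((l.src, l.dst) for l in links if l.carries_sensitive and not l.encrypted)

def segmentation_gaps(nodes, links):
    """PR.AC-5 (article's mapping): no lower-trust node may reach a sensitive
    higher-trust node without crossing a firewall. Returns (source, target) pairs."""
    adj = adjacency(nodes, links, skip_firewalls=True)
    gaps = set()
    for n in nodes.values():
        if n.kind == "firewall":
            continue
        for other in reachable(adj, n.name):
            if nodes[other].sensitive and TRUST[n.segment] < TRUST[nodes[other].segment]:
                gaps.add((n.name, other))
    return sorted(gaps)

def single_points_of_failure(nodes, links, ingress="isp-edge"):
    """Infrastructure nodes whose loss cuts the ingress off from some sensitive node."""
    adj = adjacency(nodes, links)
    sensitive = {n.name for n in nodes.values() if n.sensitive}
    baseline = reachable(adj, ingress) & sensitive
    return [name for name in nodes
            if name != ingress and name not in sensitive
            and reachable(adj, ingress, blocked={name}) & sensitive != baseline]
```

Run against the sample map, the three checks report the plaintext app-ehr to db-ehr link, the vpn-gw and ws-billing paths into the clinical segment that bypass fw-core, and fw-edge as the only infrastructure node whose loss isolates the clinical systems from the ingress.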
Network Security Challenges and Best Practices
Maintaining a secure network topology can be challenging due to the complexity and diversity of network environments, the evolving nature of cyber threats, and the variability of legal standards. Organizations may consider adopting some of the best practices to guide the process, such as:
- Conducting regular risk assessments to identify and prioritize network vulnerabilities and threats in recognition that network environments constantly change and evolve, exposing new risks and challenges.
- Updating network diagrams and documentation to reflect changes in network configuration, devices, data, and legal requirements. Outdated or inaccurate network information can lead to security gaps or compliance issues.
- Implementing industry-standard security controls, such as firewalls, antivirus software, encryption, authentication, authorization, etc., to protect network assets and data, as these controls can prevent or mitigate common cyberattacks, such as malware infections, phishing scams, ransomware attacks, etc.
- Using network discovery tools, diagramming software, and monitoring systems to automate and simplify the network mapping process, as manual network mapping can be time consuming, error prone, and incomplete.
- Training employees on security awareness and best practices for using network resources, given that human error or negligence can be a major source of data breaches or cyberattacks.
The Law of Data Security: The Nexus Between Network Topology and Framework Implementation
The legal framework governing data security is multifaceted, encompassing federal and state laws and industry-specific regulations. One of the central tenets of this framework is the requirement for organizations to implement security measures to safeguard sensitive data. Network topology, the physical or logical arrangement of nodes and the connections between them in a computer network, can assist in meeting this requirement and help organizations protect sensitive data from unauthorized access, modification, or disclosure. Here’s how this intersects with network topology:
Federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Children’s Online Privacy Protection Act (COPPA), Fair Credit Reporting Act (FCRA), and several state data privacy laws like the California Consumer Privacy Act (CCPA), impose specific obligations on organizations to secure sensitive data. Network topology directly influences an organization’s ability to comply with these obligations, as it affects the efficiency, scalability, and reliability of the network, as well as its security and integrity. For example:
- HIPAA requires covered entities and business associates to implement reasonable and appropriate security measures to protect e-PHI from threats and risks. Network topology can support this requirement by helping organizations identify and control their network assets, encrypt and decrypt e-PHI, limit physical and logical access to e-PHI, and monitor network activity.
- GLBA regulates how financial institutions collect, use, and protect consumers’ personal financial information. Network topology aids compliance with GLBA by enabling organizations to secure their network perimeter, manage access to financial data, and monitor network activity.
- COPPA requires online services that collect personal information from children under 13 to obtain verifiable parental consent, provide notice of their data practices, and maintain reasonable security measures. Organizations can use network topology to help segregate children’s data, encrypt data in transit and at rest, and implement parental controls.
- FCRA regulates how consumer reporting agencies collect, use, and disclose consumers’ credit information. Network topology assists organizations with compliance with FCRA by facilitating the identification and protection of credit data, detecting and responding to data breaches, and providing consumers access to their credit reports.
- CCPA gives California residents the right to access, delete, and opt out of the sale of their personal information stored online. Using network topology, organizations can locate and segregate personal information within their network, encrypt personal information in transit and at rest, implement opt-out mechanisms, and respond to consumer requests.
Enforcement and Liability
The consequences of non-compliance with data security laws can be severe, involving fines, legal action, and damage to reputation. Here’s how network topology and framework implementation intersect with legal consequences, particularly in the context of data breach litigation:
- Liability Assessment: In the aftermath of a data breach, assessing liability is a complex task, especially when facing data breach litigation. Network topology and mapping enable organizations to identify the root causes of a breach, allocate responsibility, inform decision-making, and defend against legal action or negotiate settlements.
- Evidence in Data Breach Litigation: Network diagrams and security framework documentation can be invaluable evidence in data breach litigation. They provide a clear and verifiable picture of an organization’s security measures and can be used to demonstrate due diligence in the face of legal proceedings related to data breaches. Judges and juries rely on such evidence to evaluate the organization’s commitment to data security.
Data security law is intricately woven into an organization’s network topology and the implementation of data security frameworks. By understanding how legal obligations influence network security practices, organizations can navigate the complex terrain of data security while safeguarding sensitive information and complying with the law.
For many, responding to an incident feels chaotic — questions swirling, uncertainties piling up, and no clear direction. Even when prepared with a well-rehearsed incident response plan, a data security incident places a company’s response team in a precarious situation of juggling numerous variables at once. In the chaos of determining whether a breach has occurred, companies may forget to think through the most important issues. For example, restoring network access and network security is typically the response team’s primary objective, while legal obligations and strategies are often forgotten. Though business continuity is a crucial step in the process, failure to prioritize the following critical aspects in responding to a breach could have consequences later.
1. Don’t get lost, preserve the breadcrumb
When responding to a cyberattack, there may be pressure to retain business continuity by immediately restoring information system integrity and availability. For example, the business may decide to wipe or erase data on existing computers, systems, and servers and rebuild them from the ground up. As part of any preservation strategy, companies should image all devices that may have been affected by the attack. This includes affected laptops and desktop computers, which are often overlooked during this process. Failure to preserve these breadcrumbs often leaves large gaps in the investigation.
Though incident response teams may be focused on restoring systems and resources, they must also recognize that cyber incidents often lead to government investigations and consumer litigation. The evidence gathered during the breach response will help counsel and cyber experts to determine what data was compromised. If the data is properly preserved, counsel can more accurately determine what data was accessed or stolen, and whether any personal information was compromised. Without this critical evidence, uncertainty may remain, forcing a business to rely on assumptions in making decisions about the existence and scope of a breach.
2. Phone a friend (aka trusted legal advisors)
The existence of these issues should make clear the importance of including outside counsel in all serious, or potentially serious, incident responses. Counsel will help ensure evidence of the data breach is preserved, as well as determine the company’s notification requirements without interrupting the forensics or recovery team’s efforts to re-establish business operations. Critically, outside counsel can help a company prepare for impending litigation or regulatory inquiries under attorney-client privilege, substantially increasing the confidentiality of the company’s response and mitigation efforts following the breach. Moreover, counsel will assist incident response teams in determining a proper course of action that aligns with applicable state and federal legal requirements, such as a company’s remediation decisions post-breach. Indeed, companies often fail to take initial intrusions seriously, because they believe the issue is contained, when in fact the attacker is merely waiting to continue the malicious activity after the logs showing the intrusion have been automatically deleted. Because breach response counsel is well-versed in this area of law, counsel can provide advice on potential blind spots to investigate, leading to a more fulsome response that mitigates unforeseen risks.
3. Notify your insurance carrier
Any company in any industry can experience a data breach, particularly those handling sensitive personal information or large volumes of it. Notification to affected individuals alone, as discussed further below, routinely costs millions of dollars if the breach is large enough. Legal fees, engaging forensics experts to investigate, potential government enforcement actions, and consumer class actions can cost even more.
Whether or not a company has cyber-specific insurance, it should immediately put its insurance provider(s) on notice upon experiencing a data breach. There’s always a possibility that the company’s insurance policies may cover some of the costs of the breach response. Moreover, if a company fails to timely notify its insurance carriers, those carriers may deny coverage outright. In addition, the insurance policy may require the company to use specific firms and forensics teams that are on a pre-approved list. The insurance company may also require detailed billing practices that should be considered before an incident response investigation begins.
4. Determine your legal requirements
Each state places unique data breach notification obligations on companies to notify all affected state residents of the data breach. It’s not uncommon for larger companies to notify residents in all 50 states and the several territories. Beyond standard state data breach notification statutes, the company may be subject to other regulatory frameworks. If the company is publicly traded, then the company must consider SEC rules. If the company maintains protected health information, then HIPAA’s notification requirements would apply and a likely investigation from the Department of Health and Human Services could follow. Among other agencies, state departments of insurance may require notice, as well as certain licensing agencies like the New York Department of Financial Services. Additionally, companies will likely receive inquiries and demands from their partners, investors, and key personnel, among other third parties to whom the company has a contractual obligation. Thus, counsel must be prepared to fully understand all aspects of the client’s business to ensure all notification requirements are met, which generally follow a 30-to-60-day timeline after a company discovers the data breach.
5. Contact law enforcement
Companies often struggle to decide whether to engage law enforcement following a cyber incident. Though these decisions are not easy, working with law enforcement can allow a company some extra time to notify consumers and regulators, as well as show that it is concerned about its customers and all affected individuals. Often, insurance policies require the company to notify law enforcement of the incident. We encourage companies to periodically review their policies and coordinate with their counsel to ensure proper compliance with those policies. Regardless, law enforcement — especially the Federal Bureau of Investigation — may have access to additional technical and legal resources that could be valuable. This could include advice, technical knowledge, and assistance in working with third parties. Importantly, law enforcement may have investigations ongoing against your attackers and may be able to use the knowledge you gain from the attack to pursue legal action against the criminals.