The Matrix

Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks.  The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021 -Ohio- 3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021).  In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.   

Last week, the Federal Bureau of Investigation issued a private industry notification warning that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI cautioned that ransomware attackers research publicly available information and target companies involved in significant, time-sensitive financial dealings such as M&A and other transactions. This initial reconnaissance, according to the FBI, is later followed by a ransomware attack and a subsequent threat that unless the victim pays the ransom, the attackers will disclose the information publicly, causing potential investor backlash and affecting the victim’s stock value.

The Federal Trade Commission recently announced a newly updated rule concerning the data security safeguards required for financial institutions to protect their customers’ financial information. The FTC’s updated Safeguards Rule, which originally was mandated by Congress under the 1999 Gramm-Leach-Bliley Act, requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The new rule more closely aligns with the NY Department of Financial Services Cybersecurity Regulation.

October is National Cybersecurity Awareness month, and the Department of Justice has chosen this month to roll out a new “Civil Cyber-Fraud Initiative.” The announced purpose of the Initiative is to actively pursue cybersecurity-related fraud claims by government contractors and grant recipients. 

A bipartisan bill was introduced on October 5, 2021, in the Michigan Senate to amend the Michigan Identity Theft Protection Act (the “Act”). The bill, linked below, would create an affirmative defense to tort claims arising out of a security breach. 

On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog. 

In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities.  OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI).  The  pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly smaller businesses and municipal entities with limited resources for cybersecurity investments as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients. 

Post authored by Mahja D. Zeon, an Associate in Honigman's Detroit office and Lauren Legner, a 2021 Summer Associate in the firm's Detroit office.

Employers have a right, and in some industries, even a requirement, to implement vaccine-related policies to promote workplace safety, but they must be mindful of the privacy implications.  There are several competing concerns to weigh when deciding whether to implement vaccine-related policies. On the one hand, data regarding employee vaccination status may play an essential role in keeping the workplace safe from COVID-19 outbreaks. On the other hand, collecting and using such data implicates individual privacy and data security concerns. Should an employer choose to collect vaccine-related data, it must take the appropriate steps to keep this information safe. Here are three ways employers can implement vaccine-related, data-safe policies:

On the heels of Virginia’s Consumer Data Protection Act, Colorado recently passed its own comprehensive consumer privacy law. On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”). The CPA takes effect on July 1, 2023.

Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company.  U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.  

Michigan state courts have new privacy protections in court rules that become effective July 1, 2021 (links to the implementing orders are included below) after implementation was previously delayed.  Under revised Michigan Court Rule (“MCR”) 1.109 and 8.119, parties are no longer able to file papers – including pleadings, motions, and briefs – or attachments containing specified types of personally identifying information (PII) such as date of birth, financial account numbers, driver’s license numbers, state-issued personal identification card numbers, or passport numbers.  The existing prohibition on filing more than the last four digits of a social security number remains in force.  The revised MCR 1.109 calls for parties and their attorneys to redact any PII and to prepare a separate form listing the un-redacted information and reference codes to be used in the public document.  That separate form is considered a nonpublic document and is available only to the court, the parties, and other specified persons.  Anyone obtaining a copy of a publicly filed document will receive only the redacted copy and not the separate form.