Booming internet usage means that virtually every company has a website, and many companies use their website to enhance the user experience and collect information about their users. As a result, company websites have terms of use and privacy policies that were developed to govern the interaction between the user and the company through its website. 

Many businesses, however, developed their website’s terms of use and privacy policy when their websites were last substantially revised, and no one has paid attention to them since. Of more concern, some companies “cut and pasted” terms of use and privacy policies from other websites or used template forms available on the internet. While these may be a good start, they may miss some key provisions that should be included to protect your company and comply with the law.

This article reviews what needs to be included in terms-of-use agreements and privacy policies for company websites so that you can determine whether your company needs to review and update any of the provisions in them to better protect your company. 

Terms-of-use agreements

These provisions are typically included in a hyperlink at the bottom of a webpage. They can also be named terms of service, terms and conditions, conditions of use, or similar phrases. The first rule about these provisions is that they should be easy to read and understand. The provisions are intended to be a legal agreement binding on the website user which establish the terms a user must abide by to use the website.

Terms-of-use provisions generally include:

• Agreement to use the website only for lawful purposes (prohibits use of malware or other software that interferes with the content or use of the website);

• Disclaimer that the information on the site is for general information purposes and there is no warranty regarding the accuracy, completeness, or usefulness of the information. The disclaimer should extend to third-party content if used on website;

• Acknowledgement that website content is owned by the company and is protected by copyright, trademark, and other intellectual-property laws, and the material cannot be reproduced or modified;

• If the website contains message boards, chat rooms, or other interactive features, terms governing user-generated content so that user-posted material does not violate laws or company standards;

• An explanation of what information the company may collect from its website users and a link to the company’s privacy policy;

• Notice that the terms of use may be revised and updated from time to time and that all changes are effective immediately upon posting; 

• Email address for feedback or comments relating to the website; and

• Traditional contract provisions such as disclaimer of warranties, limitations on liability, governing law, and indemnification.

Note that the terms-of-use agreement for your website should be tailored to fit your website, its functionality and your company. Terms of use are important if accounts can be created on your company’s website because they set the rules about how the account system operates. Moreover, if there are links to social-media features, specific concerns about copyright infringement (especially if there is user-generated content), concerns about collecting personal information of children using a site or industry-specific regulations (e.g. banking and financial services), there may be additional language that should be added to the terms-of-use agreement to protect your company.

“Browsewrap” vs. “clickwrap” agreements

A browsewrap terms-of-use agreement exists when the terms of use are referenced on the website’s main page by a hyperlink to the complete provisions where there is a conspicuous notice that, by using the website, the user agrees to the terms of use. The website user must click on the hyperlink to see the terms that bind the user. Generally, courts have held that browsewrap agreements will be binding on the user when the user is encouraged by the design and content of the website to examine the terms available through the hyperlink. However, courts have taken disparate views on whether a website is, in fact, appropriately designed to encourage the user to click on the terms-of-use hyperlink. If your company is using a browsewrap terms of use, a message should be displayed in a prominent position on the site’s pages, notifying users that the website is governed by the terms of use and that users who do not agree to the terms must not access or use the site. This message should provide a link to the full terms of use and be located so that users can see the notice without having to scroll down the page. 

A clickwrap terms-of-use agreement exists when a pop-up, or series of pop-ups, appear when users visit the website that informs them that they must review and agree to the terms of use to use the site by clicking to indicate agreement. This is a clearer means to show user agreement to the terms of use and are more likely to be found enforceable by a court than browsewrap terms. E-commerce sites where users are purchasing products or services and websites where social media is being uploaded or posted are advised to use clickwrap terms-of-use agreements to ensure enforceability of their terms.

Privacy policies

Your privacy policy should disclose your practices for the collection, use, handling, and sharing of data from your users. Privacy policies are now required by several federal, state, and foreign laws, particularly if your company is collecting data to identify individuals (e.g. email address, name, mailing address, social-media information, etc.). Any third-party advertising or analytics provider that your company engages to help optimize website use will require an acceptable privacy policy be posted by your company before it will integrate their services on your website.

It is a good practice to have a privacy policy even if your company is not collecting data that could identify individuals, if for no other purpose than to inform your users that you are not collecting any individually identifying data.

Your privacy policy should be easy for users to read and understand. It should be clearly and conspicuously accessible on the website. A link to the policy must be conspicuously placed wherever personal information is collected. It should truly reflect the company’s actual business practices. The policy should not make any statements about the company’s privacy practices that may turn out to be untrue.

A privacy policy that meets the requirements of most data privacy-laws should include the following provisions:

•  A description of what kind of information you collect from users, why you collect it, how you use it, how long you store it, and what information is shared with third parties;

• Disclosure on whether and how you use cookies or other tracking technology;

• Disclosure that the company may have to release collected user information in response to warrants, subpoenas, or other legal process;

• How to request changes to, or a review of, any information of the user that is collected and stored;

• An opt-out procedure for users who do not want their information shared with third parties or used by the company;

• The method that will be used by the company to notify users of any changes to its privacy policy; and

• The policy should identify the date it was last revised.

The word “privacy” should be used in the title of the policy and any links to the policy. 

Note that if your company sells advertising for its website that has click-through features or uses a vendor’s technology for analytics, those third parties may be collecting user data as well and your privacy policy also needs to disclose the privacy practices of those third parties.

Template privacy policy should not be used for most websites. Instead, a privacy policy should be carefully drafted that is informed by the company’s actual information collection and privacy practices.

Importantly, as technology evolves, so does the information that might be mined from company websites. Your company should periodically audit its compliance with its posted privacy policy and confirm that its practices, such as allowing users to opt-out of certain uses or disclosures (for example, to unsubscribe to a mailing list), are being followed. Failure to comply with what you have promised to do in your privacy policy exposes the company to potential liability.

While provisions in terms-of-use agreements and privacy policies on company websites may look “boilerplate,” they are not. These must be tailored to the capabilities and functions of your website and to the specific information that is being collected and stored from user use.        

Gail M. Norris is a senior counsel in the Rochester office of the Syracuse–based law firm of Bond, Schoeneck & King PLLC. She works in Bond’s Cybersecurity and Data Privacy practice. Contact Norris at gnorris@bsk.com. This article is drawn from the law firm’s Cybersecurity and Data Privacy Information Memo.

While hacking, data theft, and corruption dominate the headlines, the threats to businesses posed by cyberattacks stretch far beyond the digital realm. Consumers are increasingly concerned about the security of their information that is held by companies they patronize and are negatively influenced if they believe a business is not adequately protecting data. A PricewaterhouseCoopers survey found that 87 percent of consumers are willing to take their business elsewhere if or when a company has a data breach.

In the wake of highly publicized attacks, business expenditures for cybersecurity reached $123 billion in 2020 according to the research firm Gartner. At the same time, studies conducted by the insurance firm Hiscox found that more than 70 percent of businesses are still unprepared for a cyberattack. The rapid race by businesses of all sizes to leverage technology to improve efficiency and gain competitive advantage has brought with it an unprecedented host of complex threats that most are ill-prepared to protect themselves against.

For centuries, entrepreneurs have had to overcome physical threats such as fire, flood, and theft to avoid being the next shop with a “Going Out of Business” sign in the front window. These risks were largely visible, tangible, local, and not likely to change quickly over time. On the contrary, threats to digital assets are everything that physical risks are not. They are virtual, invisible, global, and rapidly evolving. Mitigation strategies that are effective against a particular computer attack right now might be rendered permanently obsolete in the next few seconds.

While the world’s consumers create a seemingly insatiable demand for connectivity and 24/7-anywhere access to information of all kinds, businesses are racing to stay relevant in an increasingly tech-dominated world. Unfortunately, security is the often-overlooked component of this race forward, falling victim to budget constraints, ignorance, and apathy.

As technology evolves, so do the threats to its security. The first hackers often focused on gaining access to systems just to prove they could. Damage to, or theft of data was rare. Much has changed in just a few short decades. Modern cyberattacks are coordinated, sophisticated, and well-funded operations often run by criminal enterprises or even nation states. The goals of exploiting security weaknesses are largely financial, but also increasingly include corporate or political espionage.

Of all the modern cybersecurity threats, ransomware has rightly dominated the headlines. In the simplest terms, this attack traditionally involved “kidnapping” the victim’s data in place by encrypting it with a password only known to the attacker. The data was technically still on the victim’s systems; however, it was completely inaccessible. The key to unlock the data would ostensibly be provided after the victim paid the demanded ransom. Attackers would indiscriminately attempt to infect millions of computers without regard to the importance of the systems, or the potential victim’s ability or desire to pay the demanded fee. Surviving a traditional ransomware attack was largely a mixed bag. Sometimes victims paid the ransom and regained access to their files, sometimes the ransom was paid, and the key was never provided and, in some cases, even the attackers lost track of how to decrypt the files. For years, mitigation steps for ransomware relied heavily on restoring lost data from backups and eliminating the security gaps that allowed the attack to occur in the first place.

In the past few years, ransomware attacks have evolved into much more sinister and sophisticated attacks. Businesses and government entities are now the preferred targets, with a preference for critical infrastructure and services. The “kidnapping in place” model has also been modified to include the theft of sensitive data and attempts to establish long-term, persistent access to the victim’s computer systems that can be used to conduct further malicious acts. Stolen data is increasingly being used to further extort the victim through threats to release it publicly if the ransom is not paid. This was recently highlighted when the Washington D.C Police Department was attacked by ransomware and the attackers subsequently posted police officers’ personnel records and street-gang intelligence information on the Internet when their demands were not met.

Contrary to the beliefs of some people, ransomware attacks can be prevented, mitigated, and you can recover from them. Like the attacks themselves, cyber protection and prevention mechanisms are rapidly evolving and necessarily must be complex and comprehensive. The need for sophisticated prevention, protection, and response mechanisms places modern cybersecurity outside the reach of traditional information technology departments and do-it-yourself operations.

Ransomware prevention, like all other cybersecurity, requires a multi-faceted approach from numerous disciplines. There is no single tool, software, or procedure that can do it all. The following list highlights a comprehensive methodology for ransomware prevention and preparedness:

• Be proactive. Recovery after an attack is more difficult and expensive than preventive measures

• Engage cybersecurity specialists

• Conduct periodic vulnerability assessments and penetration tests of all networks and systems

• Remediate all known and identified security gaps

• Create, test, and utilize comprehensive disaster recovery and business-continuity plans

• Ceate and test full, offline backups of all critical data

• Create, test, and utilize incident-response plans that address cybersecurity threats

• Establish retainer agreements for cyber-incident response specialists

• Budget appropriately. Security costs are necessary and recurring.

Cyberattacks and risks to data security represent a clear and present danger to the ability of companies of all sizes and sectors to grow and prosper. A single attack against an ill-prepared business can cause crippling recovery costs and damage customer confidence beyond repair. The takeaway from the many entities that have suffered and recovered from cyber incidents in the past is that it does not have to be a death sentence. In the end, those that are proactive, plan, and prepare will be the ones most likely to survive and thrive in this rapidly changing landscape.                                                     

Tony Martino is co-founder and chief operating officer of Anjolen Inc. Contact him at Tony@anjolen.com.

On April 14. 2021, the U.S. Department of Labor (DOL)  issued much-needed guidance concerning best practices for plan sponsors, fiduciaries, record-keepers, participants and beneficiaries pertaining to cybersecurity for retirement plans. 

The DOL’s guidance focuses on three specific topics: hiring service providers, managing cybersecurity risks, and online-security tips for participants to avoid risk of fraud and loss. Although the guidance was couched as “best practices,” it is reasonable to interpret it as creating minimum cybersecurity standards and practices for retirement plans. The guidance specifies the duty of plan fiduciaries to protect plan data against cybersecurity breaches and attacks, and potentially signifies a precursor for the DOL to assess liability for damages stemming from plan data breaches in the future. Although the guidance did not address health and welfare plans, those plans may also wish to consider implementing these measures. 

Here is a summation of some of the key points raised in the guidance, as well as some helpful insights to be considered in connection with the DOL’s recommendations. 

I. Hiring service providers 

Under ERISA, plan fiduciaries must act prudently when selecting and retaining plan-service providers. Since plan-service providers are often relied upon to preserve and secure plan records and participant data, it is essential that fiduciaries ensure that service providers implement strong measures to defend this information against potential cyber threats. When retaining service providers, the DOL recommends that plan sponsors make certain that vendors have sufficient security systems in place to guard against attacks and prevent potential breaches. The DOL offered the following suggested practices when contracting with service providers: 

• Security standards: Review providers’ security standards, practices, and policies. Request audit results verifying the sufficiency of their security systems and compare these results to industry standards. Plan fiduciaries should look for vendors who follow a recognized information security standard that validates its compliance and utilize an independent auditor to verify information security, system/data availability, processing integrity, and data confidentiality. 

• Effectiveness review: Verify the security standards employed by service providers and their validation process to ensure their security practices comply with these requirements and ensure that their audit results reflecting compliance are available for review. 

• Reputation in the industry: Check service providers’ track record in the industry, including any public information related to prior security incidents, as well as any litigation and legal proceedings related to their services. 

• Prior incidents: Consider vendors’ previous security breaches, reviewing all details regarding those incidents and their response to the attacks. 

• Insurance coverage: Review the service providers’ cybersecurity-insurance policies and their scope of coverage to address losses incurred from security breaches or identity thefts. Confirm whether their insurance coverage will cover breaches caused by both their own workforce, as well as external attacks. Consider requiring vendors to maintain additional insurance coverage (i.e., professional liability, errors and omissions liability, cyber liability and privacy breach insurance, and/or fidelity bond or blanket crime coverage). Confirm policy limitations before counting on such coverage for loss protection. 

• Ongoing compliance: Ensure that contracts require vendors to maintain their cybersecurity and information security standards originally agreed to by the parties throughout the term of the contract, and beyond (if applicable). Consider requiring notice in the event of a change in their systems which impacts their ability to meet these criteria, or deviations from their prescribed security standards. 

• Limitation of liability: Address any contractual provisions which seek to limit responsibility or liability of the service provider for cybersecurity breaches. 

• Reporting: Require annual third-party audits to determine compliance with cybersecurity policies and procedures and require access to the results of those reviews. 

• Data usage: Specifically dictate vendors’ obligations to preserve the privacy of all confidential data, prevent any use or disclosure of confidential information without written permission, and incorporate a stringent standard of care to guard against the unauthorized use (or misuse), access, loss, disclosure, or modification of confidential information. 

• Records retention and destruction: Specify vendors’ obligations to comply with all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of confidential information.

• Notice: Include terms requiring vendors to provide notice for any incident or breach, specifying the timeframe for such notice and mandating service providers’ cooperation to investigate and address the cause of the breach. 

II. Cybersecurity best practices 

The DOL has provided this list of best practices for plan record keepers and other service providers to follow: 

• Save a formal, well-documented cybersecurity program; 

• Conduct prudent annual risk assessments; 

• Have a reliable annual third-party audit of security controls; 

• Clearly define and assign information security roles and responsibilities; 

• Have strong access control procedures; 

• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments; 

• Conduct periodic cybersecurity-awareness training; 

• Implement and manage a secure-system development life-cycle program; 

• Have an effective business-resiliency program addressing business continuity, disaster recovery, and incident response; 

• Encrypt sensitive data, both stored and in transit; 

• Implement strong technical controls in accordance with best security practices; and 

• Appropriately respond to any past cybersecurity incidents. 

III. Online-security tips

The DOL also outlined a number of security tips, reflecting that participants and beneficiaries also play a large role in the security of their plan accounts. The DOL recommends that users utilize strong and unique passwords for their accounts, add multi-factor authentication to log in, and regularly monitor accounts to guard against the risk of fraud and loss. In addition, the DOL suggests that participants and beneficiaries update their contact information with plans and sign up for account activity notifications to ensure they are notified of any unauthorized account activity. Among the other tips offered, the DOL urges users to avoid public Wi-Fi networks, remain mindful of phishing attacks, and use up-to-date antivirus software. 

Retirement-plan precautions

Retirement plans are literal treasure troves for cyber criminals — holding large amounts of fund and personal information concerning participants and beneficiaries. Recognizing this concern, the DOL’s new cybersecurity guidance may provide a glimpse into future enforcement actions and criteria to assess prudence by fiduciaries in the event of a cyberattack. Plans should consider these tips and insights when engaging new service providers to ensure vendors are taking appropriate precautions to safeguard plan data. They may also wish to revisit current contracts with their present vendors to address any areas where their contracts are silent, as well as consider whether additional measures are necessary to ensure the security and confidentiality of plan data. 

Administrators may also wish to review and update their plans’ document and retention policies to reflect this new guidance and review their vendors’ policies to confirm if amendments are warranted — with a particular focus on how vendors handle plan data upon expiration or termination of their agreement. 

Despite recognizing the important role played by participants and beneficiaries in securing their plan accounts, recommendations regarding cybersecurity education were notably absent from this guidance. Nonetheless, plans may wish to consider passing along the DOL’s online-security tips to account holders.      

 Lawrence J. Finnell is a senior counsel in the New York City office of the Syracuse–based law firm of Bond, Schoeneck & King PLLC. Contact him at lfinnell@bsk.com. This article is drawn from the firm’s Employee Benefits Law Information Memo.

A look at recent news headlines continues to show the impact that ransomware has on our everyday life. Whether it be the attack on Colonial Pipeline which set off a potential gas-supply shortage or the attack on JBS, a meat packer, the news keeps coming. Last year in the U.S. alone, more than 100 federal, state, and local governments; 500 health-care centers; 1,600 educational organizations; and thousands of businesses were victims to ransomware. That’s according to “The State of Ransomware in the US: Report and Statistics 2020,” published by Emsisoft Malware Lab in January.

That impact is also felt by small and mid-sized businesses (SMBs) as it was found in 2020 that the average cost of a ransomware event for SMBs totaled $505,827 per incident (including downtime, lost business, rebuilding and upgrades, etc.). The cost is only increasing, especially when you consider lost revenue and reputational harm to your business. According to the Beazley Group, a cyber-liability insurance provider, small and medium businesses are most at risk of ransomware, with more than 62 percent of claims. Beazley also reports that ransomware attacks increased 130 percent in 2020. 

In the past two years, the Cyber Defense Institute has assisted clients with ransomware incidents that ranged in cost from $600,000 to over $10 million right here in Central New York. Many ransomware attacks do not get reported as companies fear reputation loss and bad press. As a result, experts agree that the true number of attacks and cost of those attacks is grossly underestimated.

Ransomware is a type of computer malware that has a specific goal in mind — holding your data hostage until you pay a ransom. Early variants of ransomware would install on a single computer in your network and wreak havoc on your shared files. Today’s variants are using more sophisticated techniques in which they worm their way through your network, sometimes for months without detection, before detonating on as many systems as they can at once. This increases the likelihood you’ll pay the ransom because all your servers and workstations are infected all at once. 

Recommendations

Awareness training. The most-common method of infection from ransomware is still malicious emails. Another common method is so called “drive by downloads” in which a malicious file is downloaded from an infected website. Because of this, end-user security awareness training is one of the key strategies you should be implementing to protect your business from ransomware. This end user-training should include continuous phishing training and at least one hour several times per year of direct computer-based training content. This phishing training should include a system that sends fake phishing emails to your users to give them real-world experience dealing with phishing emails. Weekly security reminders that detail the most-current threats and scams are also highly effective. 

Two-factor authentication for applications and email is another easy win. Stolen credentials allow criminals to steal data and send malicious emails using legitimate email addresses to unsuspecting friends and colleagues. 

Anti-virus/malware software. Another critical component to your anti-ransomware strategy needs to be anti-virus/malware software that can prevent advanced threats such as ransomware. Traditional antivirus is no longer enough and the need for advanced-threat protection is critical. Software that includes endpoint detection and response (EDR) features are commonly used in cases of ransomware to help clean it up and stop it from spreading. For this reason, you should consider a similar product to help protect your environment. It also goes without saying that it is critical that you maintain your subscriptions with your antivirus vendor. There is nothing worse than getting a malware infection because you forgot to renew your antivirus license or update your current product regularly.

Implement a SIEM — Security Information and Event Management System — to provide continuous monitoring of your network 24/7, 365 days a year, which can also be coupled with a dedicated Security Operations Center (SOC) to notify you of incidents. These systems provide real-time alerts of suspicious or malicious activity on your network, enabling a fast response and prevention.

System patches and updates are another key component to reducing the risk of ransomware. Making sure you run your Windows updates on every machine, all the time, keeps your systems protected from the latest vulnerabilities. Don’t forget to keep your firewalls, printers, and other network devices up to date as well. These commonly forgotten devices are also frequently attacked by malicious actors and can lead to ransomware or other harm to your network.

Cyber-liability insurance. When you buy an insurance policy, it should specifically cover ransomware or data-extortion costs. And do not skimp on coverage limits. We recommend a minimum of $1 million for any size of business. 

Develop and practice an incident-response plan. A solid incident-response plan that is documented, known to all involved, and practiced at least once a year will save critical time when responding to an incident. Remember those fire drills in grade school? 

Layer your defenses. This is also known as defense in depth. Develop multiple roadblocks and segment networks wherever possible.

Carefully consider the options before you pay the ransom. This is easy to say when you are in crisis mode, but the research by Sophos and others points to increased costs for those that do pay. Even after paying the ransom, the cost for upfront protection, user training, and a solid backup strategy is the least-expensive way to stay safe and recover if you do get hit.

Backups. Finally, and perhaps the most important protection against the harms of ransomware, is to have excellent backups of your systems. The difference between quickly recovering from ransomware while not paying the ransom is directly correlated to the quality of your backups. A restore from backup can many times be a quick way to give a ransomware extortionist the boot. However, you need to make sure your backup system includes more than one copy of your data. Typically for an SMB this includes a copy in your office and a copy in the cloud. We also recommend keeping backups for at least 90 days as malware sometimes remains dormant for several months before calling out to the ransomware host. There are several other backup tactics that can be implemented depending on your overall IT infrastructure. 

Unfortunately, for most, ransomware is a matter of “when” and not “if.” However, you can reduce the impact it has on your business by taking steps now to better prepare for the inevitable. Ransomware does not have to be a potentially business-killing event if you properly prepare your business now. Doing nothing and ignoring the threat is no longer an option.        

Jim Shea is president of Cyber Defense Institute, Inc. (www.cyberd.us), a Syracuse–based, regional cybersecurity consulting and training firm specializing in cybersecurity regulatory compliance, cyber risk management, and cybersecurity assessments. Contact Shea at jrshea@cyberd.us. Brandon Finton is the senior security engineer at Cyber Defense Institute. Contact him at bfinton@cyberd.us.