<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Protecting Against the Risk</title>
	<atom:link href="https://privacyriskreport.com/category/protecting-against-the-risk/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA</title>
		<link>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa</link>
		<comments>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/#comments</comments>
		<pubDate>Fri, 10 Apr 2020 14:55:32 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Schools]]></category>
		<category><![CDATA[SOPPA]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2100</guid>
		<description><![CDATA[
<p>One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about... <a class="more-link" href="https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/">The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.</p>
<p>On April 2, 2020, <a href="https://www.docketalarm.com/cases/California_Northern_District_Court/5--20-cv-02257/H.K._et_al_v._Google_LLC/1/" target="_blank">a class-action lawsuit was filed in the District Court for the Northern District of California entitled <em>H.K. and J.C., through their legal guardian Clinton Farwell v. Google, LLC</em>, 20-CV-2257 NC (N.D. Cal. 2020)</a> which brings issues related to data gathered from students during e-learning front and center. Allegations that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘Chromebook’ laptops, which come pre-installed with its ‘G-Suite for Education’ platform…to over half of the nation’s schoolchildren, including those in Illinois, most of whom are under the age of 13” form the basis of this Class Action Complaint. (<em>See</em> Complaint at ¶ 6). In general, the minor plaintiffs in <em>H.K.</em> claim “[t]hese Google-manufactured and provided laptops come equipped with Google’s ‘G Suite for Education’ platform, which requires the children using it to speak into a microphone on the laptop that records their voices and look into a camera on the laptop that scans their faces.”(<em>See</em> Complaint at ¶ 46).</p>
<p>In providing the factual background for their claims, the minor plaintiffs in <em>H.K.</em> assert “Google provides its ‘Chromebook’ laptops to grade schools, elementary schools and high schools nationwide, who in turn make these computing devices available for use by children who attend their schools.” (<em>See</em> Complaint at ¶ 33). The Complaint alleges that Google collects the following student information through this program:</p>
<ul>
<li>The student’s physical location;</li>
<li>The websites visited by each student;</li>
<li>Every search term used by the student in Google’s search engines;</li>
<li>Every video watched by the student on the device;</li>
<li>The student’s personal contact lists;</li>
<li>Voice recordings;</li>
<li>Saved passwords; and</li>
<li>“Other behavior information.”</li>
</ul>
<p>The Complaint in <em>H.K.</em> also alleges that Google collects students’ “voiceprints” and face images. (<em>See</em> Complaint at ¶ 38). Next, the Complaint asserts “Google uses the voiceprints and face templates it collects to, <em>inter alia</em>, identify and track the children who its Chromebook laptops and the “G Suite for Education” platform that comes installed on them.” (<em>See</em> Complaint at ¶ 38). Further, the minor plaintiffs allege “[t]he unique voiceprints and face templates that Google has collected from children in Illinois and across the country are not only used by Google to identify children by name, they are also used by Google to recognize…gender, age and location.” (<em>See</em> Complaint at ¶ 40).</p>
<p>As for the specific allegations by the minor plaintiffs in <em>H.K.</em>, the Complaint alleges that H.K. and J.C. were Illinois residents under the age of 13 when they used Google’s G Suite for Education platform in their elementary school located in Bushnell, Illinois. (<em>See</em> Complaint at ¶ 10). Further, the Complaint alleges that neither minor “was asked for verifiable or written parental consent authorizing Google extraction, collection, storage and use of their personal and uniquely identifying ‘biometric identifiers’ or ‘biometric information’…”</p>
<p>Based on these allegations, the plaintiffs in <em>H.K.</em> claim Google violated the Illinois Biometric Information Protection Act (“BIPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) in the following manner:</p>
<ul>
<li>The Complaint in <em>H.K.</em> states that Illinois enacted <strong>BIPA</strong> in 2008 to protect Illinois citizens’ biometric data; the Act prohibits the collection or use of this information without providing notice to the individual and places a number of requirements on data collectors. (<em>See</em> Complaint at ¶ 17). The plaintiffs claim Google violated BIPA with its “practices of collecting, storing and using biometric identifiers and information from school children in Illinois without the requisite informed written consent…” (<em>See</em> Complaint at ¶ 19). Simply put, the plaintiffs in <em>H.K.</em> claim Google collected this information without obtaining parental consent. (<em>See</em> Complaint at ¶ 41). Based on these allegations, the minor plaintiffs claim Google violated BIPA in their first cause of action.</li>
</ul>
<p>Here, we may see Google argue that it is not subject to BIPA as a manufacturer of Chromebooks. BIPA lawsuits against the manufacturers of biometric equipment have not seen much success. As seen in the recent case <em>Bray v. Lathem Time Co. 19-cv-3157 (C.D. Ill. March 27, 2020)</em>, in addition to suing his former employer, Bray sued Lathem, the company that designed and sold biometric-based timekeeping systems to employers to track time worked by hourly employees. “Lathem claims BIPA was not designed to apply to third-party technology vendors like itself. Although BIPA may give Bray a cause of action against his employer, Hixson—which he is pursuing in a separate action in state court—it does not give him a claim against Lathem.” Consequently, the District Court&#8217;s reasoning in <em>Bray</em> makes it more difficult to sue manufacturers of the equipment that collects biometric data.</p>
<ul>
<li>The Complaint in <em>H.K.</em> states that the federal government enacted <strong>COPPA</strong> in 1999 after “recognizing the vulnerability of children in the Internet age.” (<em>See</em> Complaint at ¶ 20). “Under COPPA, developers of child-focused applications like Google’s ‘G Suite for Education’ service cannot lawfully obtain the personally identifiable information of children under 13 years of age without first obtaining verifiable consent from their parents.”</li>
</ul>
<p>Privacy issues related to “e-learning” are developing at a rapid pace.  For example, on April 9, 2020, the Federal Trade Commission took a position that undercuts the plaintiffs’ assertions in <em>H.K.</em> that Google violated COPPA. <a href="https://www.consumer.ftc.gov/blog/2020/04/remote-learning-and-childrens-privacy" target="_blank">In her blog post on the FTC’s website</a>, Lisa Weintraub Schifferle wrote it was the FTC’s position that schools can consent to the collection of information for educational purposes:</p>
<p><strong>If your child’s school is providing remote learning: </strong>Under COPPA, schools can consent on behalf of parents to the collection of student personal information by educational technology services. If your school has consented, then the service may only use that information for educational – not commercial – purposes. If you have questions about a service’s privacy and security practices, first review its online privacy notice. If you still have questions, consider asking your school. Remember, please, to be patient with your child’s school, as many schools are working hard to implement distance learning and may not be able to respond quickly. If you’d like to learn more, check out the U.S. Department of Education’s Student Privacy Policy Office’s new guidance on the Family Educational Rights and Privacy Act (FERPA) – “<a href="https://studentprivacy.ed.gov/resources/ferpa-and-virtual-learning-during-covid-19" target="_blank">FERPA and Virtual Learning</a>.”</p>
<p>Schools and educational technology companies can expect these privacy issues to become more prevalent once “brick and mortar” schools reopen. Further, in addition to seismic changes in this technology, schools will also need to monitor changes in the law. For example, the Illinois legislature recently amended the <a href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/" target="_blank">Illinois Student Online Personal Protection Act (&#8220;SOPPA&#8221;)</a>, setting forth an extensive list of requirements that schools must implement by July 1, 2021.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</title>
		<link>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-security-during-coronavirus-pandemic</link>
		<comments>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/#comments</comments>
		<pubDate>Thu, 26 Mar 2020 18:37:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coronavirus]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2077</guid>
		<description><![CDATA[
<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people. However, there has not been much discussion on what happens if there is a cyber event over the... <a class="more-link" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people. However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic. A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.</p>
<p>While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. <a href="https://www.forbes.com/sites/heathermcgowan/2020/03/23/the-coronavirus-pandemic-accelerates-the-future-of-work-and-provides-opportunity/#5c1d28f3317f" target="_blank">Commentators have already offered the following concerning the new workplace</a>:</p>
<p><em>If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about <a class="color-link" title="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" href="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" target="_blank" rel="nofollow noopener noreferrer" data-ga-track="ExternalLink:https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity">VUCA (volatile, uncertain, complex, and ambiguous)</a> environments, we are finally and undoubtedly facing one.  In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancelations, business shutdowns, and work from home mandates. JPMorgan, AT&amp;T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion. </em></p>
<p><em>Coronavirus, it turns out, might be the great catalyst for business transformation. </em></p>
<p>Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy.  The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.</p>
<ol>
<li><strong>The Pandemic May Provide Opportunities For Hackers</strong></li>
</ol>
<p>While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:</p>
<ul>
<li>We are in a pandemic caused by the novel coronavirus;</li>
<li>In response to the pandemic, people are working from home transferring information without the security measures found in the workplace;</li>
<li>The pandemic has created turmoil in the world’s financial and employment markets; and</li>
<li>Workers are feeling insecure, which may lead to snap decisions.</li>
</ul>
<p>Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers.  Data collectors may want to take the following approach in the coming weeks:</p>
<ul>
<li><strong>Protect data transfers</strong>. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key. Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.</li>
<li><strong>Prepare for outages.</strong> There are new limitations on communicating with a remote workforce. Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.</li>
<li><strong>Think about permanent solutions for the new workplace</strong>. The remote workforce will be able to return to their traditional workplaces at some point. Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.</li>
</ul>
<p>Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic.  German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Liefrando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.”  <a href="https://nationalcybersecurity.com/ddos-attack-targets-german-food-delivery-service/" target="_blank">Commentators warn this may not be the end of cyber attacks</a>:</p>
<p><em>Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.</em></p>
<p>Clearly, this will be a continuing threat over the next few weeks.</p>
<ol start="2">
<li><strong>The Pandemic May Cause Privacy Regulations To Get Dialed Back.</strong></li>
</ol>
<p>A couple of months ago, businesses, insurers and governments were starting to get the hang of this privacy thing. Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”). (By the way, a number of organizations are now calling for a delay in the enforcement of the CCPA: <a href="https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/">https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/</a>.) That was, of course, until the coronavirus pandemic sent workers home.</p>
<p>Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and the data is used by millions of workers that have moved offsite.  After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.</p>
<p>If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data storage and collection. Looking at case law may fill the void left by relaxed deadlines and requirements. For example, data collectors may look to decisions such as the March 26, 2018 opinion in <em>Hopper v. Schletter Inc.</em>, 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in <em>Hopper</em>, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.</p>
<p>Further, the facts giving rise to the incident in <em>Hopper</em> are instructive to remote workplaces.  On April 19, 2016, the defendant in <em>Hopper</em>, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third-party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.</p>
<p>The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end.  Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seventh Circuit&#8217;s Recent Decision Indicates Courts May Be Willing To Chip Away At BIPA</title>
		<link>https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa</link>
		<comments>https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/#comments</comments>
		<pubDate>Mon, 24 Jun 2019 14:54:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Illinois Supreme Court]]></category>
		<category><![CDATA[RLA]]></category>
		<category><![CDATA[Seventh Circuit]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1866</guid>
		<description><![CDATA[
<p>The law related to Illinois Biometric Information Protection Act (“BIPA”) came to a halt over the last year or so while the Illinois Supreme Court analyzed what constitutes an injury under the Act. As expected, courts have started to once... <a class="more-link" href="https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/">Seventh Circuit&#8217;s Recent Decision Indicates Courts May Be Willing To Chip Away At BIPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The law related to the Illinois Biometric Information Protection Act (“BIPA”) came to a halt over the last year or so while the Illinois Supreme Court analyzed what constitutes an injury under the Act. As expected, courts have started to once again visit the various legal issues related to biometric data now that the <em><a href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/" target="_blank">Rosenbach</a></em> decision has been issued. Now that BIPA cases are moving through the courts again, one major issue will be the proper venue for these cases, as many BIPA claims intertwine state and federal laws.</p>
<p>The Seventh Circuit recently undertook an analysis of the Illinois Biometric Information Protection Act (“BIPA”) by consolidating two cases involving claims by employees of two separate airlines. In <em>Miller v. Southwest Airlines Co./Johnson v. United Airlines, Inc</em>., 2019 WL 2462664 (June 13, 2019), the Seventh Circuit analyzed a number of procedural and statutory requirements involved in filing a BIPA claim. At first blush, the question presented by the Seventh Circuit appears to be narrow:  “whether persons who contend that air carriers have violated state law by using biometric identification in the workplace must present these contentions to an adjustment board under the Railway Labor Act (RLA), <a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000546&amp;cite=45USCAS151&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)">45 U.S.C. §§ 151</a>–<a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000546&amp;cite=45USCAS188&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)">88</a>, which applies to air carriers as well as railroads. <a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000546&amp;cite=45USCAS181&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)">45 U.S.C. § 181</a>?”  However, while the analysis of these cases may be driven by the RLA&#8211;an act that applies only to unions&#8211;the Seventh Circuit decision provides insight on many procedural aspects related to alleged biometric violations.</p>
<p>The facts giving rise to the two lawsuits were similar: Southwest Airlines and United Airlines maintained timekeeping systems that required workers to clock in and out with their fingerprints. The class action plaintiffs in both cases claimed the airlines implemented biometric systems without proper consent, failed to publish protocols related to use of the systems and improperly disclosed their information when the airlines used a third-party vendor to oversee the system.</p>
<ul>
<li><strong>Southwest Airlines Case </strong></li>
</ul>
<p>District Judge Marvin E. Aspen in the District Court for the Northern District of Illinois held the class action plaintiffs had standing under Article III but still dismissed the suit against Southwest Airlines for improper venue. Specifically, Judge Aspen found the matter should be litigated before an adjustment board under the Railway Act rather than in state or federal court in order to give the class action plaintiff’s union the opportunity to address the alleged BIPA violations.</p>
<ul>
<li><strong>United Airlines Case </strong></li>
</ul>
<p>The litigation against United Airlines originated in state court but was removed by United Airlines to federal court based on United Airlines&#8217; claim that there was a federal question presented by the Railway Labor Act and the Class Action Fairness Act. District Judge Virginia Kendall reached the same conclusion as Judge Aspen in the Southwest Airlines case but dismissed the United Airlines case based on a finding that the complaint failed to present an actionable case or controversy.</p>
<ul>
<li><strong>Standing And Damages</strong></li>
</ul>
<p>After consolidating these cases and reviewing the issues, the Seventh Circuit held the airline employees had standing to sue and, while United’s motion to remove was granted based on federal question jurisdiction, the cases should be litigated before an adjustment board governed by the Railway Labor Act.</p>
<p>In short, the Seventh Circuit found the involvement of unions required the analysis of whether the plaintiffs have standing to be slightly different from most data breach or privacy cases:</p>
<p><em>The prospect of a material change in workers’ terms and conditions of employment gives these suits a concrete dimension that </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=Y&amp;serNum=2038848364&amp;pubNum=0000708&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=RP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)" target="_blank"><em>Spokeo</em></a><em>, </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=Y&amp;serNum=2042285854&amp;pubNum=0000506&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=RP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)" target="_blank"><em>Groshek</em></a><em>, and </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=Y&amp;serNum=2048415308&amp;pubNum=0004031&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=RP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)" target="_blank"><em>Casillas</em></a><em> lacked. Either the discontinuation of the practice, or the need for the air carriers to agree to higher wages to induce unions to consent, presents more than a bare procedural dispute. See </em><em><a href="http://www.westlaw.com/Link/Document/FullText?findType=Y&amp;serNum=2045392170&amp;pubNum=0000506&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=RP&amp;fi=co_pp_sp_506_697&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_sp_506_697" target="_blank">Robertson v. Allied Solutions, LLC, 902 F.3d 690, 697 (7th Cir. 2018)</a>. </em><em>(“Article III’s strictures are met not only when a plaintiff complains of being deprived of some benefit, but also when a plaintiff complains that she was deprived of a chance to obtain a benefit.”)</em></p>
<p>With the Seventh Circuit’s reference to <em>Spokeo </em>and similar cases we can expect defendants to argue that the Seventh Circuit was not convinced that BIPA claimants can survive motions to dismiss without injuries that are <a href="https://privacyriskreport.com/spokeo-decision-already-having-concrete-impact-on-data-breach-class-action-litigation/" target="_blank">&#8220;particular and concrete.”</a></p>
<p>On the other hand, we can expect plaintiffs to argue the <em>Spokeo</em> analysis has no relevance because lack of proper consent is a violation under BIPA and, therefore, employees and customers are <a href="https://privacyriskreport.com/illinois-leaves-its-thumbprint-on-american-privacy-law-as-the-illinois-supreme-court-finds-an-individual-can-bring-an-action-under-the-biometric-act-without-being-involved-in-a-breac/" target="_blank">“aggrieved”</a> within the meaning of the Act. Many of the BIPA cases have not progressed far enough through the courts to allow a full analysis of whether class action plaintiffs need to show independent injury beyond improper notification.</p>
<ul>
<li><strong>Notice To Union Representatives</strong></li>
</ul>
<p>In addressing whether the airlines gave proper notice as required by BIPA, the Seventh Circuit examined whether the unions were provided with sufficient information to consent to “how workers clock in and out.” The Seventh Circuit provided the following analysis concerning notification for union members:</p>
<p><em>BIPA “provides that a worker or an authorized agent may receive necessary notices and consent to the collection of biometric information.” <a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f15&amp;originatingDoc=Ia84db0808e3711e9a3ecec4a01914b9c&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_a83b000018c76" target="_blank">740 ILCS 14/15(b)</a>.</em> Based on this statutory language, the Seventh Circuit states: <em>“We reject plaintiffs’ contention that a union is not a ‘legally authorized representative’ for this purpose. Neither the statutory text nor any decision by a state court suggests that Illinois wants to exclude a collective-bargaining representative from the category of authorized agents.”</em></p>
<p>Admittedly, the involvement of the airline unions pushes the Seventh Circuit to examine issues that may not impact the vast majority of BIPA cases where the class action plaintiffs may not belong to a union. However, many defendants will be able to take the position that their case is not over merely because the class action plaintiffs did not receive notification.</p>
<ul>
<li><strong>Removal From State Court To Federal Court</strong></li>
</ul>
<p>The Seventh Circuit did not have to address whether these matters could be removed from state court to federal court. That is, the Seventh Circuit could have ended its analysis with the holding that an adjustment board operating under the Railway Act should address the BIPA claims. The Court nevertheless addressed this question and allowed for the inference that removal is appropriate in BIPA cases based on diversity of citizenship:</p>
<p><em>Given our conclusion that the federal-question jurisdiction supports removal, we need not remand for the district court to explore the question whether on the date the case was removed, one class member was a citizen of Wisconsin or Indiana, or conceivably some third state other than Illinois or Delaware—say, a citizen of California temporarily detailed to work at O’Hare.</em></p>
<p>While the Seventh Circuit did not have to address this question, the Court acknowledged the fact that many BIPA cases filed in state court may be removed to federal court because there are likely going to be employees that reside outside of Illinois. Therefore, removal may be an option in the vast majority of BIPA class actions when Illinois corporations have a large number of employees. Further, this question will become even more important as BIPA claims brought by customers become more routine.</p>
<ul>
<li><strong>These Questions Are Not Going Away</strong></li>
</ul>
<p>Outside the procedural aspects of BIPA litigation, the full impact of the use of equipment to collect and store biometric data will be unclear until courts provide guidance on these issues. Further, the bounds of biometric laws will be tested as this equipment is increasingly used on the general public outside the employment context. For example, just last week, there were <a href="https://www.cnn.com/2019/06/20/politics/tsa-biometric-identification-passenger-screenings/index.html" target="_blank">a number of reports about the use of biometric equipment on air travelers:</a></p>
<p><em>TSA is testing a biometrics system, <a href="https://www.cnn.com/travel/article/atlanta-airport-first-us-biometric-terminal-facial-recognition/index.html" target="_blank">including at the busy Atlanta airport</a>, that uses Customs and Border Protection databases to verify customers&#8217; identities when they check in, pass through security and board their flights. The ultimate goal: <a href="https://www.cnn.com/travel/article/cbp-facial-recognition/index.html" target="_blank">Eliminate the need to carry a boarding pass</a>, passport or other identification &#8212; with cameras and computers verifying travelers&#8217; identities.</em></p>
<p>It will be interesting to see how biometric equipment will be received by air travelers.  Of course, air travel customers are different from employees as they can simply switch to a competitor that does not use biometric gathering equipment to register their opposition to the collection and use of their information. Therefore, if there is a true backlash against this equipment, we may see companies abandon the use of this equipment for customers.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</title>
		<link>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law</link>
		<comments>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/#comments</comments>
		<pubDate>Thu, 11 Apr 2019 16:17:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1810</guid>
		<description><![CDATA[
<p>While the United States may not have data protections in place that are as extensive as those seen in the European Union&#8217;s adoption of GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal... <a class="more-link" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While the United States may not have data protections in place that are as extensive as those seen in the <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">European Union&#8217;s adoption of GDPR</a>, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security.</p>
<ul>
<li><strong>The Insurance Industry’s Data Protection Standards </strong></li>
</ul>
<p>The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of state insurance regulators, provides one of the best examples of an industry taking steps on its own to regulate cyber security for the insurance industry. Early NAIC cyber security initiatives included creating <em><a href="https://privacyriskreport.com/insurance-commissioners-consider-cybersecurity-regulatory-principles-for-cyber-insurers/" target="_blank">Principles for Effective Cybersecurity Insurance Regulatory Guidance</a></em> to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” The NAIC’s initiatives are based on the realization that the insurance industry faces its own unique issues in protecting sensitive data. In short, the NAIC’s initiatives provide one of the best examples of an industry taking steps to regulate itself rather than wait for state or federal regulations to plug the gaps.</p>
<ul>
<li><strong>The Data Protections Found In The NAIC’s “Model Law.” </strong></li>
</ul>
<p>The NAIC furthered its track record on cyber security measures when it adopted the Insurance Data Security Model Law (“Model Law”) in October 2017 to encourage members of the insurance industry to adopt cyber security programs that would protect consumers’ personal information, create standards that would limit damage caused by a breach and create protocols to investigate incidents and notify the state insurance commissioner. Specifically, the Model Law is intended “to establish standards for data security and standards for the investigation of and notification to the Commission of a Cybersecurity Event” that involves an entity regulated under the insurance laws of a given state. (A copy of the <a href="https://www.naic.org/store/free/MDL-668.pdf" target="_blank">Model Law can be found here</a>.)</p>
<p>Insurance entities that operate in a state that has adopted a version of the Model Law may be subject to new regulations that apply both before a cyber incident and after one. First, under the Model Law, an insurance entity may be required to create an “Information Security Program” and “Incident Response Plan” prior to an incident. The Model Law would also govern the insurance entity’s response to a cyber incident by creating guidelines to investigate and provide notification after an incident. The Model Law is currently being considered in a number of states (Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire) and has been adopted in some form in Michigan and South Carolina.</p>
<ul>
<li><strong>Ohio’s Adoption Of The “Model Law” </strong></li>
</ul>
<p>Ohio is one of the first states to adopt a version of the NAIC’s Model Law through Senate Bill 273. On December 19, 2018, John Kasich, Ohio’s governor, signed Senate Bill 273 into law, which requires entities subject to Ohio’s insurance laws to take certain steps to protect private information. While the Ohio legislature adopted a large portion of the Model Law, Senate Bill 273 made some notable changes that include:</p>
<ul>
<li><em>Affirmative Defense</em>: Senate Bill 273 provides insurance entities that are in compliance with the statute with an affirmative defense to liability if they are sued for a cyber security incident;</li>
<li><em>Other Considerations:</em> The Ohio Department of Insurance can consider other factors related to a breach including the type of business and size of the insurance entity; and</li>
<li><em>Easy Compliance:</em> A streamlined process allows the insurance entity to file documents to comply with the provisions of this law with other corporate documents filed with the State of Ohio.</li>
</ul>
<p>Ohio’s law is more than an abstract cyber security guideline. Rather, it sets deadlines: all insurance entities must conduct a risk assessment to address the nature and likelihood of any internal threat to private information, and must implement a security program based on that risk assessment, by March 19, 2020. Therefore, Ohio’s insurance entities have work to do over the next year.</p>
<ul>
<li><strong>Industry Standards Provide Guidance</strong></li>
</ul>
<p>While many data collectors struggle to comply with various state and federal privacy laws, industry standards provide a uniform set of regulations. Further, industry standards that are crafted by members of the industry provide guidance on the issues facing that particular industry. And, while there is an argument that more regulations may become burdensome, regulations such as Ohio’s Bill 273 are helpful to the extent they protect sensitive data, provide guidance to data collectors and may limit liability when there is a cyber security incident.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways it believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question and provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization were sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim, finding that Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer were insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss because they alleged that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts toward holding data collectors responsible for cyber incidents even where the disclosure resulted from being tricked by a sophisticated criminal. The outcome of this case might have been dramatically different a few years ago, before a large body of information on proper safeguards was available. The District Court’s decision should not be misinterpreted to mean that all data collectors are liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</title>
		<link>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-finds-virtual-currencies-are-commodities-subject-to-existing-laws</link>
		<comments>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/#comments</comments>
		<pubDate>Thu, 08 Mar 2018 16:51:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[CFTC]]></category>
		<category><![CDATA[Chicago]]></category>
		<category><![CDATA[commodities]]></category>
		<category><![CDATA[crypto currency]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[virtual currencies]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1457</guid>
<description><![CDATA[
<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues. However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may... <a class="more-link" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues. However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may expect the law controlling cyber security and privacy law to develop.</p>
<p>In <em>Commodity Futures Trading Commission v. McDonnell,</em> 2018 WL 1175156 (March 6, 2018), the District Court for the Eastern District of New York held the Commodity Futures Trading Commission (“CFTC”) “has standing to exercise its enforcement power over fraud related to virtual currencies sold in interstate commerce…”  The CFTC is tasked with stopping fraud or manipulation in derivatives markets by enforcing the Commodity Exchange Act (“CEA”).  The CEA requires “any commodity traded as a future” to be “traded on a commodity exchange approved by the CFTC.”  Title 7 U.S.C. § 2.  In <em>McDonnell</em>, the threshold question was whether virtual currency may be regulated by the CFTC as a commodity.  And, after a lengthy analysis of virtual currencies, the District Court held the CFTC had authority over these markets and was entitled to enjoin the defendants from continuing to sell virtual currencies to the public.</p>
<p>The facts underpinning the <em>McDonnell </em>decision involve allegations that the Defendant, Patrick McDonnell (“McDonnell”), and his investment companies, “offered fraudulent trading and investment services related to virtual currency.”  Specifically, “[c]ustomers from the United States and abroad paid defendants for ‘membership’ in virtual currency trading groups purported to provide exit prices and profits of up to ‘300%’ per week.”  Unfortunately, the defendants disappeared by deleting company social media accounts and ceasing all communications with investors after receiving the initial payment and subsequent investments from members.</p>
<p>After hearing evidence concerning the defendants’ actions, the District Court granted a preliminary injunction to the CFTC when it found that the defendants committed fraud through false trading advice and “promised future profits.”  The District Court held that an injunction was warranted in light of the reasonable likelihood that the defendants would continue to violate the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are Here To Stay</strong></li>
</ul>
<p>Before arriving at its decision, the <em>McDonnell </em>Court conducts an in-depth analysis of Bitcoin and other virtual currencies.  After addressing the basics related to virtual currencies, the District Court finds these currencies “serve the same purposes as gold in terms of a currency, but much more efficiently because it does not have any mass and can be sent easily from place to place.”  Further, the District Court acknowledges that virtual currencies may be here to stay because “online exchanges have become more accessible allowing more members of the public to trade and invest in virtual currencies.”  The District Court concludes there is a greater chance for fraud and criminal activity as these currencies grow in popularity.</p>
<ul>
<li><strong>While The Regulations Are Slightly Unclear, There Is No Doubt That Virtual Currencies Are Regulated By<em> Some</em> Governmental Agency. </strong></li>
</ul>
<p>After taking a closer look at how virtual currencies could potentially be regulated by the Department of Justice, the Securities and Exchange Commission, the Treasury Department, the IRS, private exchanges or through state regulations, the District Court settles on the CFTC as the administrative body that is “currently exercising partial supervision of virtual currencies.”  The District Court’s analysis of these regulations provides further support for the finding that the CFTC has standing to seek injunctive relief against anyone violating the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are “Commodities” That Can Be Regulated By The CFTC</strong></li>
</ul>
<p>The <em>McDonnell</em> court must also address whether virtual currencies are “Commodities” as defined under the CEA. Therefore, the District Court must analyze whether virtual currencies fall within the definition of Commodities in the CEA, which protects agricultural products and “all other goods and articles…and all services, rights, and interests…in which contracts for future delivery are presently or in the future dealt in.”  After a lengthy analysis of this issue, the District Court ultimately concludes “[v]irtual currencies can be regulated by CFTC as a commodity.”  In short, the District Court finds “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value.”</p>
<ul>
<li><strong>The CFTC Is Entitled To An Injunction When The Fraud Is Not Directly Related To The Sale Of Futures Or Derivative Contracts</strong></li>
</ul>
<p>After finding the CFTC has standing to seek an injunction against the defendants, the <em>McDonnell</em> court next determines there is sufficient evidence that the defendants “committed fraud by misappropriation of investors’ funds and misrepresentation of trading advice and future profits promised to customers.”  On this issue, the District Court concluded that a preliminary injunction in favor of the CFTC was warranted in light of the finding that a fraud had been committed.</p>
<ul>
<li><strong>The Scope Of This Decision May Reach Beyond Virtual Currencies</strong></li>
</ul>
<p>First, the <em>McDonnell</em> decision makes clear that it is time for insurers to start considering whether virtual currency presents losses covered under traditional insurance policies or whether new products should be developed.  Over the last few months we have seen more people invest in virtual currencies.  The <em>McDonnell</em> court quotes the December 1, 2017 Bloomberg Businessweek, which sheds more light on virtual currencies: “The initial price of bitcoin, set in 2010, was less than 1 cent.  Now it’s crossed $16,000.  Once seen as the province of nerds, libertarians and drug dealers, bitcoin today is drawing millions of dollars from hedge funds.”  (While the price in December 2017 was $16,000, the price has since dropped.) The <em>McDonnell </em>decision acknowledges that as the pool of investors increases, we can expect to see an increase in the potential for losses, theft and all the other things the defendants in this case are accused of doing.  Consequently, as virtual currencies become more ingrained in our daily lives, it may be time for insurers to start taking a closer look at losses involving virtual currencies.</p>
<p>Additionally, the <em>McDonnell</em> decision discusses a number of issues currently facing cyber and privacy law.  First, while the District Court finds virtual currencies fall into the definition of “commodities,” the Court has to work to get there.  In the end, the District Court finds that the same law can protect agricultural products and virtual currencies at the same time.  We face many of these same issues in cyber security and privacy law as we try to fit these emerging issues into laws and regulations that may have been on the books for decades.</p>
<p>Finally, the section of the <em>McDonnell</em> decision entitled “concurrent oversight from Other Agencies” discusses how a number of governmental agencies could regulate virtual currencies.  Likewise, cyber security and privacy law faces a similar situation as a number of state and federal agencies fight to regulate this emerging area of law. Therefore, while the <em>McDonnell</em> decision provides insight into the regulation of virtual currencies, it also provides guidance for cyber security and privacy law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>California Court Finds Misuse Of Information Is Not A Data Breach</title>
		<link>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=california-court-finds-misuse-of-information-is-not-a-data-breach</link>
		<comments>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/#comments</comments>
		<pubDate>Mon, 26 Feb 2018 21:21:55 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1446</guid>
<description><![CDATA[
<p>Tax season is quickly becoming peak season for cyber and data incidents. As seen during every recent tax season, last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee... <a class="more-link" href="https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/">California Court Finds Misuse Of Information Is Not A Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Tax season is quickly becoming peak season for cyber and data incidents.  As seen during every recent tax season, <a href="https://www.irs.gov/newsroom/irs-states-and-tax-industry-renew-alert-about-form-w2-scam-targeting-payroll-human-resource-departments" target="_blank">last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee information</a> from a company’s human resources department.  While there are a number of examples of the data perils to avoid during tax season, a recent case illustrates that not every incident involving data or personal information constitutes a data breach.  On February 20, 2018, the United States District Court for the Central District of California found that the claims in <em>Lomelli v. Jackson Hewitt, Inc.,</em> 2:17-CV-02899-ODW (2018), did not constitute a data breach.</p>
<p>In <em>Lomelli,</em> the plaintiff claimed he was defrauded by Jackson Hewitt, or more particularly, by Jackson Hewitt’s agent, when his tax return was first filed correctly with his approval and then filed again, without his approval, with additional expenses included, which resulted in a fraudulent tax return being filed.  The plaintiff also claimed that he was enrolled in an “Assisted Refund” program that charged him additional fees without his approval.  Plaintiff was unaware of the fraudulent tax refunds until he received a cashier’s check for an amount different from the tax refund he was expecting and learned that a bank account had been opened in his name from which Jackson Hewitt was withdrawing fees without his consent.</p>
<p>Plaintiff filed a complaint alleging fraud based on the filing of a fraudulent tax return by Jackson Hewitt’s agent, as well as violations of the California Customer Records Act (“CRA”), <a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&amp;lawCode=CIV" target="_blank">Cal. Civ. Code § 1798.80.</a>  The CRA provides a private right of action where a business fails to “disclose a breach of the security of the system following discovery or notification of the breach&#8230;in the most expedient time possible and without unreasonable delay.”<a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.82.&amp;lawCode=CIV" target="_blank"> Cal. Civ. Code § 1798.82.</a></p>
<p>Jackson Hewitt argued plaintiff’s CRA claims should be dismissed since plaintiff failed to allege a data breach by an unauthorized person that would have required notice under the statute.  Rather, Jackson Hewitt took the position that the plaintiff authorized Jackson Hewitt and its agent to have access to his personal information in order to prepare his tax returns.  Here, the District Court makes the distinction that the allegations are “not that the information was disclosed to an unauthorized person, but, rather, that the information included in his tax returns was unauthorized.”  Based on this distinction, the District Court found these allegations do not constitute a violation under CRA and, therefore, Jackson Hewitt was entitled to judgment in its favor.</p>
<p>The District Court further held that plaintiff lacked standing to bring a viable claim under the CRA because his allegations were limited to harm that “may” occur in the future.  In finding in favor of Jackson Hewitt on this point, the District Court rejected plaintiff’s position that he would not have returned to have his later tax returns prepared by Jackson Hewitt if he was notified of the disclosure of fraudulent information on the early returns.</p>
<p>This case demonstrates that while data breaches are becoming more frequent, not every disclosure constitutes a data breach.  The District Court finds a distinction in the fact that plaintiff can only allege the <em>misuse</em> of his information rather than the <em>disclosure</em> of that information.  Even though we may feel bad for the plaintiff in this case as he will need to unravel all the damage done by having fraudulent tax returns filed in his name, his allegations did not amount to a data breach.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/">California Court Finds Misuse Of Information Is Not A Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ironing Out The Wrinkles In Data Legislation:  A Case Study</title>
		<link>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ironing-out-the-wrinkles-in-data-legislation-a-case-study</link>
		<comments>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/#comments</comments>
		<pubDate>Fri, 26 Jan 2018 20:06:42 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1426</guid>
<description><![CDATA[
<p>There should be little dispute that the current patchwork of foreign, federal, state and industry cybersecurity regulations needs to be harmonized in order to protect data. While these varying laws and proposed laws can be dizzying even for large corporations, it is... <a class="more-link" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>There should be little dispute that <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/">the current patchwork of foreign, federal, state and industry cybersecurity regulations needs to be harmonized in order to protect data.</a> While these varying laws and proposed laws can be dizzying even for large corporations, it is virtually impossible for small businesses to feel confident they are meeting their obligations under these various laws.  As it stands today, a data collector, regardless of size, has to balance a number of conflicting sources when considering cyber security.  Suffice it to say, the current framework of competing laws and regulations may overwhelm data collectors, causing them to simply give up on trying to meet their obligations.  In the end, data protection laws may become useless if they are too complex to be worth a data collector’s effort.</p>
<ul>
<li><strong>A Case Study:  Mom and Pop’s Cleaners</strong></li>
</ul>
<p>As 2018 <em>unfolds</em>, a hypothetical “mom and pop” dry cleaner in Tucson, Arizona keeps a registry of its customers&#8217; names, addresses, phone numbers and email addresses.  We learn that “Mom and Pop’s Cleaners” has customers that include international citizens visiting the United States and others who work at nearby businesses, as well as Arizona residents and residents from other U.S. states.  In an effort to not s<em>kirt</em> any laws, Mom and Pop have asked the<em> Privacy Risk Report</em> for assistance in understanding the laws and proposed laws that may impact them in 2018.  The following will take a real world approach and <em>spot</em> the issues presented by the laws and regulations that may impact Mom and Pop’s business in 2018.</p>
<ul>
<li><strong>Foreign Regulations Must Be Part Of The </strong><em><strong>Cycle</strong></em><strong>.  </strong></li>
</ul>
<p>Mom and Pop’s Cleaners does a brisk business with international workers at the nearby regional office of a French corporation.  Accordingly, Mom and Pop have questions concerning the data they are collecting on these French residents and residents of other EU nations in 2018.</p>
<p><em>European Union General Data Protection Regulation</em></p>
<p>European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018.  The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  (A guide to the EU GDPR can be found <a href="https://www.eugdpr.org/">here.</a>)</p>
<p>Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of where the data collector may be located.  The definition of personal data is broadened to the extent it includes any information “that can be used to directly or indirectly identify the person.”  Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how the data is to be handled and stored.  For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed.  GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request.  <a href="http://thehill.com/opinion/cybersecurity/366607-europes-privacy-law-set-to-change-how-personal-data-is-handled-around">Further, under GDPR, data collectors will be required to perform routine assessments to identify risks for private data. </a> Finally, the penalties for non-compliance may total up to 4% of the annual global turnover of the breaching data collector or €20 Million (whichever is greater).</p>
<p>Mom and Pop should not dismiss the upcoming enforcement of the GDPR as something that only concerns large, multi-national corporations.  Mom and Pop, as with many data collectors of all sizes, may be surprised to find the amount of data they are storing that belongs to EU residents.  Here, there is no question that Mom and Pop have data belonging to customers that are EU residents and should at least consider whether they have obligations under GDPR and how a breach of this information could become a <em>stain</em> on their business.  Further, the GDPR may give some insight to Mom and Pop as to the direction of U.S. privacy laws in the coming years.</p>
<p>Just as Mom and Pop seem to understand their obligations under GDPR, they wonder if GDPR applies to their British customers in light of Brexit.  The GDPR website offers the following <em>stitch</em> of advice:</p>
<p>“If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.”</p>
<p>Mom and Pop may not be ready to consider how Brexit impacts their collection of data belonging to their British customers.  They have already made more progress in this area than many of their competitors.</p>
<ul>
<li><strong>Federal Regulations Need To Be More </strong><em><strong>Tailored</strong></em></li>
</ul>
<p>Mom and Pop’s Cleaners also has a number of customers that are tourists from other U.S. states.  Mom and Pop have questions concerning the data they are collecting for these customers in 2018.</p>
<p><em>The Data Breach Prevention and Compensation Act of 2018</em></p>
<p>U.S. lawmakers have taken steps to directly regulate credit reporting agencies in response to the Equifax breach.  In its current form, <a href="https://siliconangle.com/blog/2018/01/10/proposed-law-impose-huge-fines-credit-reporting-agency-data-breaches/">The Data Breach Prevention and Compensation Act of 2018 </a>would create new regulations by expanding the powers of the Federal Trade Commission (FTC).  Specifically, the proposed Act would create an Office of Cybersecurity to monitor large credit reporting agencies.  The Office of Cybersecurity would have the authority to impose fines on any credit reporting agency that suffered a data breach or failed to properly report a breach.  Under the current draft of the law, consumers would receive 50% of any fine imposed by the Office of Cybersecurity.</p>
<p>This legislation has been introduced by Senators Elizabeth Warren and Mark Warner after seeing the Equifax breach in 2017.  While this legislation is unlikely to pass, it still makes clear that credit reporting agencies will continue to be under heightened scrutiny in 2018 and beyond.</p>
<p>Of course, even if this legislation passes, Mom and Pop will not need to worry about it since they do not qualify as a credit reporting agency.</p>
<p><em>IoT Cybersecurity Improvement Act of 2017</em></p>
<p><a href="http://internetofthingsagenda.techtarget.com/feature/IoT-Cybersecurity-Improvement-Act-sets-low-bar-for-IoT-device-safety">The IoT Cybersecurity Improvement Act of 2017</a> would require security practices of any company before it can sell interconnected devices to the federal government.  Importantly, this legislation would not regulate all IoT devices.  Commentators have stated that “[b]road IoT legislation isn’t practical in the current Congress…which was why the bill’s authors had narrowed its focus to federal procurement.”  There are further questions as to whether this is a good first step that will lead to broad IoT regulation or if these regulations will lose momentum after devices for the federal government are regulated.</p>
<p>Mom and Pop do not have any immediate concerns with this proposed legislation.  Down the road, their business may be safer if any interconnected device they purchase has the same security as that imposed on devices sold to the U.S. government.  However, this legislation does not appear to be of any concern to Mom and Pop over the next year.</p>
<ul>
<li><strong>State Regulations Create </strong><em><strong>Wrinkles </strong></em><strong>For Smaller Data Collectors.</strong></li>
</ul>
<p>Mom and Pop do not have to worry about any national data breach notification requirements.  All attempts to create breach notification standards at the federal level have lost <em>steam.</em>  In particular, the bill referred to as <a href="https://gizmodo.com/new-senate-bill-includes-jail-time-for-executives-who-c-1820897003">the Data Security and Breach Notification Act </a>appears to have no chance of becoming law in 2018.  Unfortunately, as data collectors for Arizona residents, Mom and Pop will face some uncertainty in 2018.</p>
<p><em>Arizona’s Data Breach Notification Law: Changes in 2018</em></p>
<p>At present, the Arizona legislature is considering changes to <a href="https://www.jdsupra.com/legalnews/arizona-legislature-considers-58918/">Arizona’s data protection laws</a>.  The current Arizona law requires data collectors to notify individuals of any breach that compromises their information and may cause “substantial economic loss” to that individual.  The new law under consideration in 2018 for Arizona would remove this “substantial economic loss” requirement, and, therefore, would require notice in many more situations.  Additionally, the current law defines “personal information” as an individual’s name combined with a social security number, driver’s license number, non-operating i.d. or financial account number, credit card or debit card number in combination with a security code, access code or password for that account.  The new legislation would no longer require a security code, access code or password to be compromised in order to trigger a data collector’s notification obligations.</p>
<p>In 2018, Arizona’s notification law may also be changed to require notice to affected individuals within 30 days of the breach.  The law presently only requires notification to take place in the “most expedient manner possible without unreasonable delay.”</p>
<p>Based on these changes, Mom and Pop are going to need to take a close look at the data they are storing on Arizona residents and how that data is being protected.  Further, Mom and Pop may also need to take a closer look at their procedures if a breach occurs.  The time frame for their response and the notification to their customers has been taken from a subjective deadline to an objective, 30-day deadline.  Mom and Pop have a lot of work to do in order to make sure they are in compliance with this law.</p>
<p><em>Other States’ Data Breach Notification Laws</em></p>
<p>Even if Mom and Pop happen to figure out their obligations under Arizona law, they still have to consider the laws for other states where their customers may reside.  As data collectors for residents of a number of states, Mom and Pop face even more uncertainty.  As it stands today, each state has its own data breach notification laws.  Consequently, Mom and Pop may have different obligations, including numerous deadlines to provide notification, for a single breach that includes data for residents of different states.</p>
<ul>
<li><strong>Mom And Pop’s Approach For 2018</strong></li>
</ul>
<p>From a practical standpoint, Mom and Pop are not realistically going to put much thought into complying with GDPR.  However, they may make efforts to comply with their state data protection laws.  While Arizona’s new data law may not be in perfect harmony with GDPR, it is an important first step to get Mom and Pop to at least begin to consider Arizona’s law and make an effort to comply.  Maybe if things go right, Mom and Pop may consider buying an endorsement to their insurance policy for cyber protection in 2019.</p>
<p>Additionally, while it is great to see lawmakers begin to tackle these issues, it will be important to not overwhelm data collectors.  2018 promises to be an interesting year for data protection laws.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</title>
		<link>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors</link>
		<comments>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/#comments</comments>
		<pubDate>Wed, 20 Dec 2017 21:15:07 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Small Data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1397</guid>
<description><![CDATA[
<p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data... <a class="more-link" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data breaches, cyber incidents or other surprises.  Just this week, we saw major news stories which include the <a href="https://www.cnbc.com/2017/12/18/us-to-blame-north-korea-for-wannacry-cyber-attack.html" target="_blank">US government blaming North Korea for the WannaCry cyberattack earlier this year</a> and <a href="https://www.law360.com/illinois/articles/995800/sonic-drive-in-chain-hit-with-class-action-over-data-breach" target="_blank">Sonic Drive-Ins being sued in a class action for its data breach</a>.  Therefore, while we are hesitant to put together a list with a couple of weeks left in 2017, it is safe to form at least some broad conclusions about 2017.</p>
<p>Cyber has been a moving target for years and 2017 has been no different.  In 2017, we saw privacy laws evolve while legislatures attempted to keep up with the various threats.   While we did not see a pivotal cyber insurance law case, 2017 had a fair share of cases that deserve further analysis. We saw a number of cyber incidents and data breaches that should keep litigants and our courts busy for many years.  Overall, we saw a scenario where smaller data collectors have less personal information to protect and can make adjustments in 2018.  The fact that large-scale data breaches are still occurring may indicate that, despite having better information concerning data protection, large-scale data collectors may not be able to make adjustments within their organizations quickly enough to keep up with changing rules and evolving threats.</p>
<p>The body of information concerning data collectors&#8217; obligations is growing and 2017 provided the following insight for consideration in 2018 and beyond:</p>
<p><em><strong>The Further Development Of State Privacy Laws</strong></em></p>
<p>Without having a significant body of law to rely upon, state privacy laws typically provide the most guidance for data collectors.  These laws regulate the type of information that must be protected, how to protect that information and the consequences if the information is not protected properly.  In 2017, we analyzed revisions and modifications to these laws that should be addressed.</p>
<p><strong>What are “Reasonable Measures” For Data Collectors?</strong></p>
<p><a href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/" target="_blank">One central issue playing out in 2017 has been how “data collectors” adapt to modifications of state privacy laws. </a>For example, Illinois amended its breach notification statute, the Personal Information Act <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67">(815 ILCS §530/5)</a> (&#8220;PIPA&#8221;), to include a requirement that any data collector holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Illinois joined a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual who has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.</p>
<p>PIPA was also amended in 2017 to require data collectors to take &#8220;reasonable measures&#8221; to protect personal information.  While we really did not get much insight on what the legislature believes may constitute “reasonable measures,”<a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank"> by mid-January of 2017 we had already seen courts provide some guidance.</a>  In our January 19, 2017 post, we analyzed the <em>Dittman</em> decision in Pennsylvania to determine obligations for “data collectors” in the absence of controlling law. With scant law, a “data collector” may want to consider the advice in the <em>Dittman</em> concurring opinion and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data. Otherwise, we are still waiting on a court to address what the “Reasonable Measures” standard means.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, </a>which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.”</p>
<p><a href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">The stated objectives of the NIST publication include: “…to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur;</a> and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provided the following “key questions that should be answered by organizations when addressing their security and privacy concerns&#8221;:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.  While there may be no requirement to meet the NIST Standards, a data collector has a better chance of showing they took &#8220;reasonable measures&#8221; if they can demonstrate they attempted to address the NIST standards in addition to the vague requirements found in state privacy laws and the general standards of some industries.</p>
<p><strong>States And Courts Take Steps To Protect Biometric Data </strong></p>
<p>While we saw some changes concerning the storage of “personal data” in 2017, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">we also received a glimpse of the importance of protecting biometric data.</a></p>
<p>In late 2016 and 2017, we saw a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA). “Biometrics” refers to “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a>, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions.</p>
<p>Not only is this technology here to stay, but it is already involved in litigation across the country.  For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</a> Without a doubt, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country.  In 2018, we can expect to see data collectors find other uses for biometric information and, therefore, more effort will be needed to protect this information.</p>
<p>By March of 2017, we saw another biometric data case when the U.S. District Court for the Northern District of Illinois, Eastern Division, analyzed BIPA in <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf"><em>Rivera v. Google Inc</em>.</a>, 16 C 02714 (N.D. Ill. 2016), and found allegations that Google created and stored face-scans from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.</p>
<p>As we move into 2018, we can expect the protection of biometric data will continue to grow in importance for data collectors.</p>
<p><em><strong>Another Large-Scale Data Breach in 2017: Equifax</strong></em></p>
<p>While it appeared in 2017 that large-scale data breaches may not occur as frequently as we saw a couple of years ago with Target Stores, Home Depot, Best Buy or the federal government, 2017 still had its fair share of large data breaches. The growing consensus that fewer data breaches may indicate large data collectors were taking better precautions with personal information was called into question when it was announced in September that Equifax had a significant breach.  <a href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/" target="_blank">Admittedly, we are still learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017</a>. While different numbers have been discussed, it appears about 143 million people may have been impacted. Suffice it to say, this was a huge data breach.</p>
<p><a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do">The FTC’s website provides the following facts </a>on the Equifax breach:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>Equifax’s initial breach response included offering one free year of its credit monitoring service and providing information via <a href="http://www.equifaxsecurity2017.com/">its website created just for this breach</a>.  However, Equifax soon faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/">Equifax had to issue a statement claiming to have fixed the problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. This has led some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”</em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits were filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more than 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares of the company days after the cyberattack was discovered.  Equifax had to issue another statement after its announcement indicating that while the three executives sold a “small percentage” of their shares August 1 and August 2, 2017, they “had no knowledge that an intrusion had occurred at the time they sold their shares.”</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement placed Equifax’s response under further scrutiny.  After the Equifax breach, it became clear that not all large data collectors, despite seeing breach scenarios play out over and over, are prepared for a data breach.</p>
<p><strong>Allegations in Uber Breach Demonstrate Need For Clear Response To Incident</strong></p>
<p>If Equifax made it clear that we are not out of the woods on large-scale data breaches, the allegations against Uber after its breach may have shed more light on how large-scale data collectors are handling breaches.  <a href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/" target="_blank">On November 28, 2017, the City of Chicago and Illinois (“plaintiffs”) filed their Complaint in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc</em>., Case No. 2017CH15594 (Nov. 28, 2017). </a>The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.</p>
<p>In particular, the plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.” The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…”  Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment.  The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>Litigation In 2017 Looked Like Litigation In 2016:  “Standing” To Bring Suit Still Questionable In 2017</strong></p>
<p>As seen in prior years, the <a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/">threshold question in data breach lawsuits during 2017 is still whether a litigant has “standing” to bring a cause of action </a>against the party that allegedly caused a breach. This hurdle for litigants rises out of Article III of the Constitution that limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative.  Nevertheless, while a number of data breach cases have been lost at the initial pleadings stage, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.</p>
<p>As this body of law has developed over the years, one case in particular, <em>Lewert v. P.F. Chang’s China Bistro, Inc.</em>, 14-3700 (7<sup>th</sup> Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs. Developments in 2017 in the P.F. Chang’s litigation should provide more hope for plaintiffs.</p>
<p>The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count.” (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.</p>
<p>On April 26, 2017, the District Court filed a minute order which merely stated that the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.</p>
<p>While it took a while to get here, we are finally at the point in this case where we will see whether plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage because many courts found their damages too speculative to survive a motion to dismiss. It will be important to watch this case proceed through discovery and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">the Neiman Marcus case recently settled </a>before we could see how that litigation unfolded through discovery and further motion practice.</p>
<p><strong>Take-Away For 2018</strong></p>
<p>Based on the developments in 2017, we can expect smaller data collectors to have a wealth of information to use when determining their obligations for storage of personal information.  Smaller data collectors have state privacy laws, industry regulations and cases to look to for guidance. On the other hand, Equifax may show us that larger data collectors may have trouble in 2018.  Even though all data collectors have the same information available concerning their obligations, large data collectors may have too much information and too much red tape to properly prepare for an incident. Out of all the large-scale data collectors, one would hope Equifax was prepared for a breach and had a response ready to go. We may see a scenario where smaller data collectors, despite fewer resources, have a better chance to protect data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It May Be Time To Admit That Criminals Will Outpace Privacy Laws</title>
		<link>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws</link>
		<comments>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/#comments</comments>
		<pubDate>Thu, 26 Oct 2017 16:11:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1350</guid>
		<description><![CDATA[<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards. Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack. Unfortunately, the legislatures... <a class="more-link" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards. Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack. Unfortunately, the legislatures that develop privacy laws are not known for their efficient work. For example, the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Illinois Information Protection Act</a> (PIPA) is one of the most comprehensive data laws found in the United States and provides the model for many states. PIPA provides guidelines for data collectors, including how to properly respond to a breach of personal information. However, even though it is generally considered to be on the cutting edge, PIPA still has trouble keeping up with technological developments created by criminals.</p>
<p><strong>Is Ransomware An “Acquisition” Of Data Under The Illinois Information Protection Act? </strong></p>
<p>As it stands, PIPA does not expressly state that it applies to data collectors that are attacked with ransomware.  Of course, ransomware has been a threat for a while and this threat appears to be on the increase. For example, <a href="http://www.bbc.com/news/technology-41740768" target="_blank">a new strain of ransomware nicknamed &#8220;Bad Rabbit&#8221; is reportedly spreading in Russia</a>, Ukraine and moving into other parts of the world. This new threat appears to be related to the WannaCry and Petya ransomware attacks that caused problems earlier this year. At present, this malware is not being detected by anti-virus programs.</p>
<p>While the extent of the damage caused by Bad Rabbit is still unknown, the threat created by ransomware is clear. <a href="http://www.zdnet.com/article/ransomware-is-now-big-business-on-the-dark-web-and-malware-developers-are-cashing-in/" target="_blank">Reports indicate the total value of ransomware sales on the dark web has rapidly increased from $250,000 to over $6m in just a year</a>. The growth of ransomware will continue as criminals get more access to the malware and victims are resigned to the fact that they have no choice but to pay to regain access to their systems. The only hurdle for ransomware at this point appears to be an increased number of amateur criminals using malicious software and potentially not releasing encrypted files to victims.  These amateurs may destroy the credibility of the ransomware criminal enterprise.</p>
<p>For our purposes though, this is not a good environment for PIPA to have any ambiguity concerning whether it applies to ransomware attacks.   PIPA addresses a data collector’s obligations if they sustain a “breach.”  Specifically, PIPA requires that a data collector notify Illinois residents that their personal information has been involved in a “breach.” Of course, the ransomware threat is different than the threat created by a disclosure of personal information through a classic system breach or a disclosure caused by a phishing scam.  PIPA defines “breach” as:</p>
<p><em>&#8220;Breach of the security of the system data&#8221; or &#8220;breach&#8221; means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. &#8220;Breach of the security of the system data&#8221; does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector&#8217;s business or subject to further unauthorized disclosure.</em></p>
<p>While PIPA does not mention ransomware by name, its definition raises the question of whether ransomware falls under “breach of the security of the system data.” Arguably, a ransomware attack often does not involve any “acquisition” of data at all; it may be limited to encrypting the data until a ransom is paid. If there is no &#8220;acquisition&#8221; of the data, a data collector may struggle to determine whether a ransomware attack constitutes a “breach” under PIPA.</p>
<p>Based on this ambiguity, if a data collector is hit with ransomware, the most prudent course may involve notifying all Illinois residents of the incident.</p>
<p><strong>Is It A Good Idea To Send People To Equifax In Notification Letters?</strong></p>
<p>PIPA also provides notification requirements if a data collector experiences a breach. Specifically, if a data collector suffers a breach of the personal information of an Illinois resident, the data collector must send a “disclosure notification” which provides “the toll-free numbers and addresses for consumer reporting agencies.” After the recent <a href="http://www.bbc.com/news/technology-41737241" target="_blank">breach at Equifax</a>, a consumer reporting agency, data collectors may be hesitant to tell people involved in an incident to contact Equifax. Further, even if Equifax’s information is provided merely to comply with this requirement, Illinois residents may not be willing to reach out to Equifax. As recent events show this requirement to be useless, the Illinois legislature may want to amend PIPA to remove it from the notification letter requirements.</p>
<p>Even if Bad Rabbit does not develop into a major threat in the United States, we can be certain that criminals are already working on their next crime involving our home, government and business computer systems. Therefore, the Bad Rabbit outbreak provides the perfect opportunity to take a look at a data collector’s responsibilities if it is hit with ransomware, or with some other cyber crime that may not even be in the news at this time.</p>
<p>Even though there may be some uncertainty, privacy laws are still the first place data collectors should go if they are involved in an incident. At this point, it may be slightly unrealistic to expect legislatures to create privacy laws that move as quickly as the criminals we are trying to protect ourselves against. Further, most criminals will have moved on from ransomware to the next threat by the time the legislature is able to pass laws addressing ransomware. Data collectors may need to look to the intent behind privacy laws and notify impacted individuals if there is a chance that their information has been exposed to another person without authorization, regardless of whether the information was compromised through employee negligence, a classic breach, ransomware or some threat presently unknown.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
