<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; coverage</title>
	<atom:link href="https://privacyriskreport.com/tag/coverage/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties. Tesla did not waste any time filing suit as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla still alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of his being hired, Tesla had identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. Tripp was angry when he received word that he was transferred to a new role.</p>
<p>By mid-June, Tripp was confronted with evidence that he was the source of a hack at Tesla and admitted to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as being still in the early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of fiduciary duty of loyalty. In this claim, Tesla claims Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example that cyber security and privacy violations have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; to Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a> And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and <em>motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business. The risk of a hack increases with the amount of data stored. Here, there was a need for balance since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that while there may be an opportunity to access data, the employer is willing to entrust the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags.  Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for safeguards that are in place to protect data.  This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action</title>
		<link>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action</link>
		<comments>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/#comments</comments>
		<pubDate>Fri, 12 May 2017 18:40:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Home Depot]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1200</guid>
		<description><![CDATA[
<p>The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims.  The latest development related to this... <a class="more-link" href="https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p dir="LTR" align="LEFT">The litigation arising out of the data breach at Schnuck&#8217;s Markets (&#8220;Schnuck&#8217;s&#8221;) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims. The latest development related to this breach was recently seen in <em>Community Bank of Trenton v. Schnuck Markets</em>, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.</p>
<p dir="LTR" align="LEFT">Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network. Specifically, Trenton attempted to support its cause of action with allegations &#8220;that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.&#8221; Trenton’s complaint further alleged that unencrypted data &#8220;was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013.&#8221; The Complaint alleged Schnucks learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013. Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).</p>
<p dir="LTR" align="LEFT">In granting Schnucks&#8217; motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law. Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500). The District Court rejected Trenton’s argument, finding &#8220;the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.&#8221; (&#8220;What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.&#8221;) The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to &#8220;read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.&#8221;</p>
<p dir="LTR" align="LEFT">After finding Trenton did not have a private cause of action based on Missouri&#8217;s breach notification laws, the District Court distinguished &#8220;out-of-circuit precedent&#8221; where courts have found defendants had a duty to safeguard data based on a business relationship. (<em>In re Home Depot, Inc. Customer Data Security Breach Litigation</em>, 2016 WL 2897520 (N.D. Ga. 2016); <em>Target Corp. Data Sec. Breach Litigation</em>, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and <em>Sovereign Bank v. BJ&#8217;s Wholesale Club, Inc.,</em> 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005).) The District Court found these cases unpersuasive because the record in the <em>Home Depot</em> breach litigation suggests &#8220;Home Depot&#8217;s data security conduct&#8230;was egregious and intentional,&#8221; the <em>Target</em> Court relied on provisions that were unique to Minnesota law, and the holding in <em>BJ&#8217;s Wholesale Club</em> &#8220;is frankly outdated.&#8221;</p>
<p dir="LTR" align="LEFT">The holding in <em>Schnuck&#8217;s</em> provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the <em>Schnucks</em> court, plaintiffs may need to show a data breach resulted from the &#8220;egregious and intentional&#8221; conduct seen in the <em>Home Depot</em> breach litigation. The <em>Schnucks</em> court distinguishes this case from the record in the <em>Home Depot</em> litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security &#8220;and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.&#8221;</p>
<p dir="LTR" align="LEFT">The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security.  Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach.  Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/schnucks-market-decision-discounts-argument-that-breach-notification-law-gives-rise-to-private-cause-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</title>
		<link>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry</link>
		<comments>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/#comments</comments>
		<pubDate>Fri, 17 Mar 2017 19:03:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1158</guid>
		<description><![CDATA[
<p>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017. Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and... <a class="more-link" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p><em>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017.</em></p>
<p>Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and the US intelligence community.  It is easy to dismiss these national and international stories as being too big to provide any real insight into our domestic cyber insurance market.  However, it may be too soon to write off all news of government or political cyber attacks and leaks.</p>
<p>Last week, WikiLeaks published a substantial amount of data hacked from the CIA, showing the agency’s hacking and cyber warfare techniques. While no one would reasonably want to see a leak that could compromise national security, this leak provides valuable information for the insurance industry to evaluate its cyber insurance products. And, with the information already being leaked, the insurance industry should use this information to examine current and future cyber threats.</p>
<p><strong>Initial impact </strong></p>
<p>In its largest leak ever, WikiLeaks dumped data and information showing the classified hacking activities and other cyber weapons of the CIA. The document dump showed the CIA created software code to hack smart technology in the following manner:</p>
<ul>
<li><strong>Smart Phones:</strong> The CIA developed code to allow it to track an individual’s geolocation and allow remote access to audio, text communications, camera, and microphone features on a target’s smartphone before the data could be encrypted.</li>
<li><strong>Smart TVs:</strong>  The CIA’s code was able to transform a smart TV into a “covert microphone” capable of sending conversations occurring near the television through the internet to a CIA server while the television appears to be off.</li>
<li><strong>Smart Vehicles:</strong>  The WikiLeaks’ release showed that “[a]s of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks” which may be used to complete “nearly undetectable assassinations.”</li>
</ul>
<p><strong>Current cyber threats </strong></p>
<p>This leak is important because it shows how the CIA and, presumably, other sophisticated hackers are trying to access various consumer products. In this first dump alone, WikiLeaks leaked 8,761 documents with more documents on the way. It is rare that the insurance industry would have access to such a huge amount of information concerning the threats that give rise to cyber risks.  This information can immediately be put to good use.  For example, the information dumped in this leak provides substantial data for automobile insurers to determine the threat posed by hackers compromising smart cars.  And, the data comes from sophisticated, real-world hacking attempts rather than controlled experiments.</p>
<p>Further, more than just the leaked data, the leak provides valuable insight into the current threat covered by cyber insurance.  The fact that this information may have been breached by a CIA employee or contractor shows the current threat of malicious insiders in determining cyber risks.  The insurance industry must wrestle with the fact that if the CIA cannot stop a breach of its most secretive data, there may be little chance for an insured to stop a determined hacker.</p>
<p><strong>Future cyber threats </strong></p>
<p>This leak also provides valuable information showing where cyber threats may be going over the next few years.  As stated in the WikiLeaks’ press release: “[o]nce a single cyber &#8216;weapon&#8217; is &#8216;loose&#8217; it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.”  Therefore, in assessing future cyber risks, the insurance industry should consider the CIA’s current hacking capabilities in order to forecast where non-government hackers may be going in the coming years, especially now since this information is in the public domain.</p>
<p>For example, WikiLeaks’ data dump shows the CIA was not necessarily penetrating encryption applications on smart phones. Rather, the CIA was simply hijacking the entire device and gathering information before it was even encrypted. First, this may provide step-by-step instructions for hackers less sophisticated than CIA hackers. It may be worthwhile for the insurance industry to start analyzing how this threat may impact cyber insurance policies in the near future. Additionally, the insurance industry may look at whether stringent requirements that insureds encrypt their information would be useful in the future, as such steps may not necessarily provide a safeguard or may take resources that could be applied elsewhere. The CIA’s technique to get around encrypted devices was not widely known even two weeks ago.</p>
<p>Additionally, the WikiLeaks’ dump states the intention behind the hack was to have the public decide whether the CIA has too much power. In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA&#8217;s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.</p>
<p>Consequently, based on the stated intention of the hackers giving rise to the WikiLeaks’ leak, it may be worthwhile for the insurance industry to consider the place that “hacktivism” has for cyber insurance products in the future and whether there is an increased cyber threat to insureds that draw negative attention.</p>
<p><strong>No such thing as “absolute privacy” </strong></p>
<p>Finally, the public’s attitudes concerning privacy are an important component in assessing the risks for cyber insurance. The risks covered by cyber insurance and expectations for privacy can be better understood when events such as the CIA leak occur. For better or worse, after seeing their privacy compromised in large-scale data breaches at retailers and government institutions and after falling prey to ransomware and phishing scams, the public may start viewing their privacy differently than just a few years ago. Further demonstrating this point is the fact that after WikiLeaks’ leak, FBI director James Comey stated “[t]here is no such thing as absolute privacy in America.” At a cybersecurity conference days after the hack, Comey further stated, “All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces.”</p>
<p>A few years ago, Comey’s statements would have caused waves in the news. Today, the public barely took notice of his statements. Therefore, while seeing our privacy being compromised may still be unacceptable, the insurance industry can begin looking at the risk associated with a breach of an individual’s privacy in a slightly different manner than how it viewed it just a couple of years ago. Not to mention the fact that many courts are finding plaintiffs lack standing to bring lawsuits unless they show they have suffered damages when they have their private information compromised. In a sense, the level of risk goes down for insuring cyber incidents as the public begins to accept their privacy may not be protected.</p>
<p>Even though they do not directly impact the insurance industry, cybersecurity issues facing government agencies and political parties should not be overlooked as a valuable resource for the insurance industry.  The insurance industry should take information from any source available, including WikiLeaks, to evaluate cyber products.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Face It, We Are Going To See A Lot Of The Illinois&#8217; Biometric Information Protection Act In Courts</title>
		<link>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts</link>
		<comments>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/#comments</comments>
		<pubDate>Fri, 03 Mar 2017 22:40:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric information protection act]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1131</guid>
		<description><![CDATA[
<p>Over the last few weeks, the Illinois Biometric Information Privacy Act (&#8220;BIPA&#8221;) (740 ILCS 14/1 et seq.) has presented a number of unique questions for courts.  On February 14, 2017, we addressed Vigil v. Take-Two Interactive Software, Inc., where the U.S. District Court...</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few weeks, the Illinois Biometric Information Privacy Act (&#8220;BIPA&#8221;) (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20" target="_blank">740 ILCS 14/1 et seq</a>.) has presented a number of unique questions for courts.  On February 14, 2017, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">we addressed <em><span style="color: #0066cc;">Vigil v. Take-Two Interactive Software, Inc</span></em><span style="color: #0066cc;">.</span>, where the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game</a>.  This week, the Eastern District for the Northern District of Illinois analyzed BIPA in <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf" target="_blank"><em>Rivera v. Google Inc</em>.</a>, 16 C 02714 (N.D. Ill 2016), and found allegations that Google created and stored face-scans taken from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.</p>
<ul>
<li><b><strong>Background on Claims Against Google</strong></b></li>
</ul>
<p>In <em>Rivera</em>, the Court found claims by Plaintiffs that Google collected, uploaded and scanned photographs to create &#8220;facial templates&#8221; were sufficient to survive Google&#8217;s motion to dismiss.  In particular, Plaintiff Rivera alleged that the scans “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.”  Likewise, Plaintiff Weiss claims he took approximately twenty-one photos which were uploaded to the cloud-based server and were scanned “to create a custom face-template based on Weiss’s features.”  Plaintiffs claim their face-templates were used “to find and group together other photos of them” and to “recognize their gender, age, race, and location.”</p>
<ul>
<li><b><strong>Google’s Motion To Dismiss</strong></b></li>
</ul>
<p>Under the section of the <em>Rivera</em> decision entitled “Face Geometry Scans,” Google asserted that Plaintiffs’ class action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected.  The District Court denied Google&#8217;s motion to dismiss based on a finding that Plaintiffs sufficiently alleged that Google&#8217;s actions fell into the definitions found in BIPA and may have been violations of the Act.</p>
<ul>
<li><b><strong>Analysis Of “Biometric Identifier” And “Biometric Information” </strong></b></li>
</ul>
<p>The District Court first examined the meaning of “Biometric Identifier” as used in BIPA.   The Act defines this term as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  The District Court further noted that this list is “a biology-based set of measurements (“biometric”) that can be used to identify a person (“identifier”).” BIPA also provides a lengthy list of items that are not biometric identifiers, which include, but are not limited to, photographs.  (&#8220;Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color or eye color.&#8221;)</p>
<p>Based on the definition of &#8220;Biometric Identifier&#8221; and the list of items not included in the definition, the District Court found the allegations in Plaintiffs’ Complaint involving “face templates” qualified as a biometric identifier under BIPA. The District Court rejected Google’s argument that “only face scans that are done in person can qualify…” for protection under BIPA.</p>
<p>The District Court also rejected Google’s assertion that the face templates were not biometric identifiers since photographs were one of the items expressly removed from the definition of biometric identifier under BIPA. The District Court’s decision was based on its finding that the Plaintiffs were not alleging the photographs themselves were biometric identifiers.  The District Court rejected Google’s argument that the separate definitions of “biometric identifier” and “biometric information” somehow “distinguish the ‘source of the content.’”  The District Court&#8217;s decision provides the following excerpt from Google’s brief concerning this argument:</p>
<p><em>What is derived from a person is a ‘biometric identifier,’ and what is subsequently derived from a biometric identifier is ‘biometric information.’ The statute’s structure thus confirms that a ‘scan of…face geometry’ must be derived from the person herself.  Plaintiffs’ reading of the statute would collapse this careful structure, rendering the distinction between ‘biometric identifier’ and ‘biometric information’ meaningless. </em></p>
<p>The District Court summarized Google&#8217;s position as: “…Google is arguing that if biometric information cannot be ‘based on’ something from the biometric-identifier paragraph’s ‘do not include’ list (for example, ‘photographs’), then an identifier may also not be ‘based on’ something from that same list.” And, the District Court rejects this argument by making the following distinction between these terms:</p>
<p><em>…the things on the list of biometric identifiers are just that—specific, biology based measurements used to identify a person, without reference to how the measurements were taken. And,…the ‘biometric information’ goes on to ensure that private entities cannot do an end-around the Privacy Act by converting biometric identifiers into some other format. </em></p>
<p>In the alternative, Google argued that BIPA does not apply even if it collected and used the photographs since Google did not act in Illinois. We will address the District Court&#8217;s analysis of this issue in our next post.</p>
<p>It is important to note that, in denying Google’s motion to dismiss, the District Court leaves the question open of whether Google’s arguments would hold up “once further factual development has occurred in discovery.” Therefore, in finding additional discovery is needed on this issue, the Court finds Plaintiffs adequately stated a claim under BIPA to survive the motion to dismiss.  The District Court further held that &#8220;[i]t is conceivable that discovery will reveal that what Google is actually doing does not fit within the definition of biometric identifier as interpreted by the Court.&#8221;  This case, and many cases currently in the courts involving these issues, will provide a unique opportunity to watch the development of various privacy legislative acts and allow us to see whether the current laws keep up with the development of technology.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Use of Biometric Data Enters the Courts</title>
		<link>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=use-of-biometric-data-enters-the-courts</link>
		<comments>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/#comments</comments>
		<pubDate>Tue, 14 Feb 2017 22:09:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1105</guid>
		<description><![CDATA[
<p>The Privacy Risk Report has previously reported on the necessity to safeguard personal information such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves...</p>
]]></description>
				<content:encoded><![CDATA[<p>The <em>Privacy Risk Report</em> has previously reported on the <a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank">necessity to safeguard personal information</a> such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA).</p>
<p>“Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a>, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions. Not only is this technology here to stay, but it is already involved in litigation across the country.</p>
<p>For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf" target="_blank"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</p>
<p><strong>Illinois Biometric Information Privacy Act</strong></p>
<p>The Illinois legislature enacted BIPA (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20">740 Ill. Comp. Stat. 14/1 et seq</a>.), “which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.”</p>
<p>Before reaching its decision to grant Take-Two’s motion to dismiss, the District Court provided the following exhaustive background on BIPA:</p>
<p style="padding-left: 30px;"><em>As the Illinois legislature observed, biometric data are by definition unique, and thus—unlike a credit card number—cannot realistically be changed if they are subject to identity theft. <u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_4b24000003ba5"><em>740 Ill. Comp. Stat. 14/5(c)</em></a><em>. The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from “partaking in biometric identifier-facilitated transactions” in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_7fdd00001ca15"><em>740 Ill. Comp. Stat. 14/5(e)</em></a><em>. The BIPA represents the Illinois legislature’s judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual’s biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. 
<u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/5(a–g)</em></a><em>.</em></p>
<p style="padding-left: 30px;"><em>Under the BIPA, a “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is information based on “biometric identifiers.” </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f10&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/10</em></a><em>.</em></p>
<p><strong>Take-Two’s Video Game — NBA 2K16</strong></p>
<p>The defendant, Take-Two, collects and uses biometric data for its video games, including NBA 2K16. The plaintiffs allege that they used a feature in the video game “to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play.” The plaintiffs did not allege the images of their faces were used for anything beyond use in their own games. The “MyPlayer” feature was specifically at issue, “which allows a gamer to create a ‘personalized basketball avatar’ based on a three-dimensional rendition of the gamer’s face.”</p>
<p><strong>Plaintiffs’ Claims of BIPA Violations </strong></p>
<p>Plaintiffs claimed that Take-Two’s violations of BIPA included the following:</p>
<ul>
<li>Take-Two did not publicly provide “a retention schedule or guidelines for permanently destroying biometric identifiers;”</li>
<li>Take-Two failed to inform the plaintiffs in writing that their biometric information was being collected;</li>
<li>Take-Two collected biometric information without obtaining a proper release from the plaintiffs;</li>
<li>Take-Two disclosed and disseminated plaintiffs’ biometric information without adequate consent;</li>
<li>Take-Two did not employ “industry-standard reasonable care;” and,</li>
<li>Take-Two profited from plaintiffs’ biometric information.</li>
</ul>
<p><strong>Dismissal of Plaintiffs’ Complaint</strong></p>
<p>Unconvinced by the plaintiffs’ arguments, the District Court granted Take-Two’s motion to dismiss the plaintiffs’ second amended complaint based on a finding that plaintiffs lacked standing to bring suit against Take-Two. <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/">As with many data storage cases</a>, plaintiffs had to demonstrate they had standing to bring suit. In order to avoid Take-Two’s motion to dismiss, the plaintiffs attempted to support their claims with allegations of procedural violations of BIPA, without any allegations of additional harm in order to establish standing.</p>
<p>The District Court rejected the plaintiffs’ position because “[n]one of the plaintiffs’ allegations of procedural violations, on their own, demonstrate a material risk of harm to BIPA’s concrete data protection interest because there is no plausible allegation that there is a material risk that plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature.”</p>
<p>Additionally, the District Court held the plaintiffs failed to establish that there was “an imminent risk of harm that Take-Two’s storage and dissemination of their facial scans could compromise the data protection interest of the BIPA.” The District Court held the allegations that Take-Two’s practices may have subjected plaintiffs’ facial scans to an “‘enhanced risk of harm’ of somehow falling into the ‘wrong hands’” was too speculative to demonstrate plaintiffs had standing to sue Take-Two.</p>
<p>The District Court also rejected the plaintiffs’ argument that their damages were more than merely “speculative and abstract” by arguing that “face scans are relatively immutable, and, unlike (for example) passwords, cannot be changed.”</p>
<p><strong>Initial Impact of this Decision</strong></p>
<p>One fundamental principle in each section of the District Court’s lengthy opinion is that the plaintiffs scan their own faces in order to create avatars for the video game. And, the plaintiffs failed to allege that the biometric information was used for any purpose other than that to which plaintiffs had consented. That being said, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. It is only a matter of time before data collectors find other uses for biometric information.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Litigation Provides Example of Password Being Possibly Too Safe</title>
		<link>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=recent-litigation-provides-example-of-password-being-possibly-too-safe</link>
		<comments>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/#comments</comments>
		<pubDate>Fri, 03 Feb 2017 20:32:56 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[indiana uniform trade secret act]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trade secrets]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1090</guid>
		<description><![CDATA[
<p>It is evident that password security is one economical way to decrease the chances of a cyber incident, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which...</p>
]]></description>
				<content:encoded><![CDATA[<p>It is evident that <a href="https://privacyriskreport.com/low-tech-solutions-to-high-tech-cyber-security-problems-2/">password security is one economical way to decrease the chances of a cyber incident</a>, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which provides professional development programs for educators, filed suit against its former systems administrator because he would not provide the password for a student email system. The former employee, Triano Williams, filed his own discrimination lawsuit alleging, among many other accusations, that the passwords were stored on a laptop he returned to ACE, and that he offered to help them find the password for a fee.</p>
<p>The first lawsuit was initiated on July 19, 2016, when ACE filed suit against Williams, in Marion County, Indiana, based on allegations that Williams would not provide the password for a Google account that held e-mail and course materials for 2,000 students after ACE fired him from his position as Systems Administrator. When ACE contacted Williams after he was terminated about gaining access to the Google account, Williams stated he would provide the passwords for $200,000.</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2017/02/State_of_Indiana_v_Triano_Williams.pdf" target="_blank">ACE’s complaint</a> (Paragraph 2) contained the following allegations concerning Williams’ employment and termination:</p>
<ul>
<li>“As the Systems Administrator for ACE, Mr. Williams had access to ACE’s confidential information and trade secrets.”</li>
<li>“Following his termination, Mr. Williams returned the company-issued computer which he had been using to perform his work duties.”</li>
<li>“The computer had been wiped of all information, included information needed by ACE to conduct its business. Specifically, at the time his employment with ACE ended, Mr. Williams was the sole administrator of ACE’s email account (hosted by Google), which is used by its students to communicate with the college and conduct their coursework.”</li>
<li>“Mr. Williams claims the login and administrator password to access ACE’s email was “autosaved” on his work laptop, but because Mr. Williams wiped his hard drive before returning to ACE, the administrator login information was lost.”</li>
<li>“The college has been unable to access its email account.”</li>
<li>“Without access to its email system, ACE is unable to administer its email account, without the administrator username and password which is causing immeasurable harm to the College’s reputation as its students are unable to access their email and coursework.”</li>
<li>“ACE has also requested the login information multiple times from Mr. Williams, but he has refused to provide that information without ACE paying him $200,000.”</li>
</ul>
<p>Based on these general allegations, ACE claims it suffered harm from Williams’ actions and sought recovery under theories of: (1) intentional interference with contractual relationships and business relationships, (2) violation of the Indiana Uniform Trade Secret Act, (3) conversion, (4) offense against intellectual property, (5) breach of fiduciary duty, and (6) criminal mischief. ACE further sought a restraining order requiring Williams to immediately provide the password for ACE’s Google-hosted student e-mail account.</p>
<p>On December 30, 2016, Williams struck back when he filed <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Triano_Williams_v_American_College_of_Education.pdf" target="_blank">a complaint</a> in the U.S. District Court for the Northern District of Illinois alleging he was subjected to a hostile work environment and disparate treatment prior to and when ACE fired him. The complaint filed in Williams’ discrimination action sheds some light on Williams’ side of this story. In particular, Williams claims that he “was the sole remaining administrator when ACE decided to terminate him and lock him out of ACE’s Google email system.” Williams refused to assist ACE in retrieving the password because he was no longer an employee at the time and ACE was not offering any compensation for his work. Further, Williams’ complaint alleges that ACE had faced a similar situation with another employee and “paid…a sizable consultant fee to perform the task needed by ACE.”</p>
<p><a href="http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/">In discussing this situation, cyber security experts warn</a> that “[a] lot of organizations are using cloud-based services and online services like this [and] [e]ven under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn’t get paid.” Further, this situation shows the important role employees play in cyber security. While it has always been clear that employees can supplement the technological safeguards put in place, this litigation shows how the technology ACE relied on may have actually made ACE’s life more difficult. Regardless of whether ACE or Williams prevails in their competing lawsuits, the takeaway here is that the dispute may have been defused to some extent if ACE had stored the passwords in multiple (and safe) places.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Recent Litigation Provides Example of Password Being Possibly Too Safe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Safe Prediction for 2017: Cyber Security Laws Will Change on January 1, 2017</title>
		<link>https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2</link>
		<comments>https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/#comments</comments>
		<pubDate>Thu, 15 Dec 2016 22:21:22 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1046</guid>
		<description><![CDATA[
<p>As 2016 draws to a close, predictions for 2017 regarding cyber security have already been made (some are discussed below). However, the Privacy Risk Report will take a safer route and predict, even guarantee, that there will definitely be changes... <a class="more-link" href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/">A Safe Prediction for 2017: Cyber Security Laws Will Change on January 1, 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>As 2016 draws to a close, predictions for 2017 regarding cyber security have already been made (some are discussed below). However, the <em>Privacy Risk Report</em> will take a safer route and predict, even guarantee, that there will definitely be changes to a number of laws addressing cyber security in 2017.</p>
<p>In looking at some of the 2017 predictions, the common themes appear to be: (1) ransomware will continue to cause trouble; (2) the Internet of Things (IoT) will give rise to new security risks; and (3) cloud computing may not be completely safe. These predictions, even if they are proven to be wrong, are worth considering for risk assessment and to forecast possible damage.</p>
<p><strong><em>Prediction</em>: Ransomware Incidents Will Increase </strong></p>
<p>In Symantec’s report entitled “<a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf">Ransomware: A Growing Menace</a>,” ransomware is described as “a category of malicious software which, when run, disables the functionality of a computer in some way.” McAfee Labs, in its “<a href="http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf">2017 Threats Predictions</a>,” predicts that ransomware will peak in the middle of 2017, “but then begin to recede.” McAfee’s report states its prediction is based on the increase in ransomware giving rise to “decisive actions” by the cyber security industry.</p>
<p>Experian’s “<a href="http://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf">Fourth Annual 2017 Data Breach Industry Forecast</a>,” predicts that ransomware will go from being a mere nuisance to potentially having a “catastrophic” impact on healthcare facilities. Based on ransomware attacks on hospitals in 2016, Experian predicts “big healthcare hacks will make the headlines, but small breaches will cause the most damage.” In order to avoid an incident where ransomware limits or precludes access to lifesaving medical equipment, Experian recommends medical facilities invest in proper security measures and employee training.</p>
<p><strong><em>Prediction</em>: Internet of Things (IoT) Incidents Will Increase </strong></p>
<p>IoT is the network of household appliances, vehicles, industrial machines, medical equipment and a number of other familiar devices connected through the internet. McAfee states the current threat involving IoT is driven by two main forces: “[t]hey are a potential source of data or metadata” and they provide “a potential attack vector to cause damage.” McAfee tempers the concern related to IoT based on the fact that there are few ways to currently profit off hacking IoT devices.</p>
<p>McAfee also sees a scenario combining ransomware and the IoT in its prediction that we may see interconnected devices held hostage until a ransom is paid to the hacker.</p>
<p>The McAfee Report also addresses the risk created by “hacktivists” attempting to disrupt a corporation or government through the IoT. For example, hacktivists may try to make a political statement by “taking control and altering voting machine tallies, opening valves at a dam, or overriding safety systems at a chemical plant.” The McAfee Report states that “[w]ithin the next two to four years, we expect hacktivists to try, but few if any will succeed.”</p>
<p><strong><em>Prediction</em>: Incidents Involving Cloud Computing Will Increase</strong></p>
<p>In recent years, cloud computing has provided an option to shift risk by moving data storage to cloud computing providers based on the premise that data will be safer. Consequently, hackers and other criminals have identified cloud computing providers as worthwhile targets. McAfee predicts that the increased trust in cloud computing has led to the cloud storing more sensitive data, which, in turn, could result in more attacks on cloud computing providers. McAfee’s experts believe the increased number of incidents involving cloud computing will give rise to more litigation against cloud providers, businesses and their customers as plaintiffs argue the efforts to protect their personal information were not “reasonable.”</p>
<p><strong><em>Prediction</em>: The Term “Dronejacking” Will Enter Our Vocabulary </strong></p>
<p>If there was not enough to worry about already, McAfee coins the phrase “dronejacking” to describe how drones can be used by hackers. Similar to the problems related to the increased number of devices giving rise to the IoT, the increased number of drones used not just as toys but also in law enforcement, real estate, news media and shipping increases the chances that drones will be compromised. McAfee predicts that 2017 will bring “drone exploit toolkits,” which will make dronejacking easier. While the full impact of dronejacking is not entirely known at this time, McAfee’s Report discusses how drones can land on a roof and hack into the building’s wireless network.</p>
<p><strong><em>Not a Prediction</em>: A Number of Cyber Security Laws Will Change in 2017 </strong></p>
<p>There is no question that a number of laws addressing cyber security will definitely change in 2017. For example, Illinois has amended its breach notification statute, which means real changes will be seen on January 1, 2017. Specifically, Illinois’s Personal Information Act <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67">(815 ILCS §530/5)</a> will now include a requirement that any entity holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”</p>
<p>Additionally, Illinois joins a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual that has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.</p>
<p>Other states that also will see revisions to their data breach/cyber laws include California, Nebraska, Oregon and Rhode Island.</p>
<p>While predictions are important to get businesses to consider cyber security issues, businesses are required to know the changes in the law and meet those new requirements. For example, Illinois businesses need to determine whether they have implemented “reasonable security measures” to protect personal information to meet the requirements under Illinois law. Contact Tressler’s Privacy Group attorneys for advice on how to get ready for the changes imposed on data collectors under Illinois’ Personal Information Protection Act, effective January 1, 2017.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/">A Safe Prediction for 2017: Cyber Security Laws Will Change on January 1, 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Court Opinion Provides Insight Into Presidential Vote Recount Efforts</title>
		<link>https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts</link>
		<comments>https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/#comments</comments>
		<pubDate>Mon, 28 Nov 2016 20:34:43 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[election]]></category>
		<category><![CDATA[FEC]]></category>
		<category><![CDATA[Federal Election Commission]]></category>
		<category><![CDATA[FOIA]]></category>
		<category><![CDATA[Freedom of Information Act]]></category>
		<category><![CDATA[NIST Study]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1014</guid>
		<description><![CDATA[
<p>In the last few days, Hillary Clinton’s campaign has backed efforts to recount votes in key states. In addition to being a close election, many commentators have endorsed the recount efforts to address concerns over hackers tampering with the election... <a class="more-link" href="https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/">Recent Court Opinion Provides Insight Into Presidential Vote Recount Efforts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In the last few days, Hillary Clinton’s campaign has backed efforts to recount votes in key states. In addition to being a close election, many commentators have endorsed the <a href="http://www.nbcnews.com/politics/2016-election/clinton-campaign-agrees-back-jill-stein-s-election-recount-effort-n688601" target="_blank">recount efforts to address concerns over hackers</a> tampering with the election process. Coincidentally, a court decision from last week provides a glimpse of the concerns the Federal Election Commission (FEC) had prior to election night.</p>
<p>In <em><a href="https://privacyriskreport.com/wp-content/uploads/2016/11/Levinthal-v-Federal-Election-Commission.pdf" target="_blank">Levinthal v. Federal Election Commission</a></em>, Dave Levinthal, an investigative reporter for the Center for Public Integrity, filed a request under the Freedom of Information Act (FOIA) seeking information from the FEC. Specifically, the plaintiff was seeking a copy of a study that reviewed vulnerabilities in the FEC’s information technology systems and the recommendations to address those vulnerabilities and any emails and documents related to the study. The FEC produced non-exempt materials related to the study, but withheld the study itself. Levinthal filed suit based on allegations that the FEC did not fully comply with the FOIA request.</p>
<p>The FEC conducted this study to determine how to implement new guidelines published by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST Study). The NIST Study was intended to seek out measures for the FEC to implement “to protect its infrastructure from ‘wrongful interference, circumvention, or unlawful action by unauthorized persons.’”</p>
<p>After refusing to disclose the results from the NIST Study, the FEC filed a motion for summary judgment arguing the NIST Study was exempt from disclosure as a “law enforcement record.” Specifically, FOIA allows an agency to withhold information: (1) if it is “compiled for law enforcement purposes;” (2) if its release “would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions;” and (3) such “disclosure could reasonably be expected to risk circumvention of the law.”</p>
<p>Importantly, the FEC’s Chief Information Officer provided evidence to the court that the NIST Study “provides a blueprint to the Commission’s networks” and that its public disclosure “could thus enable hackers to bypass the Commission’s current protection mechanisms.” And, in agreeing with this premise, the District Court stated:</p>
<p style="padding-left: 30px;"><em>This court observed in Long v. Immigration and Customs Enforcement, 149 F. Supp. 3d 39, 53 (D.D.C. 2015), that “[j]udges are not cyber specialists, and it would be the height of judicial irresponsibility for a court to blithely disregard…a claimed risk” of a cyber-attack or a security breach. The court will not disregard such risk in this case. Accordingly, the court finds that the NIST Study satisfies the second prong of the “compiled for law enforcement purposes” inquiry.</em></p>
<p>Based on the evidence provided by the FEC’s Chief Information Officer, the District Court granted the FEC’s motion for summary judgment and found the NIST Study was exempted from disclosure.</p>
<p>This opinion provides insight beyond the questions concerning the IT systems underpinning the recent Presidential Election. From a practical standpoint, while this decision addresses the narrow issue of whether the NIST Study was subject to a FOIA request, it also provides guidance on the broader proposition that courts are willing to acknowledge cyber risks. And, more than merely acknowledging that risk, this court was willing to base its decision on the FEC’s “cyber specialist’s” opinion that there was a cyber risk.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/">Recent Court Opinion Provides Insight Into Presidential Vote Recount Efforts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/recent-court-opinion-provides-insight-into-presidential-vote-recount-efforts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach</title>
		<link>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2</link>
		<comments>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/#comments</comments>
		<pubDate>Fri, 28 Oct 2016 18:48:05 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=982</guid>
		<description><![CDATA[
<p>In Camp’s Grocery, Inc. v. State Farm Fire &#38; Cas. Co., 4:16-cv-00204 (October 25, 2016), the U.S. District Court for the Northern District of Alabama granted summary judgment to defendant State Farm and denied plaintiff Camp’s Grocery (Camp’s) cross-motion to... <a class="more-link" href="https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/">Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Camps-v-State-Farm.pdf"><em>Camp’s Grocery, Inc. v. State Farm Fire &amp; Cas. Co</em>.</a>, 4:16-cv-00204 (October 25, 2016), the U.S. District Court for the Northern District of Alabama granted summary judgment to defendant State Farm and denied plaintiff Camp’s Grocery (Camp’s) cross-motion to establish coverage for a data breach incident under a first party property policy and Inland Marine endorsements.</p>
<p>Camp’s was sued in the underlying litigation when the computer systems at a grocery store it operated in Alabama were hacked and confidential customer data including credit card, debit card and check card information was compromised. The plaintiffs in the underlying lawsuit, three credit unions, alleged that Camp’s breach caused them to suffer damages related to their customers’ accounts, including costs to reissue credit cards, reimbursing customers for losses, lost interest and transaction fees, lost customers, diminished good will and administrative expenses. The credit unions claimed Camp’s was liable for these damages because Camp’s failed “to provide adequate computer systems and employee training and/or maintain adequate encryption and intrusion detection and prevention systems.”</p>
<p>While the District Court addressed coverage under two principal sections of the property policy issued by State Farm, the decision is clear in stating that Camp’s argument focused on establishing coverage under two Inland Marine endorsements. Nevertheless, the District Court still addressed whether there was coverage under the first party property and liability sections of the Policy even though Camp’s only attached copies of the Inland Marine endorsements to its complaint.</p>
<p><strong>No Coverage Under the First Party Property Sections of the State Farm Policy</strong></p>
<p>The District Court held there was no coverage under Section I of the Policy entitled “Property.” The insuring clause of Section I stated that State Farm would “pay for accidental direct physical loss to…Covered Property,” which included “Buildings” and “Business Personal Property.” The Policy defined “Business Personal Property” as “Property, used in your business, that you own, lease from other or rent from others, or that is loaned to you,” in addition to “Property of others that is in your care, custody or control….” However, the Policy further defined “Covered Property” to expressly not include “electronic data.” And, “Accident” was defined as not including “any defect, programming error, programming limitation, computer virus, malicious code, loss of ‘electronic data,’ loss of access, loss of use, loss of functionality or other condition within or involving ‘electronic data’ of any kind.” Given this policy language, the District Court found there was no coverage for the underlying litigation under Section I.</p>
<p><strong>No Coverage Under the Liability Sections of the State Farm Policy</strong></p>
<p>Likewise, the District Court held there was no coverage under Section II of the Policy entitled “Liability.” The insuring clause of Section II stated that State Farm would pay those sums “the insured becomes legally obligated to pay as damages because of ‘bodily injury,’ ‘property damage,’ or ‘personal and advertising injury’ to which this insurance applies.” The District Court also noted that Section II of the Policy contained the following provisions related to computers and electronic data:</p>
<p>First, the term “property damage” as used in Section II is limited to liability for harm to “tangible property,” which is defined not to include “electronic data.” And expressly excluded from liability coverage under Section II are “damages arising out of the loss of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”</p>
<p>Based on these provisions, the District Court found the liability section of the Policy was not triggered by the allegations in the underlying litigation.</p>
<p><strong>No Coverage Under the Inland Marine Endorsements</strong></p>
<p>Camp’s central argument was that it was entitled to coverage under two Inland Marine endorsements attached to the Policy entitled “Inland Marine Computer Property Form” and “Inland Marine Conditions.” The Insuring Agreement for the Computer Property Form provides that State Farm will pay for physical loss to “‘computer equipment,’ used in your business operations, that you own, lease from other, or that is loaned to you” and “removable data storage media used in your business operations to store ‘electronic data.’”</p>
<p>State Farm asserted it was entitled to summary judgment because the Computer Property Form is a “first party insuring agreement” and, therefore, does not provide for defense or indemnity against claims brought against Camp’s by a third party related to lost or compromised electronic data. In response, Camp’s argued that even if the Computer Property Form did not contain a defense or indemnity obligation, a provision found in Section II of the Policy (Liability) provides that State Farm assumed a duty to defend and indemnify Camp’s. That is, Camp’s took the position that the Inland Marine endorsements “expand the scope of liability insurance coverage” under Section II to require State Farm to provide a defense and indemnity for claims involving computers and electronic data.</p>
<p>In rejecting Camp’s argument, the District Court was persuaded by State Farm’s position that the liability provision in Section II of the Policy “is triggered where the insured becomes legally obligated to pay damages because of bodily injury, property damage or personal and advertising injury.” And, while Camp’s was not claiming the underlying litigation contained any allegations of bodily injury or personal and advertising injury, Camp’s did claim the underlying litigation sought damages for property damage when the credit unions claimed damages to replace credit and debit cards. The District Court rejected Camp’s argument on the basis that Section II of the Policy defines “property damage” as being limited to “tangible property” and the Policy is careful to state “electronic data is not tangible property.” The District Court found “the Credit Unions assert that Camp’s lax computer network security allowed the intangible electronic data contained on the cards to be compromised such that the magnetically encoded card numbers could no longer be used, causing purely economic loss flowing from the need to issue replacement cards with new electronic data.” Further, Section II contained an exclusion for “damages arising out of the loss of, loss of use of, corruption of, inability to access, or inability to manipulate electronic data.” Given these provisions, the District Court found there was no coverage for the Credit Unions’ claims.</p>
<p>The District Court additionally rejected any attempt by Camp’s to “selectively read[] the Policy in a piecemeal fashion, picking and choosing parts of different coverages that would preclude or exclude their application to the Credit Unions’ claims.”</p>
<p>This decision further demonstrates the need for cyber insurance and how traditional insurance may not offer protection against these emerging claims. Here, despite Camp’s efforts to establish coverage under the various provisions of its property policy, the District Court ultimately found that the various coverage parts of a first party insurance policy cannot be twisted into providing cyber coverage for data breach litigation.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-rejects-insureds-attempt-at-selectively-reading-property-policy-to-cover-data-breach-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</title>
		<link>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=casinos-lawsuit-shows-high-stakes-for-breach-response</link>
		<comments>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/#comments</comments>
		<pubDate>Tue, 11 Oct 2016 18:39:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[affinity]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trustwave]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=956</guid>
		<description><![CDATA[
<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, filed a complaint in the District Court of Nevada against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.... <a class="more-link" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, <a href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">filed a complaint in the District Court of Nevada</a> against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.</p>
<p>Affinity’s Complaint contained allegations that after learning of the breach involving the use of stolen credit cards, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted Trustwave, one of the firms on the list, to investigate and remedy the data breach. Affinity’s Complaint further alleged that after investigating the breach, Trustwave “represented to Affinity that the data breach was ‘contained’ and purported to provide recommendations for Affinity to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.</p>
<p>Trustwave filed a <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/MotionToDismiss_Trustwave.pdf">Motion to Dismiss</a> Affinity’s Complaint, arguing that it “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Regardless of whether the allegations against Trustwave are proven, this case provides further evidence that not hiring a breach response team isn’t worth the gamble.</p>
<p>On September 30, 2016, the District Court of Nevada granted in part and denied in part Trustwave’s Motion to Dismiss. <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Order_Affinity_Trustwave.pdf">The District Court’s Order</a> provided the following reasoning for allowing Affinity to continue to pursue its claims for breach of contract, fraud and deceptive trade practices:</p>
<p><strong>Motion to Dismiss Denied</strong></p>
<ul>
<li><strong>Breach of Contract</strong>: Regardless of whether Delaware or Nevada law is applied, the District Court held Affinity sufficiently alleged a breach of contract claim. In particular, the court found Affinity alleged that Trustwave breached its contract by failing to “perform a forensic investigation to identify, and remedy or contain, the causes of [Plaintiff’s] data breach, and to issue recommendations for measures [Plaintiff] would undertake to prevent further breaches in the future.”</li>
<li><strong>Fraud Counts</strong>: The District Court examined Affinity’s tort claims in the context of the economic loss doctrine, which “allows a party to recover in tort only if losses are accompanied by bodily harm or property damage; in other words, the doctrine prevents plaintiffs from recovering in tort for losses suffered that are solely economic in nature.” First, the court held Affinity had sufficiently pled its fraudulent inducement claim. Next, it found Affinity alleged that Trustwave “misrepresented its ‘capabilities and experience as a data security service provider,’ ‘that it had undertaken a proper investigation,’ that the breach had been secured, and that its recommendations ‘would help to prevent&#8230;further data breaches from occurring.’” Further, Affinity alleged these representations were untrue and that it relied on these representations which, in turn, provided sufficient support for this cause of action.</li>
<li><strong>Deceptive Trade Practices</strong>: Affinity pled a claim under Nevada’s Deceptive Trade Practices Act, which prohibits a seller from making false statements or misrepresentations about his or her goods or services, or failing to disclose material facts about his or her goods or services. Here, Affinity alleged that Trustwave “engaged in deceptive trade practices by falsely representing that [Trustwave] had the capabilities to perform the obligations under the Agreement, that [Trustwave] undertook a proper investigation to determine the cause of the data breach, that the data breach was ‘contained’ and the backdoor was ‘inert,’ when it was not, and that [Trustwave’s] recommendations would prevent further data breaches.” The District Court was not prepared to dismiss this claim because it could still be viable if the court found the contract between the parties was invalid.</li>
</ul>
<p><strong>Motion to Dismiss Granted</strong></p>
<ul>
<li><strong>Breach of Implied Duty of Good Faith and Fair Dealing</strong>: The District Court opined that to successfully plead a breach of an implied covenant of good faith and fair dealing, “a plaintiff must allege ‘a specific implied contractual obligation, a breach of that obligation by the defendant, and resulting damage to the plaintiff.’” The court also held Affinity’s cause of action should be dismissed because it failed to allege facts demonstrating a specific implied contractual obligation as required under controlling law.</li>
<li><strong>Gross Negligence</strong>: Affinity claimed Trustwave owed it a “duty of care in performing its data security services, and in providing information that was truthful and accurate regarding Trustwave’s investigation, the causes of Affinity’s data breach, and the remediation or containment of that breach.” Under controlling law, Affinity was required to establish that Trustwave failed “to exercise even the slightest degree of care” in its conduct. The court granted Trustwave’s motion because Affinity’s complaint failed to allege Trustwave breached any duty independent of its contractual duties.</li>
<li><strong>Negligent Representation</strong>: Affinity claimed that Trustwave misrepresented its capabilities to protect against a breach. The District Court found this claim should be dismissed to the extent the complaint failed to allege that Trustwave’s alleged misrepresentation was made in the course of Trustwave’s business “or that these representations were ‘for the guidance of others in their business transactions.’”</li>
</ul>
<p>This litigation demonstrates the high stakes involved in responding to a data breach even for highly sophisticated companies with a developed expertise in data security. That is, if Affinity is able to support its allegations against Trustwave, the scenario of hackers outmaneuvering the “good guys” would exist. Therefore, it is easy to see how the cards are stacked against those companies whose breach response team doesn’t include the expertise of a data consulting firm or other such professionals.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
