<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; cyber insurance</title>
	<atom:link href="https://privacyriskreport.com/tag/cyber-insurance/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach: </em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns that the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
<li><em>Stopping the Breach and Restoring the System:</em>  F.O. 483 also requires a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs.  Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
<li><em>Determining What Occurred</em>: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA </strong><strong>Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers on giving notice to current and former clients. Overall, a lawyer has a duty to notify clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and of the efforts to protect the client’s data.  F.O. 483 also directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers, because a cyber security issue may also result in an ethical issue.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</title>
		<link>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury</link>
		<comments>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/#comments</comments>
		<pubDate>Tue, 05 Jun 2018 16:39:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1530</guid>
		<description><![CDATA[
<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have... <a class="more-link" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">Continue Reading &#8594;</a></p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">plaintiffs struggle with surviving motions to dismiss</a> because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">including biometric information</a>.</p>
<p>On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, we are seeing <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">another step in the trend where no breach is necessary to impose liability</a>.</p>
<p>In <em>Dixon v. The Washington and Jane Smith Community,</em> 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:</p>
<ul>
<li>“Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”</li>
<li>“Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”</li>
<li>“Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”</li>
<li>“Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”</li>
</ul>
<p><strong>Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation</strong></p>
<p>The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”</p>
<p>As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show (1) they suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.  <em>Spokeo, Inc. v. Robins</em>, 136 S. Ct. 1540, 1547 (2016).</p>
<p>After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)</p>
<p>Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.</p>
<p><strong>Motion To Dismiss Denied: Dixon Has A Viable Claim</strong></p>
<p>Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:</p>
<p><em>“BIPA provides that ‘[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.’  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition to obtaining other relief such as an injunction.”</em></p>
<p>Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:</p>
<p><em>“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”  </em></p>
<p>This case signals a willingness by a number of courts to acknowledge the significant risk that comes with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach of Dixon’s fingerprint information in the classical sense.  In <em>Dixon</em>, the data collector merely provided biometric data to its vendor, and yet the District Court found Dixon’s allegations were sufficient because “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”</p>
<p>Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in <em>Hopper v. Schletter Inc.</em>, 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a></p>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in <em>Hopper v. Schletter Inc.</em>, 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in <em>Hopper</em>, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third-party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding that Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples of emails used in similar scams, all of which it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question and provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and that Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found the Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization were sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected this claim, finding that the Plaintiffs’ allegation that Schletter owed a fiduciary duty merely by virtue of being an employer was insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found the Plaintiffs’ allegations were sufficient to survive a motion to dismiss because they alleged that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts toward holding data collectors responsible for cyber incidents even where the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years back, before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to mean that all data collectors are liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is: The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage. Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence. Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while deciding the litigants’ cross-motions for summary judgment. The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account. Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather, Plaintiff claims it was damaged because the emails contained confidential and proprietary information, and forwarding them, Plaintiff alleged, violated state and federal law. Plaintiff further claims it spent more than $170,000 in litigation costs related to this incident. Both parties moved for summary judgment, thus prompting the District Court to decide whether Plaintiff had a viable cause of action under federal or state law.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories:</em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category”:</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong></em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong></em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found that Plaintiff’s allegations that Defendant engaged in the illegal misappropriation of confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action). Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”) Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, it did not have to analyze the state claims once the federal claims were dismissed. Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) after the federal claims were dismissed. Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer. Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct. That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information using hardcopies of the documents rather than transferring the information to his personal account through his computer. Further, the District Court might have arrived at a different decision if Defendant had actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the term “cyber” evolve to be limited to incidents where “a computer is the target of the malicious activity.” These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.” If the District Court’s analysis gains traction, we may see legislation that directly addresses this new breed of malicious activity rather than various privacy claims being crammed into traditional laws. Further, we may also see cyber policies evolve to provide coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.&#8221;</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All: Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</title>
		<link>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim</link>
		<comments>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/#comments</comments>
		<pubDate>Thu, 02 Nov 2017 21:20:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1367</guid>
		<description><![CDATA[
<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they... <a class="more-link" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they suffered a concrete injury from a data breach and that they were injured by that particular data breach and not another unrelated incident involving their personal information. Consequently, the potential causes of action available to data breach plaintiffs seem to decrease with each new decision.</p>
<p>The October 31, 2017 decision of the District Court for the Southern District of Ohio provides another example of a court limiting plaintiffs’ chances of recovery after a data breach by dismissing their claims via a motion to dismiss. The plaintiffs in <em>Galaria v. Nationwide Mut. Ins. Co.,</em> 13-cv-257, 2017 WL 4918634 (Oct. 31, 2017 S.D. Ohio), filed an action in the District Court for the Southern District of Ohio when they learned in November of 2012 that personally identifiable data they had provided in insurance applications had been breached at Nationwide. In August 2017, the District Court issued an order dismissing all of plaintiffs’ claims with the exception of a bailment claim. (<a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">The Privacy Risk Report has addressed the dismissal of Plaintiffs&#8217; other claims here</a>).</p>
<p>In order to establish a viable implied bailment claim, the plaintiffs in <em>Galaria</em> were required to show they delivered their personal information to Nationwide “for the specific purpose” that the “property ‘shall be returned or accounted for when this special purpose is accomplished or retained until the bailor reclaims the property.&#8217;” That is, Nationwide&#8217;s liability hinged on whether the property was returned undamaged.</p>
<p>Prior to getting into its analysis, the District Court reviewed the reasoning of other courts on this issue:</p>
<p><em>“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to a bailment liability.”</em></p>
<p><em>***</em></p>
<p><em>Applying the law of various states, those courts have concluded that a person in that scenario has not transferred possession of the data with &#8220;the expectation that the recipient will return the data and does not base any claim for damages on the recipient’s unlawful retention of the data.”</em></p>
<p>In applying this reasoning, found in a number of data breach cases including <em>In re Target Data Security Breach Litig</em>., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) and <em>In re Sony Gaming Networks and Customer Data Sec. Breach Litig</em>., 903 F. Supp. 2d 942 (S.D. Cal. 2012), the District Court found “[i]ntangible property, including personally identifiable data, may or may not constitute the sort of personal property that may be bailed.” However, the District Court did not have to address this question “because Plaintiffs have not alleged that they transferred control or custody of their personal identifiers to Defendant with the expectation that Defendant would hold them for some purpose and then return them undamaged to Plaintiffs.” Here, the Plaintiffs never relinquished custody or control over the data. (“They retained their personal identifiers and continued to use them throughout the period of the alleged bailment.&#8221;) The Plaintiffs’ bailment claim failed because plaintiffs did not allege “that they expected Defendant to return the data because they were never without their personal identifiers.”</p>
<p>The District Court’s analysis illustrates the struggle data breach plaintiffs face to establish viable causes of action. Even if they demonstrate they have standing to bring suit against a data collector, plaintiffs still must address the fact that their data is intangible and, therefore, may not be subject to laws protecting tangible property. Further, while many states have laws protecting data, most privacy laws do not create a private cause of action to recover after a breach.</p>
<p>It is important to remember that these cases, which may be used to limit liability, do not support a decision to pass on cyber insurance. The costs of defending these cases more than justify the cost of cyber insurance. There is more at stake than third-party liability in most data breach incidents. Therefore, the costs of dealing with a cyber incident more than justify paying the premium and deductible of a cyber insurance policy.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us">click here to contact a Tressler attorney</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</title>
		<link>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues</link>
		<comments>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/#comments</comments>
		<pubDate>Tue, 10 Oct 2017 17:30:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1339</guid>
		<description><![CDATA[
<p>Last week, toymaker Mattel announced that it was not moving forward with its Aristotle product, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby... <a class="more-link" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/10/04/mattel-has-an-ai-device-to-soothe-babies-experts-are-begging-them-not-to-sell-it/?utm_term=.033452813a22" target="_blank">toymaker Mattel announced that it was not moving forward with its Aristotle product</a>, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby [and] was also designed to keep changing its activities, even to the point where it could help a preteen with homework.” This is not the first time that Mattel has struggled with the integration of technology into its products. Mattel&#8217;s product development was scrutinized a couple of years ago when it announced its <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">“Hello Barbie,” which contained an embedded microphone in the doll’s belt</a> to record a child’s response to the doll’s questions. The child’s responses were then sent back to Mattel through the doll’s WiFi capabilities. Mattel released the doll and immediately had to defend its decision to integrate this technology into its toys.</p>
<p>Mattel’s decision to not move forward with the Aristotle shows how much the climate for products that provide pathways into our homes and personal lives has changed in the last few years. That is, recent litigation and legislation have made it clear to many companies that the risk of holding customers’ personal data may not be worth the damage done if they fail to protect that data.</p>
<p>A court’s decision from last week provides further evidence of how rapidly the climate is changing for the commercial storage of personal data. Rent-to-own stores, and the relationship they share with their customers, have been the subject of a substantial amount of privacy litigation. For example, <a href="https://privacyriskreport.com/decision-in-rent-to-own-spying-case-provides-another-nail-in-the-coffin-for-coverage-of-privacy-concerns-related-to-new-technology-under-traditional-insurance/" target="_blank">on October 28, 2015, we addressed an insurance coverage case involving a rental store’s tender of its defense of two lawsuits under three primary insurance policies and three umbrella policies.</a> The underlying complaints in those cases alleged that Aspen Way installed monitoring software on the computers it rented out. Specifically, it was alleged that Aspen Way used this software, which could secretly monitor users by taking pictures and logging keystrokes, to help it repossess computers when its customers defaulted on their lease agreements.</p>
<p>On October 3, 2017, the District Court for the Northern District of Georgia revisited the thorny privacy issues presented when rent-to-own stores install this monitoring software.  In <em>Peterson v. Aaron’s</em>, 2017 WL 4390260 (N.D. Ga. Oct. 3, 2017), the plaintiffs obtained computers for their law firm that they allege had software allowing Aaron’s to obtain their private information without their consent.  The Complaint filed in this litigation contained allegations that Aaron’s worked with a third-party developer that allowed Aaron’s “to locate and shut down a computer in the event of theft or missed payment.”  The Plaintiffs claim they were unaware this software was installed on their computers.</p>
<p>Aaron’s filed a motion for summary judgment which was granted based on the following reasoning:</p>
<ul>
<li><em>Standing: As seen in a number of privacy cases, the first and most burdensome hurdle for plaintiffs is whether they have standing to bring suit under Spokeo v. Robins, 136 S. Ct. 1540, 1543 (2016). Here, the District Court, as seen in a number of other decisions in data breach and related cases, found a plaintiff must show (1) that they have suffered an “injury-in-fact;” (2) that there is a causal connection between the injury and the defendants’ alleged actions; and (3) that the injury will be redressed by a favorable decision. </em></li>
</ul>
<p>In applying the <em>Spokeo</em> standard, the District Court first found one of the plaintiffs did not meet this standard because he was not on the lease for the laptop and, therefore, had no “legally protected interest.” The District Court found that the plaintiff who leased the computer suffered harm when the computers were put into “Detective Mode,” which logged screenshots and keystrokes. Consequently, at least one of the plaintiffs was able to establish standing and survive Aaron’s motion on this point.</p>
<ul>
<li><em>Intrusion Upon Seclusion Claim: Applying Oklahoma law (where the plaintiff was located when he was allegedly injured), the court required the plaintiff to prove that there was “(1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.” </em></li>
</ul>
<p>Aaron’s argued it was entitled to judgment because there was no intrusion on the plaintiff’s property: in its view, the plaintiff had no reasonable expectation of privacy in a computer that was leased for a business and was not intended for personal use. The District Court rejected Aaron’s position that lessees have no property rights because “[a] lessee in possession of property expects reasonably similar levels of privacy as an owner.” The District Court also found the fact that the computer was used by employees for business purposes (“employees have less privacy expectations”) to be irrelevant, since the plaintiff himself used the computer in addition to other employees. Lastly, the District Court rejected Aaron’s argument that the plaintiff waived his expectation of privacy because he was in default on his lease of the computer.</p>
<p>The District Court also found sufficient evidence that a reasonable person would find the monitoring of the laptop to be offensive.</p>
<ul>
<li><em>Aiding and Abetting: In finding the plaintiff may be able to meet the elements of an intrusion upon seclusion claim, the plaintiff must also show Aaron’s had the requisite knowledge about this conduct. </em></li>
</ul>
<p>Here, Aaron’s franchises made the decision to monitor the laptops. Therefore, to hold Aaron’s liable, the plaintiff must show Aaron’s had knowledge of the alleged wrongful conduct. The District Court found the plaintiff failed to show Aaron’s had the requisite knowledge that its franchisees monitored the plaintiff’s laptop. On this point, the District Court granted Aaron’s motion for summary judgment.</p>
<p>It is important to note that Aaron&#8217;s only escaped liability because it did not itself monitor the customers. The franchisees may still be found liable for monitoring customers. Even though Aaron&#8217;s was entitled to judgment in this case because it was found not to have the requisite knowledge that its customers were being monitored, the growing body of privacy law appears to be having a direct impact on product development for many American companies. For example, in speaking about the decision concerning Mattel&#8217;s Aristotle this week, Mattel publicly stated that the decision was made by the company&#8217;s new chief technology officer, who “conducted an extensive review of the Aristotle product and decided that it did not fully align with Mattel’s new technology strategy.” Now more than ever, companies are having to determine whether developing products using this technology is worth the safeguards that must be in place once these products have gathered customers&#8217; personal data.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</title>
		<link>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data</link>
		<comments>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/#comments</comments>
		<pubDate>Wed, 06 Sep 2017 18:30:38 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1300</guid>
		<description><![CDATA[
<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty... <a class="more-link" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding few standards to guide them. A court, for instance, may struggle to determine whether a duty was breached in a data breach case if there is no standard defining what the duty is, what a breach is, or what constitutes data. Likewise, a legislature cannot create a statutory framework to protect its citizens if it does not speak the “language” of data protection. Further, even if a court understands the fundamentals of a particular cyber issue, it may find that <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">a patchwork of state and federal law governs the analysis of that issue</a>.</p>
<p>A recent example was seen when the United States District Court for the District of Columbia was called upon to address questions related to a search warrant issued for electronic information stored in the “cloud.” Specifically, in <em>In Re Search Of Information Associated With [Redacted]@gmail.com That Is Stored At Premises Controlled By Google, Inc</em>., 2017 WL 3445634 (D.C. Cir. July 31, 2017), the D.C. District Court analyzed whether the government was entitled to data held by Google on its cloud. (“The basic legal question confronting us is not a total stranger to this Court. [citation omitted] With the growing interdependence of world trade and the increased mobility of persons and companies, the need arises not infrequently, whether related to civil or criminal proceedings, for the production of evidence located in foreign jurisdictions.”) In <em>Google</em>, the D.C. District Court summed up this issue as follows:</p>
<p><em>As a result, the judiciary and legislature have been challenged to keep up with precipitous advancements in technology and global interconnectedness. Traditional notions of “territoriality” and “jurisdiction” have been muddied, especially when it comes to determining the scope of statutes governing access and disclosure of electronic records and communications. The picture is murkier still with the advent of so-called “cloud” computing, which is “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.”</em></p>
<p>And, while grappling with these new technological concepts, courts are beginning to look to the few common standards available, such as those created by the National Institute of Standards and Technology (“NIST”), to form the structure for their decisions. For example, the D.C. District Court relied on a definition of &#8220;cloud computing&#8221; found in the NIST standards.</p>
<p>In its simplest terms, as the NIST standards gain acceptance, we may soon see a court find liability for a cyber incident when a litigant fails to meet the NIST standards to safeguard data. Therefore, it is even more important to keep current on the NIST standards, which are constantly in transition, as these standards continue to be relied upon to determine legal duty and responsibility.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf" target="_blank">Draft NIST Publication 800-53, entitled Security and Privacy Controls for Information Systems and Organizations,</a> which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.” The stated objectives of the NIST publication include: “&#8230;to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provides the following “key questions that should be answered by organizations when addressing their security and privacy concerns:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST is seeking public comment from August 15, 2017 through September 12, 2017. NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.</p>
<p>While the NIST Standards are intended to create &#8220;minimum requirements for federal information systems,&#8221; these standards have proven to be the most comprehensive set of standards for industries that have not adopted their own. Consequently, we can expect to see courts and legislatures continue to borrow terms and concepts from NIST when there are no other standards to rely upon. Further, insurers may soon require that their insureds show they meet NIST standards during the application process as well as throughout the effective dates of coverage.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</title>
		<link>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017</link>
		<comments>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/#comments</comments>
		<pubDate>Tue, 18 Jul 2017 14:47:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1256</guid>
		<description><![CDATA[
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the... <a class="more-link" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015. The breach of VTech&#8217;s “smart toys” exposed the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website. (In 2015, the Privacy Risk Report addressed the facts related to <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech’s breach on December 2, 2015</a> at great length.)</p>
<p>Now that we are a few years down the road since the breach, we have seen VTech&#8217;s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech&#8217;s business.  Therefore, even though we have no information concerning VTech&#8217;s insurance program, we still have sufficient information about VTech&#8217;s breach to analyze the value of third party liability and first party coverage in data breaches.</p>
<ul>
<li><strong>VTech’s Good News: No Liability For The Breach (So Far)</strong></li>
</ul>
<p>On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breach cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.</p>
<p>The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.&#8221; Of course, there was no contract to use the apps. Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech characterized &#8220;each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach an obligation to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.” The District Court was not persuaded by the plaintiffs&#8217; argument, because they could easily have used the toys without downloading the apps or uploading their personal information. And, the District Court agreed with VTech when it found “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services&#8221; and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.</p>
<p>Even though the plaintiffs <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">failed to show they had damages and could survive a motion to dismiss</a>, the value of third party cyber liability coverage is clear. The costs of briefing the complex issues on a motion to dismiss concerning whether the plaintiffs have standing can be too much for many companies. Further, if the plaintiffs survive a motion to dismiss, <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">which is happening on a more routine basis</a>, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment. Therefore, the VTech case (even though the plaintiffs&#8217; case was dismissed) still underscores the need for the third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.</p>
<ul>
<li><strong>VTech’s Bad News: Potential First Party Losses</strong></li>
</ul>
<p>Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/" target="_blank">recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price.</a> Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun &amp; Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone and Yahoo. In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:</p>
<table>
<tbody>
<tr>
<td width="638">“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”</td>
</tr>
<tr>
<td width="638">“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”</td>
</tr>
<tr>
<td width="638">“More recent breaches had less of a negative impact on share price than older ones.”</td>
</tr>
<tr>
<td width="638">“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”</td>
</tr>
</tbody>
</table>
<p>Admittedly, while Comparitech&#8217;s in-depth study of these large scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences: in <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/" target="_blank">January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million</a>. And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades. One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al.</em>, 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) that stored workers&#8217; compensation litigation files. In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files. The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1)       “intentionally accesses without authorization”</p>
<p>(2)       a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3)       “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction between ‘electronic communication services’ and ‘remote computing services.’” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care’ for different types of communication.” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims existed. Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede that technology by decades. Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act. This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel with experience in this developing, highly specialized area.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</title>
		<link>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases</link>
		<comments>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/#comments</comments>
		<pubDate>Tue, 04 Apr 2017 14:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1165</guid>
		<description><![CDATA[
<p>Last week, the parties in Remijas v. Neiman Marcus, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus, settled the case in the Northern District of Illinois.  The Seventh Circuit&#8217;s reversal of the District... <a class="more-link" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, the parties in <em>Remijas v. Neiman Marcus</em>, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus, settled the case in the Northern District of Illinois. The Seventh Circuit&#8217;s reversal of the District Court&#8217;s decision to grant Neiman Marcus&#8217; motion to dismiss was widely considered a favorable decision for data breach plaintiffs because it showed that plaintiffs may be able to adequately allege damages and thereby demonstrate they have standing to bring suit. Even though we may not get to see how discovery and further motion practice would have played out, the settlement provides significant guidance on the value of damages in data breach cases and on the security measures companies are now expected to take, even in the short time since this breach occurred.</p>
<p>In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against Neiman Marcus under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class members lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft, as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”</p>
<p><a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">In reversing the District Court</a>, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under <em>Clapper</em> “that injury either already [has] occurred or [was] ‘certainly impending.’” After the Seventh Circuit reversed the District Court&#8217;s decision, the case was remanded to the District Court for further proceedings before the parties settled the matter.</p>
<p>The Plaintiffs’ Amended Motion for Preliminary Approval of Class Action Settlement and Certification of Settlement Class (“Motion for Preliminary Approval”), filed with the District Court last week, indicates a Settlement Fund will be created in the amount of one million, six hundred thousand dollars ($1,600,000), which will be used to pay “eligible claimants who submit valid and timely Claims.” The Motion for Preliminary Approval also states that “Settlement Class Members and other customers shopping at Defendant’s stores since this action was filed also benefit from changes to Defendant’s business practices designed to further strengthen its information technology security.”</p>
<p>Specifically, Neiman Marcus’ Memorandum filed in support of the settlement agreement states that in addition to the settlement amount, Neiman Marcus has taken the following security measures to protect customer information:</p>
<ul>
<li><em>Chief Information Security Officer</em>. Neiman Marcus created and filled the position of Chief Information Security Officer (CISO), an executive position with responsibility to coordinate and be responsible for Neiman Marcus’s program(s) to protect the security of customers’ payment card data including account numbers, expiration dates, card verification values, and cardholder names;</li>
<li><em>Information Security Organization</em>. Neiman Marcus created a new organizational unit responsible for information security and has hired employees to fill the organization, including a Director of Security Operations and a Director of Security, Risk Management and Compliance;</li>
<li><em>Senior Leadership Reporting</em>. Neiman Marcus increased the frequency and depth of reporting to its executive team and members of its board of directors about its cybersecurity efforts and the cybersecurity threat landscape;</li>
<li><em>Chip-Based Payment Card Infrastructure</em>. Neiman Marcus equipped all of its stores with devices that allow customers to pay for purchases using payment cards containing embedded computer chips;</li>
<li><em>Employee Education</em>. Neiman Marcus expanded its program to educate and train its workforce on methods to protect the privacy and security of its customers’ information;</li>
<li><em>Information Sharing</em>. Neiman Marcus joined several public-private partnerships that facilitate information sharing concerning cybersecurity and threat awareness.</li>
</ul>
<p>Even though it would have been interesting to see how the parties would have handled discovery and further motion practice, this settlement is still important for the following reasons:</p>
<p><em>First,</em> the small settlement amount indicates that even if plaintiffs survive a motion to dismiss and a court is willing to find that the allegations may give rise to damages in a data breach case, plaintiffs still may face a significant hurdle in showing they are entitled to a substantial damage award. Here, with allegations that 350,000 customers were impacted, the settlement amount of $1.6 million may not provide an incentive for plaintiffs to bring these actions.</p>
<p><em>Next,</em> the non-monetary portion of the settlement agreement is worth examining because it shows the shift in how companies have approached data protection since the breach at Neiman Marcus in 2013. At the time of the breach in 2013, the fact that a corporation did not have a Chief Information Security Officer or train employees on these issues may not have been surprising. Of course, a corporation that is not implementing such procedures today is operating at its own peril.</p>
<p><em>Finally</em>, the Seventh Circuit’s reversal of the District Court’s decision granting Neiman Marcus’ motion to dismiss was often cited by plaintiffs attempting to demonstrate they had standing to bring these actions. The Neiman Marcus case could have provided even more solid ground for plaintiffs if the class action plaintiffs had continued their success through discovery and into trial. Of course, it could also have shown that plaintiffs&#8217; allegations may survive a motion to dismiss but struggle for support as the case proceeded through discovery.</p>
<p>We will discuss this settlement and more at <a href="http://www.thehortongroup.com/events/anatomy-of-a-cyber-attack-risks-and-threat-mitigation-oak-brook-il?utm_source=Invite&amp;utm_medium=Email&amp;utm_campaign=Marketing">Horton Group&#8217;s Anatomy Of A Cyber Attack: Risks And Threat Mitigation </a>this Thursday, April 6, 2017 at the Hilton Chicago/Oak Brook Hills Resort &amp; Conference Center.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
