<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; cyber liability</title>
	<atom:link href="https://privacyriskreport.com/tag/cyber-liability/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach:</em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
<li><em>Stopping the Breach and Restoring the System:</em> F.O. 483 also requires a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs.  Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
<li><em>Determining What Occurred:</em> F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers to provide notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and efforts to protect the client’s data.  Finally, F.O. 483 directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers when a cyber security issue may result in an ethical issue.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties.  Tesla did not waste any time filing suit as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla still alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of being hired, Tesla had identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. Tripp was angry when he received word that he was transferred to a new role.</p>
<p>By mid-June, Tripp is confronted with evidence that he is the source of a hack at Tesla and admits to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as being still in the early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of fiduciary duty of loyalty.  In this claim, Tesla claims Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example of how cyber security and privacy violations have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; to Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a>  And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and <em>motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business. The risk of a hack increases with the amount of data stored. Here, there was a need for balance since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that while there may be an opportunity to access data, the employer is willing to entrust the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags.  Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for safeguards that are in place to protect data.  This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question. The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization were sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim by finding Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer were insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss when they allege that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts to start holding data collectors responsible for cyber incidents even though the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years back before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to require all data collectors be liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>California Court Finds Misuse Of Information Is Not A Data Breach</title>
		<link>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=california-court-finds-misuse-of-information-is-not-a-data-breach</link>
		<comments>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/#comments</comments>
		<pubDate>Mon, 26 Feb 2018 21:21:55 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1446</guid>
		<description><![CDATA[
<p>Tax season is quickly becoming peak season for cyber and data incidents.  As seen during every recent tax season, last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee... <a class="more-link" href="https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Tax season is quickly becoming peak season for cyber and data incidents.  As seen during every recent tax season, <a href="https://www.irs.gov/newsroom/irs-states-and-tax-industry-renew-alert-about-form-w2-scam-targeting-payroll-human-resource-departments" target="_blank">last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee information</a> from a company’s human resources department.  While there are a number of examples of the data perils to avoid during tax season, a recent case illustrates that not every incident involving data or personal information constitutes a data breach incident.  On February 20, 2018, the United States District Court for the Central District of California found the claims in <em>Lomelli v. Jackson Hewitt, Inc.,</em> 2:17-CV-02899-ODW (2018), did not constitute a data breach.</p>
<p>In <em>Lomelli,</em> the plaintiff claimed he was defrauded by Jackson Hewitt, or more particularly, Jackson Hewitt’s agent, when his tax returns were first filed correctly with his approval and then filed again, without his approval, with additional expenses included, which resulted in a fraudulent tax return being issued.  The plaintiff also claimed that he was enrolled in an “Assisted Refund” program that charged him additional fees without his approval.  Plaintiff was unaware of the fraudulent tax refunds until he received a cashier’s check for an amount different than he was expecting his tax refund to be and he learned that a bank account had been opened in his name from which Jackson Hewitt was withdrawing fees without his consent.</p>
<p>Plaintiff filed a complaint based on allegations of fraud, Jackson Hewitt’s agent’s filing of a fraudulent tax return, and violations of the California Customer Records Act (“CRA”), <a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&amp;lawCode=CIV" target="_blank">Cal. Civ. Code § 1798.80.</a>  The CRA provides a private right of action where a business fails to “disclose a breach of the security of the system following discovery or notification of the breach&#8230;in the most expedient time possible and without unreasonable delay.”<a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.82.&amp;lawCode=CIV" target="_blank"> Cal. Civ. Code § 1798.82.</a></p>
<p>Jackson Hewitt argued plaintiff’s CRA claims should be dismissed since plaintiff failed to allege a data breach by an unauthorized person that would have required notice under the statute.  Rather, Jackson Hewitt took the position that the plaintiff authorized Jackson Hewitt and its agent to have access to his personal information in order to prepare his tax returns.  Here, the District Court made the distinction that the allegations are “not that the information was disclosed to an unauthorized person, but, rather, that the information included in his tax returns was unauthorized.”  Based on this distinction, the District Court found these allegations do not constitute a violation under the CRA and, therefore, Jackson Hewitt was entitled to judgment in its favor.</p>
<p>The District Court further held that plaintiff lacked standing to bring a viable claim under the CRA because his allegations were limited to harm that “may” occur in the future.  In finding in favor of Jackson Hewitt on this point, the District Court rejected plaintiff’s position that he would not have returned to have his later tax returns prepared by Jackson Hewitt if he had been notified of the disclosure of fraudulent information on the early returns.</p>
<p>This case demonstrates that while data breaches are becoming more frequent, not every disclosure constitutes a data breach.  The District Court finds a distinction in the fact that plaintiff can only allege the <em>misuse</em> of his information rather than the <em>disclosure</em> of that information.  Even though we may feel bad for the plaintiff in this case as he will need to unravel all the damage done by having fraudulent tax returns filed in his name, his allegations did not amount to a data breach.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/california-court-finds-misuse-of-information-is-not-a-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage.  Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information being compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence.  Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while determining the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather, Plaintiff claims it was damaged because the emails contained confidential and proprietary information which violated state and federal law.  Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment, thus prompting the District Court to decide whether Plaintiff had a viable cause of action under federal or state laws.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category:”</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found Plaintiff’s allegations that Defendant engaged in the illegal misappropriation of confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action).  Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”)  Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, the Court did not have to analyze the state claims when the federal claims were dismissed.  Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed.  Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer.  Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct.  That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information with the hardcopies of the documents rather than transferring the information to his personal account through his computer.  Further, the District Court may have arrived at a different decision if Defendant had actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the evolution of the term “cyber” be limited to incidents where “a computer is the target of the malicious activity.”  These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.”  If the District Court’s analysis gains traction we may see legislation that would directly address this new breed of malicious activity rather than seeing various privacy claims being crammed into traditional laws.  Further, we may also see the evolution of cyber policies to be geared to providing coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</title>
		<link>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim</link>
		<comments>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/#comments</comments>
		<pubDate>Thu, 02 Nov 2017 21:20:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1367</guid>
		<description><![CDATA[
<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they... <a class="more-link" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>At this point in the development of data breach litigation, it is clear that plaintiffs may be on a sinking ship when they try to establish liability and damages against defendants. In order to meet their burden, a plaintiff must show they suffered a concrete injury from a data breach and that they were injured by that particular data breach and not another unrelated incident involving their personal information. Consequently, the potential causes of action available to data breach plaintiffs seem to decrease with each new decision.</p>
<p>The October 31, 2017 decision of the District Court for the Southern District of Ohio provides another example of a court limiting plaintiffs’ chances of recovery after a data breach and dismissing their claims via a motion to dismiss.  The plaintiffs in <em>Galaria v. Nationwide Mut. Ins. Co.,</em> 13-cv-257, 2017 WL 4918634 (Oct. 31, 2017 S.D. Ohio), filed an action in the District Court for the Southern District of Ohio when they learned in November of 2012 that Nationwide breached personally identifiable data provided in insurance applications. In August 2017, the District Court issued an order dismissing all plaintiffs’ claims with the exception of a bailment claim.  (<a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">The Privacy Risk Report has addressed the dismissal of Plaintiffs&#8217; other claims here</a>).</p>
<p>In order to establish a viable implied bailment claim, the plaintiffs in <em>Galaria</em> were required to show they delivered their personal information to Nationwide “for the specific purpose” that the “property ‘shall be returned or accounted for when this special purpose is accomplished or retained until the bailor reclaims the property.&#8217;” That is, Nationwide&#8217;s liability hinged on whether the property was returned undamaged.</p>
<p>Prior to getting into its analysis, the District Court reviewed the reasoning of other courts on this issue:</p>
<p><em>“A number of courts across the country have considered bailment claims in the context of data security breaches and concluded that the scenario in which a person provides personally identifiable information to a business and the information is stolen does not give rise to a bailment liability.”</em></p>
<p><em>***</em></p>
<p><em>Applying the law of various states, those courts have concluded that a person in that scenario has not transferred possession of the data with &#8220;the expectation that the recipient will return the data and does not base any claim for damages on the recipient’s unlawful retention of the data.”</em></p>
<p>In applying this reasoning found in a number of data breach cases including <em>In re Target Data Security Breach Litig</em>., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) and <em>In re Sony Gaming Networks and Customer Data Sec. Breach Litig</em>., 903 F. Supp. 2d 942 (S.D. Cal. 2012), the District Court found “[i]ntangible property, including personally identifiable data, may or may not constitute the sort of personal property that may be bailed.” However, the District Court did not have to address this question “because Plaintiffs have not alleged that they transferred control or custody of their personal identifiers to Defendant with the expectation that Defendant would hold them for some purpose and then return them undamaged to Plaintiffs.”   Here, the Plaintiffs never relinquished custody or control over the data. (“They retained their personal identifiers and continued to use them throughout the period of the alleged bailment.&#8221;) The Plaintiffs’ bailment claim failed since plaintiffs did not allege “that they expected Defendant to return the data because they were never without their personal identifiers.”</p>
<p>The District Court’s analysis illustrates the struggle data breach plaintiffs face to establish viable causes of action. Even if they demonstrate they have standing to bring suit against a data collector, plaintiffs still must address the fact that their data is intangible and, therefore, may not be subject to laws protecting tangible property. Further, while many states have laws protecting data, most privacy laws do not create a private cause of action to recover after a breach.</p>
<p>It is important to remember these cases, which may be used to limit liability, do not support a decision to pass on cyber insurance.  The costs of defending these cases more than justify the cost of cyber insurance.  There is more at stake than third-party liability in most data breach incidents.  Therefore, the costs of dealing with a cyber incident more than justify paying the premium and deductible of a cyber insurance policy.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us">click here to contact a Tressler attorney</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/">Court Refuses To &#8220;Bail Out&#8221; Data Breach Plaintiffs By Dismissing Bailment Claim</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-refuses-to-bail-out-data-breach-plaintiffs-by-dismissing-bailment-claim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It May Be Time To Admit That Criminals Will Outpace Privacy Laws</title>
		<link>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws</link>
		<comments>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/#comments</comments>
		<pubDate>Thu, 26 Oct 2017 16:11:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1350</guid>
		<description><![CDATA[
<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures... <a class="more-link" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures that develop privacy laws are not known for their efficient work.  For example, the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Illinois Information Protection Act</a> is one of the most comprehensive data laws found in the United States and provides the model for many states.  PIPA provides guidelines for data collectors, including how to properly respond to a breach of personal information.  However, even though it is generally considered to be on the cutting edge, PIPA still has trouble keeping up with technological developments created by criminals.</p>
<p><strong>Is Ransomware An “Acquisition” Of Data Under The Illinois Information Protection Act? </strong></p>
<p>As it stands, PIPA does not expressly state that it applies to data collectors that are attacked with ransomware.  Of course, ransomware has been a threat for a while and this threat appears to be on the increase. For example, <a href="http://www.bbc.com/news/technology-41740768" target="_blank">a new strain of ransomware nicknamed &#8220;Bad Rabbit&#8221; is reportedly spreading in Russia</a>, Ukraine and moving into other parts of the world. This new threat appears to be related to the WannaCry and Petya ransomware attacks that caused problems earlier this year. At present, this malware is not being detected by anti-virus programs.</p>
<p>While the extent of the damage caused by Bad Rabbit is still unknown, the threat created by ransomware is clear. <a href="http://www.zdnet.com/article/ransomware-is-now-big-business-on-the-dark-web-and-malware-developers-are-cashing-in/" target="_blank">Reports indicate the total value of ransomware sales on the dark web has rapidly increased from $250,000 to over $6m in just a year</a>. The growth of ransomware will continue as criminals get more access to the malware and victims are resigned to the fact that they have no choice but to pay to regain access to their systems. The only hurdle for ransomware at this point appears to be an increased number of amateur criminals using malicious software and potentially not releasing encrypted files to victims.  These amateurs may destroy the credibility of the ransomware criminal enterprise.</p>
<p>For our purposes though, this is not a good environment for PIPA to have any ambiguity concerning whether it applies to ransomware attacks.   PIPA addresses a data collector’s obligations if they sustain a “breach.”  Specifically, PIPA requires that a data collector notify Illinois residents that their personal information has been involved in a “breach.” Of course, the ransomware threat is different than the threat created by a disclosure of personal information through a classic system breach or a disclosure caused by a phishing scam.  PIPA defines “breach” as:</p>
<p><em>&#8220;Breach of the security of the system data&#8221; or &#8220;breach&#8221; means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. &#8220;Breach of the security of the system data&#8221; does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector&#8217;s business or subject to further unauthorized disclosure.</em></p>
<p>While PIPA does not mention ransomware by name, it does create a question as to whether ransomware falls under the definition of “breach of the security of the system data.” Oftentimes, ransomware arguably may not involve the “acquisition” of data and may be limited to the encryption of data until a ransom is paid. That is, there may be no &#8220;acquisition&#8221; of the data in a ransomware attack.  Therefore, a data collector may struggle with determining whether ransomware constitutes a “breach” under PIPA.</p>
<p>Based on this ambiguity, if a data collector is hit with ransomware, the most prudent course may involve notifying all Illinois residents of the incident.</p>
<p><strong>Is It A Good Idea To Send People To Equifax In Notification Letters?</strong></p>
<p>PIPA also provides notification requirements if a data collector experiences a breach.   Specifically, if a data collector breaches the personal information of an Illinois resident, the data collector must send a “disclosure notification” which provides “the toll-free numbers and addresses for consumer reporting agencies.” After the recent <a href="http://www.bbc.com/news/technology-41737241" target="_blank">breach at Equifax</a>, a consumer reporting agency, data collectors may be hesitant to tell people involved in an incident to contact Equifax. Further, even if Equifax’s information is provided merely to comply with this requirement, Illinois residents may not be willing to reach out to Equifax. As recent events have made this requirement useless, the Illinois legislature may want to amend PIPA to remove this requirement for notification letters.</p>
<p>Even if Bad Rabbit does not develop into a major threat in the United States, we can be certain that criminals are already working on their next crime involving our home, government and business computer systems.   Therefore, the Bad Rabbit outbreak provides the perfect opportunity to take a look at a data collector’s responsibilities if they are hit with ransomware or some cyber crime that may not even be in the news at this time.</p>
<p>Even though there may be some uncertainty, privacy laws are still the first place data collectors should go if they are involved in an incident.  At this point, it may be slightly unrealistic to expect legislatures to create privacy laws that move as quickly as the criminals that we are trying to protect ourselves against.  Further, most criminals will have moved on from ransomware to the next threat by the time the legislature is able to pass laws addressing ransomware.  Data collectors may need to look to the intent behind privacy laws and notify impacted individuals if there is a chance that their information has been exposed to another person without authorization, regardless of whether information was compromised through employee negligence, a classic breach, ransomware or some threat presently unknown.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</title>
		<link>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues</link>
		<comments>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/#comments</comments>
		<pubDate>Tue, 10 Oct 2017 17:30:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1339</guid>
		<description><![CDATA[
<p>Last week, toymaker Mattel announced that it was not moving forward with its Aristotle product, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby... <a class="more-link" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/10/04/mattel-has-an-ai-device-to-soothe-babies-experts-are-begging-them-not-to-sell-it/?utm_term=.033452813a22" target="_blank">toymaker Mattel announced that it was not moving forward with its Aristotle product</a>, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby [and] was also designed to keep changing its activities, even to the point where it could help a preteen with homework.”  This is not the first time that Mattel has struggled with the integration of technology into its products.  Mattel&#8217;s product development was scrutinized a couple of years ago when it announced its “<a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">Hello Barbie,” which contained an embedded microphone in the doll’s belt</a>, to record a child’s response to the doll’s questions. The child’s responses were then sent back to Mattel through the doll’s WiFi capabilities.  Mattel released the doll and immediately had to defend the integration of this technology into its toys.</p>
<p>Mattel’s decision to not move forward with the Aristotle shows how much the climate for products that provide pathways into our homes and personal lives has changed in the last few years. That is, recent litigation and legislation have made it clear to many companies that the risk of holding customers’ personal data may not be worth the damage done if they fail to protect that data.</p>
<p>A court’s decision from last week provides further evidence of how rapidly the climate is changing for the commercial storage of personal data.  Rent-to-own stores, and the relationship they share with their customers, have been the subject of a substantial amount of privacy litigation.  For example, <a href="https://privacyriskreport.com/decision-in-rent-to-own-spying-case-provides-another-nail-in-the-coffin-for-coverage-of-privacy-concerns-related-to-new-technology-under-traditional-insurance/" target="_blank">on October 28, 2015, we addressed an insurance coverage case involving a rental store’s tender of its defense of two lawsuits under three primary insurance policies and three umbrella policies. </a>The underlying complaints in those cases involved allegations that Aspen Way installed software on its computers that it rented out to monitor their use.  Specifically, it was alleged that Aspen Way used this software, which could secretly monitor users by taking pictures and monitoring keystrokes, to help it repossess computers when its customers defaulted on their lease agreements.</p>
<p>On October 3, 2017, the District Court for the Northern District of Georgia revisited the thorny privacy issues presented when rent-to-own stores install this monitoring software.  In <em>Peterson v. Aaron’s</em>, 2017 WL 4390260 (N.D. Ga. Oct. 3, 2017), the plaintiffs obtained computers for their law firm that they allege had software allowing Aaron’s to obtain their private information without their consent.  The Complaint filed in this litigation contained allegations that Aaron’s worked with a third-party developer that allowed Aaron’s “to locate and shut down a computer in the event of theft or missed payment.”  The Plaintiffs claim they were unaware this software was installed on their computers.</p>
<p>Aaron’s filed a motion for summary judgment which was granted based on the following reasoning:</p>
<ul>
<li><em>Standing:  As seen in a number of privacy cases, the first and most burdensome hurdle for plaintiffs is whether they have standing to bring suit under Spokeo v. Robins, 136 S. Ct. 1540, 1543 (2016). Here, the District Court, as seen with a number of other decisions in data breach and related cases, found a plaintiff must show (1) that they have suffered an “injury-in-fact;” (2) that there is a causal connection between the injury and the defendants’ alleged actions; and (3) that the injury will be redressed by a favorable decision. </em></li>
</ul>
<p>In applying the <em>Spokeo</em> standard, the District Court first found one of the plaintiffs did not meet this standard when he was not on the lease for the laptop and, therefore, was found not to have a “legally protected interest.” The District Court found the plaintiff that leased the computer suffered harm when the computers were put into “Detective Mode” which logged screenshots and keystrokes. Consequently, at least one of the plaintiffs was able to establish standing and survive Aaron’s motion on this point.</p>
<ul>
<li><em>Intrusion Upon Seclusion Claim: Under Oklahoma law (where the plaintiff was located when he was allegedly injured), the plaintiff was required to prove that there was “(1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.” </em></li>
</ul>
<p>Aaron’s argued it is entitled to judgment because there was no intrusion on the plaintiff’s property because the plaintiff did not have a reasonable expectation of privacy in his computer because the computer was leased for a business and was not intended for personal uses. The District Court rejected Aaron’s position that there are no property rights for lessees because “[a] lessee in possession of property expects reasonably similar levels of privacy as an owner.” The District Court also found the fact that the computer was used by employees for business purposes (“employees have less privacy expectations”) to be irrelevant since the plaintiff himself used the computer in addition to other employees. Lastly, the District Court rejected Aaron’s argument that the plaintiff waived his expectation of privacy since he was in default on his lease of the computer.</p>
<p>The District Court also found sufficient evidence that a reasonable person would find the monitoring of the laptop to be offensive.</p>
<ul>
<li><em>Aiding and Abetting: In finding the plaintiff may be able to meet the elements of an intrusion upon seclusion claim, the plaintiff must also show Aaron’s had the requisite knowledge about this conduct. </em></li>
</ul>
<p>Here, Aaron’s franchises made the decision to monitor the laptops. Therefore, to hold Aaron’s liable, the plaintiff must show Aaron’s had knowledge of the alleged wrongful conduct. The District Court found the plaintiff failed to show Aaron’s had the requisite knowledge that its franchisees monitored the plaintiff’s laptop. On this point, the District Court granted Aaron’s motion for summary judgment.</p>
<p>It is important to note that Aaron&#8217;s only escaped liability because it did not monitor the customers.  The franchisees may still be found liable for monitoring customers.  Even though Aaron&#8217;s was entitled to judgment in this case when it was found Aaron&#8217;s did not have the requisite amount of knowledge that its customers were being monitored, the growing body of privacy law appears to be having a direct impact on product development for many American companies.   For example, in speaking about the decision concerning Mattel&#8217;s Aristotle this week, Mattel publicly stated that the decision was made by the company&#8217;s new chief technology officer, who “conducted an extensive review of the Aristotle product and decided that it did not fully align with Mattel’s new technology strategy.”  Now more than ever, companies are having to determine if developing products using this technology is worth the number of safeguards that must be in place once these products have gathered customers&#8217; personal data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</title>
		<link>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data</link>
		<comments>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/#comments</comments>
		<pubDate>Tue, 08 Aug 2017 17:07:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1272</guid>
		<description><![CDATA[
<p>Toymakers have recently received more than their share of scrutiny concerning the collection, storage and breaches of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data... <a class="more-link" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Toymakers have recently received more than their share of scrutiny concerning the <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">collection</a>, <a href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/" target="_blank">storage</a> and <a href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">breaches</a> of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data can be collected in the first place.  <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">A recent lawsuit against The Walt Disney Company</a> and its related companies (&#8220;Disney&#8221;) sheds new light on how companies may be using &#8220;free&#8221; apps to gather data on their youngest customers and how that data can be used.</p>
<p>On August 3, 2017, <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">a class action lawsuit</a> was filed in the United States District Court for the Northern District of California against Disney seeking recovery based on allegations “by parents of children, who while playing online games via smart phone apps, have had their personally identifying information exfiltrated by [Disney], for future commercial exploitation…”  (Complaint at ¶1)  In particular, the plaintiff, Amanda Rushing (&#8220;Rushing&#8221;), claims her child’s private information was improperly stored as her child used Disney’s app “Princess Palace Pets.” The Class Action Complaint includes claims against the “SDK Defendants,” which were the companies that provided their own code, known as “software development kits,” to Disney’s apps for use in the games.  The Complaint asserts that the SDK Defendants embedded software in Disney&#8217;s gaming apps that allowed for the app users&#8217; personal information to be collected without authorization and &#8220;to facilitate subsequent behavior advertising.”  (Complaint at ¶7)</p>
<p>Before the specific allegations against Disney and the SDK Defendants, the Complaint contains a number of allegations against the app and gaming industry in general including that “[m]ost consumers, including parents of children consumers, do not know that apps created for children are engineered to surreptitiously and unlawfully collect the child-users’ personal information, and then exfiltrate that information off the smart device for advertising and commercial purposes.” (Complaint at 16) The plaintiff’s theories underpinning the allegations against Disney include:</p>
<p><em>&#8220;When children are tracked over time across the internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given smart device.  Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data point about the same user, such as app usage, geographic location (including likely domicile), and internet navigation, it discloses a personal profile that can be exploited in a commercial context.&#8221;</em> (Complaint at ¶22)</p>
<p>The Complaint alleges that these actions by Disney and the SDK Defendants violate the Children’s Online Privacy Protection Act (“COPPA”). In short, COPPA prohibits gathering personal information of children under the age of 13 “without first obtaining verifiable consent from their parents.” While the plaintiffs acknowledge that COPPA typically protects data more commonly understood to be personal information (names, email addresses, social security numbers, etc.), it also protects against the unauthorized collection of “persistent identifier[s] that can be used to recognize a user over time and across different Web sites or online services.” (Complaint at ¶28) The Class Action Plaintiff therefore claims the defendants violated COPPA by “incorporating the SDK Defendants’ behavioral advertising SDK’s into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent…&#8221; (Complaint at ¶63)</p>
<p>The Complaint contains two causes of action against the defendants. Under the first cause of action, for Intrusion Upon Seclusion, the Plaintiff claims Disney and the other defendants intentionally intruded on Plaintiff’s “solitude, seclusion, or private affairs by intentionally designing the Game Tracking Apps&#8230;to surreptitiously obtain, improperly gain knowledge of, review and/or retain Plaintiffs&#8230;activities through monitoring technologies and activities&#8221; as described in the Class Action Complaint. Under the Plaintiff’s second cause of action, entitled California Constitutional Right to Privacy, the Plaintiff claims she and the other class members have “reasonable expectations of privacy in their mobile devices and their online behavior” which Disney and the other defendants “intentionally intruded on.”</p>
<p>While Disney and the defendants have not responded to the allegations in the Complaint, <a href="http://www.hollywoodreporter.com/thr-esq/disney-accused-illegally-tracking-children-apps-new-lawsuit-1026881" target="_blank"><em>The Hollywood Reporter</em> reports that it received a statement from Disney related to the lawsuit indicating that it is taking the position that: “<em>Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court</em>.”</a></p>
<p>Of course, it is still early in this litigation and it may be years before we see whether the Class Action Plaintiffs&#8217; allegations have merit. Nevertheless, the Class Action Complaint is clear that even if something is being given away for free (in this case apps based on Disney characters), people still expect to control their personal information. As this area of the law continues to develop, data collectors must consider more than whether they have the proper safeguards in place to protect data from a breach. Rather, data collectors must consider whether they have permission to collect data in the first place. This case provides another example of a party claiming to be injured without its information being breached, and it raises the question of what harm, if any, results from the unauthorized collection of data.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us" target="_blank">click here to contact a Tressler attorney.</a></p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</title>
		<link>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017</link>
		<comments>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/#comments</comments>
		<pubDate>Tue, 18 Jul 2017 14:47:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1256</guid>
		<description><![CDATA[
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the... <a class="more-link" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.  (In 2015, the Privacy Risk Report addressed the facts related to <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech’s breach on December 2, 2015</a> at great length.)</p>
<p>Now that we are a few years down the road since the breach, we have seen VTech&#8217;s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech&#8217;s business.  Therefore, even though we have no information concerning VTech&#8217;s insurance program, we still have sufficient information about VTech&#8217;s breach to analyze the value of third party liability and first party coverage in data breaches.</p>
<ul>
<li><strong>VTech’s Good News: No Liability For The Breach (So Far)</strong></li>
</ul>
<p>On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breach cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.</p>
<p>The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.&#8221; Of course, there was no contract to use the apps. Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech characterized &#8220;each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach its obligations to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.” The District Court was not persuaded by the plaintiffs&#8217; argument because they could have easily used the toys without downloading the apps or uploading their personal information. The District Court also agreed with VTech, finding that “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services&#8221; and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.</p>
<p>Even though the plaintiffs <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">failed to show they had damages and could survive a motion to dismiss</a>, the value of third party cyber liability coverage is clear. The costs of briefing the complex issues on a motion to dismiss over whether the plaintiffs have standing can be too much for many companies. Further, if the plaintiffs survive a motion to dismiss, <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">which is happening on a more routine basis</a>, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment. Therefore, the VTech case (even though the plaintiffs&#8217; case was dismissed) still underscores the need for third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.</p>
<ul>
<li><strong>VTech’s Bad News: Potential First Party Losses</strong></li>
</ul>
<p>Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/" target="_blank">recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price.</a> Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun &amp; Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone and Yahoo. In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:</p>
<table>
<tbody>
<tr>
<td width="638">“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”</td>
</tr>
<tr>
<td width="638">“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”</td>
</tr>
<tr>
<td width="638">“More recent breaches had less of a negative impact on share price than older ones.”</td>
</tr>
<tr>
<td width="638">“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”</td>
</tr>
</tbody>
</table>
<p>Admittedly, while Comparitech&#8217;s in-depth study of these large scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences when in <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/" target="_blank">January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million</a>. And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
