<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; cyber</title>
	<atom:link href="https://privacyriskreport.com/tag/cyber/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</title>
		<link>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law</link>
		<comments>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/#comments</comments>
		<pubDate>Thu, 11 Apr 2019 16:17:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1810</guid>
		<description><![CDATA[
<p>While the United States may not have data protections in place that are as extensive as those seen in the European Union&#8217;s adoption of GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal... <a class="more-link" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While the United States may not have data protections in place that are as extensive as those seen in the <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">European Union&#8217;s adoption of GDPR</a>, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security.</p>
<ul>
<li><strong>The Insurance Industry’s Data Protection Standards </strong></li>
</ul>
<p>The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of state insurance regulators, provides one of the best examples of an industry taking steps on its own to regulate cyber security for the insurance industry. Early NAIC cyber security initiatives included creating <em><a href="https://privacyriskreport.com/insurance-commissioners-consider-cybersecurity-regulatory-principles-for-cyber-insurers/" target="_blank">Principles for Effective Cybersecurity Insurance Regulatory Guidance</a></em> to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” The NAIC’s initiatives are based on the realization that the insurance industry faces its own unique issues in protecting sensitive data. In short, the NAIC’s initiatives provide one of the best examples of an industry taking steps to regulate itself rather than wait for state or federal regulations to plug the gaps.</p>
<ul>
<li><strong>The Data Protections Found In The NAIC’s “Model Law.” </strong></li>
</ul>
<p>The NAIC furthered its track record on cyber security measures when it adopted the Insurance Data Security Model Law (“Model Law”) in October 2017 to encourage members of the insurance industry to adopt cyber security programs that would protect consumers’ personal information, create standards that would limit damage caused by a breach and create protocols to investigate incidents and notify the state insurance commissioner. Specifically, the Model Law is intended “to establish standards for data security and standards for the investigation of and notification to the Commission of a Cybersecurity Event” that involves an entity regulated under the insurance laws of a given state. (A copy of the <a href="https://www.naic.org/store/free/MDL-668.pdf" target="_blank">Model Law can be found here</a>.)</p>
<p>Insurance entities that operate in a state that has adopted a version of the Model Law may be subject to new regulations spanning the time prior to a cyber incident to points after an incident.  First, under the Model Law, an insurance entity may be required to create an “Information Security Program” and “Incident Response Plan” prior to an incident. The Model Law would also govern the insurance entities’ response to a cyber incident by creating guidelines to investigate and provide notification after an incident. The Model Law is currently being considered in a number of states (Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire) and has been adopted in some form in Michigan and South Carolina.</p>
<ul>
<li><strong>Ohio’s Adoption Of The “Model Law” </strong></li>
</ul>
<p>Ohio is one of the first states to adopt a version of the NAIC’s Model Law through Senate Bill 273. On December 19, 2018, John Kasich, Ohio’s governor, signed Bill 273 into law, which requires entities subject to Ohio’s insurance laws to take certain steps to protect private information. While the Ohio legislature adopted a large portion of the Model Law, Senate Bill 273 had some notable changes that include:</p>
<ul>
<li><em>Affirmative Defense</em>: Senate Bill 273 provides insurance entities that are in compliance with the statute with an affirmative defense to liability if they are sued for a cyber security incident;</li>
</ul>
<ul>
<li><em>Other Considerations:</em> The Ohio Department of Insurance can consider other factors related to a breach including the type of business and size of the insurance entity; and</li>
</ul>
<ul>
<li><em>Easy Compliance:</em> A streamlined process allows the insurance entity to file documents to comply with the provisions of this law with other corporate documents filed with the State of Ohio.</li>
</ul>
<p>Ohio’s law is more than an abstract cyber security guideline. Rather, its deadlines include that all insurance entities must conduct a risk assessment to address the nature and likelihood of any internal threat to private information and implement a security program resulting from the risk assessment by March 19, 2020. Therefore, Ohio’s insurance entities have work to do over the next year.</p>
<ul>
<li><strong>Industry Standards Provide Guidance</strong></li>
</ul>
<p>While many data collectors struggle to comply with various state and federal privacy laws, industry standards provide a uniform set of regulations. Further, industry standards that are crafted by members of the industry provide guidance on the issues facing that particular industry. And, while there is an argument that more regulations may become burdensome, regulations such as Ohio’s Bill 273 are helpful to the extent they protect sensitive data, provide guidance to data collectors and may limit liability when there is a cyber security incident.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach: </em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
</ul>
<ul>
<li><em>Stopping the Breach and Restoring the System:</em>  F.O. 483 also requires a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs.  Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
</ul>
<ul>
<li><em>Determining What Occurred</em>: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers to provide notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and efforts to protect the client’s data.  Finally, F.O. 483 directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers when a cyber security issue may result in an ethical issue.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</title>
		<link>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees</link>
		<comments>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/#comments</comments>
		<pubDate>Thu, 21 Jun 2018 20:45:37 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1544</guid>
		<description><![CDATA[
<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees,... <a class="more-link" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A recent lawsuit filed by Tesla, Inc. provides a reminder of the potential threat caused by employees and other insiders to data collectors&#8217; security. While there is a balance between proper security and creating a pleasant work environment for employees, data collectors should take a closer look at employees&#8217; <em>opportunities</em> to steal information and employees&#8217; <em>motive</em> to steal information.</p>
<p>On June 20, 2018, Tesla, Inc. filed suit in the United States District Court for Nevada alleging one of its former employees, Martin Tripp (&#8220;Tripp&#8221;), unlawfully hacked the company&#8217;s confidential and trade secret information and transferred it to third parties.  Tesla did not waste any time filing suit as it alleges it began its investigation of this matter on June 14, 2018. Even after filing suit, Tesla still alleges that it has only begun to understand the full scope of Tripp&#8217;s illegal activity. Tesla claims Tripp admitted to writing software that hacked Tesla&#8217;s manufacturing operating system and transferring several gigabytes of Tesla data to outside entities. Tesla also alleges Tripp wrote computer code to periodically export Tesla&#8217;s data off its network and into the hands of third parties.</p>
<p>In addition to hacking Tesla&#8217;s data, Tesla claims Tripp made false claims to the media about the information he stole. In particular, Tesla asserts Tripp&#8217;s claims that punctured battery cells had been used in certain Model 3 vehicles were untrue. Tripp is also accused of spreading rumors that Tesla delayed bringing new manufacturing equipment online.</p>
<p>Despite providing limited background, the <a href="https://www.tresslerllp.com/docs/default-source/Publication-Documents/tesla-inc-vs-martin-tripp.pdf?sfvrsn=4" target="_blank">Complaint</a> paints Tripp as a disgruntled employee while at Tesla. After being hired in October 2017 as a process technician, Tripp complained that he deserved a more senior role at Tesla. Further, within a few months of being hired, Tesla had identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. Tripp was angry when he received word that he was transferred to a new role.</p>
<p>By mid-June, Tripp was confronted with evidence that he was the source of a hack at Tesla and admitted to writing software that transferred Tesla&#8217;s data to entities outside Tesla. Tesla refers to its investigation as being still in the early stages.</p>
<p>In addition to causes of action for federal and state unfair trade practices violations and breach of contract, Tesla&#8217;s Complaint also contains a claim for breach of fiduciary duty of loyalty.  In this claim, Tesla claims Tripp, as a &#8220;trusted employee,&#8221; had a duty to act in Tesla&#8217;s best interests. Tesla also claims Tripp&#8217;s actions violate Nevada&#8217;s Computer Crimes Law, which prohibits all unauthorized access to Tesla&#8217;s &#8220;computers, computer systems, and/or computer networks.&#8221;</p>
<p>The allegations against Tripp provide the latest example that cyber security and privacy violations have a substantial employment law component. As this action was being filed, Elon Musk, Tesla&#8217;s Chief Executive, <a href="https://www.bbc.com/news/business-44531777" target="_blank">sent an email to employees stating that an unnamed Tesla employee had engaged in &#8220;extensive and damaging sabotage&#8221; to Tesla. Musk further stated &#8220;[t]he full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad.&#8221;</a>  And, moving past Tripp&#8217;s conduct, Musk continued in his email that there <a href="http://thehill.com/policy/technology/392987-musk-launches-investigation-into-sabotage-at-tesla" target="_blank">&#8220;may be considerably more to this situation than meets the eye,&#8221; since “there are a long list of organizations that want Tesla to die.” Musk included “oil &amp; gas companies” and “Wall Street short sellers” as being included on this list</a>.</p>
<p>Data collectors may want to look at this problem by analyzing the employee&#8217;s <em>opportunity</em> to hack and<em> motive</em> to hack. First, employers must decrease the <em>opportunity</em> to hack by limiting unnecessary access an employee has to data. Employers should not retain any data that is unnecessary to run their business. The risk of a hack increases with the amount of data stored. Here, there was a need for balance since it appears Tripp needed access to sensitive data in order to do his job. Employee training is another way to make sure the employee understands that while there may be an opportunity to access data, the employer is willing to entrust the employee with sensitive data.</p>
<p>Additionally, after limiting the opportunity to steal data, employers should monitor whether employees have <em>motive</em> to steal data. As seen in this case with Tesla, Tripp appeared &#8220;disruptive&#8221; and &#8220;combative&#8221; and gave the general impression of being angry that he was overlooked for a promotion. These are red flags.  Further, as seen in Musk&#8217;s recent comments, Tesla has a genuine fear of being hacked by competitors and other entities that want to slow the development of the electric car. Given these concerns, employees must understand the need for safeguards that are in place to protect data.  This is also where well-trained human resources professionals can be just as useful to an organization as well-trained tech professionals.</p>
<p>Regardless of whether this hack was the result of an employee simply being disgruntled or whether it is related to a conspiracy by corporations &#8220;that want Tesla to die,&#8221; this case makes it clear that cyber security has moved beyond merely having proper technological safeguards in place. Employees and other insiders present a completely different threat than a remote hacker trying to gain access from the outside.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/">Tesla Lawsuit Demonstrates Need To Take Closer Look At &#8220;Disruptive&#8221; Employees</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/tesla-lawsuit-demonstrates-need-to-take-closer-look-at-disruptive-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</title>
		<link>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury</link>
		<comments>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/#comments</comments>
		<pubDate>Tue, 05 Jun 2018 16:39:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1530</guid>
		<description><![CDATA[
<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have... <a class="more-link" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">plaintiffs struggle with surviving motions to dismiss</a> because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">including biometric information</a>.</p>
<p>On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, we are seeing <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">another step in the trend where no breach is necessary to impose liability</a>.</p>
<p>In <em>Dixon v. The Washington and Jane Smith Community,</em> 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:</p>
<ul>
<li>“Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”</li>
<li>“Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”</li>
<li>“Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”</li>
<li>“Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”</li>
</ul>
<p><strong>Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation</strong></p>
<p>The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”</p>
<p>As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show (1) they suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.  <em>Spokeo, Inc. v. Robins</em>, 136 S. Ct. 1540, 1547 (2016).</p>
<p>After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)</p>
<p>Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.</p>
<p><strong>Motion To Dismiss Denied: Dixon Has A Viable Claim</strong></p>
<p>Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:</p>
<p><em>“BIPA provides that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition to obtaining other relief such as an injunction.”</em></p>
<p>Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:</p>
<p><em>“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”  </em></p>
<p>This case signals a willingness by a number of courts to acknowledge the significant risk with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach in the classical sense of Dixon’s fingerprint information.  In <em>Dixon</em>, the data collector merely provided biometric data to its vendor and yet the District Court found Dixon’s allegations were sufficient because, “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”</p>
<p>Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/">No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-breach-required-illinois-court-finds-providing-biometric-data-to-vendor-without-proper-consent-may-give-rise-to-injury/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
		<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third-party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question. The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization were sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim by finding Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer were insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss when they allege that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts to start holding data collectors responsible for cyber incidents even though the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years back before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to require that all data collectors be liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps, which include employee training.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</title>
		<link>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data</link>
		<comments>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/#comments</comments>
		<pubDate>Tue, 27 Mar 2018 20:39:29 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1466</guid>
		<description><![CDATA[
<p>A class action entitled Wade v. ABM Indus. Inc., 2018 CH 3855 was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employees’ Personal Information.  In summary, the class action plaintiff claims... <a class="more-link" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A class action entitled <em>Wade v. ABM Indus. Inc.,</em> 2018 CH 3855 was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employees’ Personal Information.  In summary, the class action plaintiff claims he was damaged by his employer, ABM, “when it allowed hackers to obtain access to Plaintiff’s and other employees’ Personal Information.”  In particular, the class action plaintiff claims his Personal Information “should not have been susceptible to unauthorized access through the use of one of the oldest, and least sophisticated types of cyber-attacks &#8211; the ‘phishing email scheme.’”</p>
<p><strong>Allegations Related To The Breach</strong></p>
<p>The class action plaintiff claims his Personal Information, including documents containing medical information, was taken during a breach in August of 2017.  Specifically, the class action plaintiff claims ABM was the target of “cyber attackers” a number of times over the years and, therefore, should have taken better steps to protect its employees’ information prior to the “phishing” attack which led to the subject data breach.</p>
<p>The class action plaintiff claims ABM should have been better prepared for this incident since it had “been targeted by cyber-attacks many times in the last decade.”</p>
<p><strong>Allegations Related To ABM’s Notification</strong></p>
<p>The class action plaintiff further alleges that ABM should not have waited more than seven months to notify its employees of the incident on March 5, 2018.  In addition to failing to be timely, the class action plaintiff claims the notification letter failed to provide sufficient information concerning the incident to allow its employees to protect themselves.</p>
<p><strong>Causes Of Action</strong></p>
<p>The class action plaintiff claims he has had to take steps to protect against identity theft and fraud and has suffered mental anguish when “he experiences anxiety and anguish when he thinks about what would happen if his identity is stolen as a result of the Data Breach.”</p>
<p>In addition to claims for breach of contract, breach of implied contract and a violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act, the class action plaintiff’s complaint also contains the following causes of action:</p>
<ul>
<li><em>Violation Of N.Y. Gen. Bus. Law §349 et. seq</em>.: In his first cause of action, the class action plaintiff claims ABM engaged in “deceptive, unfair and unlawful trade acts or practices.”  Here, the class action plaintiff claims he had to provide his Personal Information as a condition of employment.</li>
</ul>
<ul>
<li><em>Negligence</em>: In his fourth cause of action, the class action plaintiff claims ABM was negligent when it failed to implement reasonable security measures and cybersecurity protocol and failed to timely notify the class action plaintiff of the incident involving his Personal Information.</li>
</ul>
<p>The allegations found in the class action plaintiff’s complaint against ABM highlight the difficult position employers may find themselves in when employees claim their personal information has been compromised.  Of course, the employer-employee relationship requires the parties continue to work together and exchange information even after an employee claims their information has been compromised.  Further, these allegations are part of a growing trend calling into question not only the technical safeguards of a data collector, but also calling into question non-technical safeguards such as security protocols and the reasonableness of a data collector’s notification process.  In the end, liability for a breach involving customer data or employee data will be limited if a data collector can show it took as many reasonable steps as possible to protect that data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</title>
		<link>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-finds-virtual-currencies-are-commodities-subject-to-existing-laws</link>
		<comments>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/#comments</comments>
		<pubDate>Thu, 08 Mar 2018 16:51:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[CFTC]]></category>
		<category><![CDATA[Chicago]]></category>
		<category><![CDATA[commodities]]></category>
		<category><![CDATA[crypto currency]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[virtual currencies]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1457</guid>
		<description><![CDATA[
<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may... <a class="more-link" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may expect the law controlling cyber security and privacy law to develop.</p>
<p>In <em>Commodity Futures Trading Commission v. McDonnell,</em> 2018 WL 1175156 (March 6, 2018), the District Court for the Eastern District of New York held the Commodity Futures Trading Commission (“CFTC”) “has standing to exercise its enforcement power over fraud related to virtual currencies sold in interstate commerce…”  The CFTC is tasked with stopping fraud or manipulation in derivatives markets by enforcing the Commodity Exchange Act (“CEA”).  The CEA requires “any commodity traded as a future” to be “traded on a commodity exchange approved by the CFTC.”  Title 7 U.S.C. § 2.  In <em>McDonnell</em>, the threshold question was whether virtual currency may be regulated by the CFTC as a commodity.  And, after a lengthy analysis of virtual currencies, the District Court held the CFTC had authority over these markets and was entitled to enjoin the defendants from continuing to sell virtual currencies to the public.</p>
<p>The facts underpinning the <em>McDonnell </em>decision involve allegations that the Defendant, Patrick McDonnell (“McDonnell”), and his investment companies, “offered fraudulent trading and investment services related to virtual currency.”  Specifically, “[c]ustomers from the United States and abroad paid defendants for ‘membership’ in virtual currency trading groups purported to provide exit prices and profits of up to ‘300%’ per week.”  Unfortunately, the defendants disappeared by deleting company social media accounts and ceasing all communications with investors after receiving the initial payment and subsequent investments from members.</p>
<p>After hearing evidence concerning the defendants’ actions, the District Court granted a preliminary injunction to the CFTC when it found that the defendants committed fraud through false trading advice and “promised future profits.”  The District Court held that an injunction was warranted in light of the reasonable likelihood that the defendants would continue to violate the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are Here To Stay</strong></li>
</ul>
<p>Before arriving at its decision, the <em>McDonnell </em>Court conducts an in-depth analysis of Bitcoin and other virtual currencies.  After addressing the basics related to virtual currencies, the District Court  finds these currencies “serve the same purposes as gold in terms of a currency, but much more efficiently because it does not have any mass and can be sent easily from place to place.”  Further, the District Court acknowledges that virtual currencies may be here to stay because “online exchanges have become more accessible allowing more members of the public to trade and invest in virtual currencies.”  The District Court concludes there is a greater chance for fraud and criminal activity as these currencies grow in popularity.</p>
<ul>
<li><strong>While The Regulations Are Slightly Unclear, There Is No Doubt That Virtual Currencies Are Regulated By <em>Some</em> Governmental Agency.</strong></li>
</ul>
<p>After taking a closer look at how virtual currencies could potentially be regulated by the Department of Justice, the Securities and Exchange Commission, the Treasury Department, the IRS, private exchanges or through state regulations, the District Court settles on the CFTC as the administrative body that is “currently exercising partial supervision of virtual currencies.”  The District Court’s analysis of these regulations provides further support for the finding that the CFTC has standing to seek injunctive relief against anyone violating the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are “Commodities” That Can Be Regulated By The CFTC</strong></li>
</ul>
<p>The <em>McDonnell</em> court must also address whether virtual currencies are “Commodities” as defined under the CEA. Therefore, the District Court must analyze whether virtual currencies fall within the definition of Commodities in the CEA, which protects agricultural products and “all other goods and articles…and all services, rights, and interests…in which contracts for future delivery are presently or in the future dealt in.”  After a lengthy analysis of this issue, the District Court ultimately concludes “[v]irtual currencies can be regulated by CFTC as a commodity.”  In short, the District Court finds “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value.”</p>
<ul>
<li><strong>The CFTC Is Entitled To An Injunction When The Fraud Is Not Directly Related To The Sale Of Futures Or Derivative Contracts</strong></li>
</ul>
<p>After finding the CFTC has standing to seek an injunction against the defendants, the <em>McDonnell</em> court next determines there is sufficient evidence that the defendants “committed fraud by misappropriation of investors’ funds and misrepresentation of trading advice and future profits promised to customers.”  On this issue, the District Court concluded that a preliminary injunction in favor of the CFTC was warranted in light of the finding that a fraud had been committed.</p>
<ul>
<li><strong>The Scope Of This Decision May Reach Beyond Virtual Currencies</strong></li>
</ul>
<p>First, the <em>McDonnell</em> decision makes clear that it is time for insurers to start considering whether virtual currency presents losses covered under traditional insurance policies or if new products should be developed.  Over the last few months we have seen more people invest in virtual currencies.  The <em>McDonnell</em> court quotes the December 1, 2017 Bloomberg Businessweek which sheds more light on virtual currencies: “The initial price of bitcoin, set in 2010, was less than 1 cent.  Now it’s crossed $16,000.  Once seen as the province of nerds, libertarians and drug dealers, bitcoin today is drawing millions of dollars from hedge funds.”  (While the price in December 2017 was $16,000, the price has since dropped). The <em>McDonnell </em>decision acknowledges that as the pool of investors increases, we can expect to see an increase in the potential for losses, theft and all the other things the defendants in this case are accused of doing.  Consequently, as virtual currencies become more ingrained in our daily lives, it may be time for insurers to start taking a closer look at losses involving virtual currencies.</p>
<p>Additionally, the <em>McDonnell</em> decision discusses a number of issues currently facing cyber and privacy law.  First, while the District Court finds virtual currencies fall into the definition of “commodities,” the Court has to work to get there.  In the end, the District Court finds that the same law can protect agricultural products and virtual currencies at the same time.  We face many of these same issues in cyber security and privacy law as we try to fit these emerging issues into laws and regulations that may have been on the books for decades.</p>
<p>Finally, the section of the <em>McDonnell</em> decision entitled “concurrent oversight from Other Agencies” discusses how a number of governmental agencies could regulate virtual currencies.  Likewise, cyber security and privacy face a similar situation as a number of state and federal agencies fight to regulate this emerging area of law. Therefore, while the <em>McDonnell</em> decision provides insight into the regulation of virtual currencies, it also provides guidance for cyber security and privacy law.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ironing Out The Wrinkles In Data Legislation:  A Case Study</title>
		<link>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ironing-out-the-wrinkles-in-data-legislation-a-case-study</link>
		<comments>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/#comments</comments>
		<pubDate>Fri, 26 Jan 2018 20:06:42 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1426</guid>
		<description><![CDATA[
<p>There should be little dispute that the current patchwork of foreign, federal, state and industry cybersecurity regulations need to be harmonized in order to protect data. While these varying laws and proposed laws can be dizzying even for large corporations, it is... <a class="more-link" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There should be little dispute that <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/">the current patchwork of foreign, federal, state and industry cybersecurity regulations needs to be harmonized in order to protect data.</a> While these varying laws and proposed laws can be dizzying even for large corporations, it is virtually impossible for small businesses to feel confident they are meeting their obligations under these various laws.  As it stands today, a data collector, regardless of size, has to balance a number of conflicting sources when considering cyber security.  Suffice it to say, the current framework of competing laws and regulations may overwhelm data collectors, causing them to simply give up on trying to meet their obligations.  In the end, data protection laws may become useless if they are too complex to be worth a data collector’s effort.</p>
<ul>
<li><strong>A Case Study:  Mom and Pop’s Cleaners</strong></li>
</ul>
<p>As 2018 <em>unfolds</em>, a hypothetical “mom and pop” dry cleaner in Tucson, Arizona keeps a registry of its customers&#8217; names, addresses, phone numbers and email addresses.  We learn that “Mom and Pop’s Cleaners” has customers that include international citizens visiting the United States and others who work at nearby businesses, as well as Arizona residents and residents from other U.S. states.  In an effort to not <em>skirt</em> any laws, Mom and Pop have asked the <em>Privacy Risk Report</em> for assistance in understanding the laws and proposed laws that may impact them in 2018.  The following will take a real-world approach and <em>spot</em> the issues presented by the laws and regulations that may impact Mom and Pop’s business in 2018.</p>
<ul>
<li><strong>Foreign Regulations Must Be Part Of The </strong><em><strong>Cycle</strong></em><strong>.  </strong></li>
</ul>
<p>Mom and Pop’s Cleaners does a brisk business with international workers at the nearby regional office of a French corporation.  Accordingly, Mom and Pop have questions concerning the data they are collecting on these French residents and residents of other EU nations in 2018.</p>
<p><em>European Union General Data Protection Regulation</em></p>
<p>European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018.  The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  (A guide to the EU GDPR can be found <a href="https://www.eugdpr.org/">here.</a>)</p>
<p>Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of where the data collector may be located.  The definition of personal data is broadened to the extent it includes any information “that can be used to directly or indirectly identify the person.”  Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how the data is to be handled and stored.  For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed.  GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request.  <a href="http://thehill.com/opinion/cybersecurity/366607-europes-privacy-law-set-to-change-how-personal-data-is-handled-around">Further, under GDPR, data collectors will be required to perform routine assessments to identify risks for private data. </a> Finally, the penalties for non-compliance may total up to 4% of annual global turnover of the breaching data collector or €20 Million (whichever is greater).</p>
<p>Mom and Pop should not dismiss the upcoming enforcement of the GDPR as something that only concerns large, multi-national corporations.  Mom and Pop, as with many data collectors of all sizes, may be surprised to find the amount of data they are storing that belongs to EU residents.  Here, there is no question that Mom and Pop have data belonging to customers that are EU residents and should at least consider whether they have obligations under GDPR and how a breach of this information could become a <em>stain</em> on their business.  Further, the GDPR may give some insight to Mom and Pop as to the direction of U.S. privacy laws in the coming years.</p>
<p>Just as Mom and Pop seem to understand their obligations under GDPR, they wonder if GDPR applies to their British customers in light of Brexit.  The GDPR website offers the following <em>stitch</em> of advice:</p>
<p>“If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.”</p>
<p>Mom and Pop may not be ready to consider how Brexit impacts their collection of data belonging to their British customers.  They have already made more progress in this area than many of their competitors.</p>
<ul>
<li><strong>Federal Regulations Need To Be More </strong><em><strong>Tailored</strong></em></li>
</ul>
<p>Mom and Pop’s Cleaners also has a number of customers that are tourists from other U.S. states.  Mom and Pop have questions concerning the data they are collecting for these customers in 2018.</p>
<p><em>The Data Breach Prevention and Compensation Act of 2018</em></p>
<p>U.S. lawmakers have taken steps to directly regulate credit reporting agencies in response to the Equifax breach.  In its current form, <a href="https://siliconangle.com/blog/2018/01/10/proposed-law-impose-huge-fines-credit-reporting-agency-data-breaches/">The Data Breach Prevention and Compensation Act of 2018 </a>would create new regulations by expanding the powers of the Federal Trade Commission (FTC).  Specifically, the proposed Act would create an Office of Cybersecurity to monitor large credit reporting agencies.  The Office of Cybersecurity would have the authority to impose fines on any credit reporting agency that breached data or failed to properly report a breach.  Under the current draft of the law, consumers would receive 50% of any fine imposed by the Office of Cybersecurity.</p>
<p>This legislation has been introduced by Senators Elizabeth Warren and Mark Warner after seeing the Equifax breach in 2017.  While this legislation is unlikely to pass, it still makes clear that credit reporting agencies will continue to be under heightened scrutiny in 2018 and beyond.</p>
<p>Of course, even if this legislation passes, Mom and Pop will not need to worry about it since they do not qualify as a credit reporting agency.</p>
<p><em>IoT Cybersecurity Improvement Act of 2017</em></p>
<p><a href="http://internetofthingsagenda.techtarget.com/feature/IoT-Cybersecurity-Improvement-Act-sets-low-bar-for-IoT-device-safety">The IoT Cybersecurity Improvement Act of 2017</a> would provide security practices for any company before it can sell interconnected devices to the federal government.  Importantly, this legislation would not regulate all IoT devices.  Commentators have stated that “[b]road IoT legislation isn’t practical in the current Congress…which was why the bill’s authors had narrowed its focus to federal procurement.”  There are further questions as to whether this is a good first step that will lead to broad IoT regulation or if these regulations will lose momentum after devices for the federal government are regulated.</p>
<p>Mom and Pop do not have any immediate concerns with this proposed legislation.  Down the road, their business may be safer if any interconnected device they purchase has the same security as that imposed on devices sold to the U.S. government.  However, this legislation does not appear to be of any concern to Mom and Pop over the next year.</p>
<ul>
<li><strong>State Regulations Create </strong><em><strong>Wrinkles </strong></em><strong>For Smaller Data Collectors.</strong></li>
</ul>
<p>Mom and Pop do not have to worry about any national data breach notification requirements.  All attempts to create breach notification standards at the federal level have lost <em>steam.</em>  In particular, the bill referred to as <a href="https://gizmodo.com/new-senate-bill-includes-jail-time-for-executives-who-c-1820897003">the Data Security and Breach Notification Act </a>appears to have no chance of becoming law in 2018.  Unfortunately, as data collectors for Arizona residents, Mom and Pop will face some uncertainty in 2018.</p>
<p><em>Arizona’s Data Breach Notification Law: Changes in 2018</em></p>
<p>At present, the Arizona legislature is considering changes to <a href="https://www.jdsupra.com/legalnews/arizona-legislature-considers-58918/">Arizona’s data protection laws</a>.  The current Arizona law requires data collectors to notify individuals of any breach that compromises their information and may cause “substantial economic loss” to that individual.  The new law under consideration in 2018 for Arizona would remove this “substantial economic loss” requirement, and, therefore, would require notice in many more situations.  Additionally, the current law defines “personal information” as an individual’s name combined with a social security number, driver’s license number, non-operating i.d. or financial account number, credit card or debit card number in combination with a security code, access code or password for that account.  The new legislation would no longer require a security code, access code or password to be compromised in order to trigger a data collector’s notification obligations.</p>
<p>In 2018, Arizona’s notification law may also be changed to require notice to affected individuals within 30 days of the breach.  The law presently only requires notification to take place in the “most expedient manner possible without unreasonable delay.”</p>
<p>Based on these changes, Mom and Pop are going to need to take a close look at the data they are storing on Arizona residents and how that data is being protected.  Further, Mom and Pop may also need to take a closer look at their procedures if a breach occurs.  The time frame for their response and the notification to their customers has been taken from a subjective deadline to an objective, 30-day deadline.  Mom and Pop have a lot of work in order to make sure they are in compliance with this law.</p>
<p><em>Other States’ Data Breach Notification Laws</em></p>
<p>Even if Mom and Pop happen to figure out their obligations under Arizona law, they still have to consider the laws for other states where their customers may reside.  As data collectors for residents of a number of states, Mom and Pop face even more uncertainty.  As it stands today, each state has its own data breach notification laws.  Consequently, Mom and Pop may have different obligations, including numerous deadlines to provide notification, for a single breach that includes data for residents of different states.</p>
<ul>
<li><strong>Mom And Pop’s Approach For 2018</strong></li>
</ul>
<p>From a practical standpoint, Mom and Pop are not realistically going to put much thought into complying with GDPR.  However, they may make efforts to comply with their state data protection laws.  While Arizona’s new data law may not be in perfect harmony with GDPR, it is an important first step to get Mom and Pop to at least begin to consider Arizona’s law and make an effort to comply.  Maybe if things go right, Mom and Pop may consider buying an endorsement to their insurance policy for cyber protection in 2019.</p>
<p>Additionally, while it is great to see lawmakers begin to tackle these issues, it will be important to not overwhelm data collectors.  2018 promises to be an interesting year for data protection laws.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage.  Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information being compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence.  Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while determining the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather,  Plaintiff claims it was damaged because the emails contained confidential and proprietary information which violated state and federal law.  Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment thus prompting the District Court to decide if Plaintiff had a viable cause of action under federal or state laws.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber </em><em>technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p><em> </em>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><em> </em><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p><em> </em>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category:”</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found Plaintiff’s allegations that Defendant engaged in the illegal misappropriation of confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action).  Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”)  Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, the Court did not have to analyze the state claims when the federal claims were dismissed.  Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed.  Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer.  Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct.  That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information with the hardcopies of the documents rather than transferring the information to his personal account through his computer.  Further, the District Court may have arrived at a different decision if Defendant actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the evolution of the term “cyber” be limited to incidents where “a computer is the target of the malicious activity.”  These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.”  If the District Court’s analysis gains traction we may see legislation that would directly address this new breed of malicious activity rather than seeing various privacy claims being crammed into traditional laws.  Further, we may also see the evolution of cyber policies to be geared to providing coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.&#8221;</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</title>
		<link>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors</link>
		<comments>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/#comments</comments>
		<pubDate>Wed, 20 Dec 2017 21:15:07 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Small Data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1397</guid>
		<description><![CDATA[
<p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data... <a class="more-link" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data breaches, cyber incidents or other surprises.  Just this week, we saw major news stories which include the <a href="https://www.cnbc.com/2017/12/18/us-to-blame-north-korea-for-wannacry-cyber-attack.html" target="_blank">US government blaming North Korea for the WannaCry cyberattack earlier this year</a> and <a href="https://www.law360.com/illinois/articles/995800/sonic-drive-in-chain-hit-with-class-action-over-data-breach" target="_blank">Sonic Drive-Ins being sued in a class action for its data breach</a>.  Therefore, while we are hesitant to put together a list with a couple of weeks left in 2017, it is safe to form at least some broad conclusions about 2017.</p>
<p>Cyber has been a moving target for years and 2017 has been no different.  In 2017, we saw privacy laws evolve while legislatures attempted to keep up with the various threats.  While we did not see a pivotal cyber insurance law case, 2017 had a fair share of cases that deserve further analysis. We saw a number of cyber incidents and data breaches that should keep litigants and our courts busy for many years.  Overall, we saw a scenario where smaller data collectors have less personal information to protect and can make adjustments in 2018.  The fact that large-scale data breaches are still occurring may indicate that, despite having better information concerning data protection, large-scale data collectors may not be able to make adjustments within their organizations quickly enough to keep up with changing rules and evolving threats.</p>
<p>The body of information concerning data collectors&#8217; obligations is growing and 2017 provided the following insight for consideration in 2018 and beyond:</p>
<p><em><strong>The Further Development Of State Privacy Laws</strong></em></p>
<p>Without having a significant body of law to rely upon, state privacy laws typically provide the most guidance for data collectors.  These laws regulate the type of information that must be protected, how to protect that information and the consequences if the information is not protected properly.  In 2017, we analyzed revisions and modifications to these laws that should be addressed.</p>
<p><strong>What are “Reasonable Measures” For Data Collectors?</strong></p>
<p><a href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/" target="_blank">One central issue playing out in 2017 has been how “data collectors” adapt to modifications of state privacy laws. </a>For example, Illinois amended its breach notification statute, the Personal Information Act <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67">(815 ILCS §530/5)</a> (&#8220;PIPA&#8221;), to include a requirement that any data collector holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Illinois joined a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual who has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.</p>
<p>PIPA was also amended in 2017 to require data collectors to take &#8220;reasonable measures&#8221; to protect personal information.  While we really did not get much insight on what the legislature believes may constitute “reasonable measures,”<a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank"> by mid-January of 2017 we had already seen courts provide some guidance.</a>  In our January 19, 2017 post, we analyzed the <em>Dittman</em> decision in Pennsylvania to determine obligations for “data collectors” in the absence of controlling law. With scant law, a “data collector” may want to consider the advice in the <em>Dittman</em> concurring opinion and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data. Otherwise, we are still waiting on a court to address what the “Reasonable Measures” standard means.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, </a>which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.”</p>
<p><a href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">The stated objectives of the NIST publication include: “…to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur;</a> and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provided the following “key questions that should be answered by organizations when addressing their security and privacy concerns&#8221;:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?</em></li>
</ul>
<p>At this point, NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.  While there may be no requirement to meet the NIST Standards, a data collector has a better chance of showing they took &#8220;reasonable measures&#8221; if they can demonstrate they attempted to address the NIST standards in addition to the vague requirements found in state privacy laws and the general standards of some industries.</p>
<p><strong>States And Courts Take Steps To Protect Biometric Data </strong></p>
<p>While we saw some changes concerning the storage of “personal data” in 2017, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">we also received a glimpse of the importance of protecting biometric data.</a></p>
<p>In late 2016 and 2017, we saw a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA). “Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a>, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions.</p>
<p>Not only is this technology here to stay, but it is already involved in litigation across the country.  For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</a> Without a doubt, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country.  In 2018, we can expect to see data collectors find other uses for biometric information and, therefore, more effort will be needed to protect this information.</p>
<p>By March of 2017, we saw another biometric data case when the Eastern District for the Northern District of Illinois analyzed BIPA in <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf"><em>Rivera v. Google Inc</em>.</a>, 16 C 02714 (N.D. Ill 2016), and found allegations that Google created and stored face-scans from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.</p>
<p>As we move into 2018, we can expect the protection of biometric data will continue to grow in importance for data collectors.</p>
<p><em><strong>Another Large-Scale Data Breach in 2017: Equifax</strong></em></p>
<p>While it appeared in 2017 that large-scale data breaches may not occur as frequently as we saw a couple of years ago with Target Stores, Home Depot, Best Buy or the federal government, 2017 still had its fair share of large data breaches. The growing consensus that fewer data breaches may indicate large data collectors were taking better precautions with personal information was called into question when it was announced in September that Equifax had a significant breach.  <a href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/" target="_blank">Admittedly, we are still learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017</a>. While different numbers have been discussed, it appears about 143 million people may have been impacted. Suffice it to say, this was a huge data breach.</p>
<p><a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do">The FTC’s website provides the following facts </a>on the Equifax breach:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>Equifax’s breach response at this point initially included offering one free year of its credit monitoring service and providing information via <a href="http://www.equifaxsecurity2017.com/">its website created just for this breach</a>.  However, Equifax soon faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/">Equifax had to issue a statement claiming to have fixed the problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired, leaving some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”</em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits were filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more than 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares of the company days after the cyberattack was discovered.  Equifax had to issue another statement after its announcement indicating that while the three executives sold a “small percentage” of their shares August 1 and August 2, 2017, they “had no knowledge that an intrusion had occurred at the time they sold their shares.”</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement placed Equifax’s response under further scrutiny.  After the Equifax breach, it became clear that not all large data collectors, despite seeing breach scenarios play out over and over, may be prepared for a data breach.</p>
<p><strong>Allegations in Uber Breach Demonstrate Need For Clear Response To Incident</strong></p>
<p>If Equifax made it clear that we are not out of the woods on large-scale data breaches, the allegations against Uber after its breach may have shed more light on how large-scale data collectors are handling breaches.  <a href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/" target="_blank">On November 28, 2017, the City of Chicago and Illinois (“plaintiffs”) filed their Complaint in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc</em>., Case No. 2017CH15594 (Nov. 28, 2017). </a>The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.</p>
<p>In particular, the plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.” The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…”  Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment.  The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>Litigation In 2017 Looked Like Litigation In 2016:  “Standing” To Bring Suit Still Questionable In 2017</strong></p>
<p>As seen in prior years, the <a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/">threshold question in data breach lawsuits during 2017 is still whether a litigant has “standing” to bring a cause of action </a>against the party that allegedly caused a breach. This hurdle for litigants arises out of Article III of the Constitution, which limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative.  Nevertheless, while a number of data breach cases have been lost at the initial pleadings stage, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.</p>
<p>As this body of law has developed over the years, one case in particular, <em>Lewert v. P.F. Chang’s China Bistro, Inc</em>., 14-3700 (7<sup>th</sup> Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs.  Developments in 2017 in the P.F. Chang’s litigation should provide more hope for plaintiffs.</p>
<p>The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count.” (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.</p>
<p>On April 26, 2017, the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.</p>
<p>While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss. It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">the Neiman Marcus case recently settled </a>before we could see how that litigation unfolds through discovery and further motion practice.</p>
<p><strong>Take-Away For 2018</strong></p>
<p>Based on the developments in 2017, we can expect smaller data collectors to have a wealth of information to use when determining their obligations for storage of personal information.  Smaller data collectors have state privacy laws, industry regulations and cases to look to for guidance. On the other hand, Equifax may show us that larger data collectors may have trouble in 2018.  Even though all data collectors have the same information available concerning their obligations, large data collectors may have too much information and too much red tape to properly prepare for an incident. Out of all the large-scale data collectors, one would hope Equifax was prepared for a breach and had a response ready to go. We may see a scenario where smaller data collectors, despite fewer resources, have a better chance to protect data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
