<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; hack</title>
	<atom:link href="https://privacyriskreport.com/tag/hack/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Pennsylvania Supreme Court Finds Collecting and Storing Employee Data Gives Rise To Duty: Is the Pendulum Swinging Back In Favor Of Data Breach Plaintiffs?</title>
		<link>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs</link>
		<comments>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/#comments</comments>
		<pubDate>Fri, 30 Nov 2018 16:20:36 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[employer]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1711</guid>
<description><![CDATA[
<p>Not long ago, data collectors could feel secure in the fact that plaintiffs had a significant hurdle to establish standing to bring a lawsuit related to a data breach. However, on November 21, 2018, the Pennsylvania Supreme Court issued its... <a class="more-link" href="https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/">Continue Reading &#8594;</a></p>
]]></description>
<content:encoded><![CDATA[<p>Not long ago, data collectors could feel secure in the fact that plaintiffs had a significant hurdle to establish standing to bring a lawsuit related to a data breach. However, on November 21, 2018, the Pennsylvania Supreme Court issued its decision in <em>Dittman v. The Univ. of Pittsburgh Medical Center</em>, 2018 WL 6072199 (2018), holding an employer can be liable under a negligence claim for breaching employees’ personal information if it does not have adequate security measures in place protecting that data. The reasoning in this decision may make it easier for employees to sustain a lawsuit against their employers after data breaches.</p>
<p>The Class Action Complaint filed in <em>Dittman</em> asserts that the Medical Center breached the personal information of its 62,000 employees. Furthermore, the Complaint alleged the Medical Center required Medical Center Employees to provide this information as a condition of their employment. Ultimately, the Medical Center Employees claimed this information was used to file fraudulent tax returns after the breach.</p>
<p>The Medical Center Employees claimed the Medical Center was negligent when it breached “a duty to exercise reasonable care to protect their ‘personal and financial information within its possession or control from being compromised, lost, stolen, misused and/or disclosed to unauthorized parties.’” In particular, the Medical Center Employees argued the Medical Center failed to implement basic security measures protecting their information.</p>
<p>The Pennsylvania Supreme Court held, <em>first</em>, that the Medical Center owed employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm from breaching personal information and, <em>second</em>, that the economic loss doctrine did not bar the Medical Center Employees’ claim.</p>
<ul>
<li>An Employer Has A Duty To Use Reasonable Care And Safeguard Employee Personal Information.</li>
</ul>
<p>The Medical Center Employees claimed the Medical Center had a duty to protect their data once it began collecting and storing the data. The Medical Center countered that it should not be liable for the breach since third-party criminals were responsible for it. That is, the Medical Center was merely an employer and did not create the risk of harm. Therefore, the Medical Center claimed it had no duty.</p>
<p>The Pennsylvania Supreme Court rejected the Medical Center’s position and found it potentially could be at fault when it “collected and stored [personal information] on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.”  In light of these allegations, the Supreme Court held the Medical Center “owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of the act.”</p>
<ul>
<li>Recovery For Pecuniary Damages Is Permissible Under Pennsylvania’s Economic Loss Doctrine.</li>
</ul>
<p>Next, the Medical Center argued that even if it had a duty, the Medical Center Employees’ claims could still be barred by the economic loss doctrine. Under Pennsylvania law (as in most other states), the economic loss doctrine bars negligence claims against a party that are based solely on economic damages. The Pennsylvania Supreme Court found the economic loss doctrine did not bar the Employees’ claims because “this legal duty exists independently from any contractual obligations between the parties…” In other words, the <em>Dittman</em> Court rejected the Medical Center’s position that the economic loss doctrine was applicable, because the duty to secure employee personal information arises out of negligence law rather than contractual obligations.</p>
<p><a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">There is a significant body of law addressing whether plaintiffs have “standing” to bring lawsuits against data collectors</a>. However, the Pennsylvania Supreme Court did not directly address whether there was a causal link between the breach at the Medical Center and the Employees’ allegations that fraudulent tax returns were filed in their names with the breached information.  Consequently, under the reasoning in the <em>Dittman</em> decision, the best strategy for employers to limit liability in Pennsylvania is to make sure they have “adequate” security measures in place if a breach occurs involving employee data.  And, this case should make it clear to employers outside of Pennsylvania that plaintiffs are beginning to clear the hurdles to establishing liability for data breach incidents.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> at Tressler LLP for a copy of the <em>Dittman</em> decision.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/pennsylvania-supreme-court-finds-collecting-and-storing-employee-data-gives-rise-to-duty-is-the-pendulum-swinging-back-in-favor-of-data-breach-plaintiffs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Here It Is:  The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach</title>
		<link>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach</link>
		<comments>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/#comments</comments>
		<pubDate>Thu, 29 Mar 2018 19:19:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1474</guid>
<description><![CDATA[
<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if... <a class="more-link" href="https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/">Continue Reading &#8594;</a></p>
]]></description>
<content:encoded><![CDATA[<p>The March 26, 2018 decision in Hopper v. Schletter Inc., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) leaves no question that courts are now prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in Hopper, employers can expect to have their cybersecurity protocols closely scrutinized after a breach or other incident.</p>
<p>On April 19, 2016, the defendant in Hopper, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third-party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cybersecurity and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question. The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on these criteria, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>Finally, the District Court opined that the two years of identity protection provided to Schletter’s employees was inadequate because the service “has neither prevented the Plaintiffs from experiencing fraudulent activity using their Personal Information nor alerted them that they had fallen victim to identity theft.”</p>
<p>Based on these findings, the District Court held Plaintiffs could survive Schletter’s motion to dismiss. In particular, the District Court denied Schletter’s motion to dismiss on the following grounds:</p>
<ul>
<li><em>Negligence and Breach of Implied Contract Claims:</em> The Plaintiffs claimed that they were required to provide their Personal Information as a condition of their employment and Schletter failed to protect that information. The District Court found the allegations were sufficient to survive a motion to dismiss on the negligence/breach of implied contract claims.</li>
<li><em>Invasion of Privacy:</em> The Plaintiffs claimed Schletter’s unauthorized disclosure of Personal Information resulted in an invasion of the Plaintiffs’ privacy by intrusion. The District Court found Plaintiffs’ allegations that their names, birthdates, addresses and Social Security numbers were disclosed without authorization was sufficient to survive a motion to dismiss.</li>
<li><em>Breach of Fiduciary Duty:</em> The Plaintiffs claimed that Schletter was a “fiduciary in matters connected with their employment.” The District Court rejected Plaintiffs’ claim by finding Plaintiffs’ allegations that Schletter had a fiduciary duty merely by virtue of being an employer was insufficient to survive a motion to dismiss.</li>
<li><em>Unfair Trade Practices and Privacy Acts:</em> The Plaintiffs’ final causes of action were based on claimed violations of North Carolina’s Unfair and Deceptive Trade Practices Act and Identity Protection Act. The District Court found Plaintiffs’ allegations were sufficient to survive a motion to dismiss when they alleged that Schletter “intentionally disclosed their Social Security numbers to an unauthorized third party and that the Defendant should have known in the exercise of reasonable diligence that the third party lacked a legitimate purpose for obtaining this information.”</li>
</ul>
<p>The District Court’s reasoning should cause all data collectors to look at their cybersecurity protocols. This case may signal a shift by courts to start holding data collectors responsible for cyber incidents even though the disclosure was the result of being tricked by a sophisticated criminal. The outcome of this case may have been dramatically different a few years back before there was a large body of information available on proper safeguards. The District Court’s decision should not be misinterpreted to require all data collectors be liable if they have an incident. Rather, this decision merely establishes that a data collector <em>may</em> be held liable <em>if</em> a court finds the data collector failed to take necessary steps which includes employee training.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/here-it-is-the-decision-that-tells-data-collectors-exactly-what-they-should-have-known-before-they-had-a-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a></p>
]]></description>
<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>. First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage. Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information being compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence. Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while determining the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather,  Plaintiff claims it was damaged because the emails contained confidential and proprietary information which violated state and federal law.  Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment thus prompting the District Court to decide if Plaintiff had a viable cause of action under federal or state laws.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category:”</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found Plaintiff’s allegations that Defendant engaged in the illegal misappropriation of confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action). Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.” (“Hence, traditional laws may be more suitable conduits for plaintiffs’ legal action, rather than statutes that specifically target malicious cyber acts.”) Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, the Court did not have to analyze the state claims once the federal claims were dismissed. Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed. Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer. Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct. That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information with hardcopies of the documents rather than transferring the information to his personal account through his computer. Further, the District Court may have arrived at a different decision if Defendant had actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the term “cyber” become limited to incidents where “a computer is the target of the malicious activity.” These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.” If the District Court’s analysis gains traction, we may see legislation that directly addresses this new breed of malicious activity rather than various privacy claims being crammed into traditional laws. Further, we may also see cyber policies evolve to provide coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.”</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All: Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</title>
		<link>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues</link>
		<comments>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/#comments</comments>
		<pubDate>Tue, 10 Oct 2017 17:30:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1339</guid>
		<description><![CDATA[
<p>Last week, toymaker Mattel announced that it was not moving forward with its Aristotle product, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby... <a class="more-link" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/10/04/mattel-has-an-ai-device-to-soothe-babies-experts-are-begging-them-not-to-sell-it/?utm_term=.033452813a22" target="_blank">toymaker Mattel announced that it was not moving forward with its Aristotle product</a>, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby [and] was also designed to keep changing its activities, even to the point where it could help a preteen with homework.” This is not the first time that Mattel has struggled with the integration of technology into its products. Mattel’s product development was scrutinized a couple of years ago when it announced its “<a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">Hello Barbie,” which contained an embedded microphone in the doll’s belt</a> to record a child’s response to the doll’s questions. The child’s responses were then sent back to Mattel through the doll’s WiFi capabilities. Mattel released the doll and immediately had to defend its decision to integrate this technology into its toys.</p>
<p>Mattel’s decision to not move forward with the Aristotle shows how much the climate for products that provide pathways into our homes and personal lives has changed in the last few years. That is, recent litigation and legislation have made it clear to many companies that the risk of holding customers’ personal data may not be worth the damage done if they fail to protect that data.</p>
<p>A court’s decision from last week provides further evidence of how rapidly the climate is changing for the commercial storage of personal data.  Rent-to-own stores, and the relationship they share with their customers, have been the subject of a substantial amount of privacy litigation.  For example, <a href="https://privacyriskreport.com/decision-in-rent-to-own-spying-case-provides-another-nail-in-the-coffin-for-coverage-of-privacy-concerns-related-to-new-technology-under-traditional-insurance/" target="_blank">on October 28, 2015, we addressed an insurance coverage case involving a rental store’s tender of its defense of two lawsuits under three primary insurance policies and three umbrella policies. </a>The underlying complaints in those cases involved allegations that Aspen Way installed software on its computers that it rented out to monitor their use.  Specifically, it was alleged that Aspen Way used this software, which could secretly monitor users by taking pictures and monitoring keystrokes, to help it repossess computers when its customers defaulted on their lease agreements.</p>
<p>On October 3, 2017, the District Court for the Northern District of Georgia revisited the thorny privacy issues presented when rent-to-own stores install this monitoring software.  In <em>Peterson v. Aaron’s</em>, 2017 WL 4390260 (N.D. Ga. Oct. 3, 2017), the plaintiffs obtained computers for their law firm that they allege had software allowing Aaron’s to obtain their private information without their consent.  The Complaint filed in this litigation contained allegations that Aaron’s worked with a third-party developer that allowed Aaron’s “to locate and shut down a computer in the event of theft or missed payment.”  The Plaintiffs claim they were unaware this software was installed on their computers.</p>
<p>Aaron’s filed a motion for summary judgment which was granted based on the following reasoning:</p>
<ul>
<li><em>Standing: As seen in a number of privacy cases, the first and most burdensome hurdle for plaintiffs is whether they have standing to bring suit under Spokeo v. Robins, 136 S. Ct. 1540, 1543 (2016). Here, the District Court, as seen in a number of other decisions in data breach and related cases, found a plaintiff must show (1) that they have suffered an “injury-in-fact;” (2) that there is a causal connection between the injury and the defendants’ alleged actions; and (3) that the injury will be redressed by a favorable decision. </em></li>
</ul>
<p>In applying the <em>Spokeo</em> standard, the District Court first found one of the plaintiffs did not meet this standard when he was not on the lease for the laptop and, therefore, was found not to have a “legally protected interest.” The District Court found the plaintiff that leased the computer suffered harm when the computers were put into “Detective Mode” which logged screenshots and keystrokes. Consequently, at least one of the plaintiffs was able to establish standing and survive Aaron’s motion on this point.</p>
<ul>
<li><em>Intrusion Upon Seclusion Claim: Applying Oklahoma law (where the plaintiff was located when he was allegedly injured), the plaintiff was required to prove that there was “(1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.” </em></li>
</ul>
<p>Aaron’s argued it was entitled to judgment because there was no intrusion on the plaintiff’s property: in its view, the plaintiff had no reasonable expectation of privacy in a computer that was leased for a business and was not intended for personal use. The District Court rejected Aaron’s position that there are no property rights for lessees because “[a] lessee in possession of property expects reasonably similar levels of privacy as an owner.” The District Court also found the fact that the computer was used by employees for business purposes (“employees have less privacy expectations”) to be irrelevant since the plaintiff himself used the computer in addition to other employees. Lastly, the District Court rejected Aaron’s argument that the plaintiff waived his expectation of privacy since he was in default on his lease of the computer.</p>
<p>The District Court also found sufficient evidence that a reasonable person would find the monitoring of the laptop to be offensive.</p>
<ul>
<li><em>Aiding and Abetting: In finding the plaintiff may be able to meet the elements of an intrusion upon seclusion claim, the plaintiff must also show Aaron’s had the requisite knowledge about this conduct. </em></li>
</ul>
<p>Here, Aaron’s franchises made the decision to monitor the laptops. Therefore, to hold Aaron’s liable, the plaintiff must show Aaron’s had knowledge of the alleged wrongful conduct. The District Court found the plaintiff failed to show Aaron’s had the requisite knowledge that its franchisees monitored the plaintiff’s laptop. On this point, the District Court granted Aaron’s motion for summary judgment.</p>
<p>It is important to note that Aaron’s only escaped liability because it did not itself monitor the customers. The franchisees may still be found liable for monitoring customers. Even though Aaron’s was entitled to judgment in this case because it was found not to have the requisite knowledge that its customers were being monitored, the growing body of privacy law appears to be having a direct impact on product development for many American companies. For example, in speaking about the decision concerning Mattel’s Aristotle this week, Mattel publicly stated that the decision was made by the company’s new chief technology officer, who “conducted an extensive review of the Aristotle product and decided that it did not fully align with Mattel’s new technology strategy.” Now more than ever, companies are having to determine whether developing products using this technology is worth the safeguards that must be in place once these products have gathered customers’ personal data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public. However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data. It is not difficult to see how these various requirements may become competing interests that cause confusion. Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing that information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), when the New Hampshire Supreme Court found providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.” The School District voted to seal the minutes while in the nonpublic session. The following month, the plaintiff, David Taylor, requested that the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed. In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure, which allowed records to be provided only to a member of the public who brings a sealed thumb drive (or purchases a thumb drive directly from the School District) onto which the records are downloaded.</p>
<p>By August of 2016, Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire law and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email. Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.” Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information. The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns. While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</title>
		<link>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data</link>
		<comments>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/#comments</comments>
		<pubDate>Wed, 06 Sep 2017 18:30:38 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1300</guid>
		<description><![CDATA[
<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty... <a class="more-link" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty was breached in a data breach case if there is no standard to determine what the duty is, what a breach is, or what constitutes data. Likewise, a legislature will not be able to create a statutory framework to protect its citizens if it does not speak the “language” of data protection. Further, even if a court can understand the fundamentals related to a particular cyber issue, a court may find <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">a patchwork of state and federal law may govern the analysis of that issue</a>.</p>
<p>A recent example was seen when the United States District Court for the District of Columbia was called upon to address questions related to a search warrant issued for electronically stored information held in the “cloud.” Specifically, in <em>In Re Search Of Information Associated With [Redacted]@gmail.com That Is Stored At Premises Controlled By Google, Inc</em>., 2017 WL 3445634 (D.C. Cir. July 31, 2017), the D.C. District Court analyzed whether the government was entitled to data held by Google on its cloud. (“The basic legal question confronting us is not a total stranger to this Court. [citation omitted] With the growing interdependence of world trade and the increased mobility of persons and companies, the need arises not infrequently, whether related to civil or criminal proceedings, for the production of evidence located in foreign jurisdictions.”) In <em>Google</em>, the D.C. District Court summed up this issue as follows:</p>
<p><em>As a result, the judiciary and legislature have been challenged to keep up with precipitous advancements in technology and global interconnectedness. Traditional notions of “territoriality” and “jurisdiction” have been muddied, especially when it comes to determining the scope of statutes governing access and disclosure of electronic records and communications. The picture is murkier still with the advent of so-called “cloud” computing, which is “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.”</em></p>
<p>And, while grappling with these new technological concepts, courts are beginning to look to the few common standards available, such as those created by the National Institute of Standards and Technology (“NIST”), to form the structure for their decisions. For example, the D.C. District Court relied on a definition of &#8220;cloud computing&#8221; found in the NIST standards.</p>
<p>In its simplest terms, as the NIST standards gain acceptance, we may soon see a court find liability for a cyber incident when a litigant fails to meet the NIST standards to safeguard data. Therefore, it is even more important to keep current on the NIST standards, which are constantly in transition, as these standards continue to be relied upon to determine legal duty and responsibility.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf" target="_blank">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations,</a> which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.” The stated objectives of the NIST publication include: “&#8230;to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provides the following “key questions that should be answered by organizations when addressing their security and privacy concerns:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST is seeking public comment from August 15, 2017 through September 12, 2017. NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.</p>
<p>While the NIST Standards are intended to create &#8220;minimum requirements for federal information systems,&#8221; these standards have proven to be the most comprehensive set of standards for industries that have not adopted their own. Consequently, we can expect to see courts and legislatures continue to borrow terms and concepts from NIST when there are no other standards to rely upon. Further, insurers may soon require their insureds to show they meet NIST standards during the application process as well as throughout the effective dates of coverage.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Lawsuit Asks Whether Free Apps Were &#8220;Goofy&#8221; When They Collected Children&#8217;s Data</title>
		<link>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data</link>
		<comments>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/#comments</comments>
		<pubDate>Tue, 08 Aug 2017 17:07:25 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1272</guid>
		<description><![CDATA[
<p>Toymakers have recently received more than their share of scrutiny concerning the collection, storage and breaches of data belonging to children.  Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data... <a class="more-link" href="https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Toymakers have recently received more than their share of scrutiny concerning the <a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">collection</a>, <a href="https://privacyriskreport.com/barbie-still-cant-keep-a-secret-toy-makers-enter-settlement-related-to-smart-toys/" target="_blank">storage</a> and <a href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">breaches</a> of data belonging to children. Cases involving this data move past questions of whether a data breach was avoidable and, instead, ask whether certain data can be collected in the first place. <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">A recent lawsuit against The Walt Disney Company</a> and its related companies (&#8220;Disney&#8221;) sheds new light on how companies may be using &#8220;free&#8221; apps to gather data on their youngest customers and how that data can be used.</p>
<p>On August 3, 2017, <a href="http://www.tresslerllp.com/docs/default-source/Publication-Documents/rushing-v-the-walt-disney-co-class-action-complaint.pdf?sfvrsn=2" target="_blank">a class action lawsuit</a> was filed in the United States District Court for the Northern District of California against Disney seeking recovery based on allegations “by parents of children, who while playing online games via smart phone apps, have had their personally identifying information exfiltrated by [Disney], for future commercial exploitation…” (Complaint at ¶1) In particular, the plaintiff, Amanda Rushing (&#8220;Rushing&#8221;), claims her child’s private information was improperly stored as her child used Disney’s app “Princess Palace Pets.” The Class Action Complaint includes claims against the “SDK Defendants,” the companies that provided their own code, known as “software development kits,” to Disney’s apps for use in the games. The Complaint asserts that the SDK Defendants embedded software in Disney&#8217;s gaming apps that allowed the app users&#8217; personal information to be collected without authorization and &#8220;to facilitate subsequent behavior advertising.” (Complaint at ¶7)</p>
<p>Before the specific allegations against Disney and the SDK Defendants, the Complaint contains a number of allegations against the app and gaming industry in general including that “[m]ost consumers, including parents of children consumers, do not know that apps created for children are engineered to surreptitiously and unlawfully collect the child-users’ personal information, and then exfiltrate that information off the smart device for advertising and commercial purposes.” (Complaint at 16) The plaintiff’s theories underpinning the allegations against Disney include:</p>
<p><em>&#8220;When children are tracked over time across the internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given smart device.  Viewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a user, but when linked to other data point about the same user, such as app usage, geographic location (including likely domicile), and internet navigation, it discloses a personal profile that can be exploited in a commercial context.&#8221;</em> (Complaint at ¶22)</p>
<p>The Complaint alleges that these actions taken by Disney and the SDK Defendants give rise to a violation of the Children’s Online Privacy Protection Act (“COPPA”). In short, COPPA prohibits gathering personal information of children under the age of 13 “without first obtaining verifiable consent from their parents.” While the plaintiffs acknowledge that COPPA typically protects data more commonly understood to be personal information (names, email addresses, social security numbers, etc.), it also protects against the unauthorized collection of “persistent identifier[s] that can be used to recognize a user over time and across different Web sites or online services.” (Complaint at ¶28) In short, the Class Action Plaintiff claims the defendants violated COPPA by “incorporating the SDK Defendants’ behavioral advertising SDK’s into their child-directed apps and permitting them to track children by collecting, using, or disclosing their persistent identifiers without verifiable parental consent…&#8221; (Complaint at ¶63)</p>
<p>The Complaint contains two causes of action against the defendants. Under the first cause of action, for Intrusion Upon Seclusion, the Plaintiff claims Disney and the other defendants intentionally intruded on Plaintiff’s “solitude, seclusion, or private affairs by intentionally designing the Game Tracking Apps&#8230;to surreptitiously obtain, improperly gain knowledge of, review and/or retain Plaintiffs&#8230;activities through monitoring technologies and activities&#8221; as described in the Class Action Complaint. Under the Plaintiff’s second cause of action, entitled California Constitutional Right to Privacy, the Plaintiff claims she and the other class members have “reasonable expectations of privacy in their mobile devices and their online behavior” which Disney and the other defendants “intentionally intruded on.”</p>
<p>While Disney and the defendants have not responded to the allegations in the Complaint, <a href="http://www.hollywoodreporter.com/thr-esq/disney-accused-illegally-tracking-children-apps-new-lawsuit-1026881" target="_blank"><em>The Hollywood Reporter</em> reports that it received a statement from Disney related to the lawsuit indicating that it is taking the position that: “<em>Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court</em>.”</a></p>
<p>Of course, it is still early in this litigation and it may be years before we see whether the Class Action Plaintiffs&#8217; allegations have merit. Nevertheless, the Class Action Complaint is clear that even if something is being given away for free (in this case, apps based on Disney characters), people still expect to control their personal information. As this area of the law continues to develop, data collectors must consider more than whether they have the proper safeguards in place to protect data from a breach. Rather, data collectors must also consider whether they have permission to collect the data in the first place. This case provides another example of a party claiming to be injured without its information being breached, raising the question of what harm, if any, results from the unauthorized collection of data.</p>
<p>For more information, <a href="http://www.tresslerllp.com/contact-us" target="_blank">click here to contact a Tressler attorney.</a></p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-lawsuit-asks-whether-free-apps-were-goofy-when-they-collected-childrens-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades. One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al</em>., 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) which stored workers&#8217; compensation litigation files. In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files. The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1) “intentionally accesses without authorization”</p>
<p>(2) a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3) “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction between ‘electronic communication services’ and ‘remote computing services.’” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care’ for different types of communication.” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found the plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims existed. Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades. Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act. This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel with experience in this developing, highly specialized area.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</title>
		<link>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry</link>
		<comments>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/#comments</comments>
		<pubDate>Fri, 17 Mar 2017 19:03:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1158</guid>
		<description><![CDATA[
<p>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017. Over the last few months, there have been a number of news stories concerning allegations that the Russians may have hacked US political parties and... <a class="more-link" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>This article originally appeared in Advisen&#8217;s Front Page News, Cyber Edition, on March 16, 2017.</em></p>
<p>Over the last few months, there have been a number of news stories concerning allegations that Russia hacked US political parties and the US intelligence community. It is easy to dismiss these national and international stories as too large to offer any real insight into the domestic cyber insurance market. However, it may be too soon to write off news of government or political cyber attacks and leaks.</p>
<p>Last week, WikiLeaks published a substantial body of internal CIA material describing the agency&#8217;s hacking tools and cyber warfare techniques. While no one would reasonably want to see a leak that could compromise national security, this one provides valuable information the insurance industry can use to evaluate its cyber insurance products. With the information already public, the industry should use it to examine current and future cyber threats.</p>
<p><strong>Initial impact </strong></p>
<p>In what WikiLeaks described as its largest publication of confidential CIA documents to date, the release detailed the agency&#8217;s classified hacking activities and other cyber weapons. The documents showed the CIA had developed software to compromise consumer technology in the following ways:</p>
<ul>
<li><strong>Smart Phones:</strong> The CIA developed tools to track an individual’s geolocation and to remotely access audio, text communications, camera, and microphone features on a target’s smartphone. Because the tools run on the handset itself, they can collect messages before a messaging application encrypts them.</li>
<li><strong>Smart TVs:</strong> The CIA’s code was able to turn a smart TV into a “covert microphone,” capturing conversations occurring near the television and sending them over the internet to a CIA server while the television appeared to be off.</li>
<li><strong>Smart Vehicles:</strong> The release showed that “[a]s of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks,” which WikiLeaks suggested could be used to carry out “nearly undetectable assassinations.”</li>
</ul>
<p><strong>Current cyber threats </strong></p>
<p>This leak is important because it shows how the CIA and, presumably, other sophisticated attackers are trying to gain access to everyday consumer products. In this first release alone, WikiLeaks published 8,761 documents and files, with more promised. It is rare for the insurance industry to have access to such a large body of information about the threats that give rise to cyber risk, and this information can immediately be put to good use. For example, the leaked material gives automobile insurers substantial data for assessing the threat posed by hackers compromising connected cars. And the data reflects tooling built for real-world operations by a sophisticated actor rather than controlled experiments.</p>
<p>Beyond the leaked technical material, the leak itself illustrates a threat that cyber insurance must cover. The fact that this information may have been removed by a CIA employee or contractor underscores the role of malicious insiders in any assessment of cyber risk. The insurance industry must also wrestle with the fact that if the CIA cannot stop a breach of its most secretive data, an insured may have little chance of stopping a determined attacker.</p>
<p><strong>Future cyber threats </strong></p>
<p>This leak also offers a view of where cyber threats may be going over the next few years. As WikiLeaks&#8217; press release put it: “[o]nce a single cyber &#8216;weapon&#8217; is &#8216;loose&#8217; it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.” In assessing future cyber risks, the insurance industry should therefore treat the CIA’s current capabilities as a forecast of where non-government attackers may be in the coming years, especially now that this information is in the public domain.</p>
<p>For example, the documents show the CIA was not breaking the encryption used by messaging applications on smartphones. Rather, it was compromising the entire device and collecting messages before they were encrypted for transmission. Although WikiLeaks stated that it withheld the weaponized code itself, the documentation describes the techniques in enough detail to lower the bar for attackers less sophisticated than the CIA. It may be worthwhile for the insurance industry to start analyzing how this threat will affect cyber insurance policies in the near future. The industry may also revisit whether stringent requirements that insureds encrypt their information remain useful: encryption still protects data on a lost device or in transit, but it offers no protection once an attacker controls the endpoint, and the resources spent meeting such a requirement may be better applied elsewhere. Outside the security community, the CIA’s approach to sidestepping encryption was not widely appreciated even two weeks ago.</p>
<p>Additionally, WikiLeaks stated that the intent behind the leak was to let the public decide whether the CIA has too much power. According to WikiLeaks&#8217; press release, the source described policy questions that urgently need to be debated in public, including whether the CIA&#8217;s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency, and wished to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.</p>
<p>Consequently, given the stated motivation of the source behind the WikiLeaks release, it may be worthwhile for the insurance industry to consider the place of “hacktivism” in future cyber insurance products and whether insureds that draw negative public attention face an increased cyber threat.</p>
<p><strong>No such thing as “absolute privacy” </strong></p>
<p>Finally, public attitudes toward privacy are an important component in assessing the risks covered by cyber insurance, and events such as the CIA leak help clarify both the covered risks and the public’s expectations of privacy. For better or worse, after seeing their privacy compromised in large-scale data breaches at retailers and government institutions, and after falling prey to ransomware and phishing scams, the public may now view privacy differently than it did just a few years ago. Further demonstrating this point, days after the WikiLeaks release FBI Director James Comey stated, “[t]here is no such thing as absolute privacy in America.” Speaking at a cybersecurity conference, Comey added, “All of us have a reasonable expectation of privacy in our homes, in our cars, and in our devices. But it also means with good reason, in court, government, through law enforcement, can invade our private spaces.”</p>
<p>A few years ago, Comey’s statements would have made waves in the news. Today, the public barely took notice. Therefore, while seeing our privacy compromised may still be unacceptable, the insurance industry can begin to look at the risk associated with a breach of an individual’s privacy somewhat differently than it did just a couple of years ago. Many courts, moreover, are finding that plaintiffs lack standing to sue over compromised personal information unless they can show they suffered actual damages. In a sense, the risk of insuring cyber incidents goes down as the public begins to accept that its privacy may not be protected.</p>
<p>Even though cybersecurity issues facing government agencies and political parties do not directly affect the insurance industry, they should not be overlooked as a valuable resource. The insurance industry should take information from any source available, including WikiLeaks, to evaluate its cyber products.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/">Rowe In Advisen:  The WikiLeak&#8217;s Data Dump Cannot Be Undervalued By The Insurance Industry</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/rowe-in-advisen-the-wikileaks-data-dump-cannot-be-undervalued-by-the-insurance-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Face It, We Are Going To See A Lot Of The Illinois&#8217; Biometric Information Protection Act In Courts</title>
		<link>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts</link>
		<comments>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/#comments</comments>
		<pubDate>Fri, 03 Mar 2017 22:40:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[biometric information protection act]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1131</guid>
		<description><![CDATA[
<p>Over the last few weeks, the Illinois Biometric Information Privacy Act (&#8220;BIPA&#8221;) (740 ILCS 14/1 et seq.) has presented a number of unique questions for courts.  On February 14, 2017, we addressed Vigil v. Take-Two Interactive Software, Inc., where the U.S. District Court... <a class="more-link" href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/">Face It, We Are Going To See A Lot Of The Illinois&#8217; Biometric Information Protection Act In Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last few weeks, the Illinois Biometric Information Privacy Act (&#8220;BIPA&#8221;) (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20" target="_blank">740 ILCS 14/1 et seq</a>.) has presented a number of unique questions for courts. On February 14, 2017, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">we addressed <em>Vigil v. Take-Two Interactive Software, Inc.</em>, where the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game</a>. This week, the U.S. District Court for the Northern District of Illinois, Eastern Division, analyzed BIPA in <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf" target="_blank"><em>Rivera v. Google Inc.</em></a>, No. 16 C 02714 (N.D. Ill. 2017), and found that allegations that Google created and stored face scans derived from photographs taken on Google devices may state a violation of BIPA, at least sufficient to survive a motion to dismiss.</p>
<p><strong>Background on Claims Against Google</strong></p>
<p>In <em>Rivera</em>, the Court found that Plaintiffs&#8217; allegations that Google collected, uploaded and scanned photographs to create &#8220;facial templates&#8221; were sufficient to survive Google&#8217;s motion to dismiss. In particular, Plaintiff Rivera alleged that the scans “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.” Likewise, Plaintiff Weiss alleged that he took approximately twenty-one photos which were uploaded to Google&#8217;s cloud-based servers and scanned “to create a custom face-template based on Weiss’s features.” Plaintiffs allege their face-templates were used “to find and group together other photos of them” and to “recognize their gender, age, race, and location.”</p>
<p><strong>Google’s Motion To Dismiss</strong></p>
<p>Under the section of the <em>Rivera</em> decision entitled “Face Geometry Scans,” Google asserted that Plaintiffs’ class action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected.  The District Court denied Google&#8217;s motion to dismiss based on a finding that Plaintiffs sufficiently alleged that Google&#8217;s actions fell into the definitions found in BIPA and may have been violations of the Act.</p>
<p><strong>Analysis Of “Biometric Identifier” And “Biometric Information”</strong></p>
<p>The District Court first examined the meaning of “biometric identifier” as used in BIPA. The Act defines the term as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The District Court further noted that this list is “a biology-based set of measurements (‘biometric’) that can be used to identify a person (‘identifier’).” BIPA also provides a lengthy list of items that are not biometric identifiers, which includes, among other things, photographs: “Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.”</p>
<p>Based on the definition of &#8220;Biometric Identifier&#8221; and the list of items not included in the definition, the District Court found the allegations in Plaintiffs’ Complaint involving “face templates” qualified as a biometric identifier under BIPA. The District Court rejected Google’s argument that “only face scans that are done in person can qualify…” for protection under BIPA.</p>
<p>The District Court also rejected Google’s assertion that the face templates were not biometric identifiers since photographs were one of the items expressly removed from the definition of biometric identifier under BIPA. The District Court’s decision was based on its finding that the Plaintiffs were not alleging the photographs themselves were biometric identifiers.  The District Court rejected Google’s argument that the separate definitions of “biometric identifier” and “biometric information” somehow “distinguish the ‘source of the content.’”  The District Court&#8217;s decision provides the following excerpt from Google’s brief concerning this argument:</p>
<p><em>What is derived from a person is a ‘biometric identifier,’ and what is subsequently derived from a biometric identifier is ‘biometric information.’ The statute’s structure thus confirms that a ‘scan of…face geometry’ must be derived from the person herself. Plaintiffs’ reading of the statute would collapse this careful structure, rendering the distinction between ‘biometric identifier’ and ‘biometric information’ meaningless.</em></p>
<p>The District Court summarized Google&#8217;s position as: “…Google is arguing that if biometric information cannot be ‘based on’ something from the biometric-identifier paragraph’s ‘do not include’ list (for example, ‘photographs’), then an identifier may also not be ‘based on’ something from that same list.” And, the District Court rejects this argument by making the following distinction between these terms:</p>
<p><em>…the things on the list of biometric identifiers are just that—specific, biology-based measurements used to identify a person, without reference to how the measurements were taken. And,…the ‘biometric information’ goes on to ensure that private entities cannot do an end-around the Privacy Act by converting biometric identifiers into some other format.</em></p>
<p>In the alternative, Google argued that BIPA does not apply even if it collected and used the photographs since Google did not act in Illinois. We will address the District Court&#8217;s analysis of this issue in our next post.</p>
<p>It is important to note that, in denying Google’s motion to dismiss, the District Court left open the question whether Google’s arguments would hold up “once further factual development has occurred in discovery.” In finding that additional discovery is needed on this issue, the Court held only that Plaintiffs adequately stated a claim under BIPA to survive the motion to dismiss, adding that &#8220;[i]t is conceivable that discovery will reveal that what Google is actually doing does not fit within the definition of biometric identifier as interpreted by the Court.&#8221; This case, and the many cases currently in the courts involving these issues, will provide a unique opportunity to watch the development of privacy legislation and to see whether current laws keep up with the development of technology.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/">Face It, We Are Going To See A Lot Of The Illinois&#8217; Biometric Information Protection Act In Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
