<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Internet of Things</title>
	<atom:link href="https://privacyriskreport.com/tag/internet-of-things/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>The Internet Of Things Gets More Dangerous And More Regulated In 2020</title>
		<link>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020</link>
		<comments>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/#comments</comments>
		<pubDate>Mon, 13 Jan 2020 17:08:00 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[California’s Security of Connected Devices]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2005</guid>
		<description><![CDATA[
<p>Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy... <a class="more-link" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">The Internet Of Things Gets More Dangerous And More Regulated In 2020</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/" target="_blank">Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act</a> (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy law. More specifically, in the chaos caused by CCPA compliance, several privacy experts have overlooked California&#8217;s steps to regulate the Internet of Things (&#8220;IoT&#8221;).</p>
<p><strong>THE INTERNET OF THINGS GETS MORE DANGEROUS </strong></p>
<p>While we were all focused on the impending CCPA deadline, we can be forgiven for missing a recent incident where a Ring security camera was hacked to harass a child in her bedroom. <a href="https://www.washingtonpost.com/nation/2019/12/12/she-installed-ring-camera-her-childrens-room-peace-mind-hacker-accessed-it-harassed-her-year-old-daughter/?arc404=true" target="_blank">On December 12, 2019, the Washington Post reported</a> on 8-year-old Alyssa LeMay, who went to her bedroom when she heard music. Once inside her bedroom, the music stopped and a man’s voice said: “Hello there.” The hacked Ring camera allowed the stranger to view Alyssa’s room and speak directly to her. The man also told Alyssa that he was Santa Claus. The remarkable exchange between Alyssa and the stranger allowed the man to use a racial slur with the child and prompt her to misbehave. The video on the Washington Post website has to be watched to be believed and to fully understand the significant danger created by the “Internet of Things” devices. Further, while this incident did not cause long-term damage, it is easy to see the dangers created by these devices in our homes.</p>
<p>This incident with the Ring camera <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">makes parents long for simpler times, such as in December of 2015</a>, when they only needed to worry about pictures and data saved on children’s toys that were breached by a toymaker.</p>
<p><strong>LEGISLATION ADDRESSES THE DANGERS RELATED TO THE INTERNET OF THINGS </strong></p>
<p>While the CCPA deadline was important, <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327" target="_blank">California lawmakers imposed another deadline on January 1, 2020, that requires a manufacturer of a connected device</a>, such as the Ring camera, to take steps that would make IoT devices collect and safely store data. Specifically, the “Security of Connected Devices” law may provide a model for other state and federal laws as IoT devices become more ingrained in our lives. And, while the law may contain several significant holes and only applies to manufacturers, it provides a decent first step in regulating this new technology with the following:</p>
<ul>
<li>First, the new law states that “Manufacturer” “<em>means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device</em>.” This definition will have an immediate impact to the extent this will create more security outside of California as manufacturers bring all devices in compliance with California’s laws rather than lose access to the California market. Therefore, while this law is limited to California, we can expect all IoT devices in all states will get more secure.</li>
</ul>
<ul>
<li>Next, the law requires “<em>[a] manufacturer of a connected device…equip the device with a reasonable security feature or features that are all of the following: (1) Appropriate to the nature and function of the device. (2) Appropriate to the information it may collect, contain, or transmit. (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure</em>.”  Once again, because the California market is so large, we can expect to see all IoT devices integrate “reasonable security features” regardless of whether the device will be sold in California.</li>
</ul>
<ul>
<li>Further, many of the other definitions found in this law are broad and will most likely result in manufacturers increasing security features. For example, the term “connected device” is used in the law to mean “any device, or other physical objects that are capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Therefore, while it is clear that a Ring camera would fall under this law, we may see manufacturers of printers make sure they are in compliance.</li>
</ul>
<ul>
<li>Finally, while the law is broad, it does not create a private cause of action. The California Attorney General will need to enforce this law. Additionally, it is clear that this law is limited to manufacturers and does not apply to individuals that install and use IoT devices.</li>
</ul>
<p><strong>THE INTERNET OF THINGS IS WITH US FOR GOOD</strong></p>
<p>At present, the dangers presented by interconnected devices must be addressed by manufacturers of the products and law enforcement such as the California Attorney General.  California’s Security of Connected Devices law does not create a private cause of action. That being said, this technology, and the laws that control the use of this technology, are quickly evolving.  In a matter of a few years, we have gone from speculating how these devices could cause harm to seeing children harassed in their own bedrooms. <a href="https://www.economist.com/leaders/2019/09/12/how-the-world-will-change-as-computers-spread-into-everyday-objects" target="_blank">The <em>Economist</em> recently reported</a>: “One forecast is that by 2035 the world will have a trillion connected computers, built into everything from food packaging to bridges and clothes.” (<a href="https://blogs.wsj.com/cio/2020/01/10/the-internet-of-things-is-changing-the-world/" target="_blank">The January 10, 2020 edition of the Wall Street Journal also addresses these issues in great detail</a>.) Based on this significant increase in interconnected devices in both residential and industrial settings, the <em>Economist</em> article concludes: “As a result, a series of unresolved arguments about ownership, data, surveillance, competition and security will spill over from the virtual world into the real one.”  Therefore, as these dangers become clear and we see the potential for property damage or bodily injury, we can expect to see state and federal governments step up the regulation of the Internet of Things.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">The Internet Of Things Gets More Dangerous And More Regulated In 2020</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage.  Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information being compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence.  Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for Puerto Rico examined the term “cyber” while determining the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was stored on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather,  Plaintiff claims it was damaged because the emails contained confidential and proprietary information which violated state and federal law.  Plaintiffs further claim they spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment thus prompting the District Court to decide if Plaintiff had a viable cause of action under federal or state laws.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims”</em> the District Court first considered “some introductory notes on malicious cyber acts” that include:</p>
<p><em>Cyber </em><em>technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category:”</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And, the District Court provided the following concerning the “second category:”</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating the framework for its decision, the <em>American Health</em> Court found Plaintiff’s allegations that Defendant engaged in the illegal misappropriation of confidential information was conduct falling within the second category of malicious cyber acts (acts in which a computer is essential for the alleged criminal action).  Using this methodology, the District Court found Plaintiff had no recourse under its alleged federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Electronic Communications Act (SECA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”)  Consequently, the District Court found any relief due to the Plaintiff would be limited to traditional state laws.</p>
<p>While the District Court held Plaintiff may arguably be entitled to relief under state law, the Court did not have to analyze the state claims when the federal claims were dismissed.  Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of duty of loyalty, breach of implied contractual and legal duty, and conversion under Puerto Rico’s Civil Code) when the federal claims were dismissed.  Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The<em> American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer.  Here, the Defendant’s use of a computer was incidental to his alleged wrongful conduct.  That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the information with the hardcopies of the documents rather than transferring the information to his personal account through his computer.  Further, the District Court may have arrived at a different decision if Defendant actually destroyed the information stored on Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the evolution of the term “cyber” be limited to incidents where “a computer is the target of the malicious activity.”  These activities, which may include hacking as an example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.”  If the District Court’s analysis gains traction we may see legislation that would directly address this new breed of malicious activity rather than seeing various privacy claims being crammed into traditional laws.  Further, we may also see the evolution of cyber policies to be geared to providing coverage for this first category while possibly not providing coverage for the other two categories found in the <em>American Health</em> Court’s distinction of the use of the term “cyber.&#8221;</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</title>
		<link>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues</link>
		<comments>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/#comments</comments>
		<pubDate>Tue, 10 Oct 2017 17:30:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1339</guid>
		<description><![CDATA[
<p>Last week, toymaker Mattel announced that it was not moving forward with its Aristotle product, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby... <a class="more-link" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/">Even Though Court Finds No Liability For Monitoring Customers, New Products Show Technology Presents Many Thorny Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/10/04/mattel-has-an-ai-device-to-soothe-babies-experts-are-begging-them-not-to-sell-it/?utm_term=.033452813a22" target="_blank">toymaker Mattel announced that it was not moving forward with its Aristotle product</a>, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby [and] was also designed to keep changing its activities, even to the point where it could help a preteen with homework.”  This is not the first time that Mattel has struggled with the integration of technology into its products.  Mattel&#8217;s product development was scrutinized a couple of years ago when it announced its “<a href="https://privacyriskreport.com/barbie-cant-keep-a-secret-toys-cause-privacy-concerns/" target="_blank">Hello Barbie,” which contained an embedded microphone in the doll’s belt</a>, to record a child’s response to the doll’s questions. The child’s responses were then sent back to Mattel through the doll’s WiFi capabilities.  Mattel released the doll and had to immediately go on the defense of integrating this technology into its toys.</p>
<p>Mattel’s decision to not move forward with the Aristotle shows how much the climate for products that provide pathways into our homes and personal lives has changed in the last few years. That is, recent litigation and legislation have made it clear to many companies that the risk of holding customers’ personal data may not be worth the damage done if they fail to protect that data.</p>
<p>A court’s decision from last week provides further evidence of how rapidly the climate is changing for the commercial storage of personal data.  Rent-to-own stores, and the relationship they share with their customers, have been the subject of a substantial amount of privacy litigation.  For example, <a href="https://privacyriskreport.com/decision-in-rent-to-own-spying-case-provides-another-nail-in-the-coffin-for-coverage-of-privacy-concerns-related-to-new-technology-under-traditional-insurance/" target="_blank">on October 28, 2015, we addressed an insurance coverage case involving a rental store’s tender of its defense of two lawsuits under three primary insurance policies and three umbrella policies. </a>The underlying complaints in those cases involved allegations that Aspen Way installed software on its computers that it rented out to monitor their use.  Specifically, it was alleged that Aspen Way used this software, which could secretly monitor users by taking pictures and monitoring keystrokes, to help it repossess computers when its customers defaulted on their lease agreements.</p>
<p>On October 3, 2017, the District Court for the Northern District of Georgia revisited the thorny privacy issues presented when rent-to-own stores install this monitoring software.  In <em>Peterson v. Aaron’s</em>, 2017 WL 4390260 (N.D. Ga. Oct. 3, 2017), the plaintiffs obtained computers for their law firm that they allege had software allowing Aaron’s to obtain their private information without their consent.  The Complaint filed in this litigation contained allegations that Aaron’s worked with a third-party developer that allowed Aaron’s “to locate and shut down a computer in the event of theft or missed payment.”  The Plaintiffs claim they were unaware this software was installed on their computers.</p>
<p>Aaron’s filed a motion for summary judgment which was granted based on the following reasoning:</p>
<ul>
<li><em>Standing: As seen in a number of privacy cases, the first and most burdensome hurdle for plaintiffs is whether they have standing to bring suit under Spokeo v. Robins, 136 S. Ct. 1540, 1543 (2016). Here, the District Court, as seen with a number of other decisions in data breach and related cases, found a plaintiff must show (1) that they have suffered an “injury-in-fact;” (2) that there is a causal connection between the injury and the defendants’ alleged actions; and (3) that the injury will be redressed by a favorable decision. </em></li>
</ul>
<p>In applying the <em>Spokeo</em> standard, the District Court first found one of the plaintiffs did not meet this standard when he was not on the lease for the laptop and, therefore, was found not to have a “legally protected interest.” The District Court found the plaintiff that leased the computer suffered harm when the computers were put into “Detective Mode” which logged screenshots and keystrokes. Consequently, at least one of the plaintiffs was able to establish standing and survive Aaron’s motion on this point.</p>
<ul>
<li><em>Intrusion Upon Seclusion Claim: While applying Oklahoma law (where the plaintiff was located when he was allegedly injured) the plaintiff was required to prove that there was “(1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.” </em></li>
</ul>
<p>Aaron’s argued it was entitled to judgment because there was no intrusion on the plaintiff’s property: in its view, the plaintiff did not have a reasonable expectation of privacy in his computer, since the computer was leased for a business and was not intended for personal uses. The District Court rejected Aaron’s position that there are no property rights for lessees because “[a] lessee in possession of property expects reasonably similar levels of privacy as an owner.” The District Court also found the fact that the computer was used by employees for business purposes (“employees have less privacy expectations”) to be irrelevant since the plaintiff himself used the computer in addition to other employees. Lastly, the District Court rejected Aaron’s argument that the plaintiff waived his expectation of privacy since he was in default on his lease of the computer.</p>
<p>The District Court also found sufficient evidence that a reasonable person would find the monitoring of the laptop to be offensive.</p>
<ul>
<li><em>Aiding and Abetting: Even where the plaintiff may be able to meet the elements of an intrusion upon seclusion claim, the plaintiff must also show Aaron’s had the requisite knowledge about this conduct. </em></li>
</ul>
<p>Here, Aaron’s franchises made the decision to monitor the laptops. Therefore, to hold Aaron’s liable, the plaintiff must show Aaron’s had knowledge of the alleged wrongful conduct. The District Court found the plaintiff failed to show Aaron’s had the requisite knowledge that its franchisees monitored the plaintiff’s laptop. On this point, the District Court granted Aaron’s motion for summary judgment.</p>
<p>It is important to note that Aaron&#8217;s only escaped liability because it did not monitor the customers. The franchisees may still be found liable for monitoring customers. Even though Aaron&#8217;s was entitled to judgment in this case when it was found Aaron&#8217;s did not have the requisite amount of knowledge that its customers were being monitored, the growing body of privacy law appears to be having a direct impact on product development for many American companies. For example, in speaking about the decision concerning Mattel&#8217;s Aristotle this week, Mattel publicly stated that the decision was made by the company&#8217;s new chief technology officer, who “conducted an extensive review of the Aristotle product and decided that it did not fully align with Mattel’s new technology strategy.” Now more than ever, companies are having to determine if developing products using this technology is worth the number of safeguards that must be in place once these products have gathered customers&#8217; personal data.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/even-though-court-finds-no-liability-for-monitoring-customers-new-products-show-technology-presents-many-thorny-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public. However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data. It is not difficult to see how these various requirements may become competing interests that cause confusion. Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), when the New Hampshire Supreme Court found providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.” The School District voted to seal the minutes while in the nonpublic session. The following month, the plaintiff, David Taylor, requested the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed. In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure, which allowed records to be provided only to a member of the public who brings a sealed thumb drive (or purchases a thumb drive directly from the School District) for the records to be downloaded.</p>
<p>By August of 2016, Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire law and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email. Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.&#8221; Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information. The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns. While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017</title>
		<link>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017</link>
		<comments>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/#comments</comments>
		<pubDate>Tue, 18 Jul 2017 14:47:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1256</guid>
		<description><![CDATA[
<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015.  VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the... <a class="more-link" href="https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported that it suffered a data breach on November 14, 2015. VTech&#8217;s “smart toys” breached the personal information of at least 6.4 million children in addition to the records of 4.9 million adult customers. VTech further reported that this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website. (In 2015, the Privacy Risk Report addressed the facts related to <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">VTech’s breach on December 2, 2015</a> at great length.)</p>
<p>Now that we are a few years down the road since the breach, we have seen VTech&#8217;s customers file lawsuits and we have been able to get a better picture of how the breach may have impacted VTech&#8217;s business.  Therefore, even though we have no information concerning VTech&#8217;s insurance program, we still have sufficient information about VTech&#8217;s breach to analyze the value of third party liability and first party coverage in data breaches.</p>
<ul>
<li><strong>VTech’s Good News: No Liability For The Breach (So Far)</strong></li>
</ul>
<p>On July 5, 2017, the District Court for the Northern District of Illinois granted VTech’s motion to dismiss related to its data breach. As seen in numerous other data breach cases, the plaintiffs in this litigation could not establish that they had standing to bring a lawsuit against VTech. That is, the District Court found that the plaintiffs “fail to make the connection between the data breach they allege and the identity theft they fear.” On this point alone the District Court held the plaintiffs did not have standing to proceed against VTech.</p>
<p>The plaintiffs also argued that VTech breached its contractual obligations when there was a “temporary (and in some cases ongoing or permanent) suspension of the apps that were used on VTech’s products.&#8221; Of course, there was no contract to use the apps.  Rather than pointing to any contractual provision, the plaintiffs argued that pictures and descriptions of the apps on the product’s packaging obligated VTech to continually provide access to the apps. The plaintiffs alleged that “the toys were priced at a premium in part due to their ability to access” the apps. On the other hand, VTech argued that &#8220;each plaintiff’s initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services…” That is, VTech argued it could not breach its obligations to provide the apps when the apps were separately “offered to plaintiffs after they purchased the toys.”  The District Court was not persuaded by plaintiffs&#8217; argument when they could have easily used the toys without downloading the apps or uploading their personal information.  And, the District Court agreed with VTech when it found “there is a difference between selling a product that combines a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” Ultimately, the District Court held “[t]he complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech’s furnishing of online services&#8221; and, therefore, VTech did not breach any contractual obligations if the plaintiffs did not enter into an online services contract at the time of purchase.</p>
<p>Even though the plaintiffs <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">failed to show they had damages and could survive a motion to dismiss</a>, the value of third party cyber liability coverage is clear. The costs related to briefing the complex issues on a motion to dismiss related to whether the plaintiffs have standing can be too much for many companies. Further, if the plaintiffs survive a motion to dismiss, <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">which is happening on a more routine basis</a>, a company will need to endure possibly years of litigation leading to a settlement or adverse judgment. Therefore, the VTech case (even though the plaintiffs&#8217; case was dismissed) still underscores the need for third party liability insurance found in cyber policies. This coverage is an essential tool when defending against any liability claims related to a data breach.</p>
<ul>
<li><strong>VTech’s Bad News: Potential First Party Losses</strong></li>
</ul>
<p>Even though VTech’s motion to dismiss was successful, a new study shows this breach may still have had a detrimental impact on VTech. A <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/" target="_blank">recent analysis by Comparitech, specialists in security and privacy, shows how a data breach can impact a company’s stock price.</a>  Comparitech’s analysis examined data breaches involving anywhere from one million to 100 million records and included the breach at VTech along with Apple, Adobe, Anthem, Community Health Systems, Dun &amp; Bradstreet, eBay, Experian, Global Payments, Home Depot, Health Net, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Vodafone, Yahoo.  In particular, Comparitech examined the closing share prices of these 24 companies from the day prior to the disclosure of a data breach and determined the following:</p>
<table>
<tbody>
<tr>
<td width="638">“Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility.”</td>
</tr>
<tr>
<td width="638">“Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent.”</td>
</tr>
<tr>
<td width="638">“More recent breaches had less of a negative impact on share price than older ones.”</td>
</tr>
<tr>
<td width="638">“Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term.”</td>
</tr>
</tbody>
</table>
<p>Admittedly, while Comparitech&#8217;s in-depth study of these large scale breaches easily demonstrates the importance of the first party coverage found in cyber policies for business loss at  large companies, it is not able to address the consequences of a data breach at smaller corporations. However, we have already seen proof that smaller companies suffer equally dire consequences when in <a href="https://privacyriskreport.com/anatomy-of-a-cyber-fraud-incident-recent-fraud-impacts-companys-bottom-line-within-a-few-weeks/" target="_blank">January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million</a>.   And, while a company may not be able to obtain insurance to cover losses in stock value, having a sophisticated cyber insurance portfolio may  provide confidence for investors and customers which, in turn, may limit a drop in stock value in the case of a breach.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/2015-data-breach-at-toy-manufacturer-vtech-continues-to-provide-insight-in-2017/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</title>
		<link>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated</link>
		<comments>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/#comments</comments>
		<pubDate>Fri, 07 Jul 2017 16:36:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronics communicatons act]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1249</guid>
		<description><![CDATA[
<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when... <a class="more-link" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Many litigants are struggling with how to fit the &#8220;square peg&#8221; of cyber security claims into the &#8220;round hole&#8221; of law that may have been around for a number of decades.  One recent example was seen on June 27, 2017, when the United States District Court for the Central District of California dismissed a case entitled <em>Casillas v. Berkshire Hathaway Homestate Companies, et al</em>., 15-04763, 2017 WL 2813145 (June 27, 2017). In <em>Casillas</em>, the plaintiffs alleged two insurance investigators hacked an online database created by HQSU Sign Up Services, Inc. (&#8220;HQSU&#8221;) which stored workers&#8217; compensation litigation files.  In serving as an “administrative services” contractor to various workers’ compensation attorneys, HQSU stored everything from “personal data” (including the client’s full name, Social Security Number, birth date, home address, legal status, driver’s license information, and salary information) to the attorneys’ communications with their clients and personal notes about the various cases. In particular, the plaintiffs allege that over the course of two years, the investigators accessed and downloaded over 30,000 workers’ compensation files.  The complaint further alleges the hackers took this information to provide the insurance companies with “a counsel’s advantage” in pending litigation and to “intimidate and force concessions” from various plaintiffs.</p>
<p>The <em>Casillas</em> Court closely analyzed what is necessary to bring a viable cause of action under <a href="https://www.law.cornell.edu/uscode/text/18/2701">18 U.S.C. § 2701(a)(1),</a> the Stored Communications Act. This Act was designed decades ago to “protect against the unauthorized interception” of “stored wire and electronic communications and transactional records.” The Act creates a private right of action against anyone who:</p>
<p>(1)       “intentionally accesses without authorization”</p>
<p>(2)       a “facility through which an <em>electronic communication service</em> is provided” and</p>
<p>(3)       “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage.”</p>
<p>However, before finding the plaintiffs’ complaint should be dismissed, the Court analyzed what it refers to as the “technical distinction between ‘electronic communication services’ and ‘remote computing services.’” Specifically, in addressing this distinction, the Court held that “&#8230;though they aren’t mutually exclusive categories, the Act establishes ‘different standards of care for different types of communication.’” The Court provides the following distinction between these two phrases:</p>
<ul>
<li><strong>Electronic Communications Service</strong>: “Congress defined an ‘electronic communication service’ as ‘any service which provides to users thereof the ability to send or receive wire or electronic communications.’ Think email: ‘[C]ommunication by which private correspondence is &#8230; typed into a computer terminal, and then transmitted over telephone lines to a recipient computer operated by an electronic mail company.’”</li>
<li><strong>Remote Computing Service</strong>: “A ‘remote computing service,’ by contrast, is one that ‘provi[des] to the public [a] computer storage or processing service[ ] by means of an electronic communications system.’ Think off-site storage: ‘In the age of rapid computerization, &#8230; remote computer service companies have developed to provide sophisticated and convenient computing services to subscribers and customers from remote facilities.’”</li>
</ul>
<p>Indeed, the importance of this distinction is seen firsthand, as the portion of the Act under which the plaintiffs sought relief, 18 U.S.C. § 2701(a)(1), “applies only to the provision of electronic communication services, and therefore excludes the provision of remote computing services from its strictures.” The <em>Casillas</em> court found plaintiffs’ complaint was limited to allegations that their attorneys “used HQSU’s administrative services in a limited fashion—by ‘uploading and downloading documents’ to the online database and appending case-related ‘notes’ to those documents.” These allegations, the court opined, describe a “remote computing service,” which does <em>not</em> give rise to a private cause of action under the Act. In conclusion, the court found “it’s plain that the plaintiffs have mixed up their claims under the Stored Communications Act.”</p>
<p>Litigants bringing claims related to cyber security, data breaches and privacy not only have to overcome <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">significant hurdles to establish standing</a>, but often have to work with law that was developed before the technology that forms the basis for their claims. Admittedly, it may be difficult to seek relief for damage caused by modern technology under laws that precede this technology by decades. Even though the <em>Casillas</em> court acknowledges the distinction between &#8220;electronic communication services&#8221; and &#8220;remote computing services&#8221; may be &#8220;a bit dated,&#8221; the parties still must meet the requirements for a viable action under the Act. This case demonstrates the complexity of cyber security and privacy claims and the need to retain counsel that has experience in this developing, highly-specialized area.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/">Square Pegs:  Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is &#8220;A Bit Dated&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Emerging Privacy Issues In Discovery Of Social Media</title>
		<link>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=emerging-privacy-issues-in-discovery-of-social-media</link>
		<comments>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/#comments</comments>
		<pubDate>Wed, 01 Mar 2017 22:33:25 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[medical information]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1123</guid>
		<description><![CDATA[
<p>By Danita L. Davis Sudac Individuals’ willingness to share detailed accounts of their lives on social media sites, such as Facebook, has created an unparalleled source of evidence for lawyers seeking discovery.   There is little question that social media evidence... <a class="more-link" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Emerging Privacy Issues In Discovery Of Social Media</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>By Danita L. Davis Sudac</em></p>
<p>Individuals’ willingness to share detailed accounts of their lives on social media sites, such as Facebook, has created an unparalleled source of evidence for lawyers seeking discovery. There is little question that social media evidence can be helpful in the areas of civil litigation. For example, it can be used to discredit a litigant or contradict allegations of damages. Recently, in the high profile matter of <i>Brown v. City of Ferguson</i>, 15-cv-831, (E.D. Mo., E Div. Jan. 27, 2017), U.S. District Judge E. Richard Webber ordered that the family of Michael J. Brown, Jr., the unarmed black teenager killed in 2014 by police in Ferguson, must disclose all relevant Facebook posts in their wrongful death action against the city. The court disagreed with Brown’s family members’ claims that they had a right to privacy for notes sent through Facebook Messenger. The court likened Messenger to a “personal diary” which the court found must be disclosed if it has entries relevant to a case. The court reasoned that the social media posts would show the family members’ relationships with Brown, which will help calculate pain, suffering and psychological damages, as well as provide evidence that could be used by the City and other Defendants to impeach or show bias. In addressing concerns as to overbreadth and relevance, the court noted that the disclosure was limited in time and the entry of a protective order would safeguard any remaining privacy concerns.</p>
<p>In cases where the production of social media information is challenged, most courts note that discovery of such information is governed by the same legal principles that guide more traditional forms of discovery. As one New York Superior Court opinion recognized, “fishing expeditions” of social media accounts are just as objectionable as their “analog antecedents.” <i>Winchell v. Lopiccolo,</i> 954 N.Y.S.2d 421 (2012). Relevance is still a prerequisite before broad social media discovery is allowed. Once relevance is established, however, the traditional rules of civil procedure generally apply.</p>
<p>Despite the fact that social media users may try to self-regulate their privacy settings to restrict public disclosure, in the litigation context, these posts may be deemed relevant and discoverable regardless of the users’ privacy intentions. Further, when seeking social media discovery, attorneys should also think twice about “friending” a represented adverse party. Such activity likely violates the Rules of Professional Conduct, which address communications with represented parties. As it pertains to their own clients, attorneys must also be aware of issues related to the preservation of social media evidence. Once involved in a lawsuit, a litigant cannot delete relevant social media evidence at issue in the litigation.</p>
<p>In sum, as social media continues to be a popular and accessible mode of communication, discovery of social media information will become more prominent. Attorneys and their insurer clients should familiarize themselves with rules and recent decisions regarding the production of social media information, as issues surrounding such discovery will likely be the subject of objection and motion practice.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/">Emerging Privacy Issues In Discovery Of Social Media</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/emerging-privacy-issues-in-discovery-of-social-media/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Finds Whistleblower Protection Act Offers No Protection for Auditor That Reports Data Security Issues</title>
		<link>https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues</link>
		<comments>https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/#comments</comments>
		<pubDate>Thu, 26 Jan 2017 22:52:03 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1080</guid>
		<description><![CDATA[
<p>On January 19, 2017, in Pratt v. M &#38; T Bank Corp., the U.S. District Court for Delaware found an information technology auditor at M &#38; T Bank could not support his Delaware Whistleblower Protection Act (the Act) claim with... <a class="more-link" href="https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/">Court Finds Whistleblower Protection Act Offers No Protection for Auditor That Reports Data Security Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On January 19, 2017, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/01/Pratt_v_M_And_T_Bank_Corp.pdf" target="_blank"><em>Pratt v. M &amp; T Bank Corp</em>.</a>, the U.S. District Court for Delaware found an information technology auditor at M &amp; T Bank could not support his Delaware Whistleblower Protection Act (the Act) claim with allegations that he was fired for reporting violations of data privacy laws. In granting M &amp; T Bank’s motion for summary judgment on this issue, the court stated, “[t]his is a case of an auditor that did his job too well, or not well enough…that is for the jury to sort out.”</p>
<p>In his complaint, the plaintiff, Charles Pratt, Jr., alleges that he worked for M &amp; T Bank for 17 months before he was fired from his job in the audit department of the bank’s information technology security team. During his employment, Pratt claims “that his reports of data security violation, requests for further testing, and objections to misleading reports were why [M &amp; T Bank] wrote him up and ultimately fired him.” In short, Pratt claims M &amp; T Bank violated data privacy laws including the Gramm Leach Bliley Act and HIPAA. M &amp; T Bank argued that violations of these laws are not covered under the Act.</p>
<p>Pratt’s first cause of action was based on an alleged violation of the Act. The Act protects employees fired for reporting violations of certain state and federal laws. In particular, a violation under the Act for fraud is defined as:</p>
<p style="padding-left: 30px;"><em>“an act or omission…that is [materially inconsistent with, and a serious deviation from, <strong>financial management or accounting standards</strong> implemented pursuant to a rule or regulation promulgated by the employer or a law, rule, or regulation promulgated under the laws of this State, or the United States, to protect any person from fraud, deceit, or misappropriation of public or private funds or assets under the control of the employer.”</em></p>
<p>The court found Pratt’s first cause of action failed because he did not claim M &amp; T Bank violated any financial management or accounting standards as required under the Act. Further, the court found “[t]he legislative history of the Act reinforces the intuition that the statute refers to how a business manages and accounts for its finances.” The court further noted that “the fraud provision of the Act was added in 2004, in the wake of the Enron scandal.” Based on the legislative history, the court held “the Act’s text that the Act reaches only standards related to finances, not data privacy” and granted M &amp; T Bank’s summary judgment on the Act claim.</p>
<p>This case demonstrates how the development of cyber security is impacting the laws currently on the books and the need to at least revisit these laws. In <em>Pratt</em>, the court discusses how the fraud provision in the Act “was added in 2004, in the wake of the Enron scandal” and “at its core, the Enron scandal involved the fraudulent accounting and reporting of Enron’s earnings and debts.” Data security was not a pressing concern for many corporations in 2004. Further, corporate officers were not facing potentially <a href="https://privacyriskreport.com/fallout-from-home-depot-breach-continues-to-cause-concern-for-corporate-officers/">dire consequences for not having proper security measures in place</a> or ignoring employees’ calls for proper security measures to be taken. Consequently, the argument made by the plaintiff in <em>Pratt</em>, that he was fired for reporting data security issues, may become an issue for legislatures to consider when reviewing the current protections offered by Whistleblower Protection Acts.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/">Court Finds Whistleblower Protection Act Offers No Protection for Auditor That Reports Data Security Issues</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-finds-whistleblower-protection-act-offers-no-protection-for-auditor-that-reports-data-security-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Case Sheds Light on What Courts May Find Makes Security Measures Reasonable</title>
		<link>https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable</link>
		<comments>https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/#comments</comments>
		<pubDate>Thu, 19 Jan 2017 16:41:34 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security measures]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[reasonable security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1071</guid>
		<description><![CDATA[
<p>A number of states have recently imposed duties for data collectors to safely store information. For example, Illinois data collectors are now required to “implement and maintain reasonable security measures” to protect data (815 ILCS 530/45). Unfortunately, data collectors have not received guidance... <a class="more-link" href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/">Recent Case Sheds Light on What Courts May Find Makes Security Measures Reasonable</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A number of states have recently imposed duties for data collectors to safely store information. For example, Illinois data collectors are now required to “implement and maintain reasonable security measures” to protect data (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">815 ILCS 530/45</a>). Unfortunately, data collectors have not received guidance on what constitutes “reasonable security measures.” In the absence of this guidance from the legislature, a number of courts are beginning to analyze what measures are reasonable for data storage.</p>
<p>For example, in <a href="http://law.justia.com/cases/pennsylvania/superior-court/2017/971-wda-2015.html" target="_blank"><em>Dittman v. The University of Pittsburgh Medical Center</em> (UPMC)</a>, the Superior Court of Pennsylvania affirmed the trial court’s dismissal of the plaintiffs’ negligence and breach of implied contract claims. The plaintiffs filed suit alleging that UPMC suffered a data breach involving the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 current and former employees. An estimated 780 employees&#8217; stolen information was used to file fraudulent tax returns. As of the date of the opinion, the source of the data breach was unknown.</p>
<p>The plaintiffs claim UPMC had a legal duty to protect their personal and financial information. Specifically, plaintiffs allege UPMC, “failed to encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network.”</p>
<p><strong>UPMC Had No Legal Duty Related to Employee Information </strong></p>
<p>The appellate court first reviewed the question of whether an employer has “a legal duty to act reasonably in managing its computer systems &#8230; collected from its employees, when the employer elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of reasonable safeguards.” The appellate court analyzed this question under the following five factors concerning legal duty:</p>
<ul>
<li><strong>Relationship Between Parties Gives Rise to a Duty</strong>: Under this first factor, the appellate court held that, as an employer, UPMC had the requisite relationship to impose a duty to protect employee information.</li>
<li><strong>Social Utility of the Conduct Weighed Against the Nature of the Risk Imposed, and Foreseeability of the Harm Does Not Require Imposing a Duty:</strong> Under the second and third factors, the appellate court found that employers “have an obvious need to collect and store personal information about their employees,” and electronic storage is the most efficient method. The appellate court recognized that the risks of a data breach increase as the usage of electronic storage increases. Nonetheless, the appellate court ultimately concluded that, “[w]hile a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information.” Under this analysis, the appellate court found no duty should be imposed on UPMC.</li>
<li><strong>Consequences of Imposing a Duty Do Not Require Imposing a Duty</strong>: In finding no need to impose a duty to employees, the appellate court found no need for a “judicially created duty of care…to incentivize companies to protect confidential information.” Further, the appellate court acknowledged the fact that there is “no true way to prevent data breaches altogether.”</li>
<li><strong>Public Interest Did Not Require Imposing a Duty</strong>: The appellate court found the fifth factor, public interest, did not require the imposition of a duty on UPMC. Specifically, public interest does not require the imposition of a duty because the Pennsylvania legislature had already imposed a duty to notify those individuals impacted by a breach. “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”</li>
</ul>
<p>Concurring Statements were also filed with this decision that, while agreeing with the Majority’s decision, warn that “in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution.” Specifically, the Concurrences noted that the employees claim “that UPMC had failed to use reasonable care in the storage of their personal information by, <em>inter alia</em>, properly encrypting the data, establishing adequate firewalls, and implementing an appropriate authentication protocol.”</p>
<p>The Concurring Opinion in the <em>Dittman</em> decision sheds light on what courts may find constitutes “reasonable care” in data storage. Gaining an understanding of these standards has become even more important recently, as many legislatures around the country have started to place requirements on data storage. For example, Illinois’ legislature now requires that “data collectors implement and maintain reasonable security measures to protect…records from unauthorized access….”</p>
<p>Consequently, while there are many questions concerning what “reasonable security measures” entail, the reasoning in the <em>Dittman</em> decision may provide guidance. While not controlling in any manner, in the absence of an interpretation of “reasonable security measures,” a “data collector” may want to consider the advice in the <em>Dittman</em> Concurrence and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/">Recent Case Sheds Light on What Courts May Find Makes Security Measures Reasonable</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Industrial Internet of Things:  The Good, The Bad And The Ugly</title>
		<link>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industrial-internet-of-things-the-good-the-bad-and-the-ugly</link>
		<comments>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/#comments</comments>
		<pubDate>Tue, 08 Nov 2016 16:33:01 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[iiot]]></category>
		<category><![CDATA[industrial internet of things]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=997</guid>
		<description><![CDATA[
<p>This article originally appeared on November 3, 2016 in the Horton Group&#8217;s newsletter. The term &#8220;Internet of Things&#8221; (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In... <a class="more-link" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Industrial Internet of Things:  The Good, The Bad And The Ugly</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>This article originally appeared on November 3, 2016 in the <a href="http://www.thehortongroup.com/resources/industrial-internet-of-things-the-good-the-bad-and-the-ugly" target="_blank">Horton Group&#8217;s newsletter</a></em>.</p>
<p>The term &#8220;Internet of Things&#8221; (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In the last few years we have started to see these devices become part of our homes and personal lives. And, unfortunately, we have seen hackers gain more access to our homes and personal lives through these interconnected devices.</p>
<p>While the IoT is not a new concept for many insurance or technology professionals, manufacturers and smaller businesses have recently seen how interconnected devices, such as video cameras or computers, can give their businesses an edge over the competition. These devices are improving productivity by allowing remote access, by automatically checking in with the manufacturer for software updates and by allowing data storage. And, as seen in our homes and personal lives, these devices are unfortunately allowing hackers more access to our workplaces and giving hackers more unguarded devices that can be used in their attacks on society. While the full extent of the access hackers will have is still unknown, a glimpse at these issues makes clear that the best strategy includes integrating cyber insurance with a business’s other safeguards.</p>
<p><strong>The Good:  The Industrial Internet of Things Can Improve Productivity</strong></p>
<p>It is not difficult to see how the interconnectivity offered by these IoT devices can improve the workplace. For example, the October 25, 2016 issue of the <em>Chicago Business Journal</em> describes what is commonly referred to as <a href="http://www.bizjournals.com/chicago/news/2016/10/25/industrial-internet-of-things-buzzword-big-impact.html" target="_blank">“the industrial internet of things” (IIoT)</a>. Like the technology showing up in our homes, the technology giving rise to the IIoT connects industrial machinery “to enhance functionality and improve operational efficiency in industrial settings, ultimately making manufacturing more flexible, efficient and profitable and better able to serve their customers.” The IIoT is being credited with increasing efficiency in factory processes, energy usage and transportation. In particular, the <em>Chicago Business Journal</em> discusses how IIoT provides “real-time data,” methods for “better asset use,” and the ability to fix problems more quickly by using “predictive diagnostics.” At this early stage, the IIoT is a method worth exploring to increase productivity.</p>
<p><strong>The Bad:  IIoT Gives Hackers Access to the Workplace</strong></p>
<p>While the overall impact of the IIoT on industry is considered positive, there should be no question that, as seen with any technological advance, there are some drawbacks. Specifically, the one trait that allows the IIoT to be useful, interconnectivity, has allowed hackers and criminals to gain access to interconnected industrial networks. For example, in 2008, hackers shut down a Turkish oil pipeline which resulted in a massive explosion. The hackers, believed to be Russian, compromised the pipeline’s surveillance camera software and infiltrated the pipeline’s internal network. After gaining access, the hackers shut down alarms, cut off communications and caused the crude oil in the line to over-pressurize to cause the explosion. Without setting off a single alarm, the explosion shut the pipeline down and caused large financial losses for the private companies and governments with interests in the pipeline.</p>
<p>A second example was seen in 2004 when a German steel factory was attacked by hackers who gained control of a blast furnace. According to reports, the factory suffered massive damage when hackers managed to access the factory’s production networks and tampered with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in extensive damage to the plant.</p>
<p>These attacks on the Turkish oil pipeline and the German blast furnace demonstrate the damage hackers can cause when given the opportunity. More troubling is the fact that these two incidents occurred before interconnected devices were even remotely common in the workplace. That is, hackers will have more opportunity in the coming years. As businesses continue to adopt interconnected technology, we can expect hackers to have increased access to industrial systems. And, in turn, we can expect more security issues to impact industrial systems and networks.</p>
<p><strong>The Ugly:  The Influx Of Devices Used in the IIoT Also Increases the Number of Devices Available for Hackers’ Attacks</strong></p>
<p>Unfortunately, the increase in interconnected devices translates into more devices available for hackers to hijack and use in cyber attacks. For example, internet-connected surveillance cameras and other unprotected IoT-connected devices were used by hackers to cause massive internet disruptions on October 21, 2016. This recent attack is generally blamed on the “<em>Mirai botnet</em>” which used unprotected IoT devices to launch a Distributed Denial of Service (DDoS) attack on at least 80 major websites. While it is still early in the investigation, it appears many interconnected devices were hijacked to take part in this attack.</p>
<p>Thus, the devices giving rise to the IIoT do not merely increase the number of devices available for hackers to infiltrate individual networks. In simple terms, the chances of large-scale cyber attacks increase as the number of unprotected devices that can be used in such attacks increases. And, while many businesses understand the importance of cyber security for computers in the workplace and at home, cyber security for other interconnected devices can be easily overlooked. Consequently, we can expect internet-connected devices used in the workplace to be used in many DDoS attacks in the near future. And those attacks, which shut down websites and other computer systems, could easily cut into productivity in a number of industries.</p>
<p><strong>Cyber Insurance Available to Address IIoT</strong></p>
<p>While it may be unclear what technological safeguards are worth the investment, businesses can be certain that cyber insurance provides a cost-effective and simple method to decrease the risks associated with the IIoT. In particular, first party insurance policies with the following coverages are essential for any business attempting to limit the possible harm created by interconnected devices:</p>
<ul>
<li><em><strong>Loss or damage to digital assets:</strong></em> This coverage may include loss or damage to data or software programs, resulting in costs incurred through restoring, updating, recreating or replacing devices to the same condition they were in prior to the loss or damage. For example, this coverage may cover the costs to repair software used in the workplace which has been lost to a virus or otherwise compromised by hackers.</li>
<li><em><strong>Business interruption from network downtime:</strong></em> This coverage may include costs related to interruption, degradation in service, or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred by mitigating and investigating the loss. For example, one factor that did not become clear until recently is the fact that while the property damage in the Turkish oil pipeline and German blast furnace incidents was expensive, a company that suffers such a loss would also have to stop their assembly lines or other industrial processes while clean-up and repairs/replacement are completed.</li>
<li><em><strong>Cyber extortion:</strong></em> This coverage may include costs related to attempts to extort money by threatening to damage or restrict the network, release data obtained from the network, and/or communicate with the customer base under false pretenses to obtain personal information. This coverage becomes more important every day as businesses are increasingly targeted for “ransomware.”</li>
</ul>
<p><em>As seen in our homes, businesses will get the most out of IIoT-connected technology by understanding and preparing for unforeseen risks. The threat from the increasing number of interconnected devices is two-pronged: first, hackers have more access to individual networks and systems; and second, potential losses related to shutdowns caused by DDoS or similar attacks can disrupt productivity and vendor productivity. Therefore, it will become increasingly clear that obtaining cyber insurance is part of any reasonable strategy to handle the unforeseen risks related to the IIoT.</em></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Industrial Internet of Things:  The Good, The Bad And The Ugly</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
