<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Law</title>
	<atom:link href="https://privacyriskreport.com/tag/law/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</title>
		<link>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data</link>
		<comments>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/#comments</comments>
		<pubDate>Thu, 30 Nov 2017 19:27:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1385</guid>
		<description><![CDATA[<p>Uber&#8217;s technology and business plan have consistently presented a number of interesting privacy issues. Another interesting privacy issue involving Uber came to light on November 28, 2017 when the City of Chicago and Illinois (&#8220;plaintiffs&#8221;) filed their Complaint in a... <a class="more-link" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Uber&#8217;s technology and business plan have consistently presented a number of <a href="https://privacyriskreport.com/uber-and-lyft-demonstrate-how-cybersecurity-changes-the-way-businesses-deal-with-each-other-and-customers/" target="_blank">interesting privacy issues</a>. Another interesting privacy issue involving Uber came to light on November 28, 2017 when the City of Chicago and Illinois (&#8220;plaintiffs&#8221;) filed <a href="https://assets.documentcloud.org/documents/4311145/365676414-Chicago-CCSAO-Uber-11-27-17-Complaint.pdf" target="_blank">their Complaint</a> in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc.</em>, Case No. 2017CH15594 (Nov. 28, 2017). The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.</p>
<p><strong>The First Breach</strong></p>
<p>The plaintiffs assert that in 2014, Uber left personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public.  By September 17, 2014, Uber detected that its customers’ information had been accessed without authorization.  After the 2014 breach, Uber entered into a settlement agreement with the federal government where Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.</p>
<p><strong>The Second Breach </strong></p>
<p>Despite making “basic corrections to its data security platform,” Uber suffered another data breach involving 57 million users in October 2016. The Complaint alleges this Second Breach was similar to the First Breach in that customer data was exposed when hackers found exposed passwords.  While Uber put out a statement, the plaintiffs claim Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers and Social Security numbers.</p>
<p><strong>The Alleged Cover Up</strong></p>
<p>The Complaint further asserts that after the second breach, “Uber opted to cover up the breach, both inside and outside the company.” The plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.&#8221;  The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach.  The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…”  Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment.  The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>The Plaintiffs’ Causes Of Action And Violations Of Illinois’ Personal Information Protection Act (“PIPA”)</strong></p>
<p>Plaintiffs first seek a recovery under Chicago Municipal Code Section 2-25-090 which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Act (“ICFA”).  In this regard, the plaintiffs claim “Uber intended that the public, including Chicago residents, rely on its deceptive representations and communications regarding the security of their personal information.”  The plaintiffs also claim Uber violated the Illinois <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Personal Information Protection Act </a> (&#8220;PIPA&#8221;) when it failed to notify Chicago residents of the breaches.  Based on ten causes of action, the plaintiffs request the court fine Uber $10,000 for each day the Chicago Municipal Code was violated, $50,000 for violating the ICFA and $10,000 for each violation “involving an Illinois resident 65 years of age or older for each day such violation has existed and continues to exist.”</p>
<p><strong>“Data Collectors” Must Put Thought Into Response If It Is Unclear If Formal Notification Is Necessary</strong></p>
<p>This case, while only in the pleading stages, signals a shift in considerations for “data collectors” when responding to an incident. First, if true, it should be clear that paying off hackers and disguising the payment as a legitimate expense should be avoided.  Beyond this alleged payment, these allegations demonstrate the difficult balance between providing information to the public but not unnecessarily causing negative publicity.  For example, it is alleged that Uber put out a blog post in response to the 2016 incident that failed to address all the information that may have been compromised in the breaches.  The Complaint refers to this blog post as being “notably vague.”  Therefore, even if it is shown that Uber did not intentionally cover up these incidents, these allegations against Uber provide a reminder that a “data collector&#8217;s” response can create additional liability beyond the incident.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</title>
		<link>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions</link>
		<comments>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/#comments</comments>
		<pubDate>Thu, 17 Aug 2017 16:17:26 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Contempt]]></category>
		<category><![CDATA[Court]]></category>
		<category><![CDATA[Cyber Attack]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[DLA Piper]]></category>
		<category><![CDATA[Jurors]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1282</guid>
		<description><![CDATA[<p>On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data.  Reports indicate that, even though email... <a class="more-link" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="http://fortune.com/2017/06/29/dla-piper-cyber-attack/" target="_blank">On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data.</a>  Reports indicate that, even though email service was disrupted by the attack, lawyers were still able to communicate through text messaging and telephone calls. This attack on the law firm, which by all accounts was aptly prepared for a cyber attack, demonstrates that no business is completely safe and incident response preparation will continue to be a key element in cyber security.</p>
<p>This cyber attack was discussed in a recent decision and provides further proof that data breaches should not be the only concern when considering cyber security.  In <em>Cone et al. v. Hankook Tire Co.,</em> 2017 WL 3446295 (Aug. 10, 2017 W.D. Tenn.), the District Court for the Western District of Tennessee heard arguments during a show cause hearing on the question of whether certain attorneys at the law firm, as counsel for the defendant, Hankook Tire (“Hankook”), should be held in contempt after jurors were mistakenly contacted after trial without the District Court&#8217;s permission.  While the attorney at the law firm was not held in contempt of court, the District Court made clear that the cyber incident, which limited email communications, did not excuse the improper contact of jurors.</p>
<p>The conduct giving rise to the show cause hearing took place after a verdict was returned in favor of Hankook on June 30, 2017. At some point shortly after the case reached a verdict, the court clerk was informed that a “jury researcher” had contact with some of the jurors.  This contact violated the local rules because the parties did not have permission from the District Court to contact jurors to discuss the case.  On July 20, 2017, the District Court issued an order requiring the parties to provide information on the jury researcher.</p>
<p>In response to the order seeking information on the jury researcher, counsel for Hankook filed a statement confirming they hired the jury researcher that followed up with the jurors. However, the response filed by Hankook made clear that one of its attorneys (&#8220;Sender Attorney&#8221;) put into motion a “series of mistaken assumptions” that resulted in the jurors being contacted without the District Court’s permission.  The response indicated the jurors were contacted under the following circumstances:</p>
<ul>
<li>On June 27, 2017, prior to the conclusion of the trial, the law firm suffered a cyber attack, disabling the firm’s email.</li>
<li>On July 3, 2017, Sender Attorney emailed the jury researcher to inform them that a favorable verdict was returned for Hankook. Sender Attorney copied another attorney at his firm (&#8220;Copied Attorney&#8221;) on this email. The jury researcher responded on the same day asking whether they could contact the jurors. Sender Attorney stated that he thought the jury should be contacted unless the Copied Attorney disagreed.</li>
<li>On the day after the trial ended, the Copied Attorney was traveling to South Korea and never saw the emails discussing whether the jury researcher should contact the jurors.  The Copied Attorney&#8217;s email was not restored until some point after Sender Attorney&#8217;s email had been sent.</li>
</ul>
<p>Based on this timeline, Copied Attorney was not aware of Sender Attorney&#8217;s email until some point after the District Court issued the order seeking information on how jurors were contacted after the trial. Copied Attorney further stated that if he had seen the emails, he would have instructed Sender Attorney to reach out to the other attorneys working on Hankook’s defense to determine if the jurors could be contacted by the jury researcher.  Unfortunately, with Copied Attorney silent on the issue, Sender Attorney and the jury researcher “mistakenly assumed” there was no reason to hold off on contacting the jurors.</p>
<p>The District Court found that Sender Attorney&#8217;s violation of the local rules was the result of “a series of questionable assumptions,” but did not rise to the level of contempt of court. While the holding in <em>Cone</em> may have little or no impact on the overall case, the District Court’s finding that there was a series of mistaken assumptions illustrates the impact that a cyber incident may have on the daily operations of any business.  In short, this cyber attack is further proof that we will likely continue to see cyber incidents causing communication disruptions in a variety of businesses.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breach Litigation Presents Novel Questions Concerning Federal Civil Procedure</title>
		<link>https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure</link>
		<comments>https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/#comments</comments>
		<pubDate>Wed, 14 Jun 2017 19:07:48 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Cyberattack]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1223</guid>
		<description><![CDATA[
<p>The Federal Rules of Civil Procedure allow a defendant to remove an action from state court to federal court as long as the federal court would have subject matter jurisdiction over the litigation in the first place. A federal court... <a class="more-link" href="https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/">Data Breach Litigation Presents Novel Questions Concerning Federal Civil Procedure</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The Federal Rules of Civil Procedure allow a defendant to remove an action from state court to federal court as long as the federal court would have subject matter jurisdiction over the litigation in the first place. A federal court will have subject matter jurisdiction over any case where it has diversity jurisdiction or any case presenting a federal question. The analysis of federal procedural questions in the context of data breach cases may involve everything from complex corporate structures (such as Anthem Blue Cross), complex facts (a cyberattack by a foreign government), as well as complex causes of action and, therefore, may present a number of unique issues for courts.</p>
<p>One recent example is seen in <em>Gallo v. Unknown Number of Identity Thieves</em>, 17-cv-01465 (May 31, 2017), where the plaintiff, David Gallo (“Gallo”), began receiving calls from strangers claiming they found Gallo’s law firm charged their credit cards for legal work that was never completed. After conducting his own investigation, Gallo found the fraudulent charges were being run through a company called “LawPay” by thieves using a merchant account opened using Gallo’s personal information. Last January, Gallo spoke with another attorney who also had a fraudulent LawPay account set up in her name using her personal information obtained through the large hack at Anthem and its affiliates.</p>
<p>Based on his investigation, Gallo filed a complaint in the San Diego County Superior Court alleging that his personal information divulged in the Anthem hack was used by thieves to set up the accounts that would fraudulently charge for legal services.  Gallo&#8217;s complaint contained a request for an injunction against the identity thieves and a negligence claim against Anthem. In February, Anthem filed a notice of removal of the action to the United States District Court for the Southern District of California asserting the federal court had jurisdiction because the case presented questions related to “national security interests and the Health Insurance Portability and Accountability Act 1996” (“HIPAA”).  Anthem also claimed removal was necessary due to the federal questions under the Employee Retirement Security Act (“ERISA”). On March 21, 2017, Gallo filed a motion to remand which gave rise to this decision.</p>
<ul>
<li><em>The District Court found it did not have diversity jurisdiction</em></li>
</ul>
<p>First, as with any case where removal is a question, the court examined whether there was a diversity of citizenship between the parties. Here, the Court found it did not have diversity jurisdiction and removal was not justified when Gallo was a citizen of California and Anthem was a California corporation. Anthem claimed that Gallo named the wrong entity when he named Anthem Blue Cross rather than Anthem Inc. That is, Anthem asserted there would be a diversity of citizenship if Gallo had properly named Anthem, an Indiana corporation, as a defendant for the unauthorized disclosure of Gallo’s private information. The Court found it did not have jurisdiction and found all references to “Anthem” in the complaint referred to Anthem Blue Cross, a California corporation.</p>
<ul>
<li><em>The breach does not constitute a “national emergency” requiring federal court jurisdiction</em></li>
</ul>
<p>In an effort to support its request for removal, Anthem also argued “[t]he cyberattack that forms the basis of Plaintiff’s Complaint carries extraordinary national significance.” In particular, Anthem claimed “[t]he cyberattack on Anthem was perpetrated by a highly sophisticated Advance Persistent Threat (“APT”) affiliated with the Chinese government’s intelligence ministry.” Therefore, Anthem claims, it follows the cyberattacks by foreign state actors constitute a “national emergency” which require the “federal courts to have jurisdiction over state law claims related to data breaches by foreign state actors.”</p>
<p>In rejecting Anthem’s argument, the Court found &#8220;[a]lthough Anthem Blue Cross argues extensively that cybersecurity is an issue of national scope and importance, Anthem Blue Cross does not identify any federal law that would be implicated by the instant case. Instead, Anthem Blue Cross concedes that state common law and statutory law governs each of Gallo’s claims.” The Court further held that “although the breach at issue had nationwide consequences,” in the end this is merely a case between a California resident and a California corporation.  Therefore, the Court did not have jurisdiction of this case under this argument either.</p>
<ul>
<li><em>Anthem&#8217;s beliefs that Gallo&#8217;s allegations are &#8220;implicitly based on HIPAA&#8221; do not require the case be removed to federal court.</em></li>
</ul>
<p>Anthem also argued that removal was appropriate because Gallo’s “state law and statutory causes of action are predicated on alleged violations of HIPAA.” Gallo’s complaint, however, contained no reference to HIPAA and did not allege that any health information had been taken or misused. Instead, Anthem claimed Gallo’s complaint was “implicitly based on HIPAA.” Consequently, the Court found that it has not been shown how HIPAA was sufficiently relevant to this case to establish federal jurisdiction.</p>
<p>Even after finding no HIPAA-related violations, the court further noted that a number of courts have already found that “HIPAA does not provide for a private right of action.” That is, the Court had concern that if it found it had jurisdiction based on Anthem’s argument that the Complaint’s allegations are “implicitly based on HIPAA,” there was a chance that Anthem could make an “end-run around clear precedent precluding a private right of action under HIPAA.”  Therefore, the Court found these allegations did not give the Court jurisdiction over this case.</p>
<p>The thorough analysis by the Court on the simple question of whether Anthem was able to remove this action demonstrates the complex procedural questions potentially arising from data breach cases.  That is, there were questions concerning whether Gallo named the proper Anthem entity (Anthem Blue Cross of California or Anthem, Inc. of Indiana), which Anthem entity held Gallo&#8217;s personal information and which Anthem was the victim of a cyberattack.  Further, Gallo and Anthem have not even reached the complexities seen during the discovery phases and motion practice.  While the Court does not address the issue, the question of whether Gallo has the correct Anthem entity may come back to haunt him if it is shown that Anthem, Inc. of Indiana actually stored Gallo&#8217;s information and was the target of the Chinese cyberattack.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/">Data Breach Litigation Presents Novel Questions Concerning Federal Civil Procedure</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/data-breach-litigation-presents-novel-questions-concerning-federal-civil-procedure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</title>
		<link>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data</link>
		<comments>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/#comments</comments>
		<pubDate>Thu, 01 Jun 2017 20:27:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Transit]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1210</guid>
		<description><![CDATA[
<p>A class action complaint was filed against BART, the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone... <a class="more-link" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>A class action complaint was filed against BART, the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP”—a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App.</p>
<p>The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers…and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law.</p>
<ul>
<li><strong>Privacy concerns over law enforcement tracking and collecting cell phone data </strong></li>
</ul>
<p>Some background is needed on “government surveillance technology” to fully understand the substance of Plaintiffs’ claims. The Complaint addresses news reports in March 2014 about California law enforcement agencies using “Stingray” devices to track and collect cell phone data in a given area. As the reporting on Stingray devices increased, the California legislature took steps to limit the use of Stingrays and similar data collecting technology in California. The Legislature sought to limit “the government’s use of communications interception technologies to ‘collect a variety of data about ‘caught’ cell phones, particularly the phone’s unique numeric identifier and its physical location.”</p>
<ul>
<li><strong>Alleged privacy concerns with BART’s Watch App</strong></li>
</ul>
<p>The Complaint alleges that “[a] forensic review of the App and how it communicates with Defendants’ servers reveals the BART Watch App was programmed to operate just as the communications interception technologies the California Legislature has warned of.” That is, the Plaintiffs assert that the App improperly collects data from users&#8217; cell phones including “the phone’s unique numeric identifier and its physical location.” The Plaintiffs further assert the App violates users&#8217; privacy when contact information entered by a user is combined with the phone&#8217;s unique numeric identifier. In short, Plaintiffs claim the App results in collecting “a host of identifying, tracking, and sensitive data” from users without their permission.</p>
<p>The Third Cause of Action, entitled Violation of Privacy Rights, claims the BART Watch App violates Article I of the California Constitution which “protects citizens against unwanted access to data by electronic and covert means&#8230;” This provision of the California Constitution provides that “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” The Plaintiffs’ theory against BART is that the California Legislature recognized that “governmental agencies’ unchecked power to track a ‘phone’s unique numeric identifier and its physical location’” posed a threat to the public. The Legislature attempted to address this threat by enacting such laws as the Cellular Communications Interception Act. That is, the Plaintiffs claim that BART has created this App which is “masquerading as a transit app that secretly collects” Californians’ private information in an effort to get around the Legislature&#8217;s attempt to safeguard this data.</p>
<ul>
<li><strong>Impact of this litigation</strong></li>
</ul>
<p>The practical impact of this litigation may, admittedly, be limited in scope. Plaintiffs&#8217; first cause of action is based on allegations that BART violated the Cellular Communications Interception Act. This Act required BART to install proper procedures and practices to safeguard user data. Consequently, the outcome of this litigation may be limited to data collectors gathering information through cellular communications. Further, the Plaintiffs&#8217; action is based on the concern over the collection of private data by governmental agencies.</p>
<p>However, while this litigation may offer the most insight for cellular data collection by governmental agencies, private data collectors should not ignore the substance of these allegations.  A number of the allegations in the Complaint call into question whether users were properly informed how their data would be used by BART or other governmental agencies.  That is, the Complaint alleges that privacy disclosures were not easily accessible for users to review before agreeing to download the App.  Regardless of whether the allegations are true against BART, this litigation makes clear that data collectors have a fiduciary responsibility to use data for the exact purpose the data was provided and nothing more.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</title>
		<link>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone</link>
		<comments>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/#comments</comments>
		<pubDate>Thu, 20 Apr 2017 18:24:01 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cell Phone]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1177</guid>
		<description><![CDATA[
<p>Technology in the workplace has developed to a point where we now have our personal data and our employer&#8217;s data commingled on the same devices.  We may now see employees using work phones to store personal numbers and family pictures... <a class="more-link" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Technology in the workplace has developed to a point where we now have our personal data and our employer&#8217;s data commingled on the same devices. We may now see employees using work phones to store personal numbers and family pictures while they store work information on their own equipment at home. This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, is the best way to avoid conflicts when an employee departs.</p>
<p>One case in particular demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment.  On April 12, 2017, the California Court of Appeals in <em>Mendez v. Piper</em>, (unpublished) 2017 WL 1350770, Monterey County Super. Ct. No. M113943 (2017), found an employer failed to prove that an employee violated California law when the employee copied his own personal data from a hard drive owned by the employer after the employee quit his job. This case was originally filed by the employee, John Mendez (“Mendez”) when his former employer, Piper Environmental Group (“PEG”) and Mendez&#8217;s former wife, Jane Piper (“Piper”) (also the CEO of Piper), told Mendez’s prospective employers that he was barred from divulging trade secrets and could not take employment without violating his marital settlement agreement with Piper.</p>
<p>Mendez sought a judicial declaration and an injunction against PEG while PEG filed a cross-complaint based on allegations that Mendez breached a fiduciary duty and that he violated a confidentiality agreement with PEG. Both the trial court and appellate court dedicated a substantial portion of their analyses to the question of whether Mendez’s alleged copying, using and altering of confidential information stored on PEG computer equipment violated the Uniform Trade Secrets Act, <a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=502.&amp;lawCode=PEN">Penal Code section 502.</a></p>
<p>Section 502 provides in relevant part:</p>
<p>CHAPTER 5. Larceny [484 &#8211; 502.9]</p>
<p><em>( Chapter 5 enacted 1872. )</em></p>
<p>(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.</p>
<ul>
<li><strong>Mendez’s Employment And Termination</strong></li>
</ul>
<p>Mendez testified that during his employment he would have been considered PEG&#8217;s “computer system administrator.” PEG allowed employees, including Mendez, to store personal and business data on PEG’s computer system. As part of his duties, Mendez testified that he set up an external drive at his residence and backed up PEG data to a company laptop which he brought home and copied the data to the external drive at his residence. Mendez further testified that his backups included all files, including Mendez’s personal and business data.</p>
<p>At some point, PEG hired a chief financial officer and it quickly became clear that Mendez’s service was no longer needed at PEG. The chief financial officer testified at trial that he believed it was his responsibility to find out as much as possible about PEG’s computer system in order to prepare for Mendez’s departure from PEG. After applying “pressure” on Mendez, Mendez ultimately quit his position at PEG.</p>
<ul>
<li><strong>Dispute Over Backup Data </strong></li>
</ul>
<p>While at a hearing concerning Mendez’s unemployment benefits, PEG’s attorney asked Mendez to return the laptop that Mendez used in the backup process. Shortly after this discussion, Mendez purchased a new computer and transferred the files from the laptop to his new computer. Mendez “wiped” his personal information from the hard drive of the laptop and left only the operating system because he originally planned on donating the laptop. However, after PEG was able to prove that it paid for the laptop, Mendez returned the laptop to PEG after Mendez had removed his information.</p>
<ul>
<li><strong>PEG’S Insufficient Evidentiary Support</strong></li>
</ul>
<p>The trial court found that PEG failed to carry its burden to prove Mendez had violated section 502 by accessing, copying, using or altering PEG’s data without permission. The California Court of Appeals affirmed the trial court’s findings on the following basis:</p>
<p><u>PEG failed to show Mendez copied data belonging to PEG</u></p>
<p>The trial court found PEG failed to meet its burden when it provided no evidence that Mendez knowingly copied files belonging to PEG. Rather, Mendez testified that the only data he copied was data he owned. Further, the court rejected testimony proffered by PEG’s forensic computer expert to the extent this expert was “an expert in identifying which files were present on a computer and when files had been accessed, copied, or deleted, but he was not an expert on which files contained PEG’s data.” The Court of Appeals found evidence to support the trial court’s finding that “Mendez accessed the hard drive in order to retrieve his personal information (which was properly on the computer).”</p>
<p><u>PEG failed to show Mendez acted without permission in retrieving his data.</u></p>
<p>The court also rejected PEG’s assertion that Mendez needed its permission to retrieve personal data from the laptop after his employment was terminated. In support of its findings, the court held that “[f]or the purposes of storing documents and photos, a computer is akin to a filing cabinet or desk.” In support of its decision, the court further noted:</p>
<p>We believe that when an employer expressly or implicitly authorizes an employee to personalize his or her workspace with personal property, the employee has implicit authority to remove such personal property upon separation from employment (within any parameters reasonably needed to protect coworkers and the employer’s property). The employer does not acquire ownership of the employee’s personal property by some kind of adverse possession. We see no reason why the same principle should not apply to an employee’s personal information when it is stored on a work computer system. As the trial court implicitly concluded, Mendez had permission to retrieve his personal data from the external drive. In any event, it was PEG’s burden to prove Mendez acted without permission, not his burden to prove he had permission.</p>
<p>Based on this reasoning, the Court of Appeals affirmed the trial court’s decision that PEG failed to meet its burden of proof and that the data stored by the employee belonged to the employee.</p>
<ul>
<li> <strong>Employee Training Is Key</strong></li>
</ul>
<p>This is not the first time we have seen disputes arise over data when an employee is terminated. For example, <a href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">we have seen disputes involving account passwords</a> where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer. These situations are avoidable if employees and employers take the time before the stress of an employee&#8217;s departure to determine how personal and business data and equipment should be treated. Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. Even though the <em>Mendez</em> court found a computer is similar to a filing cabinet or a desk, the proper use of an employer&#8217;s computer should receive more discussion than the use of a filing cabinet.</p>
<p>The Illinois Personal Information Protection Act requires &#8220;Data Collectors&#8221; to take &#8220;reasonable measures&#8221; to protect data.  Contact <a href="http://www.tresslerllp.com/attorneys/attorney-details/todd-rowe">Todd M. Rowe</a> at Tressler LLP to discuss how employee meetings can be used to further ensure you are protecting data.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
