<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; Privacy Risk Report</title>
	<atom:link href="https://privacyriskreport.com/tag/privacy-risk-report/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</title>
		<link>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year</link>
		<comments>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/#comments</comments>
		<pubDate>Thu, 23 Sep 2021 15:55:27 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[CGL]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[Publications]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2279</guid>
		<description><![CDATA[
<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts... <a class="more-link" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple CGL policies can be triggered by BIPA publication claims when they are subject to a one-year statute of limitations.</p>
<p>On September 17, 2021, the Illinois Court of Appeals provided much-needed guidance on the proper statute of limitations for alleged violations of BIPA. In <a href="https://ilcourtsaudio.blob.core.windows.net/antilles-resources/resources/5b1a4927-9c65-4509-9daa-b2ee3fee795f/Tims%20v.%20Black%20Horse%20Carriers,%20Inc.,%202021%20IL%20App%20(1st)%20200563.pdf" target="_blank"><em>Tims v. Black Horse Carriers, Inc</em></a><em>.,</em> 1-20-0563 (First Cir. Sept. 17, 2021), the Illinois Court of Appeals for the First District addressed the defendant’s argument that BIPA was subject to a one-year limitations period under section 13-201 while plaintiffs claimed BIPA was subject to a five-year statute of limitations under section 13-205.</p>
<p>The Illinois legislature did not provide a specific statute of limitations for BIPA claims. Litigants have primarily argued that two statutes of limitations were applicable. First, 735 ILCS 5/13-201, entitled “Defamation – Privacy,” provides “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.” Second, 735 ILCS 5/13-205, entitled “Five-year limitation,” provides a catch-all for all “actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”</p>
<p>The <em>Tims</em> court did not apply a single statute of limitations uniformly to all the violation subparts of BIPA. Rather, in determining which statute of limitations individually applies to the various violation subparts of BIPA, the Court of Appeals’ determination was driven by whether the claimed BIPA violation subpart involves publication:</p>
<p><em>A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting and protecting biometric data. <i>Id</i>. at ¶ 31 (citing 740 ILCS 14/15 (West 2018)) (emphasis added).</em></p>
<p>The <em>Tims</em> court further noted “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself. Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” <i>Id</i>. at ¶ 31 (quoting 735 ILCS 5/13-201 (West 2018)) (emphasis added).</p>
<p>In summary, the Court of Appeals found the following statutes of limitations apply to BIPA claims:</p>
<table>
<tbody>
<tr>
<td width="258"><strong>BIPA Violation Subpart </strong></td>
<td width="228"><strong>Controlling Statute of Limitation </strong></td>
<td width="138"><strong>Statute of Limitation</strong></td>
</tr>
<tr>
<td width="258">15(a): “A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines…”</td>
<td width="228">Section 13-205 governs actions under section 15(a).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(b): A party violates “section 15(b) by collecting or obtaining biometric data without written notice and release…”</td>
<td width="228">Section 13-205 governs actions under section 15(b).</td>
<td width="138">5 years</td>
</tr>
<tr>
<td width="258">15(c): A party is prohibited from selling, leasing, trading or otherwise profiting from a person’s biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(c).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(d): A party is prohibited from disclosing or otherwise disseminating biometric information.</td>
<td width="228">Section 13-201 governs actions under section 15(d).</td>
<td width="138">1 year</td>
</tr>
<tr>
<td width="258">15(e): A party would violate “section 15(e) by not taking reasonable care in storing, transmitting, and protecting biometric data.”</td>
<td width="228">Section 13-205 governs actions under section 15(e).</td>
<td width="138">5 years</td>
</tr>
</tbody>
</table>
<p>Of course, insurance coverage was not at issue in the <em>Tims</em> decision. It will be interesting to see how this decision, which limits the BIPA claims involving “publication,” impacts insurance coverage. Of course, the Illinois Supreme Court has found coverage for BIPA claims under the “personal injury” definition of CGL policies because of publication to third parties. <em>See, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc</em>., 2021 IL 125978 (May 20, 2021). Therefore, insurers may be able to argue only one CGL policy has been potentially triggered when the BIPA publication claims are subject to a one-year statute of limitation.</p>
<p>This decision also misses another important aspect to determining insurance coverage for BIPA claims—accrual of the claim. While the <em>Tims </em>decision will offer some clarity as to the important issue of the proper statute of limitations for these claims, it left one rock unturned. Importantly, the <em>Tims </em>court did not address when a biometric claim accrues. Therefore, it is still unclear whether repeated conduct gives rise to a single BIPA violation or if each new violation gives rise to a new BIPA claim. While this issue causes problems on the defense side of BIPA cases, this issue is equally important when analyzing insurance coverage for BIPA claims as violations potentially span a number of policy periods.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/">Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/did-an-illinois-court-intend-to-limit-coverage-for-bipa-claims-under-cgl-policies-to-one-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</title>
		<link>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm</link>
		<comments>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/#comments</comments>
		<pubDate>Tue, 23 Feb 2021 20:56:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Delaware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2224</guid>
		<description><![CDATA[
<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to... <a class="more-link" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to allege any actual injury or adverse effect. That is, since the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Ent. Corp</em>., 432 Ill. Dec. 654, 129 N.E.3d 197 (Ill. 2019), Illinois courts have found plaintiffs have standing to bring cases with nothing more than the mere allegation of a technical violation of BIPA. These cases have survived motions to dismiss despite no allegations of identity fraud or theft of private biometric information. Of course, outside of Illinois BIPA cases, courts still require plaintiffs to at least allege harm resulting from a privacy incident to survive a motion to dismiss.</p>
<p>A recent example of a privacy dispute requiring allegations of damage to survive a motion to dismiss is seen in the <strong>unpublished</strong> decision <em>Abernathy v. Brandywine Urology Consultants, P.A</em>., 2021 WL 211144 (Del. 2021). The privacy incident in <em>Abernathy</em> resulted from a ransomware attack on Brandywine’s computer network that contained sensitive patient data and medical records needed for the operation of the medical clinic. For some reason, there was no attempt to collect a ransom. A group of Brandywine patients filed a class-action lawsuit.</p>
<p>The <em>Abernathy</em> court found the following information to be important about the privacy incident:</p>
<ul>
<li>Brandywine took immediate steps to notify its patients of the attack by issuing a Notice of Potential Data Breach.</li>
<li>The Notice informed patients “that it was possible, though [Brandywine] believed that it was unlikely,’ that their personal information and financial information was compromised.”</li>
<li>The Notice also stated that Brandywine would keep patients informed of “the results of its ongoing investigation.”</li>
</ul>
<p>The class-action plaintiffs filed suit against Brandywine, alleging the privacy incident resulted from Brandywine’s negligence along with a number of other causes of action. Brandywine filed a motion to dismiss the complaint, arguing the plaintiffs lacked standing to bring the class action. In particular, Brandywine argued that plaintiffs failed to allege an injury in fact and that any alleged injuries could not be traced back to Brandywine. As seen in many “standing” cases, plaintiffs took the position they sustained an injury from the following “harms:” (1) imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to plaintiff’s medical care.</p>
<p>In granting Brandywine’s motion to dismiss, the Court provided the following analysis on whether the plaintiffs suffered an injury. First, while Delaware courts had not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact, the <em>Abernathy</em> Court looked to a number of federal court decisions holding a plaintiff lacks standing to sue a party that failed to protect data. These courts held there was no standing absent proof of actual misuse or fraud.  The <em>Abernathy</em> Court further noted that the Notice sent to Brandywine’s patients “stated there was a <em>possibility</em> that personal and financial information was compromised during the attack.” This Notice was found by the Court to not be a “concession of a plausible, concrete, imminent, or certain threat.”</p>
<p>Additionally, the <em>Abernathy</em> Court held the response to the attack was proper and found Brandywine “appeared to take swift and appropriate measures to investigate and mitigate the data breach.” The Court made it clear that Brandywine should not be punished for sending out the Notice. This conduct, informing individuals quickly about a potential privacy issue, should be encouraged. (“The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”)</p>
<p>In conclusion, the <em>Abernathy</em> Court granted Brandywine’s motion to dismiss because plaintiffs “failed to allege that any of them have been victims of any actual harm stemming from the attack.  As almost a year has now passed without any harm occurring, it appears unlikely that plaintiffs would be harmed in the near future.”</p>
<p>The <em>Abernathy </em>decision offers a useful reminder that plaintiffs, outside of BIPA litigation, will need to show real harm results from a privacy incident. It also shows how a data collector can control the situation even after a security incident by having a good response plan in place and ready to go. The <em>Abernathy</em> Court may not have been willing to side with Brandywine if it was shown that Brandywine lacked a reasonable response and had not kept its patients informed of the steps taken in response to the ransomware attack. This decision provides even more reason to have a proper response plan in place and ready to go.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</title>
		<link>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline</link>
		<comments>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/#comments</comments>
		<pubDate>Wed, 26 Feb 2020 15:56:26 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Datamation]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[SOPPA]]></category>
		<category><![CDATA[Todd Rowe]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2043</guid>
		<description><![CDATA[
<p>Join us for this exciting new webinar… The Final Countdown: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline Presented by Datamation and Tressler LLP Thursday, March 12, 2020 10:00 AM – 11:00 AM CT Click Here to... <a class="more-link" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><strong>Join us for this exciting new webinar…</strong></p>
<p><strong>The Final Countdown: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</strong></p>
<p>Presented by Datamation and Tressler LLP</p>
<p>Thursday, March 12, 2020</p>
<p>10:00 AM – 11:00 AM CT</p>
<p><strong><u><a href="https://register.gotowebinar.com/register/6036502859359204620">Click Here to Register!</a></u></strong></p>
<p><strong>Webinar Description</strong></p>
<p>While data breaches are starting to become an accepted part of life, the public is not willing to accept breaches involving minors’ personal information. In particular, recent breaches at educational publisher Pearson and other vendors have put a priority on keeping student personal information secure. Illinois has taken the lead in privacy law by adopting the Student Online Personal Protection Act (“SOPPA”) to protect student personal information.  SOPPA is a unique privacy law in that compliance is mandatory and it places a number of objective requirements on public and private schools. This law requires Illinois schools to monitor the security measures taken by third parties entrusted with student data. This engaging presentation will address the requirements under SOPPA, including the July 1, 2021 compliance deadline.</p>
<p><strong>About the Presenter: Todd Rowe, Attorney at Tressler LLP</strong></p>
<p><a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> is an award-winning privacy and cyberliability attorney located in Chicago, IL. He is ready to help you meet the SOPPA deadline. Tressler LLP attorneys are known for providing responsive, friendly and cost-effective legal services. Our team can offer custom, flat-rate or project-based pricing to ensure that we meet your budget and exceed your expectations. <strong>Learn more at <a href="https://www.tresslerllp.com/soppa" target="_blank">www.tresslerllp.com/soppa</a>, or contact Todd at <a href="mailto:trowe@tresslerllp.com">trowe@tresslerllp.com</a> for a free consultation.</strong></p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2020/02/soppa-compliance-team-image-800-wide.jpg"><img class="alignnone size-full wp-image-2046" src="https://privacyriskreport.com/wp-content/uploads/2020/02/soppa-compliance-team-image-800-wide.jpg" alt="" width="800" height="533" /></a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/">New Webinar on March 12: Strategies for Illinois Schools to Get SOPPA Compliant Before the Deadline</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-webinar-on-march-12-strategies-for-illinois-schools-to-get-soppa-compliant-before-the-deadline/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Next Wave Of Biometric Cases: BIPA Customer Lawsuits</title>
		<link>https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-next-wave-of-biometric-cases-bipa-customer-lawsuits</link>
		<comments>https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/#comments</comments>
		<pubDate>Tue, 11 Feb 2020 18:20:50 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Customer]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2030</guid>
		<description><![CDATA[
<p>While there has been a huge increase in class action cases based on alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”), it has not gone unnoticed that the vast majority of the recent cases are limited to allegations brought... <a class="more-link" href="https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/">The Next Wave Of Biometric Cases: BIPA Customer Lawsuits</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While there has been a huge increase in class action cases based on alleged violations of the Illinois Biometric Information Act (“BIPA”), it has not gone unnoticed that the vast majority of the recent cases are limited to allegations brought by employees against their employers rather than by customers. That is, the case law is developing into two distinct branches: BIPA customer cases and BIPA employment cases.</p>
<p>The rapid development of BIPA employment cases is surprising to the extent the Illinois Supreme Court&#8217;s decision in <em>Rosenbach v. Six Flags</em>, 2019 IL 123186 (Jan 25, 2019) involved a customer of the Six Flags amusement park. It is still unclear if the BIPA customer lawsuits are not developing as quickly because equipment that collects biometric data is not being used for customers or customers are still unaware that their data is being gathered. Either way, there is little question that data collectors must brace for the next wave of BIPA cases brought by customers.</p>
<p>BIPA lawsuits related to photo storage applications provided by Google LLC (“Google”) and other social media companies are providing some guidance on BIPA customer cases. In particular, Google Photos collects and stores photographs and promises to provide “[f]ree storage and automatic organization for all your memories.”  There are allegations that this technology uses “face templates” of the subjects in the photographs. This photo application has provided a number of BIPA cases outside the employment cases currently working through the courts.</p>
<p><em>A New BIPA Customer Lawsuit Involving the Google Photo App</em></p>
<p>On February 6, 2020, Brandon Molander (“Molander”) filed a Class Action Complaint against Google LLC in the District Court for the Northern District of California based on alleged BIPA violations. Molander claims Google “created, collected, and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face prints’)—highly detailed geometric maps of the face—from millions of Google Photos users.” (<em>Molander</em> Complaint at ¶ 5). The <em>Molander</em> Complaint continues: “Google creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces that appear in photos taken on Google Android devices and uploaded to the cloud-based Google Photos service.” In particular, the <em>Molander</em> Complaint alleges that with this technology, “[e]ach face template that Google extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.”</p>
<p>The <em>Molander </em>Complaint provides the following concerning Google’s technology:</p>
<ul>
<li>“In May 2015, Google announced the release of its photo sharing and storage service called Google Photos. Users of Google Photos upload millions of photos per day, making photographs a vital part of the Google experience.” (Complaint at ¶ 19)</li>
<li>The Google Photos app is pre-installed on all Google Android devices and “is set by default to automatically upload all photos taken by the Android device user to the cloud-based Google Photos service.” (Complaint at ¶ 20)</li>
<li>“Unbeknownst to the average consumer, and in direct violation of [Illinois’ Biometric Information Protection Act], Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e. biometric identifiers) of each face, and then uses that data to create and store a template of each face – all without ever informing anyone of this practice.” (Complaint at ¶ 21)</li>
</ul>
<p>Based on these allegations, Molander claims Google improperly collected, used and stored his biometric data without obtaining a written release, used his information without properly notifying individuals that his information was being gathered and used his information without providing a public “retention schedule or guidelines for permanently destroying the biometric identifiers and/or biometric information.”</p>
<p><em>Guidance For BIPA Customer Lawsuits</em></p>
<p>We have seen similar lawsuits filed against Google before <em>Molander v. Google LLC</em>. For example, the Eastern District for the Northern District of Illinois analyzed BIPA claims related to Google Photos in <em>Rivera v. Google, Inc.</em>, 16 C 02714 (N.D. Ill. 2016). In <em>Rivera</em>, the District Court found claims by Plaintiffs that Google collected, uploaded and scanned photographs to create “facial templates” were sufficient to survive Google’s motion to dismiss. The District Court rejected Google’s argument that Plaintiffs’ class-action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected. Ultimately, on December 29, 2018, the Eastern District granted Google’s motion for summary judgment finding “Plaintiffs have not suffered an injury sufficient to establish Article III standing and their claims are dismissed.” Therefore, based on this case, Molander may have an uphill battle to establish Google violated BIPA with the collection, storage and use of his photographs. (<a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">The Privacy Risk Report closely followed the <em>Rivera</em> case</a>.)</p>
<p>While only the Class Action Complaint has been filed at this point in <em>Molander v. Google LLC</em>, case no. 20-cv-918, there are some recent developments that may provide guidance in the <em>Molander</em> case and BIPA customer cases.</p>
<p>First, we have seen many of the biometric data cases, outside the employment context, reach a resolution since <em>Rivera</em> was decided by the District Court for the Northern District of Illinois. The most recent example came a couple of weeks ago, when it was widely reported in January 2020 that Facebook settled its own class-action lawsuit for $550 million based on claimed violations of Illinois’ Biometric Information Protection Act. The Facebook lawsuit seems to be based on technology that is similar to the technology at issue in <em>Molander v. Google LLC</em>: &#8220;<a href="https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html" target="_blank">The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept</a>.&#8221; Therefore, it will be important to watch the <em>Molander</em> case to see if a large settlement for this technology is a trend that continues. The Facebook settlement will undoubtedly get plaintiffs&#8217; class action lawyers thinking about BIPA customer cases.</p>
<p>Additionally, there are questions as to how this technology will be used by companies for marketing or other unapproved uses. For example, we can expect to see more news about <a href="https://www.cnn.com/2020/02/10/tech/clearview-ai-ceo-hoan-ton-that/index.html" target="_blank">Clearview AI</a>. Clearview AI created a massive database of photographs (estimates of 3 billion photographs so far) “scraped” from social media. At this point, Clearview AI has made this database available only to law enforcement. Since the <em>Rivera</em> case, companies such as Clearview AI provide a glimpse of how this technology can be used and the control people may lose over their biometric data. These new uses for this technology may influence how courts decide these cases. Over the next few months, we will see if the initial wave of BIPA employment cases crests and if BIPA customer cases pick up the pace.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/">The Next Wave Of Biometric Cases: BIPA Customer Lawsuits</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-next-wave-of-biometric-cases-bipa-customer-lawsuits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Court Shreds Illinois’ Biometric Statute Before Remanding Case Back To State Court</title>
		<link>https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court</link>
		<comments>https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/#comments</comments>
		<pubDate>Thu, 31 Oct 2019 15:08:15 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Article III]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Federal Courts]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[State Courts]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1969</guid>
		<description><![CDATA[
<p>Despite having the potential to impact many data collectors, Illinois’ Biometric Information Protection Act (“BIPA”) has received surprisingly little analysis from state or federal courts. A decision issued on October 17, 2019, by the United States District Court for the... <a class="more-link" href="https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/">Federal Court Shreds Illinois’ Biometric Statute Before Remanding Case Back To State Court</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Despite having the potential to impact many data collectors, Illinois’ Biometric Information Protection Act (“BIPA”) has received surprisingly little analysis from state or federal courts. A decision issued on October 17, 2019, by the United States District Court for the Northern District of Illinois may limit the number of BIPA cases reaching the federal courts and, in turn, further limit the development of law addressing BIPA claims.</p>
<p>In <em>Colon v. Dynacast, LLC</em>, 19-cv-4561 (N.D. Ill. Oct. 17, 2019), the Plaintiff, Colon, filed a motion to remand the matter from the Federal Court back to the Circuit Court of Cook County, Illinois. Next, the defendant, Dynacast, filed a motion to dismiss. The motion to dismiss was denied as being moot to the extent Colon’s motion to remand was granted and the matter was moved back to state court. Even though this matter was sent back to the state court, the <em>Colon</em> court still provides an interesting analysis of whether a litigant has standing to bring a BIPA case in federal courts.</p>
<p><a href="https://privacyriskreport.com/seventh-circuits-recent-decision-indicates-courts-may-be-willing-to-chip-away-at-bipa/" target="_blank">As seen with many biometric data cases</a>, the <em>Colon</em> matter arises out of allegations that Dynacast, Colon’s employer, used biometric data for its employee time-keeping system. That is, Colon alleges that “each day” of her employment (from 2013 until January 2018), she was “required to place her hand on a panel to be scanned in order to ‘clock in’ and ‘clock-out’ of work.”</p>
<p>Further, in order to support a class action claim, Colon asserted “[a]t least 200 of Defendant’s employees were required to use this biometric time-keeping system.” Colon also claimed that Dynacast failed to inform Colon, in writing, that her biometric data would be collected and did not provide “the specific purpose and length of term for which [her] biometric” information was collected, stored, and used; or “obtain written releases from Plaintiff…before it collected, used, and/or stored” her fingerprint data. As typically seen in BIPA cases, Colon did not assert any damage beyond simply not receiving formal written notice that her biodata would be collected and stored.</p>
<p><a href="https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/" target="_blank">The vast majority of breach cases involve a defendant arguing an action should be dismissed </a>to the extent the plaintiff lacks standing while the plaintiff argues they have standing since they suffered a concrete injury. The roles were reversed in <em>Colon</em>. Here, while arguing this action should be moved back to the state court, Colon argued she lacked Article III standing to allow the matter to remain in federal court. On the other hand, Dynacast argued: &#8220;Plaintiff&#8217;s injury is sufficiently concrete to confer Article III standing.” Colon was able to take this position in the federal court because she will most likely argue that the BIPA violation alone gives her a viable cause of action in the state court. That is, Colon may not need to even show she suffered a concrete injury when this matter is litigated in state court.</p>
<p>In finding Colon lacked standing and that the case should be remanded back to the state court, the District Court did not appear to be impressed by a BIPA claim based merely on the alleged failure to provide written notice:</p>
<p><em>That is, the only purported ‘violation of privacy’ was the failure to explain </em><em>in writing</em><em> that </em><em>biometric</em><em> data was being collected—something that would have been obvious to any employee subject to a fingerprint or hand-scan. But even if this rhetoric referred to activities that could give rise to concrete injuries, “legal conclusions or bare and conclusory allegations…are insufficient” to plead concrete injury and thus confer Article III standing.</em></p>
<p>The <em>Colon</em> court takes some shots at Colon’s claims before sending the case back to state court. One touchstone of BIPA is the requirement that a data collector provide notice, in writing, that biometric information is being collected and stored. Even though the <em>Colon</em> court finds the failure to provide notice cannot alone give rise to Article III standing, the court does not hold back on BIPA’s notification requirement:</p>
<p><strong><em>The fact that this was not explained in writing does nothing to harm people’s privacy interests because they knew that the data was being collected and did not allege that their data was shared with third parties.</em></strong></p>
<p><strong><em> </em><em>So too here: Defendant obviously collected Plaintiff’s fingerprint when the fingerprint was taken. No one alleges that Defendant snooped around like Nicholas Cage in National Treasure, surreptitiously gathering Plaintiff’s biometric data off discarded goods. Likewise, Defendant obviously stored the prints—otherwise, the entire authentication system would make no sense. [Citation omitted]</em><em> Defendant had to compare each print taken at the timecard station to a baseline in order to determine if the employee clocking in or out was in fact who they said they were. Because Plaintiff knew that her data was being collected, Defendant’s failure to go through each procedural formality outlined in BIPA did not present any “appreciable risk of harm to the underlying concrete interest” in privacy, and therefore Plaintiff has not suffered any injury in fact. [citation omitted] Similarly, because Plaintiff has not alleged that her data was given to third-parties, her right to privacy in her biometric data was not compromised.</em></strong></p>
<p>This case indicates that the federal courts may not be friendly to BIPA plaintiffs and, therefore, we can expect more BIPA claims to end up in state courts. This decision is still worthy of consideration in state court actions since the <em>Colon</em> court goes out of its way to beat up Colon’s BIPA claim. While state courts may not need to consider whether a litigant can establish Article III standing, this decision highlights a fundamental flaw in BIPA. That is, where is the harm if a litigant allows an employer to take a template of their fingerprint but does not provide formal written notice?</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/">Federal Court Shreds Illinois’ Biometric Statute Before Remanding Case Back To State Court</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/federal-court-shreds-illinois-biometric-statute-before-remanding-case-back-to-state-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Home On The Range: Recent Decision Addresses Range Of Data Breach Cases</title>
		<link>https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=home-on-the-range-recent-decision-addresses-range-of-data-breach-cases</link>
		<comments>https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/#comments</comments>
		<pubDate>Mon, 07 Oct 2019 16:45:48 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Privacy Law]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1944</guid>
		<description><![CDATA[
<p>The recent decision in Kimbriel v. Abb, Inc.,19-CV-215 (October 1, 2019), provides insight into how far privacy law has developed in a short time. A couple of years ago there was little guidance as to what a plaintiff needed to... <a class="more-link" href="https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/">Home On The Range: Recent Decision Addresses Range Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The recent decision in <em>Kimbriel v. Abb, Inc.</em>, 19-CV-215 (October 1, 2019), provides insight into how far privacy law has developed in a short time. A couple of years ago there was little guidance as to what a plaintiff needed to establish standing in a data breach case. <a href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/" target="_blank">Many data breach lawsuits were dismissed as courts found the nexus between the breach and the alleged damages to be too weak or speculative to support a viable cause of action</a>. The <em>Kimbriel</em> decision provides a “range” for plaintiffs to show they have standing to bring a lawsuit after a breach. First, the <em>Kimbriel</em> court finds plaintiffs cannot meet their burden to establish standing if they cannot show breached data was used or reasonably could be used after the breach. For example, credit inquiries using breached data are not sufficient to establish standing under the <em>Kimbriel</em> court’s reasoning. On the other end of the range, plaintiffs meet their burden to show they suffered an injury-in-fact, and have standing, when they can show criminals used their data. For example, plaintiffs that can show fraudulent credit cards were opened with the breached information have a better chance of establishing standing to sue.</p>
<p><strong>The Plaintiffs’ Allegations Related To The Breach Of Personal Information </strong></p>
<p>In <em>Kimbriel</em>, the Defendant, the Plaintiffs’ employer, filed a motion to dismiss the Plaintiffs’ complaint asserting the Defendant breached employee data. Plaintiffs claimed the breach involved a database that housed employees’ sensitive information including full names, addresses, birth dates and social security numbers plaintiffs provided to Defendant in order to participate in an employee health plan. After the breach, the Defendant agreed to pay for identity credit monitoring services for the employees. On February 13, 2019, a credit-monitoring service notified the lead plaintiff, Paula Kimbriel, of five unauthorized credit inquiries with banking institutions.</p>
<p><strong>The Defendant’s Argument That Plaintiffs Lack Standing For This Action</strong></p>
<p>On the other hand, the Defendant argued in its motion to dismiss that Plaintiffs lack standing under Article III of the U.S. Constitution to bring this action because they have not alleged an injury-in-fact. That is, it is well settled by the U.S. Supreme Court that “[t]o establish standing, plaintiffs must show they have suffered an injury-in-fact-an injury that is ‘concrete, particularized, and actual or imminent[.]’” <a href="https://lawfare.s3-us-west-2.amazonaws.com/staging/s3fs-public/uploads/2013/02/11-1025_ihdj.pdf">See, </a><em><a href="https://lawfare.s3-us-west-2.amazonaws.com/staging/s3fs-public/uploads/2013/02/11-1025_ihdj.pdf" target="_blank">Clapper v. Amnesty Int’l USA</a>.</em> The <em>Clapper</em> court held the injury-in-fact must be “fairly traceable to the challenged action[,] and redressable by a favorable ruling.” <em>Id.</em> Threatened injuries cannot be speculative, but “must be certainly impending.” <em>Id.</em> Questions related to standing have plagued many data breach plaintiffs to the extent it is difficult to show damage (such as credit card fraud) is directly related to a particular breach. The <em>Kimbriel</em> court addresses this question by creating a range that examines the damage from a breach.</p>
<p><strong>The District Court’s Dismissal Of The Complaint </strong></p>
<p>The District Court dismissed the Plaintiffs’ complaint finding the District Court lacked subject-matter jurisdiction over the plaintiffs’ claims. In particular, the District Court held that without any allegations the hacked personal information had been or will be used in identity theft or fraud, the employees are not capable of demonstrating a concrete injury.</p>
<p>The District Court found this case fell in the middle of two recent decisions that “address injury-in-fact in the data privacy context.” First, <em>Beck v. McDonald</em>, 848 F.3d 262 (4th Cir. 2017), provides an example where “the plaintiffs did not have standing because, critically, they could neither show that their data was actually used nor allege enough plausible facts to show that threatened future harms were ‘certainly impending.’” The plaintiffs’ allegations in the <em>Beck</em> case were fatally defective since the “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.”</p>
<p>On the other end of the range, the court in <a href="https://casetext.com/case/hutton-v-natl-bd-of-examiners-in-optometry-inc-1" target="_blank"><em>Hutton v. Nat’l Bd. of Examiners in Optometry, Inc.</em>, 892 F.3d 613 (4th Cir. 2018)</a>, found “plaintiffs had suffered an injury-in-fact because their data had actually been used to open fraudulent credit card accounts.”</p>
<p>Here, the District Court found the Plaintiffs’ allegations in the <em>Kimbriel</em> case were closer to the allegations brought by the plaintiffs in <em>Beck</em> rather than the allegations in <em>Hutton</em>. That is, Plaintiffs’ complaint in <em>Kimbriel</em> did not establish the District Court had standing since, “[b]y plaintiffs’ own admission, the credit inquiries do not, by themselves, constitute an independent injury-in-fact.” Further, the District Court rejected the argument that the credit inquiry coupled with allegations that the breach was a result of a targeted phishing scheme, “constitute a sufficient factual basis to conclude there is a certainly impending risk of identity theft.”</p>
<p>While the District Court found the Plaintiffs in <em>Kimbriel </em>presented a stronger case for an injury-in-fact than the plaintiffs in <em>Beck,</em> “their asserted injuries are still too speculative to meet the ‘certainly impending’ threshold” necessary to support their claim.</p>
<p><strong>What The <em>Kimbriel</em> Decision Tells Us About Privacy Law</strong></p>
<p>We can expect other courts to adopt a similar analysis to that seen in <em>Kimbriel</em> as data breach cases continue to reach the courts.  Thankfully, not every data breach results in damage to the individuals that had their information compromised. This decision provides an important reminder that not every data breach results in damages.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/">Home On The Range: Recent Decision Addresses Range Of Data Breach Cases</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/home-on-the-range-recent-decision-addresses-range-of-data-breach-cases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are &#8220;Deepfakes&#8221; The Next Privacy Threat Facing Insurers And Insureds?</title>
		<link>https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds</link>
		<comments>https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/#comments</comments>
		<pubDate>Wed, 29 May 2019 13:46:54 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Deepfakes]]></category>
		<category><![CDATA[generative adversarial network]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1847</guid>
		<description><![CDATA[
<p>The current roster of threats&#8211;ransomware, phishing schemes and hacking&#8211;is well understood at this point. Of course, these threats are constantly evolving as we live in a world where criminals get bored quickly and need to move on. The newest privacy... <a class="more-link" href="https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/">Are &#8220;Deepfakes&#8221; The Next Privacy Threat Facing Insurers And Insureds?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The current roster of threats&#8211;ransomware, phishing schemes and hacking&#8211;is well understood at this point. Of course, these threats are constantly evolving as we live in a world where criminals get bored quickly and need to move on. The newest privacy threat may involve elaborately faked videos, called &#8220;deepfakes,&#8221; which may be used to disparage people. A manipulated <a href="https://www.cnn.com/2019/05/24/tech/deepfake-ai-one-photo/index.html" target="_blank">video of House Speaker Nancy Pelosi that recently went viral was slowed down to make it appear she was slurring her words</a> following a meeting with President Donald Trump. This incident was the first time the public came face to face with this new threat and how believable and potentially damaging these fake videos can be. Further, this technology has gone from being almost unknown to the public to a viable threat within months. While it is still unclear how this threat manifests, it is safe to assume that the public will be worried about this technology within the next few years and insurers should immediately begin considering how this threat may impact their insureds.</p>
<p>A recent Washington Post article entitled <em>Deepfakes Are Coming. We are Not Ready,</em> addresses recent technological developments that may ultimately impact privacy. First, the article provides <a href="https://www.washingtonpost.com/opinions/2019/05/14/deepfakes-are-coming-were-not-ready/?utm_term=.4a0ef1507e1d" target="_blank">the following overview of this growing threat</a>:</p>
<p><em>&#8220;Deepfakes are created by something called a “generative adversarial network”, or GAN. GANs are technically complex but operate on a simple principle. There are two automated rivals in the system: a forger and a detective. The forger tries to create fake content while the detective tries to figure out what is authentic and what is forged. Over each iteration, the forger learns from its mistakes. Eventually, the forger gets so good that it is difficult to tell the difference between fake and real content. And when that happens with deepfakes, those are the videos that are likely to fool humans, too.&#8221;</em></p>
<p>The <em>Washington Post</em> article relies on Hany Farid, a professor of computer science at Dartmouth College, to assess this growing threat:</p>
<p><em>&#8220;But, as Farid worries, perhaps the larger threat comes from the destruction of democratic accountability. “Because if it is, in fact, the case that almost anything can be faked well, then nothing is real.” Once deepfakes exist, politicians can pretend that any disqualifying behavior has actually been created by a neural network. As we’ve seen in the Trump era, with a highly polarized electorate, millions will believe what they are told by a politician they support, even when there is overwhelming evidence to the contrary.&#8221;</em></p>
<p>Beyond the potential impact on international relations and the electoral process, the implications this developing technology may have for private individuals are easily seen. As we have seen many times, a technology that starts out being used by the most tech-savvy government actors filters down to low-tech criminals. While still in its early stages, this technology is quickly (and unfortunately) becoming convincing. For example, a <a href="https://www.youtube.com/watch?v=p1b5aiTrGzY&amp;feature=youtu.be" target="_blank">video posted to YouTube</a> shows how this technology can be used to take a still picture of Marilyn Monroe or Albert Einstein and bring them to life.</p>
<p>It is not hard to imagine how this technology can be used to release a video that will make a person&#8217;s life difficult or be used to extort a ransom. Over the next few years, we can expect to see a number of unique legal questions concerning this technology.  For example, how will legal counsel advise the president of a corporation that has been targeted with a deepfake video?  Courts will immediately face issues as to how to authenticate all videos to allow them to become admissible evidence. And, in the same way insurers needed time to properly assess the risk posed by prior threats, insurers will face similarly difficult questions even if they decide to provide coverage for the damage done by deepfake videos. That is, how can an insurer be certain the video is indeed fake and, therefore, would trigger such coverage? It is not difficult to foresee the huge potential business interruption losses that could result from a deepfake video. While we may have some time before deepfake videos begin causing damage, we need to immediately begin considering these difficult questions before deepfake videos become a major threat.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/">Are &#8220;Deepfakes&#8221; The Next Privacy Threat Facing Insurers And Insureds?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/are-deepfakes-the-next-privacy-threat-facing-insurers-and-insureds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Neiman Marcus Case is Back and is Causing “Class Warfare”</title>
		<link>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-neiman-marcus-case-is-back-and-is-causing-class-warfare</link>
		<comments>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/#comments</comments>
		<pubDate>Thu, 20 Sep 2018 15:26:59 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[District Court]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[Neiman Marcus]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1661</guid>
		<description><![CDATA[
<p>The litigation resulting from the Neiman Marcus breach in 2013 continues to create interesting law and precedent.  The history on this matter is significant since Neiman’s breach exposed customers’ credit card numbers. This litigation has already created significant law on... <a class="more-link" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">The Neiman Marcus Case is Back and is Causing “Class Warfare”</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The litigation resulting from the Neiman Marcus breach in 2013 continues to create interesting law and precedent.  <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">The history on this matter is significant since Neiman’s breach exposed customers’ credit card numbers</a>. This litigation has already created significant law on the issue of what data breach plaintiffs <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/" target="_blank">need to show to establish standing</a> in federal cases. This litigation resurfaced on September 17, 2018 when the class action plaintiffs filed their motion to approve the award for attorney’s fees and other costs. Objectors, who were class members, challenged the plaintiffs’ motion through their own motions to decertify the class. The Court’s decision sheds new light on the requirements to certify a class of plaintiffs in data breach cases.</p>
<p>In reviewing the motions to decertify the class, the District Court for the Northern District of Illinois held a class cannot be certified if the class members have “impermissible intra-class conflicts.” It is well settled that “[a] single class cannot be fairly or adequately represented by the named plaintiffs and class counsel if members of the class have antagonistic or conflicting claims.” In short, this decision provides one of the best examples of how courts may address the varying interests of plaintiffs in data breach class action lawsuits.</p>
<p>To approach the question of whether the plaintiffs in <em>Neiman</em> had divergent interests, the Court first addressed the fact that the class action plaintiffs had varying degrees of involvement in the Neiman data breach.  Specifically, the Court divided the class members into the following three groups based on where they fell in the “malware period” (the period within which the malware was operating):</p>
<ul>
<li>Those who made purchases during the time range within which the malware was operating;</li>
<li>Those who made purchases during the malware period and while the malware was active at the location of their purchase; and</li>
<li>Those who made purchases outside the malware period.</li>
</ul>
<p>After breaking the class plaintiffs into groups, the Court found the first two groups presented the fewest problems for class certification, or in other words, they had sufficiently similar interests to be members of the same class.  Even though the Court found the first two groups had similar interests, the Court still found a slight “disparity of interests” between these first two classes to the extent the first group, who had their information taken, was at odds with the second group, who both had information taken in the breach while the malware was active.  The Court further noted that this disparity in interests made the parties’ settlement “suspect” when there was a requirement for class members to opt in before knowing if their information was at risk.  This aspect of the settlement did not sit well with the Court since it may force some class members to undertake unnecessary efforts when they cannot be certain that their information was compromised.  Given these issues, the Court reluctantly found the parties’ settlement involving the first two groups to be supported by law when “the class representatives and class counsel had equal incentive to represent the interests of all class members who made a purchase within the malware period.”</p>
<p>While the first two groups may have made the settlement in <em>Neiman</em> suspect, the Court found that including the third group, made up of individuals who made purchases outside the malware period, destroyed the class certification. These individuals knew from the outset of litigation that the malware was not active at the time of their purchases and, therefore, they had divergent interests from the first two classes when they had “no chance of monetary recovery.”</p>
<p>Based on these divergent interests between class members, the court decertified the class in the <em>Neiman</em> litigation and the motions to approve the settlement were denied.</p>
<p>The Court’s decision in <em>Neiman</em> may create another hurdle for plaintiffs in addition to surviving motions to dismiss.  Questions related to damages sustained by class action plaintiffs have always been closely scrutinized by courts.  Under this reasoning, class action plaintiffs will also need to show the class representatives have an incentive to represent the interests of every member of the class.</p>
<p>Please reach out to <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> for a copy of the Memorandum Opinion And Order issued on September 17, 2018.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/">The Neiman Marcus Case is Back and is Causing “Class Warfare”</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-neiman-marcus-case-is-back-and-is-causing-class-warfare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are Cyber Insurance Policies Being &#8220;Spoofed&#8221; by Recent Computer Fraud Decisions?</title>
		<link>https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions</link>
		<comments>https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/#comments</comments>
		<pubDate>Thu, 23 Aug 2018 16:42:17 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>
		<category><![CDATA[Second Circuit]]></category>
		<category><![CDATA[Sixth Circuit]]></category>
		<category><![CDATA[Spoofing]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1611</guid>
		<description><![CDATA[
<p>Courts have generally defined “spoofing” as “the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it did not originate.  Spoofing involves placing in the ‘from’ or ‘reply-to’ lines, or in... <a class="more-link" href="https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/">Are Cyber Insurance Policies Being &#8220;Spoofed&#8221; by Recent Computer Fraud Decisions?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Courts have generally defined “spoofing” as “<em>the practice of disguising a commercial e-mail to make the e-mail appear to come from an address from which it did not originate.  Spoofing involves placing in the ‘from’ or ‘reply-to’ lines, or in other portions of e-mail messages, an email address other than the actual sender’s address, without the consent or authorization of the user of the e-mail address whose address is spoofed</em>.”  <em>Karvaly v. eBay Inc</em>., 245 F.R.D. 71, 91 n. 34 (E.D.N.Y. 2007).  This summer we have seen two important decisions related to whether “spoofing” incidents trigger coverage under computer crime insurance. First, on July 6, 2018, the Second Circuit in <em>Medidata Solutions Inc. v. Fed. Ins. Co</em>., 729 Fed. Appx. 117 (2d Cir. 2018), held a criminal’s manipulation of an insured’s email system triggered coverage under a computer crime policy.  A week later, the Sixth Circuit in <em>American Tooling Center, Inc. v. Travelers Cas. And Surety Co. of America</em>, 895 F.3d 455 (6<sup>th</sup> Cir. July 13, 2018), held a spoofing scam that caused the insured to wire money to a fraudulent bank account also triggered coverage under a computer crime policy.  These cases, which hinge on the use of a computer to commit fraud, <a href="https://www.regitzmauck.com/july-was-a-great-month-for-cyber-insureds/" target="_blank">are quickly becoming misunderstood as directly impacting the cyber insurance marketplace.</a></p>
<p>The recent discussion surrounding these cases is confusing to the extent that courts have been analyzing computer crime coverage cases involving spoofing for quite some time.  For example, in <em>Apache Corp. v. Great American Ins. Co</em>., 662 Fed. Appx. 252 (2016) (unpublished), the Federal Court for the Southern District of New York held there was no insurance coverage under a computer crime policy for a $2.4 million loss caused by an insured following a fraudulent website link to a fraudulent bank account. This fraud was put in motion with a phone call to the insured from a person claiming to be a vendor requesting payments be sent to a new bank account.  The insured told the person that the change could not be made without a formal request on the vendor’s letterhead. A week later the insured received an email on what appeared to be the vendor’s letterhead providing information on the new bank account for money to be wired. The spoofing scheme worked and the insured did not figure out it was sending its payments to a fraudulent bank account until a significant amount of money had been sent.</p>
<p>The computer fraud policy at issue in <em>Apache</em> provided coverage “for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property….”  The insurer denied coverage for this claim because the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.”  Ultimately, the <em>Apache</em> court found the use of email in a fraud scheme that included telephone calls and forged letterhead was not covered under the computer fraud coverage because:</p>
<p>&#8220;[t]he email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process, would…convert the computer-fraud provision to one for general fraud.&#8221;</p>
<p>While the <em>Apache</em> court found a computer did not play a significant enough role in the spoofing scheme, this case demonstrates the significant precedent related to spoofing claims under computer fraud coverage. The most recent decisions out of the Second Circuit and Sixth Circuit merely build on this body of law in the following manner:</p>
<div id="attachment_1626" class="wp-caption aligncenter" ><a href="https://privacyriskreport.com/wp-content/uploads/2018/08/Build-Out-of-Recent-Decisions-of-Second-and-Sixth-Circuit-Pg.1.jpg" target="_blank"><img class="wp-image-1626 size-large" src="https://privacyriskreport.com/wp-content/uploads/2018/08/Build-Out-of-Recent-Decisions-of-Second-and-Sixth-Circuit-Pg.1-1024x791.jpg" alt="" width="676" height="522" /></a><p class="wp-caption-text">Click image to view chart in full-screen mode.</p></div>
<div id="attachment_1627" class="wp-caption aligncenter" ><a href="https://privacyriskreport.com/wp-content/uploads/2018/08/Build-Out-of-Recent-Decisions-of-Second-and-Sixth-Circuit-Pg.-2.jpg" target="_blank"><img class="wp-image-1627 size-large" src="https://privacyriskreport.com/wp-content/uploads/2018/08/Build-Out-of-Recent-Decisions-of-Second-and-Sixth-Circuit-Pg.-2-1024x791.jpg" alt="" width="676" height="522" /></a><p class="wp-caption-text">Click image to view chart in full-screen mode.</p></div>
<p>While the Second Circuit does not directly address the <em>Apache</em> decision in <em>Medidata</em>, the underlying decision of the District Court for the Southern District of New York rejected the insurer’s arguments based on the reasoning in <em>Apache</em> because “[t]he underlying fraud in <em>Apache</em> was achieved through a muddy chain of events.”  <em>See, Apache Inc. v. Fed. Ins. Co</em>., 268 F. Supp. 3d 471 (2017).  That is, the District Court held <em>Apache</em> is distinguishable because, in addition to a computer, the criminals used phone calls, spoofed emails, and falsified documents. While this line of cases shows how courts address spoofing claims under computer crime policies, these cases provide no guidance in interpreting cyber policies that do not contain computer fraud coverage.</p>
<p>There are subtle differences between all the spoofing cases. However, the one consistent trait is that there is a computer fraud policy at issue rather than a cyber policy in each of these cases. This is not a point to be overlooked. For example, the <em>Medidata</em> court rejected the insurer’s position that the policy was limited “to only hacking-type intrusions.”  Moreover, the insured conceded “that no hacking occurred.”  On the other hand, most cyber policies are intended to only provide coverage for losses and liability caused by “hacking-type intrusions.”  Consequently, the reach of these recent spoofing cases is limited to policies that provide computer fraud coverage.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/">Are Cyber Insurance Policies Being &#8220;Spoofed&#8221; by Recent Computer Fraud Decisions?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/are-cyber-insurance-policies-being-spoofed-by-recent-computer-fraud-decisions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
