<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; privacy</title>
	<atom:link href="https://privacyriskreport.com/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</title>
		<link>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm</link>
		<comments>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/#comments</comments>
		<pubDate>Tue, 23 Feb 2021 20:56:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[Delaware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Risk Report]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2224</guid>
		<description><![CDATA[
<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to... <a class="more-link" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/">No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is that plaintiffs do not have to allege any actual injury or adverse effect. That is, since the Illinois Supreme Court’s decision in <em>Rosenbach v. Six Flags Ent. Corp</em>., 432 Ill. Dec. 654, 129 N.E.3d 197 (Ill. 2019), Illinois courts have found plaintiffs have standing to bring cases with nothing more than the mere allegation of a technical violation of BIPA. These cases have survived motions to dismiss despite no allegations of identity fraud or theft of private biometric information. Of course, outside of Illinois BIPA cases, courts still require plaintiffs to at least allege harm resulting from a privacy incident to survive a motion to dismiss.</p>
<p>A recent example of a privacy dispute requiring allegations of damage to survive a motion to dismiss is seen in the <strong>unpublished</strong> decision <em>Abernathy v. Brandywine Urology Consultants, P.A</em>., 2021 WL 211144 (Del. 2021). The privacy incident in <em>Abernathy</em> resulted from a ransomware attack on Brandywine’s computer network that contained sensitive patient data and medical records needed for the operation of the medical clinic. For some reason, there was no attempt to collect a ransom. A group of Brandywine patients filed a class-action lawsuit.</p>
<p>The <em>Abernathy</em> court found the following information to be important about the privacy incident:</p>
<ul>
<li>Brandywine took immediate steps to notify its patients of the attack by issuing a Notice of Potential Data Breach.</li>
<li>The Notice informed patients “that it was possible, though [Brandywine] believed that it was unlikely,’ that their personal information and financial information was compromised.”</li>
<li>The Notice also stated that Brandywine would keep patients informed of “the results of its ongoing investigation.”</li>
</ul>
<p>The class-action plaintiffs who filed suit against Brandywine alleged the privacy incident resulted from Brandywine’s negligence, along with a number of other causes of action. Brandywine filed a motion to dismiss the complaint, arguing the plaintiffs lacked standing to bring the class action. In particular, Brandywine argued that plaintiffs failed to allege an injury in fact and that any alleged injuries could not be traced back to Brandywine. As seen in many “standing” cases, plaintiffs took the position they sustained an injury from the following “harms”: (1) imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to plaintiff’s medical care.</p>
<p>In granting Brandywine’s motion to dismiss, the Court provided the following analysis on whether the plaintiffs suffered an injury. First, while Delaware courts had not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact, the <em>Abernathy</em> Court looked to a number of federal court decisions holding a plaintiff lacks standing to sue a party that failed to protect data. These courts held there was no standing absent proof of actual misuse or fraud.  The <em>Abernathy</em> Court further noted that the Notice sent to Brandywine’s patients “stated there was a <em>possibility</em> that personal and financial information was compromised during the attack.” This Notice was found by the Court to not be a “concession of a plausible, concrete, imminent, or certain threat.”</p>
<p>Additionally, the <em>Abernathy</em> Court held the response to the attack was proper and found Brandywine “appeared to take swift and appropriate measures to investigate and mitigate the data breach.” The Court made it clear that Brandywine should not be punished for sending out the Notice. This conduct, informing individuals quickly about a potential privacy issue, should be encouraged. (“The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”)</p>
<p>In conclusion, the <em>Abernathy</em> Court granted Brandywine’s motion to dismiss because plaintiffs “failed to allege that any of them have been victims of any actual harm stemming from the attack.  As almost a year has now passed without any harm occurring, it appears unlikely that plaintiffs would be harmed in the near future.”</p>
<p>The <em>Abernathy</em> decision offers a useful reminder that plaintiffs, outside of BIPA litigation, will need to show that real harm resulted from a privacy incident. It also shows how a data collector can control the situation even after a security incident by having a good response plan in place and ready to go. The <em>Abernathy</em> Court may not have been willing to side with Brandywine if it was shown that Brandywine lacked a reasonable response or failed to keep its patients informed of the steps taken in response to the ransomware attack. This decision provides even more reason to have a proper response plan in place.</p>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-harm-no-foul-delaware-court-dismisses-privacy-case-when-plaintiffs-cannot-show-harm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic</title>
		<link>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic</link>
		<comments>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/#comments</comments>
		<pubDate>Tue, 17 Nov 2020 16:49:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[PRR]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[student data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2206</guid>
		<description><![CDATA[
<p>While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that require more obligations. ... <a class="more-link" href="https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/">Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to the various obligations on all data collectors, schools hold sensitive information belonging to children that carries additional obligations. Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. <a href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/" target="_blank">Further, many schools are facing new state laws requiring that more steps be taken to protect student data</a>. The last thing schools need right now is an increase in ransomware attacks.</p>
<p>Of course, while many people have concerns and are grateful for schools during this time, hackers see opportunity. Namely, a number of new reports indicate that schools are facing a substantial increase in ransomware attacks targeting them specifically. For example, on November 13, 2020, <a href="https://www.wsj.com/articles/my-information-is-out-there-hackers-escalate-ransomware-attacks-on-schools-11605279160#comments_sector" target="_blank">the Wall Street Journal addressed the uphill battle facing schools in an article titled, &#8220;<em>Schools Struggling to Stay Open Get Hit by Ransomware Attacks</em></a>.&#8221; This article examines a recent incident at a school district in Athens, Texas. As seen with many ransomware incidents, the technology chief for Athens schools, Tony Brooks, recalls one fateful day when he was contacted by school district employees reporting they could not log onto their computers. Of course, when he tried to log onto his computer, Mr. Brooks found a message stating: “All your important files are encrypted.”</p>
<p>Mr. Brooks immediately began negotiating with the hackers and, as commonly seen, he learned his school district’s hackers wanted to be paid in bitcoin. Ultimately, Mr. Brooks was able to cut off negotiations with the hackers before any payment was made when the school district came across a backup server holding the same information as the server compromised by the ransomware attack.</p>
<p>While the ransomware attack profiled in the Wall Street Journal merely cost Mr. Brooks’ school district substantial time in negotiating with the hackers and finding a fix short of paying the ransom, this situation makes it clear that school districts should not rely on luck to protect student data.</p>
<p>Another recent article, published on November 14, 2020, in the <em>Las Cruces Sun-News</em> entitled, &#8220;<a href="https://www.lcsun-news.com/story/news/education/lcps/2020/11/14/las-cruces-public-schools-what-ransomware-attack-taught-us/6296955002/" target="_blank">One Year Later: What the Ransomware Attack Taught Us About A Crisis</a>&#8221; provides a first-hand account of the devastating effect a ransomware attack can have on a school district. The author, Karen Trujillo, the Las Cruces School District superintendent, recalled a ransomware attack that hit her school district a year ago:</p>
<p><em>There is a day in our district’s history that will be etched in the minds of Las Cruces Public Schools for quite some time. It was Oct. 29, 2019. I had been on the job as the interim superintendent for about two months when, in a matter of hours, our entire digital infrastructure at LCPS was swept away.</em></p>
<p><em>Our IT director, Matt Dawkins, got a call around 7 a.m. that one of our employees was having trouble gaining access to the server. “It’s ransomware,” Matt said. By 7:30 a.m., it was confirmed that 90 percent of our server systems were crippled. Our financial systems, student information, printers — all data storage was out of reach.</em></p>
<p>In addition to teachers losing all access to the technological tools they had grown accustomed to using to teach, Ms. Trujillo faced a number of significant burdens, including:  “Matt’s team of 21 people worked 18-hour days through Thanksgiving, Christmas and beyond, scrubbing more than 30,000 devices that needed to be rebuilt.” And, despite having to go through a terrible experience, Ms. Trujillo sees a silver lining in suffering a ransomware attack:</p>
<p><em>We thought the ransomware attack was our disaster for the year, but just when we started to rise from the ashes, the global pandemic thrust us into another crisis. It was as if the ransomware was a trial run for the situation we are in now. We were able to flip the switch from children in classrooms to remote learning in a weekend, rather than months. We went from no technology for learning to only technology for learning. The new devices we ordered during ransomware arrived just in time to get them in the hands of students who needed them. A year later, we understand the reality of cyberattacks, and — as a global pandemic — we know that no one is immune. Since then, we have installed firewalls, updated our systems, invested in our teachers and improved our infrastructure so we can protect ourselves. As we navigate through this pandemic, we use what we learned during the ransomware attack to handle the current crisis.</em></p>
<p>Interestingly, the WSJ article found the “[a]verage ransom payments across all industries have climbed in recent years, to $233,817 in the third quarter of this year from $41,198 a year earlier.”  And, the amount demanded as a ransom is expected to continue to rise.  It is now clear that school districts must make preparing for ransomware attacks a priority. And, if there was not enough of an incentive already to prepare for a ransomware attack, <a href="https://privacyriskreport.com/this-summer-provides-a-unique-opportunity-for-student-data-privacy/" target="_blank">Illinois schools must be ready to implement additional steps by July 1, 2021, to meet the amended Student Online Personal Protection Act (“SOPPA”) requirements</a>.</p>
<p>In order to effectively protect employee and student data, schools must have answers to at least the following questions:</p>
<ul>
<li>Is the school district prepared for a ransomware attack?
<ul>
<li>Would the school district pay the ransom?</li>
<li>How much would the school district be willing to pay for a ransom?</li>
<li>Where does the school district get bitcoin to pay a ransom?</li>
<li>Can the school district continue to teach while information is encrypted?</li>
<li>Does the school district have insurance that covers a ransomware event?</li>
</ul>
</li>
<li>What third-party vendors is the school district providing student data to?</li>
<li>What third-party vendors are teachers providing student data to?</li>
<li>What safeguards do third-party vendors have in place to protect student data?</li>
<li>Does the school district have insurance for a ransomware event at a vendor?</li>
<li>Are there any state laws that give rise to requirements in the school district?</li>
<li>Who in the school district will respond to students’ and parents’ questions about an incident?</li>
</ul>
<p style="text-align: center;">For more information about this article, contact Todd Rowe, working at home, of course, at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/hackers-see-opportunity-in-attacking-schools-as-they-teach-through-a-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA</title>
		<link>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa</link>
		<comments>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/#comments</comments>
		<pubDate>Fri, 10 Apr 2020 14:55:32 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[BIPA]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Schools]]></category>
		<category><![CDATA[SOPPA]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2100</guid>
		<description><![CDATA[
<p>One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about... <a class="more-link" href="https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/">The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.</p>
<p>On April 2, 2020, <a href="https://www.docketalarm.com/cases/California_Northern_District_Court/5--20-cv-02257/H.K._et_al_v._Google_LLC/1/" target="_blank">a class-action lawsuit was filed in the District Court for the Northern District of California entitled <em>H.K. and J.C., through their legal guardian Clinton Farwell v. Google, LLC</em>, 20-CV-2257 NC (N.D. Cal. 2020)</a> which brings issues related to data gathered from students during e-learning front and center. Allegations that “Google has infiltrated the primary and secondary school system in this country by providing access to its ‘Chromebook’ laptops, which come pre-installed with its ‘G-Suite for Education’ platform…to over half of the nation’s schoolchildren, including those in Illinois, most of whom are under the age of 13” form the basis of this Class Action Complaint. (<em>See</em> Complaint at ¶ 6). In general, the minor plaintiffs in <em>H.K.</em> claim “[t]hese Google-manufactured and provided laptops come equipped with Google’s ‘G Suite for Education’ platform, which requires the children using it to speak into a microphone on the laptop that records their voices and look into a camera on the laptop that scans their faces.”(<em>See</em> Complaint at ¶ 46).</p>
<p>In providing the factual background for their claims, the minor plaintiffs in <em>H.K.</em> assert “Google provides its ‘Chromebook’ laptops to grade schools, elementary schools and high schools nationwide, who in turn make these computing devices available for use by children who attend their schools.” (<em>See</em> Complaint at ¶ 33). The Complaint alleges that Google collects the following student information through this program:</p>
<ul>
<li>The student’s physical location;</li>
<li>The websites visited by each student;</li>
<li>Every search term used by the student in Google’s search engines;</li>
<li>Every video watched by the student on the device;</li>
<li>The student’s personal contact lists;</li>
<li>Voice recordings;</li>
<li>Saved passwords; and</li>
<li>“Other behavior information.”</li>
</ul>
<p>The Complaint in <em>H.K.</em> has allegations that Google collects students’ “voiceprints” and face images. (<em>See</em> Complaint at ¶ 38). Next, the Complaint asserts “Google uses the voiceprints and face templates it collects to, <em>inter alia</em>, identify and track the children who its Chromebook laptops and the “G Suite for Education” platform that comes installed on them.”  (<em>See</em> Complaint at ¶ 38). Further, the minor plaintiffs allege “[t]he unique voiceprints and face templates that Google has collected from children in Illinois and across the country are not only used by Google to identify children by name, they are also used by Google to recognize…gender, age and location.” (<em>See</em> Complaint at ¶ 40).</p>
<p>As for the specific allegations by the minor plaintiffs in <em>H.K</em>., the Complaint alleges that H.K and J.C. were Illinois residents, under the age of 13 years old, when they used Google’s G Suite for Education platform in their elementary school located in Bushnell, Illinois. (<em>See</em> Complaint at ¶ 10). Further, the Complaint alleges that neither minor “was asked for verifiable or written parental consent authorizing Google extraction, collection, storage and use of their personal and uniquely identifying ‘biometric identifiers’ or ‘biometric information’…”</p>
<p>Based on these allegations, the plaintiffs in <em>H.K.</em> claim Google violated the Illinois Biometric Information Protection Act (“BIPA”) and the federal Children’s Online Privacy Protection Act (“COPPA”) in the following manner:</p>
<ul>
<li>The Complaint in <em>H.K.</em> states that Illinois enacted <strong>BIPA</strong> in 2008 to protect Illinois’ citizens’ biometric data which prohibits the collection or use of this information without providing notice to the individual and places a number of requirements on data collectors. (<em>See</em> Complaint at ¶ 17). The plaintiffs claim Google violated BIPA with its “practices of collecting, storing and using biometric identifiers and information from school children in Illinois without the requisite informed written consent…” (<em>See</em> Complaint at ¶ 19). Simply, plaintiffs in <em>H.K</em>. claim Google collected this information without obtaining parental consent. (<em>See</em> Complaint at ¶ 41). Based on these allegations the minor plaintiffs claim Google violated BIPA in their first cause of action.</li>
</ul>
<p>Here, we may see Google argue that it is not subject to BIPA as a manufacturer of Chromebooks. BIPA lawsuits against the manufacturers of biometric equipment have not seen much success. In the recent case <em>Bray v. Lathem Time Co.</em>, 19-cv-3157 (C.D. Ill. March 27, 2020), Bray sued not only his former employer but also Lathem, the company that designed and sold biometric-based timekeeping systems to employers to track time worked by hourly employees. “Lathem claims BIPA was not designed to apply to third-party technology vendors like itself. Although BIPA may give Bray a cause of action against his employer, Hixson—which he is pursuing in a separate action in state court—it does not give him a claim against Lathem.” Consequently, the District Court&#8217;s reasoning in <em>Bray</em> makes it more difficult to sue manufacturers of the equipment that collects biometric data.</p>
<ul>
<li>The Complaint in <em>H.K.</em> states that the federal government enacted <strong>COPPA</strong> in 1999 after “recognizing the vulnerability of children in the Internet age.” (<em>See</em> Complaint at ¶ 20). “Under COPPA, developers of child-focused applications like Google’s ‘G Suite for Education’ service cannot lawfully obtain the personally identifiable information of children under 13 years of age without first obtaining verifiable consent from their parents.”</li>
</ul>
<p>Privacy issues related to “e-learning” are developing at a rapid pace.  For example, on April 9, 2020, the Federal Trade Commission took a position that undercuts the plaintiffs’ assertions in <em>H.K.</em> that Google violated COPPA. <a href="https://www.consumer.ftc.gov/blog/2020/04/remote-learning-and-childrens-privacy" target="_blank">In her blog post on the FTC’s website</a>, Lisa Weintraub Schifferle wrote it was the FTC’s position that schools can consent to the collection of information for educational purposes:</p>
<p><strong>If your child’s school is providing remote learning: </strong>Under COPPA, schools can consent on behalf of parents to the collection of student personal information by educational technology services. If your school has consented, then the service may only use that information for educational – not commercial – purposes. If you have questions about a service’s privacy and security practices, first review its online privacy notice. If you still have questions, consider asking your school. Remember, please, to be patient with your child’s school, as many schools are working hard to implement distance learning and may not be able to respond quickly. If you’d like to learn more, check out the U.S. Department of Education’s Student Privacy Policy Office’s new guidance on the Family Educational Rights and Privacy Act (FERPA) – “<a href="https://studentprivacy.ed.gov/resources/ferpa-and-virtual-learning-during-covid-19" target="_blank">FERPA and Virtual Learning</a>.”</p>
<p>Schools and educational technology companies can expect these privacy issues to become more prevalent once “brick and mortar” schools reopen. Further, in addition to seismic changes in this technology, schools will also need to monitor changes in the law. For example, the Illinois legislature recently amended the <a href="https://privacyriskreport.com/the-adoption-of-soppa-may-provide-a-tough-lesson-for-schools-that-fail-to-comply/" target="_blank">Illinois Student Online Personal Protection Act (&#8220;SOPPA&#8221;)</a>, setting forth an extensive list of requirements that schools must implement by July 1, 2021.</p>
<p style="text-align: center;">For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/">The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-abcs-of-privacy-law-new-lawsuit-provides-glimpse-of-privacy-issues-for-e-learning-in-schools-under-coppa-bipa-and-soppa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</title>
		<link>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-security-during-coronavirus-pandemic</link>
		<comments>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/#comments</comments>
		<pubDate>Thu, 26 Mar 2020 18:37:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coronavirus]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2077</guid>
		<description><![CDATA[
<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the... <a class="more-link" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic.  A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.</p>
<p>While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. <a href="https://www.forbes.com/sites/heathermcgowan/2020/03/23/the-coronavirus-pandemic-accelerates-the-future-of-work-and-provides-opportunity/#5c1d28f3317f" target="_blank">Commentators have already offered the following concerning the new workplace</a>:</p>
<p><em>If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about <a class="color-link" title="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" href="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" target="_blank" rel="nofollow noopener noreferrer" data-ga-track="ExternalLink:https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity">VUCA (volatile, uncertain, complex, and ambiguous)</a> environments, we are finally and undoubtedly facing one.  In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancelations, business shutdowns, and work from home mandates. JPMorgan, AT&amp;T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion. </em></p>
<p><em>Coronavirus, it turns out, might be the great catalyst for business transformation. </em></p>
<p>Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy.  The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.</p>
<ol>
<li><strong>The Pandemic May Provide Opportunities For Hackers</strong></li>
</ol>
<p>While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:</p>
<ul>
<li>We are in a pandemic caused by the novel coronavirus;</li>
<li>In response to the pandemic, people are working from home and transferring information without the security measures found in the workplace;</li>
<li>The pandemic has created turmoil in the world’s financial and employment markets; and</li>
<li>Workers are not feeling secure, which may lead to snap decisions.</li>
</ul>
<p>Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers.  Data collectors may want to take the following approach in the coming weeks:</p>
<ul>
<li><strong>Protect data transfers</strong>. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key.  Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.</li>
<li><strong>Prepare for outages.</strong> There are new limitations on communicating with a remote workforce.  Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.</li>
<li><strong>Think about permanent solutions for the new workplace</strong>. The remote workforce will be able to return to their traditional workplaces at some point.  Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.</li>
</ul>
<p>Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic.  German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Liefrando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.”  <a href="https://nationalcybersecurity.com/ddos-attack-targets-german-food-delivery-service/" target="_blank">Commentators warn this may not be the end of cyber attacks</a>:</p>
<p><em>Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.</em></p>
<p>Clearly, this will be a continuing threat over the next few weeks.</p>
<ol start="2">
<li><strong>The Pandemic May Cause Privacy Regulations To Get Dialed Back.</strong></li>
</ol>
<p>A couple of months ago, businesses, insurers and governments were starting to get the hang of this privacy thing.  Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”).  (By the way, a number of organizations are now calling for the delay of the enforcement of the CCPA: <a href="https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/">https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/</a>)  That was, of course, until the coronavirus pandemic sent workers home.</p>
<p>Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and the data is used by millions of workers that have moved offsite.  After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.</p>
<p>If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data storage and collection.  Looking at case law may fill the void left by relaxed deadlines and requirements.  For example, data collectors may look to decisions such as the March 26, 2018 opinion in <em>Hopper v. Schletter Inc</em>., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in <em>Hopper</em>, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.</p>
<p>Further, the facts giving rise to the incident in <em>Hopper</em> are instructive for remote workplaces.  On April 19, 2016, the defendant in <em>Hopper</em>, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence, breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.</p>
<p>The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end.  Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information</title>
		<link>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information</link>
		<comments>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/#comments</comments>
		<pubDate>Fri, 20 Sep 2019 19:15:58 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1930</guid>
		<description><![CDATA[
<p>For a number of years, it has been clear that data collectors face a patchwork of privacy regulations that may give rise to contradictory obligations. A recent case involving the disclosure of private information of student loan borrowers provides one of... <a class="more-link" href="https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/">A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">For a number of years, it has been clear that data collectors face a patchwork of privacy regulations that may give rise to contradictory obligations</a>. A recent case involving the disclosure of private information of student loan borrowers provides one of the first examples of how courts may deal with situations where a data collector has competing obligations related to the same private data.</p>
<p>As a servicer of federal student loans, the Pennsylvania Higher Education Assistance Agency (“PHEAA”) found itself torn between the Connecticut Department of Banking (“Department of Banking”), its <strong>state</strong> regulator, and the United States Department of Education (“Department of Education”), its <strong>federal</strong> regulator and the agency that hired it to service the loans.</p>
<p><strong>Caught Between A Rock And Hard Place…</strong></p>
<p>PHEAA describes itself as being “between a rock and a hard place”: the Department of Banking demanded that PHEAA produce all records containing private information of Connecticut residents with federal student loans serviced by the PHEAA, while the Department of Education expressly prohibited PHEAA from releasing those same records to the Department of Banking. Consequently, the PHEAA faced the difficult question of whether federal law preempted the conflicting Connecticut law under which the Department of Banking threatened to revoke PHEAA’s license. Simply, PHEAA was damned if it released the information and damned if it did not.</p>
<p><strong>Questions Related To Preemption Between State And Federal Laws </strong></p>
<p>In addition to its federal guidelines, the PHEAA also serviced student loans under a license issued by the Department of Banking to service student loans in Connecticut. To maintain its license, the PHEAA had to follow Connecticut state law. At some point, PHEAA received a letter from the Department of Banking demanding a review of information related to certain student loans serviced by PHEAA. As part of this review, the Department of Banking requested various documents including a “Student Loan Servicer Management Questionnaire and Information Request” seeking “borrower-specific information, including borrower complaints.” After going back and forth with PHEAA and the Department of Education, the Department of Banking sent PHEAA a letter stating PHEAA’s failure to produce the requested documents “constitute[s] grounds to revoke PHEAA’s student loan servicer license in Connecticut…”</p>
<p>On the federal side, the Department of Education contracts with third-party servicers – like PHEAA – to service “Direct Loans” the Department of Education issues. The Department of Education works to regulate loan servicers through contracts requiring compliance “with federal and Education records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974.”  Upon hearing of the Department of Banking request, the Department of Education provided “an express directive that PHEAA was prohibited under federal law from releasing any data or documentation” that was requested by the Department of Banking.</p>
<p>In response to this overlap in competing laws, the Federal District Court for the Eastern District of Pennsylvania stated the initial question as “What to do?” PHEAA filed an interpleader action entitled <em>Pennsylvania Higher Education Assistance Agency v. Perez</em>, No. 3:18-cv-1114 (MPS) (Sept. 13, 2019). More particularly, PHEAA requested the District Court “to require [the Department of Banking and the Department of Education] to fight out between themselves the issue whether federal law preempts the [Department of Banking’s] document demand—and a declaratory judgment on the preemption issue.” PHEAA sought interpleader relief under Federal Rule of Civil Procedure 22 and, in the alternative, declaratory relief to determine if the competing state and federal laws preempted each other.</p>
<p><strong>&#8220;What To Do?”</strong></p>
<p>The Department of Education filed a motion to dismiss all claims against it. The District Court granted the motion in part (dismissing the interpleader claim) and denied it in part (as to the joinder claims), in what became a complex procedural analysis of the seemingly simple question of what PHEAA should do.</p>
<p><strong>No Answer Under Interpleader Statute</strong></p>
<p>Under the first count in its complaint, the PHEAA seeks relief under Federal Rule of Civil Procedure 22, which provides “Persons with claims that may expose a plaintiff to double or multiple liability may be joined as defendants and required to interplead.”  Here, the District Court held Fed. R. Civ. P. 22 provides no relief to the PHEAA because:</p>
<p><em>“PHEAA faces conflicting demands not from a single obligation, but from multiple obligations. Interpleader is not appropriate where a party ‘has inconsistent duties to separate parties under two separate, but related, agreements, and may have breached one agreement by complying with duties under the other.’”</em></p>
<p>Based on this reasoning, the District Court granted the Department of Education’s motion to dismiss the interpleader claim.</p>
<p><strong>An Answer Under The Joinder Statute</strong></p>
<p>The District Court did not leave the PHEAA without any remedy when it found “joinder under <a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000600&amp;cite=USFRCPR19&amp;originatingDoc=Id750ddb0d85d11e9b449da4f1cc0e662&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)">Rule 19</a> provides PHEAA another avenue through which it can obtain the core relief it seeks.”  In particular, the District Court found the PHEAA may get the answer it needed through Federal Rule of Civil Procedure 19, which addresses compulsory party joinder in federal district courts. Fed. R. Civ. P. 19 states in relevant part that a party must be joined if “in that person’s absence, the court cannot accord complete relief among existing parties.” First, the District Court found the Department of Education should be joined because it sent “various communications about it directly to PHEAA” concerning the disclosure of information sought by the Department of Banking. This made it clear that the Department of Education had an interest in the outcome of this litigation.</p>
<p>Next, the District Court held the Department of Education should be joined in order to avoid a situation where “PHEAA [was] subject to a substantial risk of incurring double, multiple, or otherwise inconsistent obligations.” On this point the District Court offered the following reasoning:</p>
<p><em>…If the state laws under which the [Department of Banking] is seeking documents from PHEAA are found not to be preempted and the Federal Defendants are not made parties, then they may choose to ignore this Court’s judgment on the preemption issue. There would be no obstacle to their bringing a breach-of-contract claim against PHEAA or terminating their contract with PHEAA on the ground that PHEAA had violated federal law by complying with the [Department of Banking’s] document request. If they took these steps, they would put PHEAA “between the proverbial rock and a hard place,” forcing PHEAA to choose between complying with state law in accordance with a non-preemption determination made by this Court and complying with the inconsistent obligation set out in its contract with Education (and possibly an inconsistent judgment in litigation initiated by Education). If they are joined as defendants under </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000600&amp;cite=USFRCPR19&amp;originatingDoc=Id750ddb0d85d11e9b449da4f1cc0e662&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>Rule 19</em></a><em>, then, while a judgment by this Court of non-preemption could not order them to perform, or refrain from performing, any acts, it would bind them for purposes of res judicata, preclude them from bringing a collateral challenge to the judgment, and furnish a preclusion defense to PHEAA in any lawsuit by [the Department of Education] to terminate the contract. Disposing of the action in the Federal Defendants’ absence may thus leave PHEAA subject to a substantial risk of incurring inconsistent obligations.</em></p>
<p>Based on this reasoning, the District Court denied the Department of Education’s motion to dismiss, thereby allowing PHEAA’s case to proceed beyond the early pleadings stage.</p>
<p><strong>The Development Of This Case Will Provide Insight To Data Collectors</strong></p>
<p>After sifting through the complex procedural issues, the central question before the District Court is what a data collector should do when it faces contradictory state and federal regulations. The problem presented by inconsistent laws will undoubtedly increase as more federal, state, local and industry standards develop regulating the same information held by data collectors. Consequently, if data collectors face inconsistent guidelines, either legislators will need to harmonize the laws before they are adopted or the courts will need to harmonize them afterward.</p>
<p>Of course, we will continue to monitor this case to see how the court decides the preemption issues.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Than Just A Confusing Law? Defendant Argues Illinois’ Biometric Law Is Unconstitutional</title>
		<link>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional</link>
		<comments>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/#comments</comments>
		<pubDate>Fri, 23 Aug 2019 15:11:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BIPA; biometric data]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1918</guid>
		<description><![CDATA[
<p>There is little dispute that the Illinois Biometric Information Protection Act (“BIPA”) is a unique privacy law to the extent that it creates a private cause of action for any failures to notify individuals before their biometric information is collected... <a class="more-link" href="https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>There is little dispute that the Illinois Biometric Information Protection Act (“BIPA”) is a unique privacy law to the extent that it creates a private cause of action for any failures to notify individuals before their biometric information is collected and stored. That is, BIPA potentially creates a liability regardless of whether there was a breach of private information. Further complicating matters is the fact that many data collectors that qualify as “financial institutions” or “local and state governments” are exempted from BIPA. A recent motion to dismiss filed by New Albertson’s, Inc. (“Albertson’s”), a defendant named in a BIPA action, has put the constitutionality of this exemption for financial institutions and state governments at issue.</p>
<p>As with many employers in Illinois, Albertson’s was named as a defendant in a lawsuit based on alleged violations of BIPA. In a lawsuit entitled <em>Bruhn v. New Albertson’s, Inc.</em>, Case No. 2018 CH 1737, filed in the Circuit Court of Cook County, Illinois, a class action plaintiff alleged he worked as a pharmacist at a Jewel-Osco store located in Elgin, Illinois. Plaintiff claims Jewel required him to provide a scan of his fingerprints on a biometric device in order to access the pharmacy’s computer system. Plaintiff further claims Jewel violated BIPA when it collected and stored his biometric information without providing the proper notification. On August 20, 2019, Albertson’s filed a motion to dismiss which will push Illinois courts to examine the constitutionality of BIPA.</p>
<p>As a quick refresher on Illinois constitutional law, the Illinois Constitution provides the following, which is generally referred to as the “special legislation clause”:</p>
<p><em>The General Assembly shall pass no special or local law when a general law is or can be made applicable. Whether a general law is or can be made applicable shall be a matter for judicial determination.</em></p>
<p>In support of its motion to dismiss, Albertson’s analyzes the legislative intent behind BIPA and argues “[i]n short, the legislator felt BIPA was necessary to protect consumers’ biometric data, particularly connected with financial information.” And, while the legislature’s intent behind BIPA was to protect information by placing burdens on entities that collect and store biometric data, Albertson’s questions how that purpose is served when the statute does not include many entities that may qualify as a “financial institution or an affiliate of a financial institution” and contractors, subcontractors and agents of state or local governments. Based on these exclusions to BIPA, Albertson’s argues that BIPA violates the special legislation clause and is therefore unconstitutional because “Broad Groups” of individuals are excluded from the statutory framework. In particular, Albertson’s claims BIPA’s exclusions for financial institutions and local governments give way to an unfair result that is unconstitutional.</p>
<p>In its brief, Albertson’s argues the question of whether a law violates the special legislation clause and is void includes the following two-step analysis: “…whether the statutory amendments discriminate in favor of a select group” and “if so, whether the classification created by the statutory amendments is arbitrary.” As for the exception of financial institutions, Albertson’s argues BIPA excludes essentially the entire financial industry. Albertson’s asserts the use of the term “financial institution” in BIPA could exclude a number of entities ranging from retailers that happen to issue credit cards to car dealerships and mortgage brokers and, therefore, BIPA is unconstitutional.</p>
<p>Albertson’s further asserts the BIPA exception for governments unconstitutionally “eliminates a wide swath of entities from the BIPA.”  Albertson’s argues the exclusion for governmental entities is overly broad to the extent it exempts contractors, subcontractors and agents of state and local governments while they were working for the government. Consequently, the stated purpose of BIPA is not served with these exclusions.</p>
<p>Albertson’s claims BIPA’s impact, which excludes a potentially large number of entities from protecting the public’s biometric data, “constitutes special legislation in violation of the Illinois Constitution.” Albertson’s argues it is entitled to have the action against it dismissed since “[a] general law could have been passed, and was in fact originally proposed to apply to both the government and financial institutions.”</p>
<p>Regardless of whether the court finds BIPA unconstitutional, Albertson’s still brings a valid point to light about the confusion BIPA causes for data collectors. For example, Albertson’s poses a hypothetical where a janitorial company providing services to a government building would <em>not </em>have to comply with BIPA while another janitorial service providing services to a private building would incur the costs to comply with BIPA. It will be interesting to see how the trial court, and most likely the Illinois appellate court, addresses this question.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/more-than-just-a-confusing-law-defendant-argues-illinois-biometric-law-is-unconstitutional/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Arbitrate Or Litigate: U.S. Supreme Court Decision Sheds Light On Consequences Of Lamp Seller’s Data Breach</title>
		<link>https://privacyriskreport.com/arbitrate-or-litigate-u-s-supreme-court-decision-sheds-light-on-consequences-of-lamp-sellers-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=arbitrate-or-litigate-u-s-supreme-court-decision-sheds-light-on-consequences-of-lamp-sellers-data-breach</link>
		<comments>https://privacyriskreport.com/arbitrate-or-litigate-u-s-supreme-court-decision-sheds-light-on-consequences-of-lamp-sellers-data-breach/#comments</comments>
		<pubDate>Fri, 26 Apr 2019 14:54:50 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data Collection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[The District Court]]></category>
		<category><![CDATA[The Ninth Circuit]]></category>
		<category><![CDATA[U.S. Supreme Court]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1834</guid>
		<description><![CDATA[
<p>It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate... <a class="more-link" href="https://privacyriskreport.com/arbitrate-or-litigate-u-s-supreme-court-decision-sheds-light-on-consequences-of-lamp-sellers-data-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate as buying a generator to prepare for “Y2K.” There is no need to get too emotional, but there is no reasonable dispute that privacy issues are now just a part of our lives. April 24, 2019 was a watershed moment in privacy law, when the U.S. Supreme Court issued a decision in <a href="https://www.supremecourt.gov/opinions/18pdf/17-988_n6io.pdf" target="_blank"><em>Lamps Plus, Inc. v. Varela</em>, 2019 1780275 (April 24, 2019)</a>, a case that starts with a data breach.</p>
<ul>
<li><strong>The Breach</strong></li>
</ul>
<p>In <em>Lamps Plus</em>, an employee, Frank Varela, filed a class action against his employer, Lamps Plus, in the U.S. District Court of California. Varela claimed his employer’s negligence provided a hacker with access to tax information that resulted in a fraudulent tax return being filed in his name. Varela’s class action complaint further asserted that 1,300 other employees had their information taken as well.</p>
<ul>
<li><strong>Procedural History</strong></li>
</ul>
<p>Lamps Plus filed a motion to dismiss in the District Court wherein it argued the arbitration agreement in Varela’s employment contract required the dismissal of Varela’s class action lawsuit and that his claims should be arbitrated on an individual basis rather than in a class action. The District Court denied the portion of the motion seeking to have the class members arbitrate their claims on an individual basis but authorized the arbitration of the claims on a class-wide basis. The Ninth Circuit affirmed the District Court’s decision to allow the class action plaintiffs to arbitrate their claims as a class rather than require each class member to arbitrate their claims individually. In particular, the Ninth Circuit’s holding, based on a finding that the arbitration provision was ambiguous, would have allowed Varela and the other employees to pursue their claims as a class in an arbitration proceeding.</p>
<p>In short, Varela argued that he should be permitted to litigate—in the courts—a class action against Lamps Plus despite signing an employment agreement with an arbitration provision stating “arbitration shall be in lieu of any and all lawsuits or other civil legal proceedings related to my employment.” On the other hand, Lamps Plus took the position that the case should be arbitrated and Varela was required to arbitrate his claims individually rather than drawing on the strength of other members in a class action. <a href="https://www.nytimes.com/2019/04/24/us/politics/supreme-court-class-arbitrations.html" target="_blank">(A good breakdown of these issues can be found in this<em> New York Times</em> article.)</a></p>
<ul>
<li><strong>Supreme Court’s Decision In Favor Of Lamps Plus</strong></li>
</ul>
<p>In a 5-4 decision, the Supreme Court reversed and remanded the Ninth Circuit’s decision since Lamps Plus did not expressly agree to arbitrate employee disputes on a class action basis. Based on the arbitration provision in the employment agreement, Chief Justice Roberts—writing the majority opinion—held only individual arbitrations were permitted. The majority further opined “Class arbitration ‘sacrifices the principal advantage of arbitration—its informality—and makes the process slower, more costly, and more likely to generate procedural morass than final judgment.’”</p>
<ul>
<li><strong>How To Approach These Issues</strong></li>
</ul>
<p>Admittedly, the central issue in the <em>Lamps Plus</em> decision relates to the enforcement of an arbitration clause and merely happens to arise out of a data breach. Nevertheless, this issue should be front and center for any employer that collects an employee’s private data. In addition to reaching an agreement on the process of bringing claims against an employer (class actions versus individual claims), employment agreements may need to start addressing whether privacy claims should be litigated or arbitrated.</p>
<p>A further example was seen on April 9, 2019 when the Appellate Court of Illinois found an arbitration agreement did not allow an employer to arbitrate an employee’s biometric data claim. <a href="http://www.illinoiscourts.gov/Opinions/AppellateCourt/2019/1stDistrict/1182645.pdf" target="_blank"><em>Liu v. Four Seasons Hotel, Ltd</em>., 2019 IL App (1<sup>st</sup>) 182645 (April 9, 2019)</a>. In <em>Liu</em>, the Court of Appeals rejected an employer’s contention that an employment agreement to arbitrate “wage or hour violation” claims would include the plaintiff’s alleged biometric data violations. The <em>Liu</em> court rejected the employer’s argument “that the sole purpose of requiring employees to scan their fingerprints was to monitor the hours worked, which makes it a ‘wage or hour violation’ claim.”</p>
<p>These two recent cases involving employment agreements demonstrate that there are a number of moving parts to a privacy lawsuit that must be considered by both those collecting the data and those having their data collected.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/arbitrate-or-litigate-u-s-supreme-court-decision-sheds-light-on-consequences-of-lamp-sellers-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can We Talk?  “Discussion Draft” of U.S. Privacy Protection Bill Sheds Light on the Future of American Privacy Law</title>
		<link>https://privacyriskreport.com/can-we-talk-discussion-draft-of-u-s-privacy-protection-bill-sheds-light-on-the-future-of-american-privacy-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=can-we-talk-discussion-draft-of-u-s-privacy-protection-bill-sheds-light-on-the-future-of-american-privacy-law</link>
		<comments>https://privacyriskreport.com/can-we-talk-discussion-draft-of-u-s-privacy-protection-bill-sheds-light-on-the-future-of-american-privacy-law/#comments</comments>
		<pubDate>Mon, 05 Nov 2018 21:07:06 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1693</guid>
		<description><![CDATA[
<p>Many governments are following the European Union’s lead with GDPR by enacting privacy laws that place significant burdens on data collectors.  For example, on November 1, 2018, Canada enacted a new privacy law that makes companies responsible for any losses caused... <a class="more-link" href="https://privacyriskreport.com/can-we-talk-discussion-draft-of-u-s-privacy-protection-bill-sheds-light-on-the-future-of-american-privacy-law/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>Many governments are following the <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">European Union’s lead with GDPR</a> by enacting privacy laws that place significant burdens on data collectors.  For example, <a href="https://www.cbc.ca/news/business/pipeda-privacy-data-1.4886061" target="_blank">on November 1, 2018, Canada enacted a new privacy law</a> that makes companies responsible for any losses caused by exposing consumers’ private data.  While many countries are enacting comprehensive data protection laws, the <a href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/" target="_blank">United States currently has a patchwork</a> of state, federal and industry data protection laws.</p>
<p>Even though the United States may not be any closer to adopting uniform data privacy laws, U.S. legislators are still trying to keep the discussion moving.  Just last week, Senator Ron Wyden of Oregon <a href="http://fortune.com/2018/11/03/privacy-law-tech-ceo-wyden/" target="_blank">announced a discussion draft of the “Consumer Data Protection Act”</a> (the “Act”) that would establish new privacy rules for large American corporations.  While the Act contains a number of provisions that will ultimately limit the chances it will become law (such as steep criminal penalties for corporate officers), there are a number of provisions in the Act that may be worth considering for privacy legislation in the future.</p>
<p>The overall purpose of the <a href="https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf" target="_blank">Discussion Draft for the Consumer Data Protection Act of 2018</a> is to stop consumer data from being used without consumers&#8217; knowledge or consent and to return control of the data to consumers. To achieve this objective, the Discussion Draft gives the Federal Trade Commission a greater ability to address cyber and privacy threats. The Discussion Draft creates mechanisms that would allow the FTC to become what it refers to as a credible deterrent against failing to protect consumers’ data and, in turn, increases the FTC&#8217;s resources to enforce current and proposed regulations.</p>
<p>If adopted as drafted, the Act would amend the Federal Trade Commission Act to “establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information…”  First, the Act would create deterrents for a corporation failing to bolster its security measures by issuing fines up to 4% of annual revenue and jail terms lasting anywhere from ten to twenty years for senior executives that fail to implement proper safeguards.  Additionally, the Act would increase the FTC’s staff and other resources to allow for the laws to be enforced.</p>
<p>Commentators have stated that the Act is unlikely to pass in its current format <a href="https://arstechnica.com/tech-policy/2018/11/proposed-data-privacy-law-could-send-company-execs-to-prison-for-20-years/" target="_blank">“given the extreme penalties [and] lobbying clout of big businesses.”</a> However, even though the Act may never become law, there are a number of concepts short of large fines and corporate officer jail time that we may see incorporated into future data protection laws in the U.S.:</p>
<ul>
<li><em>Consumer Opt-Out</em>: If the Act were adopted, the FTC would have two years to create a system that would allow consumers to “opt-out” from having their data gathered, stored and traded by prohibiting information to be shared with third parties. The Act would allow consumers to waive their right to opt-out in order to use a specific product or service. Additionally, the Act would require the company to offer an option for the consumer to pay an additional fee to use a similar service that is not conditioned on waiving the right to opt-out.</li>
<li><em>Compliance Reporting</em>: The Act would also require any company with at least $1 billion in revenue and more than 1 million consumers to file an annual report certifying compliance with the Act. The report would be certified by the company’s corporate officers, and violations, whether intentional or unintentional, could result in a jail sentence.</li>
</ul>
<p>Once again, the Discussion Draft as proposed will at least start a dialogue concerning the next steps for privacy law in the U.S. At its most basic level, this discussion will address fundamental questions concerning U.S. privacy law, including which federal agency should be responsible for enforcing the new privacy laws and the resources that will make enforcement possible.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/can-we-talk-discussion-draft-of-u-s-privacy-protection-bill-sheds-light-on-the-future-of-american-privacy-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion (&#8220;F.O. 483&#8221;) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion (&#8220;F.O. 483&#8221;)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.”  As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, F.O. 483 is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach: </em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
</ul>
<ul>
<li><em>Stopping the Breach and Restoring the System:</em>  F.O. 483 also requires a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs.  Relying on the NIST standards, F.O. 483 reminds attorneys “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
</ul>
<ul>
<li><em>Determining What Occurred</em>: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.</li>
</ul>
<p>Next, <strong>ABA </strong><strong>Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers to provide notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and efforts to protect the client’s data.  Finally, F.O. 483 directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers when a cyber security issue may result in an ethical issue.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</title>
		<link>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach</link>
		<comments>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/#comments</comments>
		<pubDate>Thu, 04 Oct 2018 19:08:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1673</guid>
		<description><![CDATA[
<p>While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.... <a class="more-link" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Continue Reading &#8594;</a>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/" target="_blank">While some courts have found coverage for data breach claims under CGL policies</a>, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.</p>
<p>The decision in <em>St. Paul Fire &amp; Marine Ins. Co. v. Rosen Millennium, Inc</em>., case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability insurance policy (“CGL”).  In <em>Rosen Millennium</em>, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to defendant, Rosen Millennium (“Rosen”).</p>
<p>Rosen was providing data security services to Rosen Hotels &amp; Resorts (“RHR”) when they discovered a potential breach of credit cards at a hotel in February of 2016.  The forensic investigator determined information related to the credit cards provided by hotel patrons was breached and RHR took steps to notify the patrons in March of 2016.</p>
<p>Rosen submitted a notice of claim to its insurer, St. Paul Fire &amp; Marine (“Travelers”), in December of 2016, which stated RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting Rosen provide any information it believes may impact St. Paul’s coverage determination. Shortly thereafter, Travelers filed this declaratory action seeking a determination of its duty to defend Millennium against RHR’s negligence claims.  Even though RHR did not file suit, they claimed a demand letter from RHR and Millennium’s Notice of Claim created a controversy as to Travelers’ duty to defend Millennium under the CGL policies.</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies</strong></li>
</ul>
<p>In granting Travelers’ motion for summary judgment, the District Court first opined that the Notice of Claim (which contained only the relevant dates of the breach) and demand letter (which provided only that Rosen exposed private information to third parties) did not trigger Travelers’ defense obligation under the policy.  In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.”  Consequently, the District Court found Rosen’s claims for coverage not ripe and held Travelers had no “duty to defend a hypothetical claim.”</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies</strong></li>
</ul>
<p>The District Court also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined under the CGL Policies.  In particular, the CGL Policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.”  And, the CGL policies defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis is whether the material, or personal information, was “made known” by Rosen and, therefore, constitutes a personal injury offense.  Both parties agreed “making known” “is synonymous with ‘publication.’”</p>
<p>In addressing this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.”  In other words, there is no coverage for these claims because, if there was a publication, the publication was not done by the insured, Rosen.</p>
<p>This decision serves as another reminder that only a sliver of the data breach cases even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has solved the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to provide cyber coverage.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> (trowe@tresslerllp.com) for additional questions or for a copy of this decision.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
