<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; risk</title>
	<atom:link href="https://privacyriskreport.com/tag/risk/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information</title>
		<link>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information</link>
		<comments>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/#comments</comments>
		<pubDate>Fri, 20 Sep 2019 19:15:58 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1930</guid>
		<description><![CDATA[
<p>For a number of years, it has been clear that data collectors face a patchwork of privacy regulations that may give rise to contradictory obligations. A recent case involving the disclosure of private information of student loan borrowers provides one of... <a class="more-link" href="https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/">Continue Reading &#8594;</a></p>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/' data-emailit-title='A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/">A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">For a number of years, it has been clear that data collectors face a patchwork of privacy regulations that may give rise to contradictory obligations</a>. A recent case involving the disclosure of private information of student loan borrowers provides one of the first examples of how courts may deal with situations where a data collector has competing obligations related to the same private data.</p>
<p>As a servicer of federal student loans, the Pennsylvania Higher Education Assistance Agency (“PHEAA”) found itself torn between the Connecticut Department of Banking (“Department of Banking”), its <strong>state</strong> regulator, and the United States Department of Education (“Department of Education”), its <strong>federal</strong> regulator and the agency that hired it to service the loans.</p>
<p><strong>Caught Between A Rock And A Hard Place…</strong></p>
<p>In what PHEAA describes as finding itself “between a rock and a hard place,” the Department of Banking demanded that PHEAA produce all records containing private information of Connecticut residents with federal student loans serviced by PHEAA. The Department of Education, on the other hand, expressly prohibited PHEAA from releasing those same records to the Department of Banking. PHEAA therefore faced the difficult question of whether federal law preempted the conflicting Connecticut law under which the Department of Banking threatened to revoke PHEAA’s license. Simply put, PHEAA was damned if it released the information and damned if it did not.</p>
<p><strong>Questions Related To Preemption Between State And Federal Laws </strong></p>
<p>In addition to its federal obligations, PHEAA serviced student loans in Connecticut under a license issued by the Department of Banking. To maintain that license, PHEAA had to comply with Connecticut law. At some point, PHEAA received a letter from the Department of Banking demanding a review of information related to certain student loans serviced by PHEAA. As part of this review, the Department of Banking requested various documents, including a “Student Loan Servicer Management Questionnaire and Information Request” seeking “borrower-specific information, including borrower complaints.” After going back and forth with PHEAA and the Department of Education, the Department of Banking sent PHEAA a letter stating that PHEAA’s failure to produce the requested documents “constitute[s] grounds to revoke PHEAA’s student loan servicer license in Connecticut…”</p>
<p>On the federal side, the Department of Education contracts with third-party servicers, like PHEAA, to service the “Direct Loans” it issues. The Department of Education regulates loan servicers through contracts requiring compliance “with federal and Education records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974.” Upon learning of the Department of Banking’s request, the Department of Education issued “an express directive that PHEAA was prohibited under federal law from releasing any data or documentation” requested by the Department of Banking.</p>
<p>Faced with these competing laws, the United States District Court for the District of Connecticut framed the initial question as “What to do?” PHEAA filed an interpleader action entitled <em>Pennsylvania Higher Education Assistance Agency v. Perez</em>, No. 3:18-cv-1114 (MPS) (Sept. 13, 2019), asking the District Court “to require [the Department of Banking and the Department of Education] to fight out between themselves the issue whether federal law preempts the [Department of Banking’s] document demand—and a declaratory judgment on the preemption issue.” Specifically, PHEAA sought interpleader relief under Federal Rule of Civil Procedure 22 and, in the alternative, declaratory relief determining whether federal law preempted the conflicting state law.</p>
<p><strong>&#8220;What To Do?”</strong></p>
<p>The Department of Education moved to dismiss all claims against it. The District Court granted the motion in part, dismissing the interpleader claim, and denied it in part, allowing the joinder claims to proceed, in what turned out to be a complex procedural analysis of a seemingly simple question: what should PHEAA do?</p>
<p><strong>No Answer Under The Interpleader Rule</strong></p>
<p>Under the first count of its complaint, PHEAA sought relief under Federal Rule of Civil Procedure 22, which provides: “Persons with claims that may expose a plaintiff to double or multiple liability may be joined as defendants and required to interplead.” The District Court held that Fed. R. Civ. P. 22 provides no relief to PHEAA because:</p>
<p><em>“PHEAA faces conflicting demands not from a single obligation, but from multiple obligations. Interpleader is not appropriate where a party ‘has inconsistent duties to separate parties under two separate, but related, agreements, and may have breached one agreement by complying with duties under the other.’”</em></p>
<p>Based on this reasoning the District Court granted the Department of Education’s motion to dismiss.</p>
<p><strong>An Answer Under The Joinder Rule</strong></p>
<p>The District Court did not leave PHEAA without a remedy, finding that “joinder under <a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000600&amp;cite=USFRCPR19&amp;originatingDoc=Id750ddb0d85d11e9b449da4f1cc0e662&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)">Rule 19</a> provides PHEAA another avenue through which it can obtain the core relief it seeks.” Federal Rule of Civil Procedure 19 addresses compulsory party joinder in federal district courts and states, in relevant part, that a party must be joined if “in that person’s absence, the court cannot accord complete relief among existing parties.” First, the District Court found the Department of Education should be joined because it sent “various communications about it directly to PHEAA” concerning the disclosure of information sought by the Department of Banking, which made clear that the Department of Education had an interest in the outcome of the litigation.</p>
<p>Next, the District Court held the Department of Education should be joined in order to avoid a situation where “PHEAA [was] subject to a substantial risk of incurring double, multiple, or otherwise inconsistent obligations.” On this point the District Court offered the following reasoning:</p>
<p><em>…If the state laws under which the [Department of Banking] is seeking documents from PHEAA are found not to be preempted and the Federal Defendants are not made parties, then they may choose to ignore this Court’s judgment on the preemption issue. There would be no obstacle to their bringing a breach-of-contract claim against PHEAA or terminating their contract with PHEAA on the ground that PHEAA had violated federal law by complying with the [Department of Banking’s] document request. If they took these steps, they would put PHEAA “between the proverbial rock and a hard place,” forcing PHEAA to choose between complying with state law in accordance with a non-preemption determination made by this Court and complying with the inconsistent obligation set out in its contract with Education (and possibly an inconsistent judgment in litigation initiated by Education). If they are joined as defendants under </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000600&amp;cite=USFRCPR19&amp;originatingDoc=Id750ddb0d85d11e9b449da4f1cc0e662&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>Rule 19</em></a><em>, then, while a judgment by this Court of non-preemption could not order them to perform, or refrain from performing, any acts, it would bind them for purposes of res judicata, preclude them from bringing a collateral challenge to the judgment, and furnish a preclusion defense to PHEAA in any lawsuit by [the Department of Education] to terminate the contract. Disposing of the action in the Federal Defendants’ absence may thus leave PHEAA subject to a substantial risk of incurring inconsistent obligations.</em></p>
<p>Based on this reasoning, the District Court denied the Department of Education’s motion to dismiss thereby allowing the PHEAA’s case to proceed beyond the early pleadings stage.</p>
<p><strong>The Development Of This Case Will Provide Insight To Data Collectors</strong></p>
<p>Once the procedural issues are sifted through, the central question before the District Court is what a data collector should do when it faces contradictory state and federal regulations. The problem of inconsistent laws will only grow as more federal, state, local and industry standards regulate the same information held by data collectors. Either legislators will need to harmonize these laws before they are adopted, or the courts will need to harmonize them afterward when data collectors face inconsistent requirements.</p>
<p>Of course, we will continue to monitor this case to see how the court decides the preemption issues.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/' data-emailit-title='A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/">A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-rock-and-a-hard-place-recent-decision-addresses-competing-regulations-for-the-same-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</title>
		<link>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers</link>
		<comments>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/#comments</comments>
		<pubDate>Thu, 18 Oct 2018 19:31:02 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1683</guid>
		<description><![CDATA[
<p>On October 17, 2018, the American Bar Association published Formal Opinion 483 (“F.O. 483”) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.” As an initial... <a class="more-link" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">Continue Reading &#8594;</a></p>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/' data-emailit-title='New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
]]></description>
				<content:encoded><![CDATA[<p>On October 17, 2018, the American Bar Association published <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" target="_blank">Formal Opinion 483 (“F.O. 483”)</a> to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.” As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, it is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”</p>
<p>F.O. 483 is based primarily on two ABA Model Rules.</p>
<p>First, <strong>ABA Model Rule 1.1 </strong>states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information.  F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:</p>
<ul>
<li><em>Monitoring for a Data Breach:</em> F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns that the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”</li>
<li><em>Stopping the Breach and Restoring the System:</em> F.O. 483 also requires that a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One way to meet this requirement is to adopt an incident response plan before an incident occurs. Relying on the NIST standards, F.O. 483 reminds attorneys that “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”</li>
<li><em>Determining What Occurred:</em> If a breach occurs, F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones.”</li>
</ul>
<p>Next, <strong>ABA </strong><strong>Model Rule 1.6(a)</strong> requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.”  As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.</p>
<p>Finally, F.O. 483 provides guidance for lawyers to provide notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.”  As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.”  The lawyer should also inform the client of the plan to respond to the incident and efforts to protect the client’s data.  Finally, F.O. 483 directs lawyers to evaluate their obligations under state and federal law.</p>
<p><a href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/" target="_blank">Law firms have been plagued by cyber issues</a>. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization.  While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers when a cyber security issue may result in a ethical issue.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/' data-emailit-title='New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/">New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-aba-formal-opinion-indicates-data-breach-may-present-ethical-issue-for-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</title>
		<link>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach</link>
		<comments>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/#comments</comments>
		<pubDate>Thu, 04 Oct 2018 19:08:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1673</guid>
		<description><![CDATA[
<p>While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.... <a class="more-link" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Continue Reading &#8594;</a></p>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/' data-emailit-title='Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/" target="_blank">While some courts have found coverage for data breach claims under CGL policies</a>, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.</p>
<p>The decision in <em>St. Paul Fire &amp; Marine Ins. Co. v. Rosen Millennium, Inc.</em>, case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability (“CGL”) insurance policy. In <em>Rosen Millennium</em>, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to the defendant, Rosen Millennium (“Rosen”).</p>
<p>Rosen was providing data security services to Rosen Hotels &amp; Resorts (“RHR”) when a potential compromise of payment card data at a hotel was discovered in February 2016. The forensic investigator determined that credit card information provided by hotel patrons had been breached, and RHR notified the affected patrons in March 2016.</p>
<p>Rosen submitted a notice of claim to its insurer, St. Paul Fire &amp; Marine (“Travelers”), in December 2016, stating that RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting that Rosen provide any information it believed might affect Travelers’ coverage determination. Shortly thereafter, Travelers filed this declaratory judgment action seeking a determination of its duty to defend Rosen against RHR’s negligence claims. Even though RHR had not filed suit, Travelers asserted that RHR’s demand letter and Rosen’s notice of claim created a controversy as to Travelers’ duty to defend Rosen under the CGL policies.</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies</strong></li>
</ul>
<p>In granting Travelers’ motion for summary judgment, the District Court first found that the notice of claim (which contained only the relevant dates of the breach) and the demand letter (which stated only that Rosen had exposed private information to third parties) did not trigger Travelers’ defense obligation under the policy. In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.” Consequently, the District Court found Rosen’s claim for coverage not ripe and held that Travelers had no “duty to defend a hypothetical claim.”</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies</strong></li>
</ul>
<p>The District Court also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined in the CGL policies.  The CGL policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense,” and defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis was whether the material, i.e., the personal information, was “made known” by Rosen and therefore constituted a personal injury offense.  Both parties agreed that “making known” “is synonymous with ‘publication.’”</p>
<p>On this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.”  In other words, there is no coverage for these claims because, if there was a publication at all, it was made by third parties and not by the insured, Rosen.</p>
<p>This decision serves as another reminder that only a sliver of data breach claims even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has addressed the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to cover these exposures.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> (trowe@tresslerllp.com) for additional questions or for a copy of this decision.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</title>
		<link>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime</link>
		<comments>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/#comments</comments>
		<pubDate>Tue, 02 Jan 2018 16:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1418</guid>
		<description><![CDATA[
<p>Over the years there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale... <a class="more-link" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Over the years <a href="https://privacyriskreport.com/square-pegs-recent-case-shows-problems-with-fitting-cyber-liability-claims-into-law-that-is-a-bit-dated/" target="_blank">there have been questions whether the term “cyber” is adequate in light of the exponential growth of privacy law</a>.  First, the term &#8220;cyber&#8221; tried to do too much when it was used to describe everything from large-scale data breaches to small instances of corporate espionage.  Further, the term &#8220;cyber&#8221; did not do enough to distinguish between personal information compromised through sophisticated computer attacks and information compromised through unsophisticated employee negligence.  Finally, the “one-size fits all” use of the term “cyber” has recently been called into question by a federal court.</p>
<p>In <em>American Health Inc. v. Dr. Sergio Chevere</em>, 2017 WL 6561156 (Dec. 22, 2017), the District Court for the District of Puerto Rico examined the term “cyber” while deciding the litigants’ cross-motions for summary judgment.  The dispute arose when the Defendant, Dr. Sergio Chevere, an employee of the Plaintiff, American Health Inc., forwarded fifty-four emails from his work email account, which was hosted on the Plaintiff’s servers, to his personal email account.  Importantly, the District Court noted “Defendant did not cause damage to or erase data from plaintiffs’ computer systems.” Rather, Plaintiff claimed it was damaged because the forwarded emails contained confidential and proprietary information, and that forwarding them violated state and federal law.  Plaintiff further claimed it spent more than $170,000 in litigation costs related to this incident.  Both parties moved for summary judgment, prompting the District Court to decide whether Plaintiff had a viable cause of action under federal or state law.</p>
<p>In the section of the District Court’s opinion entitled “<em>The Mise-En-Scène: An Overview of Malicious Cyber Acts and Plaintiffs’ Claims</em>,” the District Court first considered “some introductory notes on malicious cyber acts,” which include:</p>
<p><em>Cyber technologies are a minefield of technical nuances. Naturally, the legal landscape that affects cyberspace can be seemingly riddled with gray areas and be difficult to navigate. Before jumping into the proverbial Minotaur’s maze, the court will, for clarity’s sake, consider some introductory notes on malicious cyber acts.</em></p>
<p><em>It is well-settled that malicious cyber acts can lead to civil liability and criminal prosecution. Indeed, criminal enterprises, malign actors, and those seeking to gain unfair advantages in their ventures increasingly turn to cyberspace to carry out or facilitate malicious acts.</em></p>
<p>Based on this analysis, the District Court views malicious cyber acts as being separated into the following three distinct categories:</p>
<p><strong><em>Put plainly, malicious cyber acts consist of the use of computer driven technologies to commit malicious acts. They can be parceled into three distinct categories: </em></strong></p>
<p><strong><em>(1) acts in which a computer is the target of the malicious activity, </em></strong></p>
<p><strong><em>(2) acts in which a computer is used as a tool that is essential for the malicious activity, and </em></strong></p>
<p><strong><em>(3) acts in which the use of a computer is incidental to the malicious activity. </em></strong></p>
<p><strong><em>These distinctions are important when applying the law to malicious cyber acts. The court will discuss the first and second categories in more detail, insofar as the latter is immaterial to the issue at hand.</em></strong></p>
<p>In further developing the three distinct categories of malicious cyber acts, the District Court provided the following concerning the “first category”:</p>
<p><em><strong>Acts in the first category, in which a computer is the target, can ordinarily only exist in cyberspace (e.g. hacking and distributed denial of service attacks). They are an entirely “new” breed of malicious activity. Traditional statutes are often ill-fitted or otherwise insufficient to carry civil claims and criminal prosecutions addressing malicious cyber acts of this sort. Thus, to properly make malicious cyber acts that fall into the first category actionable, specialized statutes that specifically target conduct in cyberspace are necessary.</strong> </em></p>
<p>And the District Court provided the following concerning the “second category”:</p>
<p><em><strong>On the other hand, acts in the second category, in which a computer is an essential tool, are mostly age-old malicious acts (e.g. fraud and theft) being committed in new ways. They are, in that sense, “old wine in new bottles.” Take, for example, a fraud committed in cyberspace and one committed in the physical world: both are fraud, but only the former is a malicious cyber act. They are different in that a computer was used as an essential tool in one but not in the other. A malicious cyber act falling into the second category can be properly addressed through a traditional statute, though specialized legislation could nonetheless streamline litigation or prescribe particular remedies. That is to say, while Congress could very well choose to enact legislation that specifically targets, say, instances of fraud committed through the use of a computer, traditional statutes addressing fraud could be perfectly adequate to carry the day.</strong> </em></p>
<p>After creating this framework, the <em>American Health</em> Court found that Plaintiff’s allegations that Defendant illegally misappropriated confidential information described conduct falling within the second category of malicious cyber acts (acts in which a computer is an essential tool for the alleged wrongful conduct).  Using this methodology, the District Court found Plaintiff had no recourse under its federal question claims (the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Stored Communications Act (SCA)). In particular, the District Court held “[t]hese three statutes are not catch-all nets for malicious cyber acts…[and] they target specific forms of conduct in cyberspace, under specific circumstances.&#8221; (“Hence, traditional laws may be more suitable conduits for plaintiffs legal action, rather than statutes that specifically target malicious cyber acts.”)  Consequently, the District Court found any relief due to Plaintiff would have to come from traditional state law.</p>
<p>Although the District Court suggested Plaintiff might be entitled to relief under state law, it did not need to analyze the state claims once the federal claims were dismissed.  Specifically, the District Court found it could not exercise supplemental jurisdiction over Plaintiff’s state law claims (breach of contract, breach of the duty of loyalty, breach of implied contractual and legal duties, and conversion under Puerto Rico’s Civil Code) once the federal claims were dismissed.  Consequently, Defendant’s motion for summary judgment was granted.</p>
<p>The <em>American Health</em> decision demonstrates the difficulty in using the term “cyber” for <em>any</em> activity that happens to involve a computer.  Here, the computer was merely the instrument of the Defendant’s alleged wrongful conduct, not its target.  That is, the Defendant could have printed out the confidential information found in the emails stored on the Plaintiff’s server and misappropriated the hardcopies rather than transferring the information to his personal account through his computer.  Further, the District Court may have arrived at a different decision had the Defendant actually destroyed the information stored on the Plaintiff’s server.</p>
<p>Under the reasoning in the <em>American Health</em> decision, we may start to see the term “cyber” narrowed to incidents where “a computer is the target of the malicious activity.”  These activities, of which hacking is one example, are what the District Court refers to as an “entirely ‘new’ breed of malicious activity.”  If the District Court’s analysis gains traction, we may see legislation that directly addresses this new breed of malicious activity rather than various privacy claims being crammed into traditional laws.  Further, we may also see cyber insurance policies evolve to provide coverage for this first category while possibly not covering the other two categories in the <em>American Health</em> Court’s taxonomy of the term “cyber.”</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/">One-Size Does Not Fit All:  Court Finds Not Every Crime Involving A Computer Is A Cyber Crime</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/one-size-does-not-fit-all-court-finds-not-every-crime-involving-a-computer-is-a-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</title>
		<link>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data</link>
		<comments>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/#comments</comments>
		<pubDate>Thu, 30 Nov 2017 19:27:09 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1385</guid>
		<description><![CDATA[
<p>Uber&#8217;s technology and business plan have consistently presented a number of interesting privacy issues.   Another interesting privacy issue involving Uber came to light on November 28, 2017 when the City of Chicago and Illinois (&#8220;plaintiffs&#8221;) filed their Complaint in a... <a class="more-link" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Uber&#8217;s technology and business plan have consistently presented a number of <a href="https://privacyriskreport.com/uber-and-lyft-demonstrate-how-cybersecurity-changes-the-way-businesses-deal-with-each-other-and-customers/" target="_blank">interesting privacy issues</a>.  Another came to light on November 28, 2017, when the City of Chicago and the State of Illinois (&#8220;plaintiffs&#8221;) filed <a href="https://assets.documentcloud.org/documents/4311145/365676414-Chicago-CCSAO-Uber-11-27-17-Complaint.pdf" target="_blank">their Complaint</a> in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc.</em>, Case No. 2017CH15594 (Nov. 28, 2017). The Complaint alleges that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert that Uber took steps to cover up a breach in an effort to avoid negative publicity.  This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out about an incident before formal notification of the incident.</p>
<p><strong>The First Breach</strong></p>
<p>The plaintiffs assert that in 2014 Uber left the personal information of more than 50,000 users vulnerable to hackers. In particular, the plaintiffs claim an Uber employee left Amazon Web Services login credentials exposed to the general public.  By September 17, 2014, Uber had detected that its customers’ information had been accessed without authorization.  After the 2014 breach, Uber entered into a settlement agreement with the federal government under which Uber agreed to fix vulnerabilities and create safeguards to protect against future breaches.</p>
<p><strong>The Second Breach </strong></p>
<p>Despite making “basic corrections to its data security platform,” Uber suffered another data breach, involving 57 million users, in October 2016. The Complaint alleges this second breach was similar to the first in that customer data was exposed when hackers found exposed passwords.  While Uber put out a statement, the plaintiffs claim Uber failed to inform the public that sensitive information may have been compromised, including drivers’ passwords, credit card and banking numbers, and Social Security numbers.</p>
<p><strong>The Alleged Cover Up</strong></p>
<p>The Complaint further asserts that after the second breach, “Uber opted to cover up the breach, both inside and outside the company.” The plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.&#8221;  The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data,” and the breach was ultimately disclosed.  The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…”  Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment.  The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. According to the Complaint, Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>The Plaintiffs’ Causes Of Action And Violations Of Illinois’ Personal Information Protection Act (“PIPA”)</strong></p>
<p>Plaintiffs first seek a recovery under Chicago Municipal Code Section 2-25-090, which prohibits any “unlawful practice” under the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”).  In this regard, the plaintiffs claim “Uber intended that the public, including Chicago residents, rely on its deceptive representations and communications regarding the security of their personal information.”  The plaintiffs also claim Uber violated the Illinois <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Personal Information Protection Act</a> (&#8220;PIPA&#8221;) when it failed to notify Chicago residents of the breaches.  Based on ten causes of action, the plaintiffs request that the court fine Uber $10,000 for each day the Chicago Municipal Code was violated, $50,000 for violating the ICFA, and $10,000 for each violation “involving an Illinois resident 65 years of age or older for each day such violation has existed and continues to exist.”</p>
<p><strong>“Data Collectors” Must Put Thought Into Response If It Is Unclear If Formal Notification Is Necessary</strong></p>
<p>This case, while only in the pleading stages, signals a shift in what “data collectors” must consider when responding to an incident. First, if the allegations are true, they make clear that paying off hackers and disguising the payment as a legitimate expense must be avoided.  Beyond the alleged payment, these allegations demonstrate the difficult balance between informing the public and not unnecessarily causing negative publicity.  For example, it is alleged that Uber put out a blog post in response to the 2016 incident that failed to address all the information that may have been compromised in the breaches.  The Complaint refers to this blog post as being “notably vague.”  Therefore, even if it is shown that Uber did not intentionally cover up these incidents, the allegations against Uber are a reminder that a “data collector&#8217;s” response can create liability beyond the incident itself.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/">Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</title>
		<link>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information</link>
		<comments>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/#comments</comments>
		<pubDate>Fri, 29 Sep 2017 20:41:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[private]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1327</guid>
		<description><![CDATA[
<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public.  Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide... <a class="more-link" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For many years, governmental bodies and some commercial companies have had a responsibility to provide information conveniently to the public. Specifically, under Open Records Acts, Freedom of Information Act requests and other similar requirements, many governmental bodies have to provide sensitive information to the public. However, over the last few years, these same governmental bodies and commercial companies have also started to face additional requirements to adopt cyber security safety measures to protect data. It is not difficult to see how these various requirements may become competing interests that cause confusion. Therefore, we are starting to see new methods to address the need to provide information to the public in a convenient format while properly securing information.</p>
<p>One recent example of the need to strike a balance between providing information and safeguarding information is seen in <em>Taylor v. School Administrative Unit #55</em>, 2017 WL 4172944 (September 21, 2017), when the New Hampshire Supreme Court found providing information on a thumb drive, rather than through email, was acceptable given the cyber security concerns in protecting that information.</p>
<p>On May 12, 2016, the School Administrative Unit #55 (“School District”) voted to go into a nonpublic session to discuss the superintendent’s evaluation and “emergency functions.” The School District voted to seal the minutes while in the nonpublic session. The following month, the plaintiff, David Taylor, requested that the superintendent’s office send him the minutes of the May 12, 2016 nonpublic session. Taylor was told the minutes could not be provided because they were sealed. In response to a second email sent by Taylor, the superintendent’s office denied the request based on the School District’s “Right-To-Know” procedure, which allowed records to be provided only to a member of the public who brings a sealed thumb drive (or purchases a thumb drive directly from the School District) for the records to be downloaded.</p>
<p>By August of 2016, Taylor had filed a complaint initiating this lawsuit based on allegations that the School District had violated New Hampshire law by voting in a closed session to seal the minutes of the nonpublic meeting and “refusing to forward to him, by email, the records he requested.” Taylor sought a declaration that the School District’s policy requiring information to be downloaded on a thumb drive violated New Hampshire law and an order requiring the records be transferred via email.</p>
<p>The School District argued a number of “cyber security concerns” validated its procedure for using thumb drives rather than transferring the information through email. In agreeing with the School District, the New Hampshire Supreme Court held “we find valid the [School District’s] concern that responding to records requests by e-mail ‘would introduce unreliability into the process because sometimes e-mails are too big to be received, and there is no way for the [School District] to confirm receipt of e-mails it sends.’” The Supreme Court was further concerned over the potential for mistakes once the School District started sending a number of responses to “Right-To-Know” requests via email. Specifically, the Supreme Court agreed with the trial court’s finding that “while plaintiff may be correct that the simple forwarding of one email poses a very small cyber security risk, the greater potential risk comes from repeated email exchanges with multiple parties making Right-To-Know-Requests.” Further, the Supreme Court held that the thumb drive policy did not necessarily diminish the use of records provided on thumb drives and “serves the governmental interest of protecting public bodies’ and agencies’ information technology systems…”</p>
<p>Governmental bodies have to walk a thin line between the need to make information available to the public and the need to have cyber security safeguards in place to protect the public. Here, the School District was required to provide access to information, but it also had a fiduciary duty to protect private information. The School District’s agreement to provide the requested information on a thumb drive provides another example of how entities can use all available technology to overcome cyber security concerns. While downloading data to a thumb drive may not be the most convenient method to provide this information, it allowed the School District to meet its fiduciary obligation to protect information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/">The Line Between Obligations To Disclose Information And Obligations To Protect Private Information</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-line-between-obligations-to-disclose-information-and-obligations-to-protect-private-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</title>
		<link>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions</link>
		<comments>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/#comments</comments>
		<pubDate>Thu, 17 Aug 2017 16:17:26 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Contempt]]></category>
		<category><![CDATA[Court]]></category>
		<category><![CDATA[Cyber Attack]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[DLA Piper]]></category>
		<category><![CDATA[Jurors]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1282</guid>
		<description><![CDATA[
<p>On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data. Reports indicate that, even though email... <a class="more-link" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="http://fortune.com/2017/06/29/dla-piper-cyber-attack/" target="_blank">On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data.</a> Reports indicate that, even though email service was disrupted by the attack, lawyers were still able to communicate through text messaging and telephone calls. This attack on the law firm, which by all accounts was well prepared for a cyber attack, demonstrates that no business is completely safe and that incident response preparation will continue to be a key element in cyber security.</p>
<p>This cyber attack was discussed in a recent decision and provides further proof that data breaches should not be the only concern when considering cyber security. In <em>Cone et al. v. Hankook Tire Co.,</em> 2017 WL 3446295 (Aug. 10, 2017 W.D. Tenn.), the District Court for the Western District of Tennessee heard arguments during a show cause hearing on the question of whether certain attorneys at the law firm, as counsel for the defendant, Hankook Tire (“Hankook”), should be held in contempt after jurors were mistakenly contacted after trial without the District Court&#8217;s permission. While the attorney at the law firm was not held in contempt of court, the District Court made clear that the cyber incident, which limited email communications, did not excuse the improper contact of jurors.</p>
<p>The conduct giving rise to the show cause hearing took place after a verdict was returned in favor of Hankook on June 30, 2017. At some point shortly after the case reached a verdict, the court clerk was informed that a “jury researcher” had contact with some of the jurors. This contact violated the local rules because the parties did not have permission from the District Court to contact jurors to discuss the case. On July 20, 2017, the District Court issued an order requiring the parties to provide information on the jury researcher.</p>
<p>In response to the order seeking information on the jury researcher, counsel for Hankook filed a statement confirming they had hired the jury researcher who followed up with the jurors. However, the response filed by Hankook made clear that one of its attorneys (&#8220;Sender Attorney&#8221;) put into motion a “series of mistaken assumptions” that resulted in the jurors being contacted without the District Court’s permission. The response indicated the jurors were contacted under the following circumstances:</p>
<ul>
<li>On June 27, 2017, prior to the conclusion of the trial, the law firm suffered a cyber attack, disabling the firm’s email.</li>
<li>On July 3, 2017, Sender Attorney emailed the jury researcher to inform them that a favorable verdict was returned for Hankook. Sender Attorney copied another attorney at his firm (&#8220;Copied Attorney&#8221;) on this email. The jury researcher responded on the same day asking whether they could contact the jurors. Sender Attorney stated that he thought the jury should be contacted unless the Copied Attorney disagreed.</li>
<li>On the day after the trial ended, the Copied Attorney was traveling to South Korea and never saw the emails discussing whether the jury researcher should contact the jurors.  The Copied Attorney&#8217;s email was not restored until some point after Sender Attorney&#8217;s email had been sent.</li>
</ul>
<p>Based on this timeline, Copied Attorney was not aware of Sender Attorney&#8217;s email until some point after the District Court issued the order seeking information on how jurors were contacted after the trial. Copied Attorney further stated that if he had seen the emails, he would have instructed Sender Attorney to reach out to the other attorneys working on Hankook’s defense to determine if the jurors could be contacted by the jury researcher. Unfortunately, with Copied Attorney silent on the issue, Sender Attorney and the jury researcher “mistakenly assumed” there was no reason to hold off on contacting the jurors.</p>
<p>The District Court found that Sender Attorney&#8217;s violation of the local rules was the result of “a series of questionable assumptions,” but did not rise to the level of contempt of court. While the holding in <em>Cone</em> may have little or no impact on the overall case, the District Court’s finding that there was a series of mistaken assumptions illustrates the impact that a cyber incident may have on the daily operations of any business.  In short, this cyber attack is further proof that we will likely continue to see cyber incidents causing communication disruptions in a variety of businesses.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</title>
		<link>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case</link>
		<comments>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/#comments</comments>
		<pubDate>Wed, 03 May 2017 15:56:23 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1188</guid>
		<description><![CDATA[
<p>The threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action against the party that allegedly caused a breach. This hurdle for litigants arises out of Article III of the Constitution that... <a class="more-link" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The <a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/" target="_blank">threshold question in data breach lawsuits has been whether a litigant has “standing” to bring a cause of action </a>against the party that allegedly caused a breach. This hurdle for litigants arises out of Article III of the Constitution, which limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative. Nevertheless, while a number of data breach cases have been lost at the initial pleadings stage, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss. As this body of law has developed over the years, one case in particular, <em>Lewert v. P.F. Chang’s China Bistro, Inc.</em>, 14-3700 (7<sup>th</sup> Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs. Recent developments in this case should provide more hope for plaintiffs.</p>
<p>The P.F. Chang&#8217;s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count.&#8221; (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had suffered no damages. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang&#8217;s other arguments for dismissal.</p>
<p>The Seventh Circuit reversed the District Court’s dismissal of the plaintiffs’ complaint based on <em>Remijas v. Neiman Marcus Grp., LLC</em>, 794 F.3d 688 (7<sup>th</sup> Cir. 2015), another Seventh Circuit data breach case. In particular, the Seventh Circuit reversed the District Court&#8217;s findings based on the following:</p>
<ul>
<li>The Seventh Circuit held in <em>Remijas</em> that the plaintiffs met their burden in showing their “injuries were concrete and particularized enough to support Article III standing.” Likewise, in <em>P.F. Chang’s</em>, the Seventh Circuit found allegations of an increased risk of fraudulent charges and identity theft met the plaintiffs’ burden.</li>
<li>The Seventh Circuit also found the plaintiffs in <em>P.F. Chang’s</em> met their burden to show causation and that a favorable judgment would redress those injuries. Here, the <em>P.F. Chang’s</em> Court held plaintiffs alleged sufficient facts to plausibly show their information was likely included in the hack at P.F. Chang’s. And, the plaintiffs were able to establish that their financial injuries, which include the lost opportunity to accrue points on a credit card while waiting for a replacement and the time and resources spent to track any fraudulent charges, were sufficient to show a favorable judgment could redress plaintiffs’ alleged injuries.</li>
</ul>
<p>Since the Seventh Circuit’s decision, the <em>P.F. Chang&#8217;s</em> case has been remanded back down to the trial court and the parties have continued to litigate issues related to P.F. Chang’s motion to dismiss. For example, on December 13, 2016, the District Court entered an order stating that because plaintiffs’ complaint was dismissed by the District Court for lack of standing, the District Court did not address P.F. Chang’s additional arguments for dismissal. The District Court further ordered the parties to submit briefs discussing the issues that remained unresolved after the Seventh Circuit found plaintiffs had standing to bring suit. Last February, P.F. Chang’s filed a motion for leave to file additional briefs in support of its motion to dismiss. In its briefs, P.F. Chang’s argued plaintiffs’ complaint should be dismissed because the plaintiffs’ purchases formed express contracts rather than implied contracts and plaintiffs’ allegations did not support a claim that P.F. Chang’s violated the Illinois Consumer Fraud Act. Plaintiffs filed a brief in opposition which argued that P.F. Chang’s “filed a new, full-throated motion to dismiss.”</p>
<p>On April 26, 2017, the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.</p>
<p>While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss. It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the <em>P.F. Chang&#8217;s</em> litigation is even more important since <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/" target="_blank">the Neiman Marcus case recently settled </a>before we could see how that litigation would unfold through discovery and further motion practice.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/">P.F. Chang&#8217;s Leftovers:  District Court Refuses To Address Motion To Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/p-f-changs-leftovers-district-court-refuses-to-address-motion-to-dismiss-again-after-seventh-circuit-finds-plaintiffs-have-standing-in-data-breach-case/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Litigation Provides Example of Password Being Possibly Too Safe</title>
		<link>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=recent-litigation-provides-example-of-password-being-possibly-too-safe</link>
		<comments>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/#comments</comments>
		<pubDate>Fri, 03 Feb 2017 20:32:56 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[indiana uniform trade secret act]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trade secrets]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1090</guid>
		<description><![CDATA[
<p>It is evident that password security is one economical way to decrease the chances of a cyber incident, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which... <a class="more-link" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Recent Litigation Provides Example of Password Being Possibly Too Safe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>It is evident that <a href="https://privacyriskreport.com/low-tech-solutions-to-high-tech-cyber-security-problems-2/">password security is one economical way to decrease the chances of a cyber incident</a>, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which provides professional development programs for educators, filed suit against its former systems administrator because he would not provide the password for a student email system. The former employee, Triano Williams, filed his own discrimination lawsuit alleging, among many other accusations, that the passwords were stored on a laptop he returned to ACE, and that he offered to help them find the password for a fee.</p>
<p>The first lawsuit was initiated on July 19, 2016, when ACE filed suit against Williams in Marion County, Indiana, alleging that Williams would not provide the password for a Google account that held e-mail and course materials for 2,000 students after ACE fired him from his position as Systems Administrator. When ACE contacted Williams after his termination about regaining access to the Google account, Williams stated he would provide the passwords for $200,000.</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2017/02/State_of_Indiana_v_Triano_Williams.pdf" target="_blank">ACE’s complaint</a> (Paragraph 2) contained the following allegations concerning Williams’ employment and termination:</p>
<ul>
<li>“As the Systems Administrator for ACE, Mr. Williams had access to ACE’s confidential information and trade secrets.”</li>
<li>“Following his termination, Mr. Williams returned the company-issued computer which he had been using to perform his work duties.”</li>
<li>“The computer had been wiped of all information, included information needed by ACE to conduct its business. Specifically, at the time his employment with ACE ended, Mr. Williams was the sole administrator of ACE’s email account (hosted by Google), which is used by its students to communicate with the college and conduct their coursework.”</li>
<li>“Mr. Williams claims the login and administrator password to access ACE’s email was “autosaved” on his work laptop, but because Mr. Williams wiped his hard drive before returning to ACE, the administrator login information was lost.”</li>
<li>“The college has been unable to access its email account.”</li>
<li>“Without access to its email system, ACE is unable to administer its email account, without the administrator username and password which is causing immeasurable harm to the College’s reputation as its students are unable to access their email and coursework.”</li>
<li>“ACE has also requested the login information multiple times from Mr. Williams, but he has refused to provide that information without ACE paying him $200,000.”</li>
</ul>
<p>Based on these general allegations, ACE claims it suffered harm from Williams’ actions and sought recovery under theories of: (1) intentional interference with contractual relationships and business relationships, (2) violation of the Indiana Uniform Trade Secret Act, (3) conversion, (4) offense against intellectual property, (5) breach of fiduciary duty, and (6) criminal mischief. ACE further sought a restraining order requiring Williams to immediately provide the password for ACE’s Google-hosted student e-mail account.</p>
<p>On December 30, 2016, Williams struck back when he filed <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Triano_Williams_v_American_College_of_Education.pdf" target="_blank">a complaint</a> in the U.S. District Court for the Northern District of Illinois alleging he was subjected to a hostile work environment and disparate treatment both before and at the time ACE fired him. The complaint filed in Williams’ discrimination action sheds some light on Williams’ side of this story. In particular, Williams claims that he “was the sole remaining administrator when ACE decided to terminate him and lock him out of ACE’s Google email system.” Williams refused to assist ACE in retrieving the password because he was no longer an employee at the time and ACE was not offering any compensation for his work. Further, Williams’ complaint alleges that ACE had faced a similar situation with another employee and “paid…a sizable consultant fee to perform the task needed by ACE.”</p>
<p><a href="http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/">In discussing this situation, cyber security experts warn</a> that “[a] lot of organizations are using cloud-based services and online services like this [and] [e]ven under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn’t get paid.” Further, this situation shows the important role employees play in cyber security. While it has always been clear that employees can supplement the technological safeguards put in place, this litigation shows how the technology ACE relied on may have actually made ACE’s life more difficult. Regardless of whether ACE or Williams prevails in their competing lawsuits, the takeaway here is that the dispute might have been defused, at least to some extent, had ACE stored the passwords in multiple (and safe) places.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Insurance Can Develop Without Centralized Cyber Law</title>
		<link>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-insurance-can-develop-without-centralized-cyber-law</link>
		<comments>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/#comments</comments>
		<pubDate>Fri, 02 Sep 2016 19:04:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[federal trade comission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Illinois]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=913</guid>
		<description><![CDATA[
<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. Even in October 2014, President Obama called upon Congress to... <a class="more-link" href="https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/">Continue Reading &#8594;</a></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/">Cyber Insurance Can Develop Without Centralized Cyber Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. <a href="https://privacyriskreport.com/president-obama-signs-executive-order-addressing-data-security/" target="_blank">Even in October 2014,</a> President Obama called upon Congress to pass data breach legislation because, “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”</p>
<p>At present, almost two years down the road, we still do not have a single framework regulating cyber security and data breaches. A recent blog post by the Federal Trade Commission (FTC) addresses how its enforcement activities can be coordinated with data breach guidelines created by the Department of Commerce (DOC). However, there is still <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">more work to be done to harmonize state and federal law</a>.</p>
<p><strong>Background On NIST Standards</strong></p>
<p>On February 14, 2014, the DOC’s National Institute of Standards and Technology (NIST) set out “a set of industry standards and best practices to help organizations identify, assess and manage cybersecurity risks.” The DOC created these standards in response to Obama’s Executive Order (EO) 13636, “<a href="https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf" target="_blank">Improving Critical Infrastructure Cybersecurity</a>.”</p>
<p>Specifically, this EO was intended “to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” The NIST Framework did not introduce or create new standards. Rather, it was intended to “leverage and integrate” practices that had already been in use by NIST and similar organizations in 2014. The Framework provides general practices for approaching a cyber security risk, referred to as the “Core,” which is composed of five “functions”: Identify, Protect, Detect, Respond and Recover. Based on these functions, the key elements of effective cybersecurity were summarized in the following manner:</p>
<ol>
<li><strong>Identify: </strong>helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.</li>
<li><strong>Protect: </strong>helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.</li>
<li><strong>Detect: </strong>covers the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.</li>
<li><strong>Respond:</strong> helps organizations develop effective incident response activities.</li>
<li><strong>Recover:</strong> covers the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach.</li>
</ol>
<p><strong>Complying with the FTC via the NIST Framework</strong></p>
<p>The FTC “is committed to protecting consumer privacy and promoting data security in the private sector.” Further, the FTC’s interest stems from Section 5 of the FTC Act, which is “the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.” Since 2001, the FTC has settled nearly 60 cases against companies that it believed failed to secure consumers’ personal information. Because of its enforcement in data security, the FTC is constantly asked, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” The FTC responds:</p>
<p style="padding-left: 30px;"><em>The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.</em></p>
<p>The FTC provides the following guidance concerning cyber security risks:</p>
<p style="padding-left: 30px;"><em>The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders. And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.</em></p>
<p><strong>Cyber Insurance’s Development Without Harmonized Laws and Regulations</strong></p>
<p>While the development of cyber security and data breach measures may be stunted when there is little or no coordination between the laws and regulations, cyber insurance can continue to grow regardless of the actions of state, local and federal government. Rather than relying on government guidelines, the early stages of development of cyber insurance are supported <a href="https://privacyriskreport.com/cyber-insurance-lawsuit-demonstrates-need-to-coordinate-on-cyber-risks/" target="_blank">by insurers, brokers and policyholders coordinating</a> to make sure everyone understands a policyholder’s particular risks and the proper safeguards are put into place.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-insurance-can-develop-without-centralized-cyber-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
