Data Breach, Privacy & Cyber Insurance Law Content
June 2019

 

Data Breach, Privacy and Cyber Insurance Section Plans Sun Valley Debate

 

On Friday, August 2, 2019, the Data Breach, Privacy and Cyber Insurance Committee will host a debate at the Sun Valley summer meeting: “The Great Privacy Debate of our Time: To Be Forgotten or Not To Be Forgotten”.



The program will be styled like a real, formal debate. The resolution to be debated is as follows: Resolved: Private businesses, including especially insurance carriers, should have full and unfettered access to and use of personal and private information, limited only by the willingness of individuals to consent.



The affirmative of the proposition is that access to and use of personal and private information should operate in a free market, as long as the individual consents, with minimal government intrusion, such as seen in the Ohio model. The affirmative will be argued by John Sinnott of Irwin Fritchie Urquhart & Moore in New Orleans and by Gena Sluga of Christian, Dichter & Sluga in Phoenix.

 

The negative of the proposition (that access to and use of an individual’s private and personal information should be governed not just by consent but by regulation and statute to prevent business and others from overreaching, such as seen in the California and European GDPR models) will be argued by Craig Marvinney of the Walter Haverfield firm in Cleveland and Sarannah McMurtry of Acceptance Insurance in Nashville.



The debate will be moderated by Jim Chapman of the Crenshaw, Ware & Martin firm in Norfolk, Virginia.

It will be a 50-minute program, with relevant and critical questions being posed to the panelists by Jim Chapman.

 

The use and privacy of personal data will be at the forefront of insurance, and for that matter litigation, both now and in the future. As artificial intelligence and analytics programs become more and more sophisticated and the amount of available data continues to explode, the issue becomes how far companies, and particularly insurance companies, should be able to go in using that data.

 

What type of data should an insurance company be able to collect and maintain about its insureds? Is wholesale collection and use in coverage and premium decisions a good thing? Is it a bad thing? And what might in the future be considered misuse? What is the proper role of government in determining the privacy boundaries? There are presently no clear answers, but courts, businesses and governments will be called upon to deal with the ethical and privacy ramifications of the use of all this data.

 

Join us for a lively and full debate of these and other questions by an esteemed panel of skilled advocates.

  

March 2019

 

As I type this, the U.S. Senate is holding a hearing involving executives from Equifax and Marriott over recent data breaches at those companies. It will focus on Equifax's handling of data security leading up to the stunning loss of the consumer credit data of 143 million people, and on the Marriott breach that affected as many as 383 million guest records in what has been reported to have been a nation-state attack.

We have a great program planned for the Winter Meeting in Austin. Please join us on Wednesday, March 27 at 8:00 for a discussion of artificial intelligence in “To Infinity and Beyond: the New, the Hot, and the Stuff We Don’t Understand Yet.” Special thanks to speakers Steve Embry, Heidi Barcus, and David Jaroslaw.

Our section has been asked to nominate new FDCC members. Recruiting future leaders is a priority for the Federation, so please give this some thought and email Steve Embry with details on your nominee(s).

We’d like to make this section as engaging and valuable as possible to our section members and clients. If you have any suggestions, such as program ideas for upcoming meetings, marketing opportunities, ways to further engage our section, etc., please contact Steve Embry.

 

John Sinnott

December 2018

 

Click here for "Can a City Invade Your Privacy? Does the Rise of Smart Cities Mean the Fall of Privacy"
September 2018

 

Click here for "How Even a 15 Year Old Can Hack Your Law Firm"
Summertime Cyber Happenings

 

Over the summer, there have been noteworthy developments in the data breach and cyber insurance field.

 

American Tooling Center

 

The first was the subject of an article I wrote which appeared in the August 8 edition of the Advisen Cyber Newsletter. This article discussed the impact of American Tooling Center v. Travelers, decided on July 13 of this year. In this case, the Sixth Circuit changed its previous direction and held that losses due to phishing (where employees were duped into transferring money into fake accounts) were covered by that portion of a cyber policy that provided coverage for the direct or indirect loss of property due to the fraudulent transfer of property by a third party. Previous cases in the Fifth and Ninth Circuits, as well as the Sixth, had found similar language did not cover such losses. These courts held that the fraud provisions do not apply where an employee of the company acts to transfer the funds in response to a criminal solicitation, even if that employee was tricked into using the computer to do the deed.

 

The importance of this case, as I discussed in my article, is that it turns the computer fraud provision on its head. Instead of the provision covering those situations where someone actually gains control of a computer through a hack, the mere use of a computer by a duped employee is enough. The former is a different type of risk entirely from the latter. The former depends to a large extent on the strength of firewalls and the robustness of the system's back-up provisions. The latter depends almost exclusively on the training of employees, something the insured has more control over. The Sixth Circuit simply refused to recognize the fundamental difference between use of a computer by a duped employee and the hack of a computer by an outside entity.

 

Ohio Enacts Cybersecurity Safe Harbor Law

 

On August 3, 2018, the Governor of Ohio signed the Ohio Data Protection Act. Under this Act, eligible organizations may rely on their conformance to certain cybersecurity standards as an affirmative defense against tort claims in data breach litigation. This law is the first in the nation to provide businesses an incentive to implement certain cybersecurity protections by offering them such an affirmative defense.

 

The Act specifically recognizes certain standards, such as those promulgated by NIST, the Federal Risk and Authorization Management Program (FedRAMP), the Center for Internet Security, and ISO.

By establishing “reasonable conformance” with these standards, a company can obtain the benefit of the affirmative defense. The Act specifically does not impose liability for failure to conform to these standards.

 

Of course, qualification for this new defense is not automatic; it may be challenging to establish and may itself be a fact issue for a jury to determine. There is no certification offered by the above bodies, and establishing that a corporate security program conforms to the standards may itself be daunting. Nevertheless, it could prove a useful tool, particularly since the standards have been statutorily recognized. For an excellent discussion of the new provision, see a recent article by John Landolfi and Christopher Ingram of the Ohio-based Vorys Sater firm.

July 2018

 

Privacy and Data Breach: Three Things You Need to Know (GDPR Is Not One of Them)


While much of the attention this spring and early summer has been on the General Data Privacy Regulation (GDPR) promulgated by the European Union (and rightfully so), there have been three pretty significant developments in the United States that have affected, or will affect, data breach and privacy law and practice as well. These three are as follows:


The California Consumer Privacy Act


On June 28, California enacted a new and comprehensive privacy law which will become effective on January 1, 2020. The California Consumer Privacy Act of 2018 (CCPA) provides California consumers more extensive privacy rights and much more control over their personal information. It also imposes the threat of civil penalties and statutory damages for violations. Without going into all the provisions of the Act (there are a number of excellent articles on this), suffice it to say that most businesses vigorously opposed it, primarily because of the increased cost of compliance and the threat of litigation. The Act was, in fact, an attempt by the California Legislature to head off a ballot initiative that would have gone even further and basically allowed a private cause of action by anyone, injured or not, when a data breach or privacy violation occurs. California practitioners remember all too well the chaos that occurred when such a private cause of action was granted under the Unfair Competition Law, chaos that ultimately resulted in an amendment to that law that allows lawsuits only if the plaintiff was harmed by reason of the unfair act.


Why is the CCPA important? First, many businesses do business not only outside of California but inside the state as well (just as many US companies do business in Europe and will be impacted by the GDPR). And the Act has broad applicability; it will apply to businesses if they receive personal information from California residents and if they (or their parent company or a subsidiary) exceed one of three thresholds: (a) annual gross revenues of $25 million; (b) collecting or holding personal information of 50,000 or more California residents, households, or devices annually; or (c) receiving 50% or more of annual revenue from selling California residents’ personal information.


Many national companies will meet these thresholds. Moreover, it will be difficult for many businesses to apply the provisions to just their business in California. Rather, they may be forced to change national practices to meet the California standards. In addition, other states may look to California to enact similar sweeping changes as well. So, the impact of the Act could be much broader.


LabMD v. FTC


The second development comes from a decision by the 11th Circuit. In LabMD v. FTC, the Court addressed the scope of Federal Trade Commission powers in connection with data breach and privacy issues. The FTC has been pretty aggressive in seeking penalties and injunctions under the unfairness prong of its statutory scope of authority and in asserting jurisdiction over cyber security practices and data breaches. In LabMD, the FTC asserted that LabMD’s security was inadequate and constituted an unfair practice under the FTC authority statute. The FTC also acted in LabMD even though no particular statute was allegedly violated, relying instead on what it perceived to be the general unreasonableness of LabMD’s protections. Finally, the FTC required LabMD to meet very vague standards which in essence gave the FTC full discretion to determine whether LabMD had met those requirements.


The ALJ initially hearing the matter concluded that the FTC had not proven that the alleged LabMD unfair practice had caused, or was substantially likely to cause, substantial injury as required by the statute. The matter was then brought before the full Commission, which reversed the ALJ decision. The full Commission found that the mere disclosure of information itself violated valuable privacy rights of those whose records were stolen, and that the disclosure of such data caused a substantial likelihood of future harm even though no harm had yet occurred.


The matter made its way to the 11th Circuit. In an opinion rendered in early June, the Court held that the FTC must be specific in what it requires companies to do in response to a data breach and what security they must generally have in place; vague directives to in essence “do the right things” and be reasonable are not sufficient. The Court further held that the FTC could not act where no specific statute prescribed the conduct in issue. In other words, simple negligence or unreasonableness in failing to act won’t do to invoke FTC authority under the unfairness standard of the statute. If true, this could end up being a very big deal, since the FTC routinely relies on a negligence standard in seeking compliance.


Carpenter v. U.S.


Finally, while there was a lot of publicity about SCOTUS’ right-leaning rulings in Justice Kennedy’s final term, the 5-4 decision in Carpenter v. U.S. reflected that in privacy matters, at least, the Court leans more toward the middle. At issue was whether law enforcement has to get a warrant to access cell phone location data. All cellphone service providers maintain special sites or portals within their websites that law enforcement, for a small fee, can access to find the location of any cell phone at any given time. Because it happens fairly often, this became somewhat profitable for the providers, who also sell the data to third parties on occasion. In Carpenter, the location data showed that a defendant accused of robbing a chain of convenience stores always seemed to be in the area when a store was robbed. This was enough for the jury to convict him. In an opinion written by Chief Justice Roberts, the Court held that such data, like many other digital records, was private and could not be willy-nilly obtained by law enforcement without a search warrant.


Using broad language, the Court recognized that such data provided a “window” into a person’s life, and that from it all sorts of things like political affiliation, sexual preference, religion and the like could be derived. The non-criminal-law upshot of the case: the Court believes that people have a reasonable expectation of privacy with respect to their location. Noting that cell phones are ubiquitous and that the location capabilities were quite sophisticated, the Court was willing to accept that technological changes called for new approaches, saying “although such records are generated for commercial purposes, [this] distinction does not negate Carpenter’s anticipation of privacy in his physical location.”


In this regard, the Court likened the cell phone to an ankle bracelet worn by a convicted person, except that in the latter case the person’s rights have been protected by due process. Thus, a defendant is at least entitled to have a judge review whether there is probable cause for law enforcement to obtain access to location data. Bottom line for the civil side: the Court seems to believe pretty strongly that a person’s privacy right extends to location data generated by cell phones. This could have a significant impact in privacy litigation and support the notion that privacy rights have value for standing purposes.


So, while all the talk has been about the GDPR, these three domestic developments could impact US law pretty significantly.

May 2018

 

The Data Breach, Privacy and Cyber Insurance Section is busy planning for the summer meeting in Maui, Hawaii.

 

We plan not one but a two-part section meeting to deal with some timely and hot topics.

 

First, after the Amelia meeting and the plenary session we presented on cyber security, we have had a lot of questions about the cyber security issues specific to lawyers and law firms. Many of you are wondering what the requirements and issues are just for lawyers. So, we plan a one-hour presentation on just this topic for Thursday, August 2nd at 7 am. This will be a panel discussion with Steve Embry, our Section Chair; Gina Buser, founder of Traveling Coaches, who, by the way, was instrumental in putting together the Evolve program; Dan Schroeder, Partner in Charge of Information Assurance Services; and Rob Welch, partner with the Drew Eckl Farnham law firm in Atlanta. This panel will focus on such things as cyber security ethical issues, HIPAA security issues, cyber threats and protections for lawyers, cyber insurance for law firms and assurance programs for clients. It should be an interesting and lively session.

 

The second session will be on Friday, August 3, again at 7:00 am. This program will focus on future issues for lawyers and law firms in connection with bitcoin and blockchain. Again, there will be a panel, composed of Glynna Christian, partner with Orrick; Peter Buck, Vice President of Product Strategy for NetDocuments; and, again, Steve Embry and Dan Schroeder. This panel will discuss what the blockchain is, the legal and litigation ramifications of it, and ethical issues associated with both bitcoin and blockchain technologies. It will include a demonstration of the use of blockchain.

 

Both panels will include both live and livestreamed presentations. So mark your calendars and join us early both days.

April 2018

Submitted by: Stephen E. Embry

 

TechU: 5 Key Take-Aways

 

TechU, the brainchild of our President, Scott Kreamer, graduated its first class over the weekend of April 7th.

 

By way of background, Scott came up with the idea of an intensive technology trial presentation course culminating in the award of the Technology Master Advocate Certification. It was Scott’s view, and I think the new graduates would now confirm, that it is essential for FDCC lawyers to enhance their trial skills by becoming knowledgeable about and using technology tools to enhance their storytelling abilities. I had previously written an article about TechU and the overall Evolve initiative.

 

From Scott’s idea, the FDCC created the Evolve website where FDCC members can go to find what tech is available, some background on that tech and some instruction on how to use it. In addition, the FDCC partnered with Traveling Coaches to create training modules on various technologies.

But there is nothing like hands-on experience, which is where the crown jewel of this initiative, TechU, comes in. This 2-day intensive and immersive tech training was held in Philadelphia at Veritext Legal Solutions. The training was designed to give participants the chance to learn the tech that’s out there, have access to course instructors to help them with any and all questions, and then actually use the skills by making opening and closing statements to the other participants for feedback and constructive comment.

 

We deliberately kept the class size small so that everyone would have the chance to present. But the participants were a diverse group, ranging from lawyers with 40 years’ experience trying cases to those with only a few. We had lawyers from small firms, large firms and in-between firms. We had a number of women participants and participants of different ethnic backgrounds.

 

Sound intimidating? It was anything but. Bob Christie, who headed the instructional team consisting of Jack Delany, Tom Oakes of Veritext and myself, came up with a program in which the participants could learn together in teams, collaborate and then talk in constructive terms about what they saw and heard.

 

The Program

 

We kicked off Friday night with a lecture from Bob Mongeluzzi, a well-known and highly successful plaintiffs’ lawyer. Mongeluzzi entertained and impressed the group by doing some of his actual openings and closings in well-known cases. He showed how he successfully married technology and storytelling skills to obtain some of the largest verdicts in the nation.

 

On Saturday, Judge Linda Caracappa, Chief Magistrate Judge for the Eastern District of Pennsylvania, told her story of how the courts in her jurisdiction became a model for the rest of the country for technology hardware available in the courtroom. Born out of a desire to “level the playing field”, the courts in the Eastern District of Pennsylvania have state-of-the-art tools available to all practitioners. We also heard from Chris Espinosa of Exponent, who told us about the latest tech tools for visualization methods in the courtroom.

 

But while these lectures were enlightening, the highlight of TechU was the presentations by the participants after spending almost a day one on one with the instructors and their colleagues, understanding what the available technological tools could do, how to use them and how to better tell stories with their aid. Bob perceptively understood that the ability for everyone to collaborate was critical to this process and created an atmosphere where learning and doing could occur without fear of either failure or criticism, allowing remarkable growth.

 

Using a hypothetical case, the participants created their opening and closing statements. The statements were in a word: incredible. It was remarkable how far and how fast the participants came in mastering the skills. But more importantly, it opened up whole new worlds of storytelling capabilities.

 

The Take-Aways

 

So, what are the take-aways? Here are five key ones:

 

  • Lawyers should not and need not be dependent on tech assistants to run tech in the courtroom. When they do, they disrupt the flow of the story they are trying to tell, and the jury loses attention.
  • Lawyers must know and understand technology and how to tell stories with it. Again, depending on third parties who are not immersed in the story leads to stories being fit around the technology instead of technology being used to enhance the story.
  • Lawyers must know what technology is out there and stay current. Without training like TechU, it’s hard to know what’s available and how it can enhance story lines.
  • Collaboration around tech and storytelling is a phenomenal tool. Many times during the course, someone would offer a suggestion or a way to accomplish something that solved a problem. And a diverse group coming at the story of a case in different ways unquestionably improves the product.
  • Lawyers of whatever age, skill and knowledge level can very quickly master technology that can improve their presentations and trial mastery. It need not be complicated or hard.

 

The Reviews

 

The training was a rousing success. We kept getting comments like “best seminar I’ve been to in 10 years”, “it was a game changer,” and “I can’t believe I came so far so fast”. We even recorded several interviews with the participants, which will soon be posted on the FDCC YouTube channel.

We hope to offer this again next year. So, talk to those who went and to the instructors. You will find that technology need not be intimidating. That it can be used to make you a better lawyer, teacher and communicator. That using it can be fun. That hands-on learning with your friends may be one of the best experiences you can ever have.

 



March 2018

Submitted by: F. Marshall Wall

 

The Data Breach, Privacy, and Cyber Insurance committee has been busy this winter. If you missed the Winter Meeting in Amelia Island, you missed section chair Steve Embry’s plenary presentation entitled “The Dark Web and the War on Cyber: What You Need to Know” with speaker Keith Wojcieszek, a former Secret Service agent.

 

Steve and others are presenting what should be a very informative webinar on March 20, 2018 at 1:00 p.m. EST. That webinar is titled “Litigation Trends, Regulatory Requirements and Risk Management Fundamentals for In-House and Outside Counsel.” Go to www.thefederation.org/FDCCwebinars to learn more.

 

Our committee also has a great presentation planned for Hawaii. The issues that this committee deals with affect every business and every law practice. There are plenty of opportunities for others to get involved. Join us!

February 2018

Submitted by: Stephen E. Embry

 

9th Circuit Ruling Threatens Anonymous Reviews

 

Late last year, the 9th Circuit dealt online anonymous reviewing services a chilling blow when it decided United States v. Glassdoor. Faced with an online service which allowed people to post employer reviews for the benefit of others, the 9th Circuit determined that those who posted on the service were like newspaper reporters, and reverted to an analysis used for print media some 40 years ago.

 

Specifically, the Court ruled that the government could compel Glassdoor to reveal the identity of employees who anonymously posted reviews of their employers on the site, even if those who had posted didn’t consent. What this means for other online services that rely on similar anonymous posts could be significant.

 

Background

The case started when the government served a subpoena on Glassdoor, an online forum where current and former employees can anonymously post reviews about the salaries and work environments of their places of employment. The subpoena asked for identifying information for more than one hundred accounts that had posted reviews of an employer whose contracting practices were apparently under criminal investigation by a federal grand jury. The investigation centered on alleged wire fraud by one of the companies under investigation by the grand jury.

 

Glassdoor refused to reveal its users’ identities to the grand jury, citing among other things the First Amendment right of its users to speak anonymously. According to Glassdoor, identifying its users “could have a chilling effect on both Glassdoor’s reviewers’ and readers’ willingness to use glassdoor.com.”

 

Glassdoor subsequently moved to quash the subpoena, invoking its users’ First Amendment right to speak anonymously, while simultaneously notifying the targeted users of the subpoena’s existence.

 

The Holding

The Court held Glassdoor to the standard set in Branzburg v. Hayes, where the Supreme Court held that a newspaper reporter must cooperate with a grand jury investigation unless the reporter presents evidence that the investigation is being conducted in bad faith, which the 9th Circuit said Glassdoor had failed to do. Showing bad-faith governmental conduct is difficult, and the ruling could end up being a blow to the free speech and privacy rights of those who post online.

 

Ever since Branzburg was decided some 40 years ago, courts have recognized the severity of revealing a speaker’s identity against his or her will, and have imposed a variety of evidentiary requirements and multi-part balancing tests to ensure speakers’ rights are adequately protected. Despite this, the 9th Circuit rejected more recent case law, such as Bursey v. United States, which involved an actual newspaper and which would have the government, not Glassdoor, show a compelling need for the identities to be revealed. As the 9th Circuit itself has said, “The right to be anonymous is an aspect of the freedom of speech protected by the First Amendment.” In re Anonymous Online Speakers, 661 F.3d 1168, 1173 (9th Cir. 2011) (quoting McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 342 (1995)).

 

So even though the Bursey Court realized that “[t]he press function with which the [Branzburg] Court was concerned was news gathering,” and that “[n]ews gathering [was] not involved” in Bursey, in Glassdoor the Court nevertheless treated Glassdoor as a newspaper and those who posted on the forum just like reporters.

 

Glassdoor’s Argument

Glassdoor argued that it was not a news organization, nor were those who post on its site reporters or gathering news. Instead, those posting were offering up information that probably was not available anyplace else, primarily to benefit others. According to Glassdoor, the only incentive for people to take the time to post was to engage more openly with one another and provide information that otherwise would likely not be provided.

 

And Glassdoor argued that online communications necessarily depend on intermediaries, such as internet service providers and messaging platforms, to facilitate their carriage, accessibility, and storage. Those who post on the internet are particularly vulnerable to having their speech published, taken out of context, examined, questioned and criticized in ways that true news reporters are not, and in ways they cannot anticipate when initially posting a comment. If a person fears that statements he or she makes online will be linked to their professional or legal identity, said Glassdoor, they will likely refrain from voicing at least some thoughts due to concerns about potential repercussions and reprisal. And the community would suffer.

 

These differences, argued Glassdoor, compelled the higher Bursey standard, which was not impossible to meet. Glassdoor believed the government, not the blogger, should be required to make a showing of need. It is the government that is best able to carry this burden of proof.

 

The Impact

When one thinks of all the online services using anonymous postings, the consequences of the opinion could be vast, not to mention the slippery slope the opinion creates. Would there be any restraints on what the government could compel in the name of investigation? Would there ever be a case where a blogger could show government bad faith? How? What about civil litigation?

 

It’s one thing to give up privacy when we know what we are doing. It’s quite another to believe what you are saying is anonymous, only to find out it’s not.

January 2018

Submitted by: Steve E. Embry

9th Circuit Finds a Substantive (and Valuable) Privacy Right

 

On November 29, 2017, a 9th Circuit Panel affirmed the dismissal of a case against ESPN under the Video Privacy Protection Act (VPPA). In doing so, though, the Panel recognized that the Act created a substantive right of privacy and that, for standing purposes, that right had value. This could have far-reaching implications in the 9th Circuit for so-called non-damage cases stemming from alleged privacy violations or data breaches.

The VPPA

Interestingly, the VPPA was enacted in the 1980s by Congress in response to a video store giving The Washington Post a list of videos that Supreme Court then-nominee Robert Bork had rented. The VPPA was designed, in part, to protect consumers against the disclosure of personally identifiable information (PII) by video providers. The basic provisions of the Act provide:

  • A prohibition against knowing disclosure of “personally identifiable information” of a “consumer” who rents or otherwise obtains video materials
  • Liability for a breach and the ability for an “aggrieved person” to bring a civil action
  • Statutory damages of not less than $2,500 per violation as well as punitive damages
  • Recovery of attorney’s fees and other litigation costs

The Allegations

In the ESPN case (Eichenberger v. ESPN), Eichenberger alleged that ESPN had disclosed the videos he was watching on ESPN3 by sharing the serial number of his Roku device (Roku allows users to view videos and content on their TVs) and the events he was watching with the analytics firm Adobe. Based on this information, Adobe was able to use information it had obtained from other sources to identify persons viewing ESPN3 and what they had viewed. Adobe then gave this information back to ESPN in an aggregated fashion, and ESPN then sold the demographic information from that material to advertisers. Eichenberger argued that this constituted a violation of the VPPA since ESPN knew that Adobe would use the information to identify him.

The ESPN Response

ESPN’s response was: where’s the damage? Eichenberger suffered no real monetary loss as a result of its activities, and ESPN itself did not disclose any personally identifiable information. Hence no standing and no violation.

Standing is a Hot Topic

Standing in privacy cases and in many data breach cases has been a hot issue upon which the Circuits have not agreed. The Supreme Court attempted to weigh in on this issue in Spokeo v. Robins, which involved standing in the context of the disclosure of an individual's credit report. The Supreme Court recognized that Article III of the U.S. Constitution "requires a concrete injury even in the context of a statutory violation" but that a "bare procedural violation, divorced from any concrete harm" was not enough to supply this standing. Since this ruling, courts have not agreed on what it actually meant. Not long ago, for instance, the 2nd Circuit ruled that NBA 2K video game players lacked standing to sue Take-Two Interactive over biometric collection because the plaintiffs had failed to show injuries or at least a real risk of harm.

The 9th Circuit Found a Substantive Privacy Right

In reaching the conclusion that Eichenberger did have standing, the Panel, composed of three Circuit judges, held that the VPPA is a "substantive provision that protects concrete interests," and that the statute protects privacy interests more generally by ensuring that consumers retain control over their personal information.

The Panel went on to hold that "Privacy torts do not always require additional consequences to be actionable," that the VPPA codifies a substantive right to privacy, and that it protects a consumer's right to privacy in his or her video viewing history. Implicit in this holding is that this right has value and that the breach of it creates actual damage: “plaintiff need not allege any further harm to have standing.”

The Panel went on to hold, though, that since the information ESPN provided to Adobe was not itself personally identifiable information, and only became such when combined with information that Adobe, not ESPN, had, there was no violation of the Act or breach of Eichenberger’s privacy rights (a holding that is itself the subject of differing interpretation; see HULU AND THE CARTOON NETWORK: KEEPING RULE 23 VPPA CLASS ACTIONS AT BAY). The Court reasoned: "In 1988, the Internet had not yet transformed the way that individuals and companies use consumer data — at least not to the extent that it has today. Then, the VPPA’s instructions were clear. The manager of a video rental store in Los Angeles understood that if he or she disclosed the name and address of a customer — along with a list of the videos that the customer had viewed — the recipient of that information could identify the customer. By contrast, it was clear that, if the disclosure were that 'a local high school teacher' had rented a particular movie, the manager would not have violated the statute. That was so even if one recipient of the information happened to be a resourceful private investigator who could, with great effort, figure out which of the hundreds of teachers had rented the video." The panel then concluded "that an ordinary person could not use the information that [ESPN] allegedly disclosed to identify an individual. Plaintiff has therefore failed to state a claim ... ."

What’s the So-What?

So why is this important? It means that in the 9th Circuit, at least, and perhaps elsewhere, standing can be found based on the mere breach of privacy, without more and without any monetary loss. It means that privacy and personally identifiable information have, by themselves, the requisite value to provide standing. This could open the proverbial Pandora’s box for privacy and data breach claims unless and until the Supreme Court (or perhaps Congress) provides a better answer.

 

 




December 2017

Submitted by: Steve E. Embry

 

First of Its Kind Lawsuit Involving ICO’s

Many companies and individuals have recently attempted to raise funds through the sale of cryptocurrencies, coins or tokens. These fund-raising activities are generally called initial coin offerings (ICOs) and take advantage of the interest in cryptocurrencies such as bitcoin, whose rise in value over the past year has been meteoric. In October, the first class action lawsuit involving an ICO was filed in federal district court in California.

 

ICOs have become popular because they are relatively easy to conduct, there have traditionally been few regulations, and the law surrounding them is not particularly clear, at least not yet. Here’s how they work: a cryptocurrency is created and then sold to early backers of a project in exchange for legal tender or another cryptocurrency like bitcoin. The investors then hope for a return from the increased value of the cryptocurrency or, in some cases, a share of the returns from the project. There is typically no prospectus, although the terms may be set out in a whitepaper or other literature.

 

Many of these ICOs don’t employ the traditional safeguards seen with initial public offerings or registered securities. The industry has attracted a large number of operators and consultants, some with more experience and credibility than others.

 

The SEC Position

The Securities and Exchange Commission (SEC) recently issued two pieces of guidance related to ICOs: a DAO Report and an Investor Bulletin. The DAO Report states that whether a cryptocurrency qualifies as a security is a fact-based inquiry. (If the cryptocurrency is a security, a number of requirements with respect to such things as disclosure must be met.) According to the SEC, the key question is how the future value of the cryptocurrency will be determined; if it is tied to the promoter’s efforts, it will likely be considered a security. So, for example, where the cryptocurrency is essentially worthless unless future development occurs or a promised dividend stream is established, the chances are better that the SEC would consider that cryptocurrency a security.

 

The Investor Bulletin provides more practical advice for ICO promoters and participants and suggests that, for promoters, consideration of various risk factors, such as the ability to recover under federal securities laws if fraud or theft occurs, may be appropriate.

 

The Tezzie Suit

The SEC’s position on whether ICOs involve the sale of securities will likely be at issue in a proposed class action filed against Dynamic Ledger Solutions, Inc. (DLS) and several other related entities regarding an ICO for tokens called “Tezzies.” Tezzies are tokens related to the Tezos blockchain. According to the Tezos overview, the Tezos blockchain would facilitate formal verification of smart contracts by mathematically proving the correctness of the code governing transactions. The network was to launch in Summer 2017.

 

The Complaint alleges that DLS launched the ICO in July 2017, and that over 607 million Tezzies were thereafter sold. In exchange, according to the Complaint, DLS and the other defendants received digital currency worth about $232 million (now worth approximately $475 million, according to the Plaintiff).

 

The plaintiff generally alleges that the Defendants:

 

  • Failed to register the offer and sale of securities in violation of federal securities laws;
  • Committed fraud in the offering or sale of securities in violation of federal securities laws;
  • Committed false advertising in violation of California statutory law;
  • Engaged in unfair competition in violation of California statutory law; and
  • Acted as alter-egos of one another and all actions could be imputed to each Defendant separately or to all Defendants severally.

 

More specifically, the Plaintiff also claims that the projected launch of the Tezos network in December 2017 was postponed to February 2018; since Tezzies derive their value from the usefulness and popularity of the Tezos network, that delay, according to the Plaintiff, devalued the assets. Also according to the Plaintiff, none of the development steps laid out in the overview document were met, and many terms were not even shown to the purchasers. Finally, the Plaintiff asserts that the characterization of the Tezos sale as a donation is refuted by “significant investments made by cryptocurrency hedge funds.”

 

Plaintiff seeks restitution and disgorgement of gains, rescission of the purchases of Tezzies, and punitive damages, among other relief.

 

What’s at Stake?

The Tezzie case will likely raise questions of whether and under what circumstances an ICO will be considered a securities offering subject to securities-related rules and regulations, and of the validity of the SEC views set out in the DAO Report and Investor Bulletin. The plaintiff has squarely alleged that the token’s value was related to future development and that no risk factors were included in the ICO materials – two factors specifically mentioned in the DAO Report and the Investor Bulletin. How this case and any subsequent ones are resolved will no doubt impact the ICO marketplace and the popularity of ICOs.

 

 


 

November 2017

Submitted by: F. Marshall Wall

 

If you haven’t heard of the GDPR, it is time to learn something about it – at least for the sake of your clients. For starters, what does GDPR stand for?  It is the European Union’s General Data Protection Regulation.  You may be saying to yourself, “Wait, I practice in the US, why do I care about this?”  If you represent companies that sell products or offer services inside the EU, then this regulation matters to your clients. 

 

For some time the EU has taken a very different approach to privacy than the United States.  The EU is far more supportive of the idea that individuals should have control over what is done with their personal information.  The GDPR is a result of this focus on protecting individuals’ privacy rights.  Since the regulation runs to more than 260 pages, this article will necessarily discuss only a few of the highlights.

 

The GDPR applies both to organizations within the EU and also to those “located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”  Given the connected nature of our world and the size of the EU, the GDPR will apply to a great many companies in the US.

 

Key terms within the GDPR include “controller”, which is an entity that determines the purposes and means of the processing of data, and “processor”, which is an entity that processes data on behalf of a controller.  The term “processing” includes the storage, dissemination, or use of personal data.

 

The GDPR definition of personal data is much broader than in typical state data breach statutes in the US.  According to guidance from the EU, personal data includes, “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

 

Data subjects have the “right to be forgotten” under the GDPR, meaning a data controller must erase the subject’s data and cease any further dissemination of it.  People will also have rights to learn what personal data an entity has about them, including obtaining a copy of the data and learning where it is stored and how it is being used. 

 

Breach notification rules under the GDPR are strict.  Notification must be given to a supervisory authority in each applicable member state of the EU within 72 hours of discovery of the breach and to any data subject “without undue delay” in any situation where “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”

 

The GDPR also requires that consent agreements with data subjects use simple language and cannot be filled with legalese.  While these agreements can and will be used to allow entities to use, sell, and disseminate data, the typical boilerplate click-wrap agreements that we have become used to with every download or update likely will not pass muster.

 

Another significant feature of the GDPR is that many entities will be required to designate a Data Protection Officer (DPO). A DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a “large scale.”  These terms are not well defined and subject to interpretation. 

 

Penalties for violation of GDPR can be severe.  Data processors can be fined up to four percent (4%) of “annual global turnover” or €20 million, whichever is greater. 

 

Since the regulation is not yet in place, there is no precedent for enforcement or the level of penalties that will be applied in specific circumstances.  Many terms and provisions will require interpretation.

 

The GDPR was passed in April 2016 and becomes effective on May 25, 2018.  If companies have not started to prepare for compliance, there is no time like the present.

 

To learn more, and to see the countdown clock for enforcement of the GDPR, take a look at this link: http://www.eugdpr.org/.  At this writing your clients have 196 days, six hours, and 41 minutes to comply!

 


 

OCTOBER 2017

Advisen Cyber Risks Insight Conference Coming Up

 

There is still time to register for the Advisen Cyber Risks Insight Conference in New York City on October 26. It’s a one-day conference that I have attended for several years. It’s quite likely the preeminent industry cyber insurance and risk conference. Attendance is expected to be around 1,000; it is always held at the Grand Hyatt Hotel in Manhattan. Here is a link to the agenda.

 

The keynote this year is being given by Rudolph W. Giuliani, Chair of the Cybersecurity, Privacy and Crisis Management Practice at Greenberg Traurig. The remaining speakers read like a who’s who in the cyber insurance field and range from underwriters and claims personnel to brokers and forensic experts. They include Stephen Catlin, founder of XL Catlin, a leading cyber insurer; Martin South, President, US and Canada Division, Marsh; and numerous others.

There will be three tracks going on simultaneously: a track on the cyber product, a track on quantifying the insuring risk and a track on defining the risk (aka, “the threat track”). It was at this conference some three years ago that the General Counsel of Allstate stated from the podium that he believed litigation over the meaning of cyber policies was something he would be dealing with for the rest of his career…and he was a pretty young guy!!

 

And here is the good thing about the conference… (shhh)… not many outside lawyers attend. So, if you want to chat with the AIG head of cyber claims, you can just walk right up to him. No fighting off hordes of other lawyers trying to scarf up business.

 

If any of you are thinking of going, give me a shout; I would love to meet up. Advisen publishes a daily cyber risk blog, by the way, if you would like to subscribe. Here is a link. It has some timely articles and news in it. And they welcome articles from outside lawyers and experts as well; I’ve had pretty good luck getting things published there.

Want more information on the now infamous Equifax breach? Here is a link to an article on the breach, the legal issues it will likely present and the impact.

 


 

 

AUGUST 2017

The FDCC’s newest section—Data Breach, Privacy, and Cyber Insurance—has planned an active year for 2017-18. Our section is led by Chair Steve Embry and Vice Chairs Chris Holecek, John Sinnott, and Marshall Wall. Feel free to contact any of the section leaders throughout the year to offer input or get involved.

 

We are planning a plenary presentation for the winter meeting in Amelia Island on cyber threats. Stay tuned for more information about this as the date approaches. The winter meeting is February 24-28, 2018 at the Omni Hotel and Resort in Amelia Island, Florida.

 

Here are some recent developments in the data breach, privacy, and cyber insurance area:

  • The Internet of Things to Come in Cybersecurity: The Internet of Things is fraught with risk. The monetization of health care data has been a significant threat since as early as 2015. We are all endangered by such exploitation because pieces of anyone’s information can be sold for a handsome profit on the Dark Web.
  • Outsider or Insider: Who Will Cause Today’s Data Breach?: In today’s cybercrime landscape, threats come not only from all sides, but also from within.
  • How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses: Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too. When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified. This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.
  • What to Know About Risk, Coverage Before You Buy Cyber Insurance: If a healthcare organization decides to insure itself against cyber-attacks, how do C-suite executives and others go about evaluating potential cybersecurity risks and insurance coverage in today’s chaotic threat landscape?
  • Data Breach Class Action Reinstated: Must plaintiffs allege actual identity theft from a data breach to avoid dismissal of their class action lawsuit? No, according to a recent opinion from a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit. 

One way to stay up to date on these issues is to participate in our section’s Slack page.

 

 

JULY 2017

The Anthem $115 Million Data Breach Settlement: A Tipping Point?

Seven years ago, a Texas jury awarded a woman named Melinda Ballard $32 million in what was touted as a toxic mold lawsuit. Almost overnight, a cottage mold litigation industry sprang up. Seminars on how to litigate a mold case from the plaintiffs’ and defendants’ perspectives proliferated and were standing room only (I know, I spoke at some). Plaintiffs’ lawyers advertised their mold expertise in a massive hunt for clients. Lawsuits galore. Experts and consultants came out of the woodwork as moon suits and containment centers like those used for asbestos abatement became the norm for wiping down common mold from ordinary walls with bleach. Never mind that the Ballard case was really an insurance bad faith case. Never mind that mold was and is ubiquitous. Never mind that the causal relationship between mold and serious illness is, at best, sketchy. Millions of dollars were spent in costs and legal fees until the hysteria burned itself out.

Have we reached a Melinda Ballard moment with data breach litigation? Last month, Anthem agreed to settle a class action over the health insurer’s massive January 2015 data breach. In that breach, hackers obtained and compromised the data of some 78.8 million current and former Anthem insureds and employees, which led to a probe by the Federal Bureau of Investigation and massive publicity. The information compromised included names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses and employee data, including income.

After the predictable litigation commenced and ran its course, Anthem agreed to pay $115 million to resolve consumer claims over the attack, the largest data-breach settlement in history. As part of the proposed settlement, Anthem agreed to set aside some $15 million to pay for out-of-pocket expenses incurred because of the data breach and to establish a fund to buy at least two years of credit monitoring services for the class to help protect them from fraud. For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member.

The proposed accord, which would end class-action lawsuits filed in several states, requires approval from a federal judge in San Jose, California.

Data breach suits have had mixed success in the courts. Substantial Article III standing issues exist, since often the damages are only possible or threatened, not actual. Where the breach involves compromised financial information, fraudulent charges resulting from the compromised account information are reversed by card-issuing banks, and only a small percentage of people are actually victimized by identity theft. And even if plaintiffs get past a motion to dismiss for lack of standing, there remain lots of procedural and substantive hurdles. So while some breach cases have failed outright to establish standing (as with Barnes & Noble’s data breach), others have settled for relatively modest sums, such as Target’s recent $18.5 million settlement over its 2013 breach with state attorneys general and a $10 million settlement with consumers.


But some believe the announcement of a $115 million settlement could suggest to the plaintiffs’ bar that these cases are now lucrative, initiating a feeding frenzy similar to the one that occurred after the Ballard case. After all, data breach cases are costly to defend and, if successful, could pose significant exposure, particularly if the numbers involved are large. And there are potential regulatory and attorney general liabilities. Not to mention the publicity and complicated nature of responding to data breaches before litigation, and the multitude of often inconsistent state laws, which create the chance for errors in the initial handling process.

But before we all gear up for another wild litigation ride, there are several points to keep in mind. First, the Anthem breach involved a huge number of people and tons of data. Much of the data was health records, some of the most sensitive and valuable information on the black market. The possibility for mischief with a person’s health records is pretty significant. The regulatory framework involving health records is daunting. So from a standing perspective, it would be easier for a court to conclude that the data has value and/or that the threat of harm is “imminent.” Stolen health records increase the “anger factor” that often drives huge verdicts. These factors all make the Anthem case pretty unique.

Damages in most run-of-the-mill data breach cases not involving health data, though, remain hard to show with any certainty. Given the number of data breach incidents that have already occurred, more and more people already have credit monitoring in place, reducing the value of this as a damage element. In financial breaches, consumers at least are fairly well protected and knowledgeable.

And unlike the mold situation, the threat from a data breach is not so much to a person’s health as to their convenience, making individual damages in most cases pretty low. So that means that to succeed, plaintiffs must pursue class actions with uncertain recoveries in an area in which the law is still uncertain. From the plaintiffs’ perspective, a proverbial long shot that could be expensive to bet on.

 

 

JUNE 2017

WannaCry: An Aptly Named Beginning to Large-Scale Ransomware Attacks?

 

On Friday, May 12, 2017, the ransomware attack known as WannaCry began.[1] Within a day, the malware infected more than 230,000 computers in over 150 countries.[2] Thankfully, on May 15, 2017, a web security researcher discovered a mistake in the malware’s code.[3] The web security researcher was then able to disable the further spread of the malware by exploiting the coding mistake. But future cyberattackers may not make the same mistake that WannaCry’s coders did.

 

WannaCry is classified as a ransomware attack. It was unique in how devastatingly it spread. All ransomware attacks target vulnerabilities in a victim computer’s software. Through those vulnerabilities, attackers spread malware that scrambles and encrypts the data on the victim’s computer. The attackers then offer to unscramble and decrypt the victim’s computer for a fee, the ransom. Many ransomware attacks are limited in scope because when software developers become aware of vulnerabilities in their programs, they issue patches that eliminate those weaknesses. However, every so often, cyberattackers discover a vulnerability in software that had never been found before, so when the cyberattackers target that vulnerability, everyone who uses that software is at risk. These vulnerabilities are known as zero-day vulnerabilities because there is no time to patch the vulnerability prior to an attack. The WannaCry attack targeted a zero-day vulnerability in Microsoft’s software. Therefore, all computers running the affected Microsoft software were at risk until Microsoft could issue a patch.

 

Usually ransomware spreads through phishing—fraudulently sending emails with infected attachments which, when opened, target a software vulnerability and thus encrypt the computer. WannaCry, however, was so effective because the vulnerability it targeted was in Microsoft’s Server Message Block (SMB) protocol.[4] SMB is an application-layer network protocol: it is the mechanism by which networked computers share access to files, printers, and other resources.[5] Thus, WannaCry was not dependent on phishing in order to spread, but rather spread automatically to other computers on the same network. In other words, the vulnerability WannaCry targeted made it spread quickly and uncontrollably.

 

Fortunately, WannaCry was not as devastating as it could have been. However, there is no reason to believe that similar cyberattacks will fail the way WannaCry did. There are many ways that law firms and businesses can reduce the likelihood of becoming victims of cyberattacks, ranging from buying cyberattack insurance to hiring outside firms to supply security. In the meantime, it’s important to install software updates as soon as they are available, because those patches can keep you from being the next WannaCry-style ransomware victim.
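Turning the advice above into something an administrator can actually run: the following is an added PowerShell audit script, not code from the newsletter or from Microsoft, that reports whether a Windows host still has SMBv1 enabled (the protocol version the WannaCry exploit abused), whether the SMB port (TCP 445) is listening with no inbound firewall rule blocking it, and how long it has been since an update was installed, with optional hardening. It assumes an elevated session on Windows 10 / Server 2016 or later; the -Remediate and -MaxPatchAgeDays parameters and the function names are my own.

```powershell
# Added example (not from the newsletter or Microsoft): audit one Windows host for the
# SMB exposure that let WannaCry spread without phishing, and optionally harden it.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.
[CmdletBinding()]
param(
    # Apply the mitigations instead of only reporting
    [switch]$Remediate,
    # Treat the host as out of date if no update was installed within this many days
    [int]$MaxPatchAgeDays = 60
)

function Get-Smb1Finding {
    # SMBv1 is the protocol version the WannaCry exploit targeted; it should be off.
    $findings = @()
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled (Get-SmbServerConfiguration).'
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += 'Windows optional feature SMB1Protocol is installed.'
    }
    return $findings
}

function Get-Port445Finding {
    # A worm like WannaCry needs to reach TCP 445; report if it is listening and unblocked.
    $findings = @()
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listening) {
        $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Where-Object {
                $ports = $_ | Get-NetFirewallPortFilter
                ($ports.Protocol -eq 'TCP') -and ($ports.LocalPort -contains '445')
            }
        if (-not $blockRules) {
            $findings += 'TCP 445 is listening and no enabled inbound firewall rule blocks it.'
        }
    }
    return $findings
}

function Get-PatchAgeFinding {
    param([int]$MaxAgeDays)
    # The newsletter's core advice is to patch; check when the last update landed.
    $findings = @()
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    if (-not $latest) {
        $findings += 'No installed updates reported by Get-HotFix.'
    } elseif (((Get-Date) - $latest.InstalledOn) -gt [TimeSpan]::FromDays($MaxAgeDays)) {
        $findings += "Most recent update ($($latest.HotFixID)) was installed on " +
                     "$($latest.InstalledOn.ToShortDateString()), more than $MaxAgeDays days ago."
    }
    return $findings
}

function Invoke-SmbHardening {
    # Turn SMBv1 off on the server side and remove the feature (a reboot may be needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Block inbound SMB from untrusted networks. Public profile only: blocking 445 on the
    # Domain/Private profiles would break file and printer sharing on a file server.
    $ruleName = 'Block inbound SMB (TCP 445) - Public'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# Collect findings; functions that find nothing emit nothing, so the array stays empty.
$report = @(
    Get-Smb1Finding
    Get-Port445Finding
    Get-PatchAgeFinding -MaxAgeDays $MaxPatchAgeDays
)

if ($report.Count -eq 0) {
    Write-Host 'No SMBv1, port 445 or patch-age findings on this host.'
} else {
    Write-Host 'Findings:'
    $report | ForEach-Object { Write-Host " - $_" }
}

if ($Remediate) {
    Invoke-SmbHardening
    Write-Host 'Applied: SMBv1 disabled, SMB1Protocol feature removed, inbound TCP 445 blocked on the Public profile.'
}
```

Run it without parameters first to see the findings; rerun with -Remediate only once you have confirmed the host does not need SMBv1 or inbound SMB on public networks.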



[1] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[2] “‘Unprecedented’ cyberattack hits 200,000 in at least 150 countries, and the threat is escalating,” CNBC, May 14, 2017.

[3] Elizabeth Weise, “How a 22-year-old inadvertently stopped a worldwide cyberattack,” USA Today, May 13, 2017.

[4] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[5] “Microsoft SMB Protocol and CIFS Protocol Overview,” Microsoft, October 22, 2009.


MAY 2017

Data breach, privacy, and cyber insurance continue to be hot topics in the news. Here are some recent headlines:

We discuss these and other topics of interest to our section on our Slack page. Please join the discussion. Check your email for the invitation to join our Slack team or email one of the section leaders for more information.

 

 

APRIL 2017

IBM recently released its “X-Force Threat Intelligence Index” for 2017.  The report addressed security breaches during 2016 and noted that more than 4,000,000,000 records were leaked in 2016 – more than the total from 2014 and 2015 combined.  This number was influenced by the massive breach disclosed by Yahoo but even excluding that event, the volume of breaches continues to increase.

 

Distributed denial of service (DDoS) attacks continue to increase in size, and in many cases the bots behind these attacks prey on unsecured Internet of Things (IoT) devices. Malware attached to spam email continues to increase, and ransomware, which can result in the infected system being locked until the target pays a ransom to the hacker, makes up a large majority of that malware. 2016 also ended with a record number of disclosures of software vulnerabilities by developers.

 

The top five industries breached in 2016 were: (1) Information and communications; (2) Government; (3) Financial services; (4) Media and entertainment; and (5) Professional services.  The last category serves as a reminder to attorneys of their obligations to clients to take care of the information entrusted to them. 

 

If you have an interest, the report can be accessed here:

https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325
