Cyberliability and Technology

On November 7, 2014, the Australian Department of Immigration and Border Protection gave notice of a data breach that morning affecting the leaders of the G20.  As described:

The personal information which has been breached is the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit.

Affected by this data breach were, among others, President Barack Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, and UK Prime Minister David Cameron.  The cause of the data breach was the autocomplete feature of the “To:” field in Microsoft Outlook.

The autocomplete feature is a useful way to send an e-mail without having to look up an email address.  Unfortunately, without careful attention, it is easy for any person within a government agency, nonprofit organization, or commercial enterprise to accidentally send a message to the wrong person.  

As with the unfortunate Australian government employee, it is all too common for emails to contain personally identifying information and for such emails to be unencrypted.  It is easy to imagine the same occurring with trade secrets, protected health information, or attorney-client privileged material.

Massachusetts businesses are required to protect personal information pursuant to G.L. c. 93H and the implementing regulations at 201 CMR 17.00.  Business owners and managers should take care to review their e-mail policies regarding the transmission of unencrypted personal information and the use of the autocomplete feature as part of their written information security program.  Employers should take care, further, to ensure that such a program does not conflict with the NLRB’s December 2014 decision in Purple Communications.  In developing such a program, it is best to consult with experienced privacy attorneys.


Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise. 

A data breach resulting in the theft and use of customer credit card numbers results in significant expenses and penalties for the victim company. Many companies still do not have specific cyber liability coverage and thus can be on the hook for all expenses related to such a breach. The Sixth Circuit Court of Appeals recently held that such losses resulting from the cyber theft of customer data were recoverable under a commercial crime policy. Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F. 3d 821 (6th Cir. 2012).

In 2005, hackers used an apparently unlocked wireless network at a DSW Shoe Warehouse store to obtain unauthorized access to DSW’s computer systems and downloaded credit card and bank account information from over 1.4 million DSW customers.  Subsequently, fraudulent transactions using the stolen customer payment information occurred. DSW incurred millions of dollars of expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven State Attorneys General and the Federal Trade Commission (FTC).

DSW submitted a claim for coverage under a computer fraud rider to a “blanket Crime Policy” for losses related to the computer hacking. The rider provided coverage for Computer and Funds Transfer Fraud Coverage; specifically, any loss resulting from the theft of any insured property by computer fraud.

In subsequent litigation to determine whether the losses were covered by the commercial crime policy, DSW prevailed on summary judgment with respect to its claim that the hacking damages were covered under the policy. Defendant appealed arguing that the trial court erred by finding that the expenses incurred were a loss resulting directly from the theft of insured property by computer fraud. Defendant urged the Court to use the “direct means approach” which would require DSW to show the computer fraud to be the sole and immediate cause of the loss. DSW argued the District Court correctly utilized a traditional proximate cause standard.

The Appeals Court held that the District Court was correct in applying a proximate cause standard and did not err in finding that the loss was caused by the hacking. The Court also rejected the Defendant’s argument that the theft of customer data was covered by an exclusion under the policy. The policy stated that coverage does not apply to any loss of proprietary information, trade secrets, confidential processing methods or other confidential information of any kind. The Court held that the stolen customer information was not proprietary information because it belonged to the customer and not DSW. Furthermore, the stolen information did not constitute trade secrets or confidential processing methods. Finally, the language “other confidential information of any kind” was held to be general and should apply only to secret information of DSW. Otherwise, it would swallow the entire coverage for computer fraud. Since the confidential information was credit card and bank account numbers which belonged to the customers themselves, no exclusion under the policy applied.

DSW did not have a specific cyber insurance policy yet was still able to obtain coverage based on language in its commercial crime policy. Businesses should review their existing coverage carefully and may find that coverage for data breach is not expressly covered.

While companies are often focused on outsider risks such as breach of their systems through a stolen laptop or hacking, often the biggest risk is from insiders themselves. Such problems of access management with existing employees, independent contractors and other persons are as much a threat to proprietary information as threats from outside sources.

In any industry dominated by two main players there will be intense competition for an advantage. Advanced Micro Devices and Nvidia dominate the graphics card market. They put out competing models of graphics cards at similar price points. When played by the rules, such competition is beneficial for both the industry and consumers.

AMD has sued four former employees for allegedly taking “sensitive” documents when they left to work for Nvidia. In its complaint, filed in the 1st Circuit District Court of Massachusetts, AMD claims this is “an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation.” Allegedly, forensically recovered data show that when the AMD employees left in July of 2012 they transferred thousands of files to external hard drives that they then took with them. Advanced Micro Devices, Inc. v. Feldstein et al, No. 4:2013cv40007 (1st Cir. 2013).

On January 14, 2013 the District Court of Massachusetts granted AMD’s ex-parte temporary restraining order finding AMD would suffer immediate and irreparable injury if the Court did not issue the TRO. The TRO required the AMD employees to immediately provide their computers and storage devices for forensic evaluation and to refrain from using or disclosing any AMD confidential information.

The employees did not have a non-compete contract. Instead the complaint is centered on an allegation of misappropriation of trade secrets. While both AMD and Nvidia are extremely competitive in the consumer discrete GPU market involving PC gaming enthusiasts, there are rumors that AMD managed to secure their hardware to be placed in both forthcoming next-generation consoles, Sony PlayStation 4 and Microsoft Xbox 720. AMD’s TRO and ultimate goal of the suit may therefore be to preclude any of their proprietary technology from being used by its former employees to assist Nvidia in the future.

The law does protect companies and individuals such as AMD from having their trade secrets misappropriated. The AMD case has only recently been filed and therefore it is unclear what the response from the employees will be. What is clear is how fast AMD was able to move to deal with such a potential insider threat. Companies need to be aware of who has access to what data and for how long. Therefore, in the event of a breach, whether internal or external, companies can move quickly to isolate and identify the breach and take steps such as litigation to ensure their proprietary information is protected.

Today the FTC announced a $800,000 settlement with Path, a social media network, to settle allegations that it violated its own privacy policy and also illegally collected information on children under 13 in violation of COPPA (Children’s Online Privacy Protection Act).

According to the complaint, Path represented that personal information from the user’s mobile device contacts would be collected only if the user clicked on “Add Friends” and then chose the “Find friends from your contacts” option. But despite that promise, Path automatically collected and stored personal data the first time the user launched the app and, if they signed out, each time they signed back in again. That, says the FTC, made Path’s statement false.

The FTC offers the following take-aways for businesses:

  • The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids’ information. What’s a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.
  • The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is <Valley Girl voice> like soooo 20th Century </Valley Girl voice>. As savvy companies know, the wiser approach – and a central tenet of “Privacy by Design” – is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.
  • Just because a platform gives you the technological capability to do something, doesn’t mean it’s the right thing for your business or your users. It’s a mistake to assume that somebody else – for instance, a mobile operating system provider or a device manufacturer – has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.
  • COPPA isn’t just for kids’ sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don’t be too quick to assume you’re not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they’re collecting personal info from kids.

The FTC issued a new Staff Report on Mobile Privacy Disclosures and a pamphlet for mobile app developers to assist with compliance with the law.

Companies are well advised to have experienced legal counsel review their privacy policies and applications.

See the full FTC Blog post here

While fraud protection has become a common expectation from consumers regarding their bank accounts and credit accounts, treatment of commercial clients including small businesses in the face of a cyber attack or fraud is more opaque.

Smaller companies are more vulnerable to cyber threats than their larger counterparts due to the lack of resources to protect against cyber threats. The proportion of cyber attacks specifically targeting small businesses has risen at a faster rate compared to the number of attacks on organizations as a whole.

When a small business suffers a cyber breach they are often stuck with absorbing the losses. However, several recent cases have shown small businesses having success in litigating such a claim against their bank.

In a recent 1st Circuit case, Patco v. People’s United Bank, Patco’s bank account at People’s Bank was hacked and the cyber thieves stole hundreds of thousands of dollars by directing the funds through online transfers to bank accounts the thieves controlled.

The Bank had security protocols in place to protect account holders including only allowing Patco employees who were authorized to access the account and a $1,000 threshold on ACH credit transfers. Thus the bank argued it had adequate security in place.

In its complaint, Patco alleged a hacker obtained an employee’s ID and password and initiated numerous withdrawals to accounts to which Patco had never before wired funds. These transactions did not trigger any suspicious activity alert at the bank despite the fact that the transfers were the largest ACH credit transfers ever initiated on the account, the transfer requests originated from an IP address never before used on the account, and the funds were sent to accounts to which no transfers had ever before been sent.
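One way a bank could surface the pattern described above (largest-ever transfer, unseen source IP, unseen payee) as a behavioural check rather than relying on a fixed dollar threshold alone. This is an added illustration, not code from the Patco case record or any bank's system; the account names, IP addresses and amounts are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Transfer:
    account: str        # customer account the funds are drawn from
    amount: float       # USD
    source_ip: str      # IP address of the online-banking session
    dest_account: str   # beneficiary account receiving the funds


@dataclass
class AccountProfile:
    """What the bank has previously observed on one customer account."""
    max_amount: float = 0.0
    known_ips: Set[str] = field(default_factory=set)
    known_dests: Set[str] = field(default_factory=set)

    def update(self, t: Transfer) -> None:
        self.max_amount = max(self.max_amount, t.amount)
        self.known_ips.add(t.source_ip)
        self.known_dests.add(t.dest_account)


def build_profiles(history: List[Transfer]) -> Dict[str, AccountProfile]:
    profiles: Dict[str, AccountProfile] = {}
    for t in history:
        profiles.setdefault(t.account, AccountProfile()).update(t)
    return profiles


def exceeds_static_threshold(t: Transfer, threshold: float = 1000.0) -> bool:
    """The kind of fixed rule the bank relied on: fires on routine transfers too."""
    return t.amount > threshold


def anomaly_reasons(t: Transfer, profile: AccountProfile) -> List[str]:
    """Behavioural signals this transfer trips against the account's own history."""
    reasons = []
    if t.amount > profile.max_amount:
        reasons.append("amount exceeds largest prior transfer on account")
    if t.source_ip not in profile.known_ips:
        reasons.append("source IP never seen on account")
    if t.dest_account not in profile.known_dests:
        reasons.append("destination account never paid before")
    return reasons


def should_hold(t: Transfer, profile: AccountProfile, min_signals: int = 2) -> bool:
    """Hold for out-of-band confirmation when independent signals agree."""
    return len(anomaly_reasons(t, profile)) >= min_signals


# Constructed history: a business paying two regular payees from its office addresses.
HISTORY = [
    Transfer("biz-ops", 4200.00, "203.0.113.10", "payee-A"),
    Transfer("biz-ops", 3850.00, "203.0.113.10", "payee-B"),
    Transfer("biz-ops", 4600.00, "203.0.113.11", "payee-A"),
]


def evaluate(t: Transfer):
    """Return (static_rule_fired, behavioural_reasons, hold_decision) for one transfer."""
    profile = build_profiles(HISTORY).get(t.account, AccountProfile())
    return exceeds_static_threshold(t), anomaly_reasons(t, profile), should_hold(t, profile)


if __name__ == "__main__":
    routine = Transfer("biz-ops", 4100.00, "203.0.113.10", "payee-B")
    suspect = Transfer("biz-ops", 58000.00, "198.51.100.7", "unknown-9")  # constructed
    for t in (routine, suspect):
        print(f"{t.amount:>10.2f}", evaluate(t))
```

The static threshold fires on both transfers, so by itself it says nothing; the behavioural signals separate the routine payment (no reasons) from the suspect one (all three).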

After a 1st Circuit Court of Appeals ruling that People’s Bank lacked reasonable safeguards against the hackers, the bank settled and agreed to reimburse Patco $345,000.

Generally, if a bank has taken commercially reasonable steps to prevent cyber attacks they will not be liable for funds stolen by a hacker. However, as these recent decisions show, what is commercially reasonable can depend on the specific circumstances of each case. If you or your business has been the victim of a cyber attack you should contact an attorney with experience to evaluate your potential remedies and liability.


Major data breaches make the news. TJ Maxx, Barnes & Noble, and Sony all had high profile breaches. In such large scale breaches, there is a flaw that is easily exploited on a grand scale. The individual hack is rarely reported and easily overlooked.

This past summer, a writer for Wired.com found his online life turned upside down when hackers infiltrated multiple accounts and, in an attempt to cover their tracks, deleted years of emails and photographs in the process. The reason was that he had something they wanted: a three-letter Twitter handle. With little information, hackers were able to socially engineer well-meaning people at Apple and Amazon into giving them the information they needed to get into his accounts and obtain remote access to his wired devices.

In a follow-up to his experience, he published a piece yesterday outlining why passwords cannot keep users safe. A few of the more salient points are: 1) as computing power increases, brute force attacks become more successful; 2) users reuse the same logins across multiple systems; 3) answers to security questions can be easily found; and 4) convenience is traded off against security. If one were to follow the prevailing wisdom, each person would have to memorize 16-character, non-dictionary, randomly generated passwords for the dozens of online accounts held, without storing those passwords anywhere. This is nearly impossible, and hence systems put in place password reset mechanisms that are themselves vulnerable.

Online businesses should take a closer look at how they protect their individual clients and what information is revealed in the event a third-party gains access that could be used to disguise themselves as the client to another provider. Failure to do so may subject them to a cyberliability claim.

Mobile application (“app”) developers, both the ones who write the code and the ones whose services or goods are being sold, may need to comply with a patchwork of state laws. A Connecticut or Massachusetts company has a nationwide reach when it offers an app for download in the Apple App Store, Google Play, or Windows Store. One of the laws that may apply is the California Online Privacy Protection Act (“CalOPPA”), Cal. Bus. & Prof. Code §§ 22575-22579. That law requires an online service operator that collects personally identifiable information (“PII”) to conspicuously post a specific type of privacy policy.

While many website developers and online merchants are familiar with that law regarding traditional websites and mobile versions of those sites, there has been an oversight in compliance regarding mobile apps. This week, the California Attorney General, Kamala D. Harris, began notifying many large companies, reportedly including United Continental, Delta, and OpenTable, that their apps are non-compliant. A sample of Attorney General Harris’s letter will automatically download here

Violation of CalOPPA may result in a claim under California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17206(a), with penalties up to $2,500 per violation. A violation may include each download of an app. An app that has had but 1,000 downloads without a conspicuous privacy policy could result in a $2.5 million penalty. App Developers should consult with counsel to review their compliance with CalOPPA and other applicable laws.

A data breach occurs and personal information about your customers is compromised. It can happen to any size business, big or small, and the costs to your business can be significant. Every company stores private information including credit card numbers and social security numbers that are vulnerable to a deliberate cyber incident such as unauthorized access to digital systems for the purpose of misappropriating assets or sensitive computer information, corrupting data or causing operational disruption.

In recognition of such a fact the federal government has become involved. A Bill, introduced by Joe Lieberman, aims to address a wide range of cybersecurity issues including data breaches. The Division of Corporate Finance of the SEC has also given Disclosure Guidance that addresses requirements for companies to disclose cybersecurity risks, incidents and related litigation.

As identified by the SEC, disclosure of cybersecurity risk factors includes:

  • Discussion of aspects of business or operations that give rise to material cybersecurity risks and potential costs and consequences
  • Description of outsourced functions that have material cybersecurity risks
  • Description of cyber incidents experienced
  • Description of relevant insurance coverage
  • Description of legal proceedings involving a cyber incident

Even smaller companies not subject to SEC public disclosure requirements need to implement appropriate measures to protect internal data. Failure to do so can result in significant expenses such as fines, disruption of business, loss of customers and litigation expenses.

Many small business insurance policies do not cover cyber incidents such as data breaches. A consult with an attorney who specializes in cybersecurity risks and litigation can help you or your company evaluate your current insurance coverage, discuss specific cybersecurity insurance options and handle any litigation that may result from a cyber incident such as a data breach.  

As the best informed Massachusetts technology lawyers already know, the FTC (Federal Trade Commission) and Google have announced a $22.5 million dollar settlement (the largest civil penalty ever) to address claims of unfair and deceptive trade practices in violating its privacy statement for Google Buzz – a social networking application for Gmail users.  Click Here for Bureau of Consumer Protection Business Center post with full history. 

The FTC / Google settlement underscores both the growing regulatory exposure in the area of cyber liability and the need to take privacy policies and practices seriously. Any company that does not have a plan in place dealing with cyber liability and compliance issues for data breach is taking a huge risk. Further, many companies do not take advantage of the available insurance products to reduce the risk of uninsured losses for cyber liability including failing to comply with privacy statements in user agreements for social media applications. 

Both large and small companies need to take steps now to address compliance issues for privacy and data breach laws. The best practices to avoid cyber liability can be identified and implemented as part of a consultation with a qualified cyber liability attorney.