On November 7, 2014, the Australian Department of Immigration and Border Protection gave notice of a data breach that morning affecting the leaders of the G20. As described:

The personal information which has been breached is the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit.

Affected by this data breach were, among others, President Barack Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, and UK Prime Minister David Cameron.  The cause of the data breach was the autocomplete feature of the “To:” field in Microsoft Outlook.

The autocomplete feature is a useful way to send an e-mail without having to look up an e-mail address. Unfortunately, without careful attention, it is easy for any person within a government agency, nonprofit organization, or commercial enterprise to accidentally send a message to the wrong recipient.

As with the unfortunate Australian government employee, it is all too common for emails to contain personally identifying information and for such emails to be unencrypted.  It is easy to imagine the same occurring with trade secrets, protected health information, or attorney-client privileged material.

Massachusetts businesses are required to protect personal information pursuant to G.L. c. 93H and the implementing regulations at 201 CMR 17.00.  Business owners and managers should take care to review their e-mail policies regarding the transmission of unencrypted personal information and the use of the autocomplete feature as part of their written information security program.  Employers should take care, further, to ensure that such a program does not conflict with the NLRB’s December 2014 decision in Purple Communications.  In developing such a program, it is best to consult with experienced privacy attorneys.


Cyber breaches resulting in the release of personally identifiable information (PII) are increasingly common, and we are now starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed to federal court a class action lawsuit filed against it stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers' personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks' notice of removal to federal court states that the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations, as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common, it is likely that more lawsuits similar to the Schnucks case will be filed in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

A recent resolution agreement between the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and Idaho State University (ISU) requires payment of $400,000 and implementation of a corrective action program to address the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients. According to public information published by HHS, ISU notified federal regulators of a breach and cooperated with an investigation headed by OCR. "Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program," said OCR Director Leon Rodriguez. "Proper security measures and policies help mitigate potential risk to patient information." (HHS Press Release)

The key findings of the investigation were as follows:

  1.  ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
  2.  ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
  3.  ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

See the Resolution Agreement here. It should be noted that ISU admitted no fault.

Seen in a broader context, data breaches are increasingly costly for public entities and private companies alike. Regulatory action and potential civil liability are on the increase under HIPAA and across all business sectors. For example, the Federal Trade Commission (FTC) regularly addresses circumstances where private companies engage in unfair or deceptive acts involving customer data or fail to follow their own privacy policies, especially where children are concerned.

Click here for a summary of laws and resources for business on data privacy and security including information on:

  • Children’s Online Privacy Protection Act (COPPA)
  • The Gramm-Leach-Bliley Act
  • U.S.-EU Safe Harbor Framework

All businesses should have a risk assessment completed and should implement reasonable practices and procedures for securing data, especially electronic protected health information (ePHI) or other personally identifiable information (PII). See the FTC publication Protecting Personal Information: A Guide for Business. A privacy and data security attorney can work with businesses to reduce the risks associated with a potential data breach. Another thing to consider is insurance for cyber liability and data breach, which is increasingly available at reasonable prices. Consult your insurance professional for more information on available coverage and costs.

A data breach resulting in the theft and use of customer credit card numbers results in significant expenses and penalties for the victim company. Many companies still do not have specific cyber liability coverage and thus can be on the hook for all expenses related to such a breach. The Sixth Circuit Court of Appeals recently held that such losses resulting from the cyber theft of customer data were recoverable under a commercial crime policy. Retail Ventures, Inc. v. Nat'l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012).

In 2005, hackers used an apparently unsecured wireless network at a DSW Shoe Warehouse store to obtain unauthorized access to DSW's computer systems and downloaded credit card and bank account information for over 1.4 million DSW customers. Subsequently, fraudulent transactions using the stolen customer payment information occurred. DSW incurred millions of dollars of expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven State Attorneys General and the Federal Trade Commission (FTC).

DSW submitted a claim for coverage under a computer fraud rider to a “blanket Crime Policy” for losses related to the computer hacking. The rider provided coverage for Computer and Funds Transfer Fraud Coverage; specifically, any loss resulting from the theft of any insured property by computer fraud.

In subsequent litigation to determine whether the losses were covered by the commercial crime policy, DSW prevailed on summary judgment with respect to its claim that the hacking damages were covered under the policy. Defendant appealed, arguing that the trial court erred by finding that the expenses incurred were a loss resulting directly from the theft of insured property by computer fraud. Defendant urged the Court to use the "direct means approach," which would require DSW to show the computer fraud to be the sole and immediate cause of the loss. DSW argued the District Court correctly applied a traditional proximate cause standard.

The Appeals Court held that the District Court was correct in applying a proximate cause standard and did not err in finding that the loss was caused by the hacking. The Court also rejected the Defendant’s argument that the theft of customer data was covered by an exclusion under the policy. The policy stated that coverage does not apply to any loss of proprietary information, trade secrets, confidential processing methods or other confidential information of any kind. The Court held that the stolen customer information was not proprietary information because it belonged to the customer and not DSW. Furthermore, the stolen information did not constitute trade secrets or confidential processing methods. Finally, the language “other confidential information of any kind” was held to be general and should apply only to secret information of DSW. Otherwise, it would swallow the entire coverage for computer fraud. Since the confidential information was credit card and bank account numbers which belonged to the customers themselves, no exclusion under the policy applied.

DSW did not have a specific cyber insurance policy yet was still able to obtain coverage based on language in its commercial crime policy. Businesses should review their existing coverage carefully; they may find that data breach losses are not expressly covered.


Today the FTC announced an $800,000 settlement with Path, a social media network, to settle allegations that it violated its own privacy policy and also illegally collected information on children under 13 in violation of COPPA (Children's Online Privacy Protection Act).

According to the complaint, Path represented that personal information from the user's mobile device contacts would be collected only if the user clicked on "Add Friends" and then chose the "Find friends from your contacts" option. But despite that promise, Path automatically collected and stored personal data the first time the user launched the app and, if they signed out, each time they signed back in again. That, says the FTC, made Path's statement false.

The FTC offers the following take-aways for businesses:

  • The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids’ information. What’s a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.
  • The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is <Valley Girl voice> like soooo 20th Century </Valley Girl voice>. As savvy companies know, the wiser approach – and a central tenet of “Privacy by Design” – is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.
  • Just because a platform gives you the technological capability to do something, doesn’t mean it’s the right thing for your business or your users. It’s a mistake to assume that somebody else – for instance, a mobile operating system provider or a device manufacturer – has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.
  • COPPA isn’t just for kids’ sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don’t be too quick to assume you’re not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they’re collecting personal info from kids.

The FTC issued a new Staff Report on Mobile Privacy Disclosures and a pamphlet for mobile app developers to assist with compliance with the law.

Companies are well advised to have experienced legal counsel review their privacy policies and applications.

See the full FTC blog post here.

Major data breaches make the news. TJ Maxx, Barnes & Noble, and Sony all had high-profile breaches. In such large-scale breaches, there is a flaw that is easily exploited on a grand scale. The individual hack is rarely reported and easily overlooked.

This past summer, a writer for Wired.com found his online life turned upside down when hackers infiltrated multiple accounts and, in an attempt to cover their tracks, deleted years of e-mails and photographs in the process. The reason was that he had something they wanted: a three-letter Twitter handle. With little information, the hackers were able to socially engineer well-meaning people at Apple and Amazon into giving them the information they needed to get into his accounts and obtain remote access to his devices.

In a follow-up to his experience, he published a piece yesterday outlining why passwords cannot keep users safe. A few of the more salient points are: 1) as computing power increases, brute force attacks become more successful; 2) users reuse the same logins across multiple systems; 3) answers to security questions can be easily found; and 4) convenience is a trade-off for security. If one were to follow the prevailing wisdom, each person would have to memorize 16-digit, non-dictionary, randomly generated passwords for the dozens of online accounts held, without storing those passwords anywhere. This is nearly impossible, and hence systems put in place password reset mechanisms that are themselves vulnerable.

Online businesses should take a closer look at how they protect their individual clients and at what information is revealed, in the event a third party gains access, that could be used to impersonate the client to another provider. Failure to do so may subject them to a cyber liability claim.

A data breach occurs and personal information about your customers is compromised. It can happen to a business of any size, big or small, and the costs to your business can be significant. Every company stores private information, including credit card numbers and social security numbers, that is vulnerable to a deliberate cyber incident such as unauthorized access to digital systems for the purpose of misappropriating assets or sensitive computer information, corrupting data or causing operational disruption.

In recognition of this, the federal government has become involved. A bill introduced by Senator Joe Lieberman aims to address a wide range of cybersecurity issues, including data breaches. The Division of Corporation Finance of the SEC has also issued Disclosure Guidance that addresses requirements for companies to disclose cybersecurity risks, incidents and related litigation.

As identified by the SEC, disclosures of cybersecurity risk factors include:

  • Discussion of aspects of business or operations that give rise to material cybersecurity risks and potential costs and consequences
  • Description of outsourced functions that have material cybersecurity risks
  • Description of cyber incidents experienced
  • Description of relevant insurance coverage
  • Description of legal proceedings involving a cyber incident

Even smaller companies not subject to SEC public disclosure requirements need to implement appropriate measures to protect internal data. Failure to do so can result in significant expenses such as fines, disruption of business, loss of customers and litigation expenses.

Many small business insurance policies do not cover cyber incidents such as data breaches. A consult with an attorney who specializes in cybersecurity risks and litigation can help you or your company evaluate your current insurance coverage, discuss specific cybersecurity insurance options and handle any litigation that may result from a cyber incident such as a data breach.