In a major ruling on potential damages claims for negligent data breach, the Fifth circuit gives green light to sue for 130 million Identity thefts. Click here for opinion.
A case filed in the U.S. District Court in Tennessee illustrates the growing liability risks associated with cyber bullying. The parents of a middle school boy have filed a complaint against the Williamson County Board of Education and thirty-one of their son’s classmates.
The plaintiff was born in Ethiopia and was adopted in 2010 which is when he enrolled at Grassland Middle School. By 2012 a number of students allegedly engaged in a pattern of cyber bullying that included racist and profane statements, photographs and a racist death threat.
The Complaint alleges violations of the Civil Rights Act of 1964 and the Tennessee Bullying Prevention Act. Tennessee, along with several other states, has directly addressed the problem of cyber bullying. Children and teenagers today spend large amounts of time on cell phones, instant messaging, Facebook and other online activities. It is estimated that almost half of American teens have experienced some form of cyber bullying.
The Tennessee statute defines cyber bullying as bullying that takes place using electronic technology. Examples may include mean text messages or emails, rumors sent by email or posted on social networking sites, and embarrassing pictures, videos, websites or fake profiles. The statute also requires that school districts develop a policy prohibiting cyber bullying along with implementing procedures for the prompt investigation and remedial action as a consequence for a person found to have committed an act of cyber bullying.
In the Mihnovich case, the plaintiff was harassed via text messages with racial and profane statements by thirty-one of his classmates. A public Facebook page was created as a forum for the students to make racist comments about the plaintiff. In response, the plaintiff’s parents contacted the school to discuss what the school should do to protect the plaintiff. Allegedly the school advised the parents and subsequently their attorney, through a letter that is annexed to the Complaint, that the school system was not required to take any action.
The school took the position that there was no proof that the actions occurred during school hours. However, the plaintiffs allege the school had an affirmative duty to investigate and take disciplinary action against the perpetrators of hate speech regardless of where the speech originated because it was reasonably foreseeable that such hate speech would interfere with the plaintiff’s education, opportunities and performance.
As the Tennessee statute demonstrates, the law has caught up with cyber bullying. Massachusetts also has a law prohibiting cyber bullying as well as procedures in place for schools to develop and implement a policy to address the existence of bullying in its schools. In Mihnovich, the plaintiff is seeking $1.1 million in compensatory damages as well as punitive damages. Access to smartphones, Facebook and other internet sites is only going to increase and parents and schools should not ignore the potential legal liability posed by cyber bullying.
Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act. On July 2 the FTC approved a final order settling these charges.
The FTC alleged HTC failed to employ reasonable security measures in its software which led to the potential exposure of consumer’s sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff, failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.
HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.
As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through a HTC device. HTC further agreed to hire a third party to evaluate its data and privacy security program and to issue reports every two years for the consent order’s 20 year term. The implication of the FTC’s policy makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.
On June 25, 2013, the Massachusetts General Court’s (the State Legislature) Joint Committee on Labor and Workforce Development held a hearing on, among other items, HB 1766, the Healthy Workplace Bill. The bill would create a new Chapter 151G of the General Laws; Section 3(a) is the key provision. It states “No employee shall be subjected to an abusive work environment.” An abusive work environment under the bill is one where the employer or employees subjects the victim to “abusive conduct” intentionally causing physical or psychological harm. “Abusive conduct” is defined as including repeated “derogatory remarks, insults, and epithets…conduct of a threatening, intimidating, or humiliating nature; or the sabotage or undermining of an employee’s work performance.” A single instance may be sufficient to give rise to a violation. A claim may be made directly against the employer and the offending employee via direct lawsuit; unlike racial or sexual harassment claims, there is no prerequisite of filing with the Massachusetts Commission Against Discrimination. A victim may be awarded back pay, front pay, emotional distress damages, punitive damages, and attorney’s fees, among other things. It puts the burden on the employer to prove a defense that the complaint was the result of a reasonable performance evaluation, poor performance, or misconduct.
The law is being promoted in Massachusetts, with variants nationwide, to fill a perceived gap. Claims for intentional infliction of emotional distress may require a physical manifestation that does not always occur. Claims for tortious interference with contractual relationship lack an emotional distress component and may require additional proof to give rise to liability. Defamation claims are of no use when the vitriol is actually true, though it is said offensively. Anti-discrimination laws only protect against harassment on the basis of protected class status (e.g., race, gender, religion, orientation).
Such a law, if passed, should give a Massachusetts employer pause. If an employee has a bad day and becomes angry with another employee, the employer may become liable. If an employer places an employee on a performance improvement plan due to poor performance, the employer has to prove the performance was poor, unlike simply arguing such claim is not pretext as in discrimination claims. An accused employer or employee may be protected, however, under the First Amendment to the U.S. Constitution. Prof. Eugene Volokh has analyzed a number of cases on the question of workplace harassment and the First Amendment, finding that the issue remains an open one.
Raymond Law Group is watching the developments with this legislation and will ensure its clients are properly advised on their rights and responsibilities.
Today the Federal Trade Commission’s (FTC) rules promulgated under the Children’s Online Privacy Protection Act (COPPA) become effective. COPPA, passed by Congress in 1998, requires the FTC to issue and enforce regulations concerning children’s online privacy.
The purpose of COPPA is to protect children under age 13 and seeks to place parents in control over what personal information is collected from their children online. The rules promulgated by the FTC apply to operators of commercial web sites and services that collect, use or disclose personal information from children.
The updated rules require operators of online services to:
– Provide direct notice to parents and obtain parental consent before collecting personal information
– Provide parents access to their child’s personal information and allow them to have the information deleted
– Maintain the confidentiality of a child’s personal information
Under the rules personal information includes names, addresses, screen names, telephone numbers as well as any photographs, geolocation information or other online contact information.
The rules require businesses to immediately obtain parental consent for all geolocation information, photos or videos and screen names they have collected from children under age 13. Prior to the enactment of these rules the FTC sent more than 90 letters to online App Developers as part of an ongoing effort to help businesses comply with COPPA’s requirements. The FTC was careful to explain in the letters that receiving such a letter does not reflect a formal FTC evaluation of the company’s practices but rather seeks to assist companies to comply with the requirements prior to the rules becoming effective.
COPPA imposes additional requirements on online services that collect personal information from children who reside in Massachusetts. It is separate and distinct from the requirements imposed by M.G.L. c. 93H which concerns businesses that collect or license personal information about a Massachusetts resident.
The FTC has enforcement power and the penalty can be up to $16,000 per violation. Operators of websites, developers of apps and other online services that collect the personal information of children in Massachusetts should consult with an experienced attorney to navigate the complexities posed by COPPA’s implementation and to evaluate whether their services are in compliance with the updated rules.
As originally discussed on this blog back in February, a lawsuit brought by Advanced Micro Devices (AMD) against former employees accused of taking AMD trade secrets with them to competitor Nvidia has been ongoing and a recent opinion in the case highlights the uncertainty surrounding the Computer Fraud and Abuse Act (CFAA).
A recent opinion issued by Judge Timothy S. Hillman narrowly interpreted the CFAA in this case. Judge Hillman declined a broad interpretation of the CFAA and held that AMD’s allegations in its complaint are insufficient to sustain a CFAA claim.
The relevant portion of the CFAA provides that it is a violation of the CFAA to:
Knowingly and with intent to defraud, [access] a protected computer without authorization or [exceed] authorized access, and by means of such conduct [further]the intended fraud and [obtain] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
There exists a circuit split on the interpretation of this clause. As Judge Hillman noted, the 1st Circuit has not clearly articulated its position on the issue. The broad interpretation defines access in terms of agency or use. That is, whenever an employee breaches a duty of loyalty or a contractual obligation and acquires an interest adverse to their employer, then all subsequent access exceeds the scope of authorized access. Proponents of the narrower interpretation argue that the intent of the CFAA was to deter computer hacking and not to supplement common law trade secret misappropriation remedies and therefore fraudulent means must be used to obtain the information initially.
Judge Hillman utilized a narrow interpretation of the CFAA and held that AMD had not pleaded sufficient facts to maintain a cause of action under the CFAA. AMD had pleaded that the defendants used their authorized access to computer systems to download and retain confidential AMD information which they retained when they left to go work at Nvida. The complaint, while alleging the defendants had the intent to defraud AMD, provided no facts which support the allegation that the defendants obtained the information through fraudulent or deceptive methods.
Judge Hillman did not outright dismiss the claim given the truncated evidentiary record and has allowed AMD the opportunity to plead specific details indicating that some or all of the defendants used fraudulent or deceptive means to obtain the confidential information and that they intentionally defeated or circumvented technologically implemented restrictions to obtain the confidential information. If other judges in the 1st Circuit follow Judge Hillman’s approach, plaintiffs will need to ensure that they plead with sufficient detail that the defendants obtained the information through a fraudulent or deceptive method as opposed to simply obtaining the information through permissible access.
Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.
The Class action complaint alleges Schnucks failed to properly and adequately safeguard its customer’s personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach and this delay may have continued to expose the PII of people who shopped at its stores.
Schnuck’s notice of removal to federal court states the grounds for removal include a class size of more than 100 people and damages at issue are greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved thus the putative class has at least 500,000 members.
Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.
A recent resolution agreement between the United States Department of Health and Human Services, Office for Civil Rights (HHS) and Idaho State University (ISU) requires payment of $400,000 and implementation of a corrective action program to address the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients. According to public information published by HHS (U.S. Department of Health & Human Services), ISU notified federal regulators of a breach and cooperated with an investigation headed by OCR (HHS Office for Civil Rights). “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.” HHS Press Release
The key findings of the investigation were as follows:
- ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
- ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
- ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.
See Resolution Agreement Here. It should be noted that ISU admitted no fault.
Seen in a broader context, data breach is increasingly costly for public entities and private companies alike. Regulatory action and potential civil liability are on the increase under HIPAA and across all business sectors. For example the Federal Trade Commission (FTC ) regularly addresses circumstances where private companies engage in unfair or deceptive acts involving customer data or fail to follow their privacy polices specially where children are concerned.
Click here for a summary of laws and resources for business on data privacy and security including information on:
- Children’s Online Privacy Protection Act (COPPA)
- The Gramm-Leach-Bliley Act
- U.S.-EU Safe Harbor Framework
All businesses should have a risk assessment completed and should implement reasonable practices and procedures for securing data, especially electronic protected health information (ePHI) or other personally identifiable information (PII). The FTC publication Protecting Personal Information: A Guide for Business . A Privacy and Data Security attorney can work with businesses to reduce the risks associated with potential data breach. Another thing to consider is insurance for cyber liability and data breach which is increasingly available at reasonable prices. Consult your insurance professional for more information on available coverage and costs.
The SJC recently affirmed the Massachusetts Appeals Court’s ruling that a commercial landlord whose tenant broke a 12 year lease after only two years has to wait until the lease term expires before collecting damages.
In 275 Washington Street Corp. v. Hudson River International, LLC, the landlord and tenant entered into a 12 year lease for commercial space. The lease required the tenant to occupy and use the premises for a dental office and to pay the landlord monthly rent. The lease contained an indemnity provision which provided that “[t]enant shall indemnify Landlord against all loss of rent and other payments which Landlord may incur by reason of such termination during the remainder of the term.”
After one year the tenant closed its dental office and moved out of the premises but continued making payments for an additional year. At which point the tenant notified the landlord that it would be making no further rental payments and that it would not resume occupation of the premises. The landlord subsequently re-entered the premises and signed a new ten year lease for the premises with a replacement tenant at a lower rent than was agreed on under the original lease.
In 2008 the landlord filed suit against the tenant and sought to recover all damages arising from the breach. The landlord subsequently prevailed on a motion for summary judgment as to liability. Prior to trial the parties stipulated to a judgment but the defendants reserved their right to appeal.
On appeal, the Appeals Court held that the bright line rule remains that a landlord must wait to collect damages until the end of the original lease term. While the Appeals Court affirmed the finding of liability in favor of the landlord, it vacated the judgment assessing damages and remanded to the trial court to calculate the damages as of the time the landlord recovered possession of the premises.
On subsequent appeal to the Supreme Judicial Court, the SJC held that it is well settled that when a landlord terminates a lease following the default of a tenant, the tenant is obligated to pay the rent due prior to the termination but has no duty to pay any rent that accrues after the termination unless the lease expressly provides.
The landlord’s argument regarding the indemnification clause in the lease also failed because the SJC said an indemnification clause only reimburses a landlord for actual losses and the precise amount of those losses would not be known until the end of the period specified in the lease. The landlord argued the damages could be calculated because it had obtained a replacement tenant.
The SJC ruling underscores the importance of incorporating a clause in a commercial lease which explicitly describes the landlord’s remedies in the event of a default. The decision makes clear that the law will not change to accommodate a landlord that failed to include a rent acceleration clause in its lease. To protect against a default landlords should insist on a rent acceleration clause to be part of the remedy provided for in the lease. Otherwise, as in 275 Washington St, the landlord will have to wait until the end of the lease to collect damages.
A scientific or technological advantage is something to be protected. A case in the Business Litigation Session of Suffolk Superior Court demonstrates how cutthroat competition can be in the medical device industry and how the law deals with companies that disregard fair trade practices to gain an unfair advantage.
In 2007, Lightlab Imaging, a company that provides OCT medical imaging for human coronary arteries, had developed the most powerful laser in the industry. Lightlab had a cooperative relationship with Axsun to convert Axsun’s basic laser into one that could be used by Lightlab. Volcano, a competitor of Lightlab, desired a foothold in OCT technology and was well behind in the research and development of a laser with similar capabilities.
In 2008, Volcano acquired Axsun and viewed the acquisition as a means to both advance its entry into the OCT market and impede the growth of Lightlab. However, the contract between Lightlab and Axsun contained a confidentiality and exclusivity provision which prevented Axsun from selling high performance lasers to Volcano. In connection with Volcano’s indemnification of Axsun as part of the acquisition, Axsun breached its duty of confidentiality and provided Volcano with the specifications for the high performance laser.
In 2009, Lightlab filed suit in Suffolk Superior Court and its application for a preliminary injunction was granted. A subsequent jury trial on liability returned a verdict in favor of Lightlab finding that Axsun had violated the confidentiality provision of the contract with Lightlab. The jury also found that Volcano had misappropriated Lightlab’s trade secrets and interfered with Lightlab’s contract with Axsun.
Instead of trial on damages, the parties stipulated to damages of $200,000. Subsequently, after two jury waived trials, the Court granted Defendant’s summary judgment motion finding that Lightlab had not shown “use” of the trade secrets by Axsun and Volcano other than the due diligence use evidenced during the jury trial and therefore Lightlab had not proven misappropriation of those trade secrets.
On the 93A count, the court found that Lightlab was entitled to $200,000 in damages and because the defendant’s conduct was found to be knowing and willful, Lightlab received another $200,000 in punitive damages plus attorney fees which totaled $4,500,000.
The Supreme Judicial Court recently granted direct appellate review on whether the trial judge correctly excluded expert testimony on future lost profits on the grounds that the methodology used by the expert failed Daubert and was speculative and whether the trial judge correctly ruled that permanent injunctions may protect only specific trade secrets a defendant has already used. The SJC is soliciting amicus briefs with argument scheduled for Fall of 2013.