Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.

Read the rest of this entry »

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters. 

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.

Read the rest of this entry »

The following article, written by reknowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.

Read the rest of this entry »

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and his colleague, Ken Trotter, and appeared on Scott’s personal site, Corporate Insurance Blog, after being published by Hospitality Upgrade magazine. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro.

Rick Bortnick

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks.  A report by Willis Group Holdings, a British insurance firm, states that the largest share of cyberattacks (38 percent) were aimed at hotels, resorts and tour companies.  According to the report, insurance claims for data theft worldwide jumped 56 percent last year, with a bigger number of those attacks targeting the hospitality industry. Because businesses in the hospitality industry obtain and maintain confidential data from consumers–countless credit card records in particular–they will continue to be attractive targets for hackers and data thieves. Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds.  Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes.  Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability.  Even when companies have had success in defeating class actions, they nonetheless incurred significant legal expenses when defending those lawsuits. Read the rest of this entry »

The following article first appeared on Mike Schmidt’s Cozen O’Connor blog, socialmediaemploymentlawblog.com. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, Keep Your Friends Close, But Your Facebook Posts Closer, which addresses a Pennsylvania trial court’s ruling that ”plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material,” and our October 16, 2011 post, Facebook: Everything You Want to Know and More… Just a Discovery Request Away, where we comment on how easy it actually is to obtain information posted on Facebook.

Needless to say, the discoverability of social media posts is an important issue for litigants on both sides of the “v” and will continue to be the subject of fiercely-litigated motion practice. We will monitor the issue and post updates as courts across the country rule on this imporant, oftentimes substantively dispositive, issue.

Rick Bortnick

One of the high-profile battles being fought in the social media world continues to be over the ability of one party in a lawsuit to compel the other party to produce messages, posts, pictures, and other “private” things done over a social networking site like Facebook.   The trend continues to reveal that courts are willing to compel disclosure in the right circumstances, and the most recent decision issued by a New York appellate court is no different.

In Patterson v. Turner Construction Company (New York Supreme Court, Appellate Division, First Department, October 27, 2011), the plaintiff sued for personal injury damages that included physical and psychological injuries that he claims to have suffered.   During the lawsuit, the defendant asked the court to direct the plaintiff to provide an authorization allowing defendant to obtain “all of plaintiff’s Facebook records compiled after the incident alleged in the complaint, including any records previously deleted or archived[.]”   The plaintiff, obviously, fought that request.

Read the rest of this entry »

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Read the rest of this entry »

“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!

Read the rest of this entry »

Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz that we published last year at this time. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda’s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that its as fresh today as it was a year ago. Perhaps even more apt. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.

Twas the month before Christmas and all through the house,
All the children were networking with the click of a mouse.
Cyber thieves were nestled all snug in their chairs,
Waiting for shoppers to unknowingly share.

 As I shopped for him and he shopped for me,
The thieves stole our money and our financial history.
We did not even realize that this information was taken,
And we thought the denial of our credit card was mistaken.
Using Phishing or SMiShing and hacking the links,
Our private information was retrieved in a blink.

 Perhaps we should have shopped on a network that was secure,
Or at least checked our credit reports monthly to be sure,
That thieves were not using our names and our faces
To purchase plane tickets to tropical places.
So to all of the shoppers who like to avoid the crowd,

Protect your info this season and make CyberInquirer proud!

Happy Holidays from CyberInquirer!

   Send article as PDF   

We’re only two weeks away from the season’s premier cyber education event: The PLUS Northwest Chapter & IIABKC Cyber Workshop, to be held on December 7 (a date which will live in infamy), 2011 at the Washington Athletic Club in downtown Seattle. This will be my first trip to Seattle, so I’m really looking forward to it, as well as to meeting those of you who attend. The panel is entitled Emerging Issues Surrounding Cyber Privacy and Security Risk and will run for a full three-hours (with a corresponding 3 Washington state CE credits), from 1.30 PM to 4.30 PM, to be followed by the always popular cocktail reception.  The cost is to attend is dirt cheap, given the panelists and topic, as its $40 for PLUS members and $60 for non-members.

So, you’re wondering, who are the panelists? Well, PLUS Northwest has assembled a crackerjack lineup of the following special guest speakers:

David Molitano,Vice President/Division Manager, Content Technology & Services at OneBeacon Professional Insurance; Kimberly Horn, Claims Manager for Technology, Media and Business Services at Beazley Group; and Karl Peterson, Senior Vice President, E&O and eRisk Product Team at Willis Executive Risks Practice.

You’ll only get this quality of presenter at the PLUS Northwest Chapter event. Don’t be fooled by pretenders or others promoting cyber conferences with lesser lights. This is THE cyber event to attend. And the post-workshop cocktail reception is an added bonus.

Please feel free to contact PLUS or me if you have any questions or would like further details about the Workshop. We look forward to seeing you there! And, in particular, meeting with you afterwards. Plus (no pun intended), for Cyberinquirer subscribers only, the first cocktail is on me. Just flip an email and let me know you’re coming.

Rick

   Send article as PDF   

With the help of our readers, Cyberinquirer has again been named as one of LexisNexis’s Top Insurance blogs 0f 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list.  It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we’re geeks).  And we hope that you, our readers, gain from our insights, even if you don’t always agree with them.

So now that we’ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord.  If you’ve got something to say that may be of interest to others in the community, email it to me at rbortnick@cozen.com and I will get back with you promptly. We strive to publish fresh, interesting content on a regular  basis, but its not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We’d actually appreciate it.

Needless to say, we couldn’t have done this on our own. So the honor is not just for us, but for you too. Thanks.

   Send article as PDF   

In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not out of the clear. And, things may be getting worse as  the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).

Read the rest of this entry »

The following article was written by my good friend, Scott Godes, a policyholder attorney with Dickstein Shapiro in Washington, D.C., and first appeared on his personal site, Corporate Insurance Blog. Cyberinquirer neither ratifies nor necessarily agrees with the opinions stated below, which are Scott’s exclusively and not those of Cyberinquirer or Dickstein Shapiro. Responsible comment will gladly be published (promptly…). Please feel free to forward them to me at your convenience.

Rick Bortnick

On October 27, 2011, CNN.com posted:

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

The Krebs On Security blog posted:

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.“  Would your insurance policies cover those events?  Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.  These attacks and threats do not appear to be on a downward trend.  They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.  The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.” Themore recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.

Read the rest of this entry »

Its not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that ”the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director or officer of a company that does not “comply” with the DCF’s  ”recommendations.”

Read the rest of this entry »

Businesses that necessarily require their customers to disclose credit card and personal information, beware.   Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for ”mitigation damages” arising from alleged negligence and breach of contract were viable.  Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011). 

In Anderson, the electronic payment processing  system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes.  Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008.  A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported. 

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards.  Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer.  Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards. 

Read the rest of this entry »

On October 17, 2011, the U.S. Court of Appeals for the Tenth Circuit issued a much-anticipated decision addressing the scope of “Advertising Injury” (“AI”) coverage for patent infringement claims.  Dish Network Corp. v. Arch Specialty Ins. Co., No. 10-1445, __ F.3d __ , 2011 U.S. App. LEXIS 20955 (10th Cir. 2011), rev’g, 734 F. Supp. 2d 1173 (D. Colo. 2010).  The court, applying Colorado law, reversed a decision from the District of Colorado in which that court granted summary judgment to the insurers.  In the underlying action, the plaintiff alleged that Dish Network Corp. (“Dish”) had infringed one or more of twenty-three patents by “making, using, offering to sell, and/or selling . . . automated telephone systems, including . . . the Dish Network customer service telephone system, that allow[s] Dish’s customers to perform pay-per-view ordering and customer service functions over the telephone.”  The Tenth Circuit concluded that the record was unclear about how Dish actually used the technologies at issue, but that some of the patent-holder’s most well-known innovations involved interactive call processing. 

Read the rest of this entry »

I recently attended a CLE that had a panel of social media experts who were discussing the role of Facebook, Twitter and MySpace in litigation. During a lull in the question and answer session, the Facebook attorney quipped: “you know, Facebook has already given you everything that you’ve ask for…” Immediately, the audience lifted their heads from their Blackberries and newspapers and started paying attention after this cryptic remark.

Read the rest of this entry »

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.

Read the rest of this entry »

I.                    Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders.  While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions.  The Asia-Pacific region typifies such a lack of uniformity.  At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 

75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months.  Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined.  Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009.  See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).  Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program.  Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.   

Read the rest of this entry »

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Read the rest of this entry »

First published on September 22, 2011 at e-Discovery Law Review
Monetary sanctions, attorneys fees, and adverse inference jury instructions are the more common type of sanctions imposed on litigants for the spoliation of evidence, or not producing relevant documents. Recently, however, a court has increased the severity and impact of sanctions by applying them not only to current litigation, but also to a party’s future litigation, with the effects lingering for years to come.

The Underlying Suit

“Any competent electronic discovery effort would have located this email.” These words were written in an opinion by a United States District Judge in the Eastern District of Texas in Green v. Blitz U.S.A., Inc., No. 2:07-CV-372 (E.D. Tex., Mar. 1, 2011) Green involved a product liability suit in which the requirement of a flame arrester was in dispute. The jury returned a defense verdict, and the plaintiff collected a low settlement amount as part of a high-low settlement agreement. During discovery in a subsequent case with the same defendant and plaintiff’s counsel, counsel learned of documents that were not produced in Green. The plaintiff then filed a motion for sanctions against the defendant in Green and a motion to re-open the Green case. While the court denied the motion to re-open because the statute of limitations had expired, the court did impose sanctions for the discovery abuse.

Read the rest of this entry »

We are pleased to announce that Cyberinquirer is among the group of initial nominees for the Top Insurance Law Blogs of 2011!

Each year, LexisNexis honors a select group of blogs that set the online standard for a given industry.  And, as we write this, LexisNexis is in the process of selecting the Top 50 Blogs for the LexisNexis Insurance Law Community.   The selection will be based on LexisNexis’s review of various insurance law-related sites as well as comments from its members. And here’s where the shameless plug for Cyberinquirer come in…

In order to vote forCyberinquirer (and for those of you who will, thanks in advance for doing so!), you will need to be a registered LexisNexis Community member and be logged in. If you have not registered previously, follow this link to create a new registration or use the sign-in credentials from your favorite social media site. Registration is free. Once you have logged in, scroll to the very bottom of the page. Then add a comment in the box to vote for Cyberinquirer. That’s all there is to it! Please note that voting ends on October 7, 2011.

And, thanks again for supporting us and our geeky hobby.

   Send article as PDF   

The protracted copyright infringement class action by freelance writers seeking compensation for pieces published without authorization in various online databases has hit another roadblock.

In re Literary Works in Electronic Databases Copyright Litigation involves claims for infringement of works as to some of which the copyrights are registered and the vast majority are unregistered. This detail – the registered/non-registered distinction – keeps stymieing resolution of the case. In 2007, after the parties had spent years negotiating a settlement and gaining district court approval, the Second Circuit threw out the settlement, holding that the district court lacked subject matter jurisdiction to approve the settlement because many of the claims to be resolved were based on unregistered works, and registration is a jurisdictional predicate to a copyright infringement suit. The Supreme Court finally reversed in 2010, and the parties went back to the district court and again gained approval of the settlement.

Read the rest of this entry »

The ABA has issued a formal ethics opinion that provides guidance to lawyers whose clients use an employer’s email account to send or receive email from counsel.  In Formal Opinion 11-459, the Standing Committee on Ethics and Professional Responsibility urges lawyers to warn their clients that the confidentiality of electronic communications may be jeopardized if the employer or other third party, such as a hotel or library, has the potential to access email or other correspondence hosted on the third party’s computer system.

When clients use an employer’s computer, smartphone or other telecommunications device, or an employer’s email account, the employer may be able to obtain access to the communications and take advantage of that opportunity in various contexts, such as when the client is engaged in an employment dispute or when the employer is responding to a subpoena or document discovery in litigation.

Read the rest of this entry »

A recent Ninth Circuit opinion on class certification demonstrates both the potentially fact-intensive nature of class action “typicality” issues and the importance of substantive law in determining whether common issues predominate over individual issues.

In Stearns v. Ticketmaster Corp., the Ninth Circuit Court of Appeals reviewed several decisions denying class certification to various plaintiffs challenging an allegedly deceptive internet scheme involving Ticketmaster and its one-time affiliate, Entertainment Publications, Inc. (“EPI”). At issue is a link on Ticketmaster’s website to EPI’s Entertainment Rewards program, which allows members paying a monthly fee to download printable coupons.

Read the rest of this entry »

We at Cyberinquirer will be taking a break this weekend. I am heading to NYC for a memorial in honor of our dear friend John Keohane, who perished that awful day at the age of 41. Many of you may have known John from his days with CIGNA, ACE and Zurich. He is still missed by his colleagues, friends and family and always will be. What a tragedy.

   Send article as PDF   

The following article was published in the September 1, 2011 edition of National Underwriter’s Property Casualty 360 website. 

I.     Introduction: Insurance Products for Cyber Risks

Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.

Read the rest of this entry »

The Clerk for the U.S. District Court for the Eastern District of Pennsylvania recently ruled that there is a heavy presumption that prevailing parties may recover certain e-discovery costs under 28 U.S.C. § 1920. Federal Rule of Civil Procedure 54(d)(1) allows prevailing parties to submit bills of costs for certain expenses, enumerated in 28 U.S.C. § 1920, for taxation by the Clerk against the non-prevailing parties. For example, that statute provides for the taxation of costs related to obtaining copies of transcripts and printing. More significantly, the statute provides for the taxation of “[f]ees for exemplification and the cost of making copies of any materials where the copies are necessarily obtained for use in the case.” 28 U.S.C. § 1920(4). While the term “exemplification” is undefined, federal district clerks have traditionally awarded, as exemplification and copying costs, those costs related to the production of paper documents, photographs, models, maps, blow-ups, charts, and diagrams.

Read the rest of this entry »

In a recent decision, a Pennsylvania trial court concluded that no privilege exists to prevent access to non-public social website information of personal injury claimants. Rather, the “paramount ideal” of pursuing truth favors liberal discovery of relevant information on social media sites.

In Zimmerman v. Weis Markets, No. CV-09-1535 (C.P. Northumberland Cty., May 19, 2011), the court rejected a personal injury plaintiff’s objections to providing non-public portions of plaintiff’s Facebook and MySpace pages, after the defendant demonstrated that the public portions of those pages included recent photographs and comments that appeared to contradict the plaintiff’s claims of physical and emotional distress. The court agreed with the rationale stated in other recent cases holding that an individual who voluntarily posts photos and information on social networking sites does so with the intention of sharing, and thus cannot later claim any expectation of privacy. The court noted that the privacy policies of Facebook and MySpace disclose that any information posted may become publicly available at the user’s own risk.

Read the rest of this entry »

Just as lawyers now routinely conduct due diligence on opposing parties’ social media pages. some lawyers also are monitoring postings by jurors on social media sites.

In a recent ethics opinion issued by the New York County Lawyers’ Association Committee on Professional Ethics (No. 743, 5/18/11), the committee concluded that an attorney may review jurors’ postings on publicly available social networking sites during trial. But they must not “friend” or “tweet” jurors, subscribe to their Twitter accounts, or otherwise contact them, either directly or through others.

Read the rest of this entry »

Well, this result seemed almost inevitable.  After all, who gets away with misleading a court?  Right?  But is the amount of the sanction sufficient?  Righthaven was ordered to pay a measly $5,000.  Is that amount really going to punish Righthaven in any significant way?

Righthaven LLC is a copyright holding company, founded in March 2010, which acquires the rights to newspaper content from its partner newspapers (most notably, Stephens Media, which owns the Las Vegas Review Journal). Upon finding that content has been copied to online sites without permission, Righthaven initiates litigation against the site owners, alleging copyright infringement.
Read the rest of this entry »

In addition to being a trademark geek, I could be accurately accused of also being a tech geek. A “geek” is someone who loves using, and helping other people use, technology to help simplify his or her life. Best Buy, capitalizing on this endearing term for electronic lovers, created the Geek Squad, a tech support service. Their distinctive orange and black cars marked with their trademarked logo can be called out to provide in-home support or they are just a phone call away to help you with your technological needs.

There’s not too many other words other than geek that convey the nerdy type of people who love technology, but Best Buy is taking action against others who use “geek” for this purpose in their slogans.  In a recent lawsuit against Newegg.com, Best Buy claimed trademark infringement over Newegg’s slogan “Geek On,” saying that the similarity between the motto, in addition to using orange and black in their logo, breaches their rights.  And this is neither the first, nor the last, time that Best Buy will sue companies over this issue.

Read the rest of this entry »

The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.

Read the rest of this entry »

It has become common practice for lawyers to mine social media pages of parties and witnesses for discovery purposes. The posts and photos may show a party to be lying about the extent of his or her claimed injury or disability, or they could undermine or support other claims. Facebook and other social media sites also have become fertile ground for cutting edge ethical questions posed to state Bar ethics committees.

In a recent ethics opinion issued by the San Diego County Bar Association, a lawyer asked if it was proper to “friend” request high-ranking employees of a company the lawyer was suing on behalf of a former employee pursuing a wrongful discharge case. The lawyer believed that these high-ranking employees were dissatisfied with the company and likely had been posting negative information on their social media pages that were accessible only to those persons who had been accepted as “friends”.

Read the rest of this entry »

During the last decade, individuals and business have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.

As discussed more fully in Rick Bortnick’s prior posts (here and here), cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling resources providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities, and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third-parties that pose the greatest risks during e-discovery.
  Read the rest of this entry »

A: They are some of the Google Search Terms that have brought readers to our site this week.  

A list of this week’s Top Google Search Terms leading to Cyberinquirer, and some other cute cyber-related gags that have qualified for our “Weekend Funnies” post, are set out below. I was flattered to see my name appear on the search list unaccompanied by terms like “lawyer” or “cyber geek” or “unhygenic”.  Here’s the list: Read the rest of this entry »

Computer hacking is a constantly evolving and growing threat.  While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades. 

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry.  Of course, the cost of a security breach may have something to do with that.  According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers have to pay an average of $7.2 million to deal with and remedy the situation. 

One particularly alluring target for hackers has been educational institutions.  While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise. 

In 2007, educational institutions accounted for 25% of all reported data breaches.  This number jumped to 33% in 2008.  See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) Read the rest of this entry »

We would like to thank our devoted readers for making our site the world’s 3,364,537 most popular website as ranked by www.mostpopularwebsites.net! Considering that there are billions of websites online today, the fact that our site merits a specific ranking is a big deal to us. As you will see, we have proudly posted our newly discovered status on the left column of the site.  It’s a dangerous job, but somebody has to do it!

Clearly, our popularity is due to the nature of our substantive, high-caliber content posted on a regular basis (“regular” being defined in the context of a not-for-profit blog with busy contributors who, generally speaking, require the pulling of only a few teeth to motivate the production of articles). We admit, however, that we have occasionally found ourselves grappling with the conflicting desires of (1) maintaining serious, topical high-quality posts on cyber law and insurance related topics; and (2) posting random, funny, goofy stuff,  just for the heck of it. This inclination hits us at odd times…like an afternoon at the office when we should, instead, be putting the finishing touches on a mediation brief. In this post, we have therefore attempted to strike a compromise post that is both informative, random AND goofy. Intrigued? Then please read on. Read the rest of this entry »

It seems Righthaven hasn’t been able to catch a break since my December 2010 post.  Righthaven LLC is a copyright holding company founded in early 2010, which acquires newspaper content from its partner newspapers after finding that the content has been copied to online sites without permission, in order to engage in litigation against the site owners for copyright infringement. 

Just last week, in a suit filed against Democratic Underground (“D.U.”), Righthaven sought damages because D.U. used four paragraphs of a 34 paragraph Las Vegas Review Journal article (recall that the Journal and its contents belong to Stephens Media).  The post included a link to the full article, as well as citing the Journal. 

U.S. District Court Judge Roger Hunt dismissed the lawsuit, holding that a “copyright owner [here, Stephens Media] could not assign a bare right to sue.”  In addition, the court came down hard on Righthaven because it failed to advise, as required by law, that Stephens Media had a pecuniary interest in the lawsuits (Righthaven and Stephens Media were sharing the profits received from these lawsuits).  Judge Hunt seemed disgusted with Righthaven’s behavior and gave Righthaven two weeks “to show cause … why [Righthaven] should not be sanctioned for this flagrant misrepresentation to the court.”  Judge Hunt accused Righthaven of trying to “manufacture standing” in all of its cases.  (Click here for the Court’s full decision.) Read the rest of this entry »

Today, data breaches are a frequent occurrence. Often with the disclosure of each breach comes an announcement of credit report monitoring for affected individuals for a certain time period. So what does credit monitoring really provide? Identity protection, peace of mind or simply customer goodwill?

Credit report monitoring is the checking of one’s credit history in order to detect suspicious activity or changes. Companies that provide credit monitoring typically will alert the individual to activity tied to his or her social security number, such as credit inquiries, delinquencies, negative information, employment changes and new accounts. So why does credit monitoring fail to provide identity theft protection?

1.  First, individuals can receive a free credit report on an annual basis. The three credit reporting agencies, Equifax, Experian and TransUnion, have set up the following internet website, through which individuals can request free copies of their annual credit reports: https://www.annualcreditreport.com/cra/index.jsp.

2.  Secondly, criminals will wait at least one year and one day in the brokering or use of stolen data if the company that sustained the privacy breach offers one year credit monitoring.

3.  Third, credit monitoring primarily serves to alert, after the fact, the opening of new accounts. In turn, it typically does not warn the individual of changes with their existing credit. Hence, to the extent the persons’ current credit ratings have been adversely affected by the malicious acts of a third-party, they may go unreported and be unknown to the person whose credit has been impacted.

4.  Fourth and most importantly, credit monitoring fails to protect against the malevolent conduct listed below, as outlined by the non-profit Identity Theft Resource Center: 

Read the rest of this entry »

The front page of today’s New York Times is not solely concerned with the fallout from President Obama’s well publicized dustup with Bibi Netanyahu. No, the Supreme Court of the US gets a slab of the bottom fold, continued inside. The subject? The literary style of the top nine. And very erudite it is, apart from Justice Clarence Thomas that is, who cites the hit television show “24” as his model for what a good brief should aspire to. Jack Bauer, what hast thou wrought?

The article made me wonder what a Supreme Court opinion might look like in years to come, when today’s law students and associates have replaced the good Clarence, Ruth, et al, on the highest bench in the land. Here’s a possible example taken at random from the recent decision in Milner v Department of the Navy:

JUSTICE KAGAN delivered the opinion of the Court.

The Freedom of Information Act (FOIA), 5 U. S. C. §552, requires federal agencies to make Government records available to the public, subject to nine exemptions for specific categories of material. This case concerns the scope of Exemption 2, which protects from disclosure material that is “related solely to the internal personnel rules and practices of an agency.” §552(b)(2). Respondent Department of the Navy (Navy or Government) invoked Exemption 2 to deny a FOIA request for data and maps used to help store explosives at a naval base in Washing- ton State. We hold that Exemption 2 does not stretch so far.

And what the same judgement might look like if written by a member of the Twitter generation:

Kaggers: FOIA = Feds give docs to public. 9 excepts. #2, “solely to the internal personnel rules and practices of an agency.” Navy no use hide stuff go boom.

Why Pacman stopped using Twitter

   Send article as PDF   

Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.

According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so.  
 
Read the rest of this entry »

Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”

Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.

 In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack.  The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers.  Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event.  Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.

In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security.  Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem Read the rest of this entry »

I am proud to be a Co-Chair of the 2nd Annual NetDiligence Cyber Risk & Privacy Liability Forum which will take place June 9-10, 2011, at the historic Philadelphia Union League. Last year’s program was a huge success and the program planners are expecting the turnout to be even bigger this year.

NetDiligence and HB Conferences have teamed up to pull together thought leaders in the cyber/privacy industry to address the most urgent subjects. The program is fully accredited for continuing education and is priced at a level firms and companies will find attractive.

Over the course of a day an a half, we will present 45 industry-leading experts. I will help moderate the Conference, together with my Co-Chairs, Oliver Brew of Hiscox USA, Toby Merrill of ACE Professional Risk and Meredith Schnur of Wells Fargo Insurance Services USA. Also featured will be a keynote address by Jeffrey L. Seglin, nationally syndicated columnist of The Right Thing and author of The Right Thing: Conscience, Profit and Personal Responsibility in Today’s Business.

 For program and registration information, go to http://litigationconferences.com/?p=17865. I look forward to seeing you there!

   Send article as PDF   

Cyber crime is costing the United Kingdom more than £27  billion a year ($43.5 million), according to a recent study published by Britain’s Office of Cyber Security and Information Assurance.  The report, entitled “The Cost of Cyber Crime,” concluded that digital crime was a widespread, pervasive threat to U.K. businesses.

Theft of intellectual property, such as designs, formulas and other company secrets from businesses costs £9.2 billion, with firms specializing in pharmaceuticals, biotechnology, electronics, IT and chemicals being hit hardest.  The pharmaceutical industry loses about £1.8 billion a year in IP theft, followed by electronics and electrical equipment makers and the software sector.  In terms of non-IP industrial espionage, financial services are the biggest loser, with yearly losses of more than 2 billion, followed by mining and aerospace. 

Read the rest of this entry »

On January 20, 2011, a federal class action lawsuit was filed against MySpace in the United States District Court for the Eastern District of New York. If successful, this new lawsuit could have dramatic implications for social networking sites and their users. Either way, it provides another opportunity to make a couple of privacy-related points for employers.

The MySpace lawsuit was filed on behalf of all former and current users of MySpace, who seek damages for the alleged improper and voluntary disclosure of personal and private information and data in response to foreign court search warrants without the knowledge or authorization of the MySpace users. The class alleges that search warrants issued by state judges for certain information have no force and effect when they are issued to MySpace’s California headquarters from other states, but that MySpace nevertheless provided responsive information and data voluntarily.

Read the rest of this entry »

Whether you own a website where you allow blogs and comments to be posted, or if you are the blogger/poster, listen up. 

For those of you who haven’t heard of Righthaven LLC, they are to the blogging world what editors are to the Law Review world…cite-checking and anti-plagiarism “proponents” (let’s call ‘em that, for argument’s sake).  Righthaven’s been making quite a splash and has gained popularity among news chains since its coming into existence in the spring of 2010.  According to David Kravets’ article, “Righthaven Expands Troll Operation With Newspaper Giant”[1], Righthaven has filed over 180 lawsuits and has settled over 70 of them already.  Its major suppliers of copyrighted material include Stephens Media (owners of Las Vegas Review-Journal), MediaNews Group (owners of San Jose Mercury News and the Denver Post), and WEHCO Media (owners of Arkansas Democrat-Gazette and Chattanooga Times Free Fress), to name a few.[2] Owned by Net Sortie Systems LLC and SI Content Monitor LLC, Righthaven is the brain-child of Las Vegas-based IP attorney, Steven Gibson.[3] Righthaven’s clients assign their rights in the content to Righthaven, who then sues for copyright infringement.[4] 

In order to analyze the problems faced by the parties to such lawsuits, we’ll have to discuss the U.S. Copyright Act, as well as the Digital Millennium Copyright Act (“DMCA”).

Read the rest of this entry »

We wrote to Google and asked what information was required to subpoena Gmail in order to determine the identity of an email customer. Google’s response is below:

Dear Ms. Pengelley:

The information requested relates to services offered by Google Inc., a U.S. company organized and operating in the U.S., and governed by U.S. laws.  As such, we ask that your request be directed to Google Inc. – Attn: Legal Department, and communicated through the proper legal channel.  Please direct further communications to Google Inc. – Attn: Legal Department – at 1600 Amphitheatre Parkway, Mountain View, California, 94043, US, Fax: + 1 650.469.0622, or by email at lis-global@google.com.

Read the rest of this entry »

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet.  Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear.  Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:

Read the rest of this entry »

As the latest episode of the continuing Wikileaks saga explodes across the Web and our newspapers, one wonders what else might be in store.

The whistle-blowing site has published 219 documents from its trove of 251,287 secret diplomatic cables so far. The new “Secret U.S. Embassy Cables” section of the WikiLeaks site is an expanding archive of the documents that can be searched in several ways, including by subject, country or topic.

The White House Press Secretary and assorted other US Administration mouthpieces bluster and threaten with the same words they used over the leaks about the wars in Iraq and Afghanistan. Not that anyone takes any notice. Who among us is going to take any notice of Robert Gibbs when we can pore over the juicy tidbits about who said what to whom. Which countries were bribed to take prisoners from Guantamo? And with how much? One guy, a million bucks. Two, meet the President. Red-faces there will be in plenty. And in governments other than just that of the US. Although it’s the US that will get the most attention. There’s nothing like a good dose of Schadenfreude.

Titillating as it is to see the US Administration red-faced, the question must be asked – what next? Exposing the diplomatic and other shenanigans of the US and its erstwhile Allies is one thing. But wouldn’t it be interesting to see the correspondence of, say, the Chinese Politburo? Or the private emails of Imadinnerjacket? Or the personal files of North Korea’s increasingly weird Kims? Who wouldn’t want to see the secret files of Hezbollah? Does the Pope use email? Or, hey, surely there’s a potential leaker in Israel’s IDF. Wouldn’t it be interesting to read the memos that went back and forth when everything hit the fan over the Mavi Mamara.

Of course, none of this means that governments are going to behave better. It’s going to be a boon for the cyber-security and security vetting industries though.

   Send article as PDF