
Congress Proposes Bill Protecting Student Data

While the protection of private data contained within student records is not a new concern, advances in technology and the accompanying headlines of data breach have caused Congress to reconsider the issue.

The Family Educational Rights and Privacy Act (FERPA) currently protects against the unauthorized disclosure of personally identifiable information (PII) contained within student records. PII includes direct identifying information, such as a student’s name, as well as indirect identifying information, such as date or place of birth.

The role computers and networks play in the operation of schools is profound. Like many industries, the issue of data storage for schools is a significant aspect of the information technology infrastructure. Increasingly, schools (mostly public enterprises) migrate and store data in the Cloud, thus placing PII in the hands of third-party (mostly private) business associates. Schools also rely on on-line text books, on-line web applications, and software as a service. Much of this did not exist when President Ford signed FERPA into law in 1974. One survey showed only 25 percent of districts notify parents that their students’ data interfaces with the Cloud.


Cyber at Lloyds: Catching the cyber horse in motion

The following article was written by my good friend Tony Ellwood. Tony is senior executive, underwriting, at Lloyd’s Market Association and a thought leader. We are grateful to Tony for allowing us to republish his article, which first appeared in the July 16th edition of Insurance Day.

Rick

The question of whether a running horse has all four hooves in the air simultaneously was one that perplexed generations. No matter just how closely a horse was observed, the motion of its legs was simply too rapid for the human eye to register accurately. It was not until the advent of photography and an experiment by Eadweard Muybridge in 1878 that the question was answered. He developed a camera that was triggered by wires attached to a horse’s legs allowing him to shoot 24 photographs as the horse ran past, which proved beyond a shadow of doubt that a horse does indeed lose contact completely with the ground in mid-gait.

There are many parallels between Muybridge’s study of the running horse and a new survey the Lloyd’s Market Association (LMA) has launched to understand the full extent of cyber risk being underwritten in the Lloyd’s market. The similarity is the sheer pace with which cyber liability has grown from its beginnings in the mid-1990s to current global premiums in the order of £1.5bn, and still rising sharply. The speed of that growth, combined with the rate at which cyber has evolved as a product, makes it a particularly tricky line to pin down. What’s more, the question that has been formulating in the LMA’s collective mind is how much cyber liability is being written at Lloyd’s within other classes of business such as marine or aviation. This survey is the first attempt to comprehensively map that business.


Rumination and Pondering

Is it Karma that Adam Silver sanctioned Donald Sterling or am I thinking about it too deeply? I’ll leave it to readers to decide.


The Insurance Industry and ICANN: The Next Frontier

We all take the Internet for granted. Short of a power outage taking down phone lines, cell towers and satellite transmissions, the Internet will always be there. Like death and taxes, you can count on it.

Not that the paradigm will change any time soon, but at some point, it might.

On March 14 and 17, 2014, the Wall Street Journal reported on the decision by the National Telecommunications and Information Administration (“NTIA”), part of the Commerce Department, to cede control of the Internet from the Internet Corporation for Assigned Names and Numbers (“ICANN”) (a U.S. non-profit) to an organization of multinational stakeholders.

As readers of Cyberinquirer know, ICANN is responsible for managing the core of the Internet by distributing domain names and Web addresses. It’s been doing so since 1998.


Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

Introduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CPT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorney’s clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do not possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at rbortnick@cpmy.com. A complete copy will be emailed upon request. Cheers. Rick


Canada Update: The Tort of “Intrusion upon Seclusion”

The following was written by my friend Patrick Cruikshank, Underwriting Manager, Specialty Risk – Professional Liability at Northbridge Insurance in Toronto. Thanks to Patrick for his contribution. Relevant articles are always welcome for publication.

Rick

In the 2012 case of Jones v. Tsige, the Ontario Court of Appeal established the new tort of invasion of privacy. For some, this privacy tort has opened a Pandora’s Box. For others, it’s considered legal progress in the modern technological world.

Sandra Jones and Winnie Tsige were employees of the Bank of Montreal (BMO).  They worked at different branches and did not know each other.  Tsige was in an intimate relationship with Jones’ ex-husband.

Over a period of 4 years, Tsige used her workplace computer to gain access to Jones’ personally identifiable information and personal financial information 174 times.  Tsige did not disseminate this information.

When Jones discovered this unauthorized access, she made a formal complaint to her employer, who upon investigation determined that Tsige had accessed Jones’ information and had no legitimate reason to do so.  Jones subsequently sued Tsige for invasion of privacy and breach of fiduciary duty.  She sought $70,000 in general damages plus $20,000 in punitive damages.

Jones’ claim was dismissed by the Ontario Superior Court because there was no law in Ontario that recognized an invasion of privacy tort.

The Court of Appeal overturned the decision and granted summary judgment in favor of Jones.


Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.


Protecting Our Children from Internet Predators, Marketers and Information Aggregators: The Need for Aggressive Government Intervention

As everyone knows, the Internet has dramatically altered (read: simplified) the way we communicate, do business and satisfy our intellectual and social curiosities. Indeed, Internet-based sales topped the trillion dollar mark for the first time in 2012 and are projected to increase 18.3% to 1.298 trillion in 2013. I’d take that rate of growth any day, particularly in the current world economy.


Canadians More Exposed Than One Would Think

Okay. Let’s start with the obvious. No, this has nothing to do with Canadian citizens and immigrants behaving badly, although that may be a topic for a future post.

What we’re talking about is the prevalence of cyber-related incidents and the resulting fallout among Canadian-based companies. And the numbers may surprise you.


The Posts have Come Back… To Cyberinquirer


Since last we visited, your humble Publisher has moved on to the Law Offices of Richard J. Bortnick, where I am Managing Director (very European, if I do say so myself). A number of dedicated readers and friends (you know who you are) have asked what had become of me and why my old email address was no longer effective.

The answer my friend (apologies to Peter, Paul and Mary) is the Law Offices of Richard J. Bortnick. At the risk of having this viewed as attorney advertising, I will stop there other than to say I also will be signing as a free agent with a Consulting Firm to be named later (but not much later).

So, please feel free to contact me if you want to catch up, engage in intellectual banter (with the exception of Philadelphia sports, where the banter will all be negative) or have some worthwhile humor you’d like to pass along (although it can’t be as good as the material I get from my good friend Jeff). My new email address is rjbortnick@comcast.net (at least for the short term… stay tuned on that too).

It’s good to be back. And thanks for all of your kind wishes.

Rick


Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.


The Queen v. Cole: Privacy Protection for Employer-Issued Equipment in Canada

The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.

The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.


Planet Mars, Curiosity, and Data Security

For those captivated by recent events in astronomy, parallels can be drawn between the recent landing of NASA’s rover Curiosity on planet Mars and the public discourse on data security in Canada. With the distinction that one is effectively equipped with the right budget and tools to achieve its actual objective, both have come a very long way, both have managed to blaze through layers of clouds, both seek to secure ingredients essential to life, and both are now aimlessly wandering about uncharted territories.

A decisive factor in Barack Obama’s 2008 political campaign was the extensive use of individual, thin-sliced consumer data to send highly tailored messages to gain political support. Within 13 years, Google has become the most valuable brand in the world through the aggregation of vast amounts of data including search data, or data held in Gmail accounts. This information is then used to create an advertising cruise missile, which is much more efficient than the old method of pattern bombing.


Human Error: The Greatest Risk and Root Cause of Data Security

Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.


Data Privacy and Unauthorized Non-Hackers: the Rise and Risk of Accountability and Breach Notifications in Canada

Recent unauthorized access to British Columbia Institute of Technology’s computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT’s computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the “oil” of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT’s notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.


First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’s bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.


Cyberstalkers Beware: You’re Not Anonymous

A quick Google search will reveal thousands, if not hundreds of thousands, of hits for the term cyberstalking. Indeed, as of today, there are over 900,000 posts where the word is used. Perhaps not surprisingly, many of the listings involve teen cyberbullying and child protection issues. There are also large numbers of celebrities who are cyberstalked or otherwise harassed. Beyond juveniles and celebrities, the most frequently stalked demographic are 18-32 year old females, a cohort to which some of our own bloggers (and co-publishers) belong. Curiously, reports indicate that more and more women are also the cyberstalkers, not just the victims. Anecdotal stories suggest many of these women are married but unhappy with their lives.


Past the Point of No Return: Jones v. Tsige and the “New” Tort of Invasion of Privacy in Canada

Jeremy Bentham used to refer to the common law as the “dog law”. As he explains it, “whenever your dog does anything you want to break him of, you wait till he does it, and then beat him for it. This is the way you make laws for your dog: and this is the way the judges make law for you and me.”

Insofar as the tort of invasion of privacy in Canada is concerned, Jeremy Bentham was arguably right. Aside from the province of Quebec, which is governed by a civil law system, and a few other provinces in Canada which have benefited from a statutorily enacted tort of invasion of privacy, lower Courts have been divided over the existence of a free-standing tort of invasion of privacy at common law. The recent decision Jones v. Tsige (2012) by the Ontario Court of Appeal is the first to confirm that what used to be an embryonic tort of invasion of privacy is now alive and well in Canada.


Agreement between the US, NATO, and Australia on Cyber Security

The US and Australia have a longstanding agreement to back each other up in case of physical enemy attack, but now have moved that agreement to the arena of cyber-attack as well. With Australia’s history of cyber-attacks well known, such as an attack two years ago that brought down Australia’s Parliament’s website, the country cannot afford to ignore cyber security any longer.


Cyber-security in a Hyperconnected World

The cyber-attacks recently launched by six individuals from the group Anonymous, an international hacktivist collective, against 13 Quebec government and police websites are but a fleeting glimpse of a much broader problem associated with the cyber world, most of which remains largely unseen. Succinctly stated, the cyber-attacks were a response to the Quebec Liberal party’s constitutionally questionable Bill 78 that was recently passed as a response to the student crisis sparked three months ago over the government’s planned 75% tuition increase. That six individuals were arrested by law enforcement agencies and charged with mischief, conspiracy, and unlawful use of a computer should hardly be reassuring.


New York Court of Appeals Rules That Viewing Images On The Web Does Not Constitute Procurement, Possession or Control, Even When Cached On A Hard Drive

On May 8, 2012, the New York Court of Appeals issued a ruling that merely viewing child pornography on the internet is not a criminal act under the New York Penal Code. The People v. James D. Kent, Index 70, NYLJ 1202552838004, at *1 (Ct. of App., Decided May 8, 2012). The rationale behind the decision of the state’s highest court bears discussion on a much broader scale due to its potential bearing on the legal definitions of procurement, possession and control of digital property.

The key question under consideration was the evidentiary significance of temporary internet files (or cache files) that are automatically created and stored on the hard drive of a computer while the user is browsing the internet. The Appellate Court concluded that the act of viewing a web image alone does not, absent other proof, constitute either possession or procurement.


Access to Insured’s Social Media Accounts: No Friend Request Necessary

The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.

Rick Bortnick

Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.


New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.


Keep Your Friends Close, But Your Facebook Posts Closer

“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!


Cyberinquirer Named As One of LexisNexis’s Top Insurance Blogs of 2011

With the help of our readers, Cyberinquirer has again been named as one of LexisNexis’s Top Insurance blogs of 2011. We are obviously flattered, particularly in view of the quality of the other blogs selected to this august list. It shows that people are reading what we have to say. And that, perhaps, they are interested in what we have to say. We sure hope that to be the case. We love thinking, reading and talking about tech, privacy and cyber related issues (yeah, admittedly we’re geeks). And we hope that you, our readers, gain from our insights, even if you don’t always agree with them.

So now that we’ve been recognized by LexisNexis for the second straight period, maybe some of you, our readers, will be more comfortable authoring a piece we can post. Remember, this blog is open to all relevant, responsible submissions, be they articles, commentaries, or just comments on something we have said that strikes a chord. If you’ve got something to say that may be of interest to others in the community, email it to me at rbortnick@cozen.com and I will get back with you promptly. We strive to publish fresh, interesting content on a regular basis, but it’s not always easy, as we do maintain law practices. And have other commitments. So flip your authored pieces. We’d actually appreciate it.

Needless to say, we couldn’t have done this on our own. So the honor is not just for us, but for you too. Thanks.


Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

It’s not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director of a company that does not “comply” with the DCF’s “recommendations.”


Facebook: Everything You Want To Know and More… Just a Discovery Request Away!

I recently attended a CLE that had a panel of social media experts who were discussing the role of Facebook, Twitter and MySpace in litigation. During a lull in the question and answer session, the Facebook attorney quipped: “you know, Facebook has already given you everything that you’ve asked for…” Immediately, the audience lifted their heads from their Blackberries and newspapers and started paying attention after this cryptic remark.


INTRODUCTION TO CANADA’S PIPEDA PRIVACY LEGISLATION

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.


Ensuring Discovery Compliance: Sanctions Relating to Past, Present, and Future Adverse Parties

First published on September 22, 2011 at e-Discovery Law Review
Monetary sanctions, attorneys’ fees, and adverse inference jury instructions are the more common types of sanctions imposed on litigants for the spoliation of evidence, or for not producing relevant documents. Recently, however, a court has increased the severity and impact of sanctions by applying them not only to current litigation, but also to a party’s future litigation, with the effects lingering for years to come.

The Underlying Suit

“Any competent electronic discovery effort would have located this email.” These words were written in an opinion by a United States District Judge in the Eastern District of Texas in Green v. Blitz U.S.A., Inc., No. 2:07-CV-372 (E.D. Tex., Mar. 1, 2011). Green involved a product liability suit in which the requirement of a flame arrester was in dispute. The jury returned a defense verdict, and the plaintiff collected a low settlement amount as part of a high-low settlement agreement. During discovery in a subsequent case with the same defendant and plaintiff’s counsel, counsel learned of documents that were not produced in Green. The plaintiff then filed a motion for sanctions against the defendant in Green and a motion to re-open the Green case. While the court denied the motion to re-open because the statute of limitations had expired, the court did impose sanctions for the discovery abuse.


For Some Universities, Cyber Insurance Doesn’t Make The Grade

Data security breaches pose a serious threat to a corporation’s financial stability as well as to its credibility in the marketplace. Most notably, the 2007 TJX data security breach, where 45 million credit card and debit card numbers were stolen, cost the company over $4 billion. For many corporations, the solution is to purchase a cyber liability insurance policy, which provides insurance coverage in the event of such a breach.

The risk of data security breaches has also affected students of universities throughout the nation. In June of last year, Cornell University officials informed 45,000 members of the school’s community that their personal information, including their names and social security numbers, was stolen after a University-owned laptop was stolen. Due to such breaches, college officials nationwide have begun purchasing cyber liability insurance policies to offset the financial burdens of a data security breach.


Cyber Security On President Obama’s Agenda

Faced with revitalizing a deteriorated economy, formulating a national budget, and the aftermath of Osama Bin Laden’s death, President Barack Obama has his hands full. Yet, in the midst of all the issues commanding the White House’s attention, the Obama Administration somehow has found time to address the threats to our nation’s cyber security.

According to Business Insurance, on Thursday, May 12, 2011, the Obama Administration proposed cyber security legislation to improve protection for individuals and the federal government’s computer and network systems. The proposed legislation would address national data breach reporting by creating simpler and standardized reporting requirements for the 47 states that contain such requirements. The proposal would also synchronize penalties for computer crimes with other crimes. Additionally, the government, through the Department of Homeland Security, would become directly involved in assisting the industry as well as state and local governments in policing and enforcing cyber security. The proposed legislation encourages the state and local governments to share information with the Department of Homeland Security about cyber threats or related incidents by providing them with immunity for doing so.


Bloggers Beware: Righthaven’s got its eye on you…

Whether you own a website where you allow blogs and comments to be posted, or if you are the blogger/poster, listen up.

For those of you who haven’t heard of Righthaven LLC, they are to the blogging world what editors are to the Law Review world…cite-checking and anti-plagiarism “proponents” (let’s call ‘em that, for argument’s sake). Righthaven’s been making quite a splash and has gained popularity among news chains since its coming into existence in the spring of 2010. According to David Kravets’ article, “Righthaven Expands Troll Operation With Newspaper Giant”[1], Righthaven has filed over 180 lawsuits and has settled over 70 of them already. Its major suppliers of copyrighted material include Stephens Media (owners of Las Vegas Review-Journal), MediaNews Group (owners of San Jose Mercury News and the Denver Post), and WEHCO Media (owners of Arkansas Democrat-Gazette and Chattanooga Times Free Press), to name a few.[2] Owned by Net Sortie Systems LLC and SI Content Monitor LLC, Righthaven is the brain-child of Las Vegas-based IP attorney, Steven Gibson.[3] Righthaven’s clients assign their rights in the content to Righthaven, who then sues for copyright infringement.[4]

In order to analyze the problems faced by the parties to such lawsuits, we’ll have to discuss the U.S. Copyright Act, as well as the Digital Millennium Copyright Act (“DMCA”).


Your “Status Update” May be Revealing More Than Your Status

There has been a recent flurry of blog posts and media stories warning internet users about the potential dangers of posting their whereabouts on social networking sites, as such personal information is being used by opportunists to facilitate crimes. For example, just in the last month, three men in Nashua, New Hampshire allegedly used information they obtained from users’ Facebook status updates to learn when the users would not be home and thereupon broke into their vacant and vulnerable residences. Although Facebook has denied any link between its site and the crimes, the Nashua police believe that detailed information about the posters’ travel plans provided the thieves with sufficient information to know when the homes would be unoccupied.

Of course, the incidence of such crimes has not been widely disseminated through traditional media sources, such as newspapers, radio and television. As such, most Americans are unaware of this increasing phenomenon. At the same time, internet users are more widely and more frequently publishing their personal information, including their travel and vacation plans, on social networking and other public sites. Moreover, beyond the routine “tweets” and run-of-the-mill social networking status updates, new applications for cellular phones and PDAs are being created to facilitate geographical updates. These applications, such as “Foursquare,” “Gowalla” and “Facebook Places,” enable users to instantly identify their current physical location on the profiles they have created on social networking sites. Needless to say, allowing geographical information to freely be disclosed to the public can provide opportunists with even more accurate information about the whereabouts of their victims and their distance from an unoccupied and vulnerable residence.


Invasions of Privacy In The Cyber Sphere: Who’s Watching And What They Know About You

Google, Facebook, Twitter, Foursquare—millions of Americans, including myself, depend on these cyber sites as their gateway to information and communication in the outside world. What we may not realize, or choose to ignore for convenience’s sake, is that this gateway lies on a two-way street. The information that we seek using websites such as Google and what we communicate on Facebook and Twitter provide companies with vital data to better market their products to us. This use of information is referred to as “data mining.”

An example of data mining can be seen in the advertisements that pop up on the side of your Facebook home page. Such ads are often relevant to the information posted on your “Profile” page, such as advertisements promoting products from your college alma mater.

At the outset, data mining seems like a win-win situation for both the consumer and the seller—the consumer is marketed with a product in which they are seemingly interested and the company has utilized its advertising budget in an informed, cost-effective manner. At the same time, however, the threat of an invasion of privacy is real and has the attention of members of Congress and federal officials to create legislation regulating the way in which, and the extent to which, our personal information is shared with third parties.


Concurrent CGL and E&O Coverage for “Spyware?” Yes, Says the Eighth Circuit

On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010, U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.

Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.


Identity Theft: Our Children At Risk

Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven year old child…a terrifying thought considering you are only 16 years old.

Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.

The scheme works as follows: businesses are using various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, as SSNs are distributed systematically depending on age, geographical location and when the number is issued. Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.


Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a mainframe, whether located on- or off-site? Come on. It’s 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.


But I’m Innocent, I Swear! This Website Proves It!

Who would have thought a comment as innocent as “Just walked into work at Cozen O’Connor-Toronto…so much work to get done” could potentially cause you so much trouble?

I came across an article this weekend by Tracy Staedter, titled “I’m Not Home: Please Rob Me”. Ready to become paranoid? Read the article – it’s short and to the point. Ever send out Evites? How about prior tweets, MySpace posts, etc. inviting people to your place and including an address? Bingo! Better pack up and move quick!

The website causing havoc is www.PleaseRobMe.com. Check it out…make sure you aren’t on the site…then check again after every time you tweet, post, etc. Do you have the time to constantly check? Probably not. Should you? Probably. It may make you paranoid, but then again, shouldn’t you be? But should the creators of the website be blamed – legally, morally, ethically? Should they be held accountable for what you put out into the public realm? Can you sue for violation of your privacy rights? Do you really have an expectation of privacy in any of those posts? In an age where MySpace, Friendster and other social networking sites regularly have their records subpoenaed, why should anyone think that anything they post will be “private”? What piqued my curiosity even more was how this website could apply in the criminal or tort law application. Can this website be used to substantiate or corroborate an accused’s alibi – “Your Honor, look! I have proof that I wasn’t in the city when the crime occurred…I tweeted that I would be in Los Angeles!” Look, my knowledge of Canadian (or U.S., for that matter) Criminal Law/Procedure does not extend further than the 800 or so pages of textbooks I read while in law school. But surely this website can be put to more use than just what the creators intended. So long as a proper foundation is laid, and the purported evidence is relevant, it may be admitted, right? Something to definitely consider as a defense attorney.

The creators of the website claim the site is supposed to help us…to open our eyes to the evil out in the world. Call me crazy, but perhaps a simple email addressed to me would have been more appreciated…though it leaves one wondering if such a logical course of action would have been as effective.


Does The World Need A U.N. Sponsored Cyber Peace Treaty? One Diplomat Emphatically Says Yes… As the U.S. Gears Up For A Cyberwar

As the cyber war of words heats up between the U.S. and China, the rest of the world is taking notice….and proposing action.

Most recently, the head of the United Nations’ communication and technology agency, Secretary General Hamadoun Toure of the International Telecommunications Union, proposed a treaty whereby member countries agree not to precipitate a cyber attack against other member countries. “The framework would look like a peace treaty before a war,” he is reported to have said.

Secretary Toure’s proposal follows a series of concerns expressed at last month’s World Economic Forum in Davos-Klosters, Switzerland, including a harsh warning that cyber attacks could amount to a declaration of war. According to Secretary Toure, “[a] cyber war would be worse than a tsunami – a catastrophe.” Because of the potential devastating consequences of a cyber war, the Secretary strongly recommended that countries agree not to harbor cyber criminals and “commit themselves not to attack another.” Of course, nothing is quite as simple as that. For example, John Negroponte, the former director of U.S. intelligence, cautioned that intelligence agencies would “express reservations” about such a treaty. Given the breadth and scope of China’s, Russia’s and other countries’ intelligence operations and their reported limits on information disclosures, Mr. Negroponte’s remarks likely would be echoed by other nations.


The Globalization of Cyber/Tech Risks and the Implications for Worldwide Insurance Coverage

As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world. So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).


No One is Immune. Even Government Entities Need Cyber/Tech Insurance

Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure to protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon drivers license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:
