Ping Service
Feedback Forms

Will Your Tech E&O Insurance Cover Your Retention of Someone Else’s Electronic Data?

 

The following was written by my good friend Scott Godes. While Scott may be intellectually dishonest, he is an effective advocate and counselor to his policyholder clients. Thanks Scott.

Court Offers Narrow Interpretation of Cyberinsurance.

If you’ve been paying attention to the news or any of your social media channels, you’ve probably heard people talking about cyberinsurance and that your company needs it. You might even have been told that cyberinsurance is a panacea for all risks related to cybersecurity and data privacy. To date, there has been very little publicly available litigation about the meaning of cyberinsurance policies. One federal court changed that with a decision issued on May 11, 2015 in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., No. 2:14-cv-170 TS, slip op. (D. Utah May 11, 2015). Unfortunately, the decision ruled against the policyholder and offered a narrow interpretation of the cyberinsurance policy involved in the dispute.

 

Read the rest of this entry »

SCOTUS TO DECIDE STANDING: WILL CYBER BREACH PLAINTIFFS BE TOLD TO TAKE A SEAT?

supreme-court-smallerOn April 27, 2015, the United States Supreme Court granted certiorari on the seminal question of whether a putative class of consumers’ allegations of statutory violations under the Fair Credit Reporting Act (“FCRA”), without concomitant actual injury, are sufficient to withstand a motion to dismiss for lack of standing. Spokeo, Inc. v Robins. In other words, do they have to prove actual injury or is fear of future harm sufficient. The implications for cyber breach plaintiffs could be palpable, as the vast majority of consumers have been unable to demonstrate tangible harm. In such cases, plaintiffs typically allege that they have suffered lost time and angst as the result of their efforts to deal with the theft of their personally identifiable information (“PII”) such as their names, social security numbers, and physical and email addresses.

Spokeo follows the Supreme Court’s decision in Clapper v. Amnesty International USA, where the Court again enumerated the principle that speculative or conceptual injury is insufficient and that plaintiffs must demonstrate “concrete, particularized and actual or imminent” harm in order to establish Article III standing. Since then, lower courts have been split on whether fear of future harm is enough to overcome the Constitution’s standing requirement.

In Spokeo, plaintiffs alleged that Spokeo’s publication of inaccurate information in violation of the FCRA would adversely impact their employment prospects without showing tangible and concrete harm. Rather, they simply claim that their increased risk of harm satisfied the standing requirement.

The predicate for the Spokeo lawsuit parallels that in cyber breach actions, albeit in those cases, plaintiffs oftentimes allege common law claims. Still, it is the rare consumer who incurs expense or suffers actual harm as the result of a cyber intrusion. They simply allege the risk of future harm. Is that enough? The Supreme Court will resolve the split of court authority in the statutory context this term.

 

 

 

 

 

 

PDF Printer    Send article as PDF   

Insurers: Assert Your Subrogation Rights

j0295158The following column was first published in 2012. It is as fresh today as it was then. Its time to take it to heart.

Rick

It is axiomatic to say that insurance products evolve. Indeed, like virtually every organic structure, its development, growth and nimbleness are necessary to meet the progress of maturing, service-based economies. Hence, the advent of cyber/tech/privacy liability (CTP) insurance. At present, there are over 50 markets selling some type of CTP coverage. Many insurers sell standalone products. Others bolt on new coverage parts to their existing products. Still others add endorsements that attempt to extend coverage to address an existing client’s business model. Read the rest of this entry »

A Technology Subrogation Claim. Finally.

neon-insuranceThank you to Travelers Casualty and Surety Company. In Travelers v. Ignition Studio, Inc., No. 1:15-cv-00608 (N.D. Ill.), Travelers brought a subrogation suit against Ignition Studio, Inc., a web design company, for allegedly negligently maintaining a community bank’s website and enabling hackers to steal bank customers’ information.

As discussed on this blog (here), insurers who pay claims have the legal right to initiate and pursue legitimate subrogation claims.  Regrettably, too many are foregoing this right. Travelers is the exception.

In Travelers, filed in January 2015, the insurer accused Ignition of failing to deploy basic anti-malware software on the server where the bank’s website was hosted. A breach occurred and Travelers paid its insured’s claim for resulting Loss. According to Travelers complaint, Ignition’s security applications were inappropriate for a bank website as Ignition did not install key software patches or adequately encrypt customer data.

Read the rest of this entry »

US District Court in Pennsylvania Dismisses Data Breach Class Action on Article III Standing

In Storm & Holt v. Paytime, Inc., 1:14-cv-01138-JEJ (MD Penn. Mar. 13, 2015), the United States District Court for the Middle District of Pennsylvania addressed the Article III standing issue of when a cause of action may exist for a malicious data breach.

The case involved two consolidated putative class actions related to a data security breach of Paytime, Inc.’s systems. Paytime is a national payroll service company. The Plaintiffs were current or former employees of entities that used Paytime as its payroll servicing provider. The Plaintiffs’ employers provided Paytime with the Plaintiffs’ confidential information, including full legal names, addresses, bank account information, Social Security numbers, and dates of birth in furtherance of Paytime’s payroll services to the employers. Unknown third parties then accessed the Paytime systems without authority. Paytime did not become aware of the security breach until twenty-three days following the breach. The Plaintiffs alleged that Paytime delayed an additional thirteen days prior to notifying affected parties of the breach. Playtime later confirmed that the data breach occurred and that the unknown third parties had gained access to the confidential information.

Read the rest of this entry »

US District Court in Texas Finds Plaintiffs Lack Article III Standing in PHI Breach

Hackers-Responsible-for-Massive-HIPAA-Security-BreachBeverly Peters v. St. Joseph Services Corporation d/b/a St. Joseph Health Care System was a class action that arose out of a data breach of the defendant-health care service provider. It was alleged in the action that malicious hackers obtained PHI of Plaintiff, Beverly Peters, and 405,000 other patients and employees of St. Joseph’s. St. Joseph’s response to the breach included notification and an offer of one year of free credit monitoring and identity theft protection.

Plaintiff sought damages under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”) as well as state and common law causes of action sounding in tort and in contract. St. Joseph’s filed a motion seeking to dismiss the claim under FCRA based upon lack of standing or, in the alternative, for failure to state a claim.

The issue, as framed by the Court, was “whether the heightened risk of future identity theft/fraud posed by a data security breach confers Article III standing on persons whose information may have been accessed.” The Court found that Plaintiff did not allege a cognizable injury under Article III of the Constitution and therefore lacked requisite standing to bring the action.

Read the rest of this entry »

Gaps in Security The Increasing Need for Cyber Coverage

The following article was written by Brian Bassett and Guy Hollingsworth.  Brian is a Partner with Traub Lieberman Straus & Shrewsberry, LLP. Guy is a Claims Manager with AmTrust North America. Thanks guys!

Rick

We live in an increasingly digital world. The past several years have seen the growing popularity of social networking websites, the proliferation of Internet-based storage on the Cloud, and an overwhelming number of Apps for everything from shopping and banking to transacting business. As a result, personal and financial data is being gathered and stored electronically by businesses we trust. Businesses are becoming more savvy about how to utilize private information to target and attract customers, but the retention of that information may come at a price. By capturing this information, businesses have become targets for nefarious groups and illicit acts.

In many ways, the insurance industry has adapted to these new and changing risks facing businesses by bridging the gap between traditional insurance policies and the evolution of standalone cyber coverage. However, significant challenges to mitigating cyber risk are still present. Despite the availability of cyber coverage, only 26 percent of companies have purchased it according to the Ponemon Institute. Further, cyber policies remain largely untested by courts. Without a cyber policy in place, a business may find itself drowning in costs and damages resulting from a data breach.

Read the rest of this entry »

Illinois Court Holds No E&O Coverage for Underlying TCPA Violation

In Margulis v. BCS Ins. Co., 2014 Ill. App. LEXIS 826 (Ill. App. Ct. 1st Dist. 2014), the Appellate Court of Illinois, First District, had occasion to consider whether an insurer has a duty to defend an insurance agent under a professional liability policy against a claim alleging the insured sent unsolicited, automated telephone calls advertising its services to non-clients.

Scott Margulis and other similarly situated individuals brought a class action petition in Missouri state court against Bradford & Associates (“Bradford”), an insurance agent, alleging common law and Telephone Consumer Protection Act (TCPA) violations. Plaintiffs, non-clients of Bradford, allege Bradford transmitted unsolicited, automated telephone calls advertising its services to them.

Bradford tendered the suit to its professional liability carrier, Defendant BCS Insurance Company (“BCS”). The insuring agreement of the BCS policy provided, in part, that BCS would pay, on behalf of Bradford, “damages caused by any negligent act, error or omission by the Insured arising out of the conduct of the business of the Insured in rendering services for others as a licensed [agent or broker].” BCS denied coverage for the suit, asserting that the solicitation of business by advertising and marketing directed to members of the general public with whom one has no established business relationship does not involve the provision of services for others as licensed life, accident and health insurance agent.

Read the rest of this entry »

U.S. District Court in Minnesota Denies Target’s Motion to Dismiss Data Breach Lawsuit

2000px-Target_logo.svg
On December 2, 2014, the U.S. District Court for the District of Minnesota denied Target’s motion to dismiss the claims of a group of five payment-card-issuing banks, credit unions, and savings associations (the “Banks”) that assert in the law suit that Target was negligent in not preventing the widely publicized data breach at Target stores in late 2013.

Plaintiffs in this matter are a putative class of issuer banks whose customers’ data was stolen in the Target data breach. Plaintiffs’ Complaint consists of four claims sounding in negligence, violation Minnesota’s Plastic Security Card Act, negligence per se, and negligent misrepresentation by omission. Target moved to dismiss all claims arguing that Plaintiffs failed to plead sufficient facts to establish any of their claims.

With respect to Plaintiffs’ negligence claim, the Court found Plaintiffs had sufficiently plead that Target’s own conduct in failing to maintain appropriate data security measures and in turning off some of the features of its security measures, created a foreseeable risk of the harm that occurred, and Plaintiffs were the foreseeable victims of that harm. According to the Court, although Plaintiffs’ damages were directly caused by the third-party hackers’ malice, Plaintiffs sufficiently plead in their complaint that Target played a key role in allowing the harm to occur.

Read the rest of this entry »

Cyber Security Indeed: Derivative Action Dismissed Where Board Proactively Addressed Cyber Risks and Exposures

In the first of what is certain to become a cottage industry of derivative lawsuits involving alleged inadequate cybersecurity and deficient public disclosures, on October 20, 2014, a New Jersey federal court granted a motion to dismiss filed by Wyndham Worldwide Corporation’s directors and officers based on its finding that Wyndham’s Board has duly considered and dismissed the plaintiff’s demand that the company sue its directors and officers.  Palkon v. Holmes, et al, Case 2:14-cv-01234-SRC-CLW.

In Palkon, plaintiff presented the demand following a series of three security breaches through which hackers obtained personal information of over 600,000 Wyndham customers. (This is the same series of events that gave rise to the well-known lawsuit where Wyndham is challenging the FTC’s jurisdiction).

Read the rest of this entry »

ALJ Denies LabMD’s Motion for Sanctions Against the FTC

Although the litigation between LabMD and the Federal Trade Commission (FTC) continues in the Eleventh Circuit, an administrative law judge has resolved one battle between the two entities. Chief Administrative Law Judge D. Michael Chappell recently issued an order denying LabMD’s motion for sanctions against the FTC.

In 2009, information security firm Tiversa, Inc. notified the FTC that a file containing the personal information of over 9,300 LabMD customers (the “1718 file”) was available in a LimeWire sharing folder installed on a LabMD computer. The file was allegedly found on several LabMD IP addresses. LabMD alleged that Tiversa stole the file from a LabMD workstation in Atlanta, Georgia, and further claimed that the FTC never independently investigated the alleged theft or verified the origin or chain of custody for the 1718 file before commencing its action against LabMD.

Moreover, LabMD alleged an improper relationship between the FTC and Tiversa in that Tiversa benefitted financially from referring companies to the FTC for investigation. Specifically, LabMD alleged that many targets of FTC enforcement actions later became Tiversa clients. Accordingly, LabMD sought an order dismissing the FTC action with prejudice and awarding it attorney fees and costs.

Read the rest of this entry »

P.F. Chang’s CGL Insurer Seeks Declaratory Judgement on Data Breach Claim

P.F. Chang’s China Bistro made headlines when it recently reported that 33 of its restaurant locations spanning 18 states suffered a data breach in connection with the restaurant’s point-of-sale payment systems. While the breach was reported in the news media in June of this year, the unlawful access to its systems may have begun months prior to its discovery.

Two putative class action lawsuits were filed in the Northern District of Illinois and a third was filed in the Western District of Washington. These suits allege that personal information of as many as seven million customers may have been stolen as part of the breach.

On notice of these three putative class actions, on October 10, 2014, Travelers Indemnity Company filed a four-count declaratory judgment action in the District Court of Connecticut seeking a declaration that two commercial general liability (CGL) policies issued to P.F. Chang’s in 2013 and 2014 do not afford coverage for the data breach litigation.

Read the rest of this entry »

California District Court Finds Threat of Future Harm Sufficient to Confer Article III Standing in Data Breach Action

In a departure from the mounting body of case law finding that the “increased risk of future harm” is insufficient to confer Article III standing on victims of a data breach, the U.S. District Court for the Northern District of California recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in Federal Court.

In re Adobe Sys. Privacy Litig., 2014 U.S. Dist. LEXIS 124126 (N.D. Cal. Sept. 4, 2014), involves various claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe’s computer network in 2013 and the resulting data breach. According to Plaintiffs, in July 2013, hackers gained unauthorized access to Adobe’s servers and spent several weeks inside Adobe’s network without being detected. Once the breach was eventually detected, Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Adobe subsequently disclosed that the hackers were able to use Adobe’s systems to decrypt customers’ credit card numbers, which had been stored in an encrypted form.

Read the rest of this entry »

Ilinois Federal Court Grants Neiman Marcus’ Motion

Standing-Icon-269431Once again, a court finds that data breach plaintiffs do not have the requisite Article III constitutional standing to pursue civil action against a retailer – itself the victim of a cyber attack. Last month, the United States District Court for the Northern District of Illinois, Eastern Division granted high-end retailer Neiman Marcus’ 12(b)(6) motion to dismiss a law suit arising out of a data breach the company suffered in 2013.

In Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sept. 16, 2014), Plaintiffs brought an action against Neiman Marcus for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violations of several state data breach acts.

In 2013, hackers breached Neiman Marcus’ computer network, resulting in the potential disclosure of 350,000 customers’ payment card data and personally identifiable information. Of the payment cards that may have been affected, it appeared that about 9,200 were subsequently used fraudulently elsewhere. Plaintiffs were among the 350,000 customers and alleged that Neiman Marcus failed to adequately protect customer data from breach, and failed to provide timely notice of the breach after it occurred.

Read the rest of this entry »

CA Court of Appeal: CMIA Is Not All-Inclusive

customLogo.gifIn its recent decision in Eisenhower Medical Center v. Superior Court, 226 Cal. App. 4th 430 (Cal. App. 4th Dist. 2014), the Court of Appeal of California, Fourth District, had occasion to consider whether a medical facility’s disclosure of information concerning a patient that does not contain the medical treatment or history of the patient violates California’s Confidentiality of Medical Information Act (“CMIA”) (Cal. Civ. Code § 1798.82), which requires notification to consumers when security systems are breached.

On March 11, 2011, a computer was stolen from Eisenhower Medical Center (“EMC”) that contained an index of over 500,000 persons to whom EMC had assigned a clerical record number.  The records dated back to the 1980’s.  The information on the index was limited to each person’s name, medical record number, age, date of birth, and the last four digits of the person’s Social Security number.  EMC subsequently advised the patients of the theft, and a number of those individuals filed suit.  The suit was styled as a putative class action and sought nominal damages of $1,000 for EMC’s alleged violations of the CMIA.  The plaintiffs also included a cause of action for violation of the Consumer Records Act (“CRA”).

Read the rest of this entry »

Court Certifies Interlocutory Appeal for the FTC v. Wyndham Matter

TRAUB LIEBERMAN STRAUS & SHREWSBERRY LLP’s Cyber Law Blog previously discussed various aspects of the Federal Trade Commission (“FTC”) action filed against Wyndham Worldwide Corp. (“Wyndham”) under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Recent developments in the FTC action carry implications for cyber liability and how companies handle cyber security and data breaches.

On April 7, 2014, US District Judge Esther Salas denied Wyndham’s motion to dismiss directly challenging the FTC’s authority to regulate cyber security practices. Wyndham’s motion asserted that Congress had not delegated such authority to the FTC under its Section 5 powers, and even if it did, the FTC failed to publish rules or regulations providing companies fair notice of the protections expected and “legal standards” to be enforced by the FTC.

At the time, Judge Salas unequivocally ruled in favor of the FTC’s authority. However, on June 23, 2014, the Court granted Wyndham’s application and certified the matter for an immediate interlocutory appeal to the Third Circuit Court of Appeals.

The appeal involves two questions of law: (1) whether the FTC can bring an unfairness claim involving data security under Section 5 of the FTC Act and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.

Interlocutory appeals are rarely granted, are in the complete discretion of the trial court, and must meet certain requirements under 28 U.S.C. § 1292(b), including whether there is a substantial ground for difference of opinion on the matter. While Judge Salas’s denial of Wyndham’s motion to dismiss was certain as to the FTC’s Section 5 authority and the issue of fair notice, the Order certifying the matter for interlocutory appeal on the other hand, acknowledged Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The Court further acknowledged that it was dealing with an issue of first impression with “nationwide significance… which indisputably affects consumers and businesses in a climate where we collectively struggle to maintain privacy while enjoying the benefits of the digital age.”
As a result, the Third Circuit will be the first major appellate court to weigh in on the issue of whether the FTC has authority to regulate cyber security practices, and if so whether those regulations require specific legal standards and fair notice to those within the scope of FTC’s enforcement.

– See more at: http://www.traublieberman.com/cyber-law/2014/0710/4801/#sthash.hgIolyzW.dpuf

PDF Converter    Send article as PDF   

Rumination and Pondering

Is it Karma that Adam Silver sanctioned Donald Sterling or am I thinking about it too deeply? I’ll leave it to readers to decide.

PDF24 Creator    Send article as PDF   

New York Court to Sony: No Personal Injury Coverage for You!

As many of us have been saying since the advent of cyber insurance coverage, cyber policies potentially cover privacy risks and exposures, not Commercial General Liability policies, be it under a property damage or a personal/advertising injury insuring agreement.  In other words, policyholders and their brokers would be mistaken if they deluded themselves into thinking that a standard base CGL policy’s personal injury/advertising injury coverage applies to a typical cyber breach where personally identifiable information is extracted.  Sadly, my good friend Scott Godes falls into this category.

On February 21, 2014, , Judge Jeffrey K. Oing, of the New York Supreme Court, Manhattan Commercial Division ratified this maxim by denying personal injury coverage to Sony for the 2011 breach and theft of personal information from its PS3 gaming platform, among other databases.  Zurich American Insurance Company v. Sony Corporation of America, Index No. 651982/2011 (N.Y. Supreme, filed 7/20/2011). See Complaint here.

Read the rest of this entry »

Cyber class-action litigation: Insurers’ next significant spend?

The following article was first published by my friends at Advisen for their new Cyber Risk Network. For those who haven’t already done so, check it out.

Rick

Virtually every reader is well aware of the decision from the US Court of Appeals for the First Circuit finding that claims by class-action plaintiffs for “mitigation damages” arising from a cyber breach were viable. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011).

There, the court held under Maine law that, in the abstract, certain claimants whose financial information was stolen could recover certain costs incurred in a reasonable effort to mitigate.

Hannaford Brothers is an extreme outlier in the world of cyber class-action litigation. And—as it should have in my view—the case effectively ended when the District Court, on remand, declined to certify the putative class in light of the claimants’ failure to establish that common issues of law and fact “predominate” over individual issues, a predicate to class certification.

Read the rest of this entry »

Cyber Security and Data Breaches: Why Directors and Officers Should Be Concerned

Following is an excerpt from the leading chapter in Willis London’s Executive Risks: A Boardroom Guide 2012/2013. If you would like to read the entire chapter, please contact me at [email protected] A complete copy will be emailed upon request. Cheers. Rick

sec1

Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktavists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.

Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.

The risks and costs of a data breach

It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktavists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.

Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, which sought to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.

The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches.

Of course, big corporations are not the only entities that are vulnerable to hackers and hacktavisits; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.

 

PDF Creator    Send article as PDF   

Cyber, Privacy and Technology Best Practices and Reputational Harm: Why Legal Professionals Need a Lawyer’s Advice, Counsel and Privileges

BabyB_LPlate_improvedIntroduction

Lawyers, like other professionals, often have access to their clients’ personal and financial details. At the same time, they may possess comparable information about their clients’ clients (such as when a lawyer represents a healthcare company). As a result, lawyers are at risk for being sued if and when something happens to that information – such as when a laptop or cell phone is misplaced or stolen or a hacker breaches a law firm or client’s systems and accesses the client’s personally identifiable, health care, and/or confidential information.
The most prudent way to avoid such lawsuits and minimize their impact is to create and implement cyber, privacy and technology (“CPT”) best practices before something goes wrong. In most cases, this would include best practices training and education as well as the purchase of dedicated CPT-specific insurance. This article discusses why lawyers are at risk, how to create and implement best practices, and the advantages of CBT insurance coverage rather than (mistakenly) relying on professional errors and omissions and/or general liability coverage in the event of a CPT incident.

Executive Summary

An attorney’s reputation is his and her lifeblood. Indeed, reputation translates to the bottom line. For better or worse.
And, of course, reputation is, in large part, predicated on the quality, timeliness and cost-effectiveness of the services being provided. So too, it is incumbent that an attorney avoid negative commentary (or embarrassing revelations) through the pervasive and ubiquitous medium of social media. As a corollary, attorneys, like others, must be sensitive to the loss of customer goodwill, whether measured by turnover, client retention or other intangible assets.

Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorneys’ clients – and by extension, the attorney himself and herself (to the extent the attorney holds personal, health or commercial information) – are at risk of losing personally identifiable information (“PII”), personal health information (“PHI”) and/or confidential commercial information (“CCI”). It doesn’t matter whether the harm is attributable to malicious activity or simple employee or third-party negligence. It’s the effect that is the focus, not necessarily the cause (although that too factors into the analysis).

In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.
It is almost axiomatic to say that “best practices” are among the most important strategies employed by attorneys and other professionals. Just as we counsel clients to use best practices with respect to their operations, so too, we, as professionals, should be well-trained on the scope and extent of best practices in the subject matter presented, including, in particular, CPT risks and exposures, which, to no surprise, are palpable and potentially devastating.

In the CPT context, among others, best practices counseling should be provided by an attorney. Unlike non-lawyers, attorneys bring with them the attorney-client privilege and work product protection. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do possess the critical protections afforded by the attorney-client relationship. In a relatively new space like CPT, where the law is uncertain and developing, the privileges become even more important, as many attorneys are just at the start of the learning curve.

To continue reading, please contact me at [email protected] A complete copy will be emailed upon request. Cheers. Rick

Create PDF    Send article as PDF   

Canada Update: The Tort of “Intrusion upon Seclusion”

The following was written by my friend Patrick Cruikshank, Underwriting Manager, Specialty Risk – Professional Liability at Northbridge Insurance in Toronto. Thanks to Patrick for his contribution. Relevant articles are always welcome for publication.

Rick

canada-flag-stereotypesIn the 2012 case of Jones v. Tsige, the Ontario Court of Appeal established the new tort of invasion of privacy.  For some, this privacy tort has opened a Pandora’s Box.  For others, it’s considered legal progress in the modern technological world.

Sandra Jones and Winnie Tsige were employees of the Bank of Montreal (BMO).  They worked at different branches and did not know each other.  Tsige was in an intimate relationship with Jones’ ex-husband.

Over a period of 4 years, Tsige used her workplace computer to gain access to Jones’ personally identifiable information and personal financial information 174 times.  Tsige did not disseminate this information.

When Jones discovered this unauthorized access, she made a formal complaint to her employer, who upon investigation determined that Tsige had accessed Jones’ information and had no legitimate reason to do so.  Jones subsequently sued Tsige for invasion of privacy and breach of fiduciary duty.  She sought $70,000 in general damages plus $20,000 in punitive damages.

Jones’ claim was dismissed by the Ontario Superior Court because there was no law in Ontario that recognized an invasion of privacy tort.

The Court of Appeal overturned the decision and granted summary judgment in favor of Jones.

Read the rest of this entry »

Asia-Pacific Cyber Law Risks and Developments

We first published the following White Paper extract in October 2011. While the White Paper might be somewhat dated (and therefore will be refreshed shortly), it remains relevant for our friends interested in learning the basics of Asia Pacific cyber/privacy law. Please let me know if you’d like to see the entire paper. Rick

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders. While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions. The Asia-Pacific region typifies such a lack of uniformity.

At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months. Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined. Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009. See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).

Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program. Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies

Read the rest of this entry »

The Posts have Come Back… To Cyberinquirer


Since last we visited, your humble Publisher has moved on to the Law Offices of Richard J. Bortnick, where I am Managing Director (very European, if I do say so myself). A number of dedicated readers and friends (you know who you are) have asked what had become of me and why my old email address was no longer effective.

The answer my friend (apologies to Peter, Paul and Mary) is the Law Offices of Richard J. Bortnick. At the risk of having this viewed as attorney advertising, I will stop there other than to say I also will be signing as a free agent with a Consulting Firm to be named later (but not much later).

So, please feel free to contact me if you want to catch up, engage in intellectual banter (with the exception of Philadelphia sports, where the banter will all be negative) or have some worthwhile humor you’d like to pass along (although it can’t be as good as the material I get from my good friend Jeff). My new email address is [email protected] (at least for the short term… stay tuned on that too).

Its good to be back. And thanks for all of your kind wishes.

Rick

www.pdf24.org    Send article as PDF   

Cyber Liability Insurance: Ensuring Adequate Coverage in the Age of E-Commerce

I. Introduction: Insurance Products for Cyber Risks

Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.

Read the rest of this entry »

Power to the People: Social Media Technologies Mediating Corporate Social Governance

The measure of effectiveness of a CEO and its executive board has always been the degree to which the business is achieving its purpose. Whether in Canada, the U.S., Europe or Asia, an executive board’s purpose should be to increase shareholder value, a purpose that is best accomplished by serving the needs of various stakeholders. Somewhere in the pyramid of stakeholders is the consumer or client, whose likes, favorites, and preferences must be met with quality personalized products and services that deliver high competitive value. In an interconnected global knowledge economy, this has meant listening to what consumers are saying online through social media platforms like Facebook and Twitter, and engaging in two-way conversations to respond in real-time to consumer demands.

Read the rest of this entry »

The Queen v. Cole: Privacy Protection for Employer-Issued Equipment in Canada

The recent decision The Queen v. Cole by the Supreme Court of Canada touches upon interesting issues regarding information privacy in the digital age.

The facts are simple. An information technologist working at the same high school as Mr. Cole, a teacher, remotely accessed Cole’s history of internet access and one of his drives and found a hidden file which contained nude photographs of a student. The photographs and internet file were copied onto a disc and given to the police, which determined that a search warrant was unnecessary. Cole was subsequently charged with possession of child pornography and fraudulently obtaining data from another computer hard drive. The trial judge excluded the computer material under Sections 8 and 24(2) of the Charter. In overturning the decision, the summary conviction appeal court found no breach of Section 8. This decision was set aside by the Ontario Court of Appeal, which concluded that the evidence of the disc containing the temporary internet files and the laptop computer and its mirror image was excluded. A 6-1 majority ruling by the Supreme Court concluded that the police infringed upon Cole’s rights but upheld the Court of Appeals’ finding that the evidence should not have been excluded from trial.

Read the rest of this entry »

First Circuit Court of Appeals Holds Bank’s Online Security Measures “Commercially Unreasonable” in Landmark Decision

In a landmark decision, the First Circuit Court of Appeals held in Patco Construction Company, Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012) that People’s United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 which had been stolen from PATCO’S bank account. In so doing, the Court reversed the decision of the United States District Court for the District of Maine which had granted summary judgment in the bank’s favor.

The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank’s security system flagged each one of the transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, the bank’s security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not “commercially reasonable” under the Uniform Commercial Code, as codified under Maine Law.

Read the rest of this entry »

Past the Point of No Return: Jones v. Tsige and the “New” Tort of Invasion of Privacy in Canada

Jeremy Bentham used to refer to the common law as the “dog law”. As he explains it, “whenever your dog does anything you want to break him of, you wait till he does it, and then beat him for it. This is the way you make laws for your dog: and this is the way the judges make law for you and me.” .

Insofar as the tort of invasion of privacy in Canada is concerned, Jeremy Bentham was arguably right. Aside from the province of Quebec, which is governed by a civil law system, and a few other provinces in Canada which have benefited from a statutorily enacted tort of invasion of privacy, lower Courts have been divided over the existence of a free-standing tort of invasion of privacy at common law. The recent decision Jones v. Tsige (2012) by the Ontario Court of Appeal is the first to confirm that what used to be an embryonic tort of invasion of privacy is now alive and well in Canada

Read the rest of this entry »

Will SEC Guidance Awaken Private Companies To Cyber Insurance Needs?

The following article was first published in Advisen’s inaugural Cyber Liability Journal (here) as my first regular column. The second Journal was published today and is available from Advisen at http://corner.advisen.com/journals.html (here). I will republish my second column in the coming days.

Rick

Many who underwrite or broker insurance, or practice law in the cyber/technology/privacy (“CTP”) realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality. And that time is now.

Virtually every public and private company is reliant on computer networks and electronic data. It’s a way of life in the 21st Century. And there’s no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis. CTP breaches have become a well-recognized risk of doing business. Estimates project that over 10 percent of us already have been hacked or had their identities stolen. I am among them.

Read the rest of this entry »

FAA v. Cooper and the Federal Privacy Act: Narrow Interpretation, Broad Consequences

With its March 28, 2012 decision in Federal Aviation Administration, et al. v. Cooper, 132 S. Ct. 1441 (U.S. 2012), the United States Supreme Court restricted the scope of a federal privacy law, ruling that the law – which allows recovery for “actual damages” – only authorizes damages for monetary losses. Accordingly, a San Francisco pilot was not permitted to recover humiliation and emotional distress damages from government agencies that disclosed his HIV-positive status without his consent.

In 1964, Stanmore Cooper (“Cooper”) obtained his pilot’s license from the Federal Aviation Administration (“FAA”). In 1985, Cooper was diagnosed with HIV and began taking antiretroviral medication. At that time, the FAA did not issue medical certificates to persons with HIV, so Cooper gave up his pilot’s license, knowing that he would not qualify for renewal of his medical certificate. However, in 1994, Cooper re-applied for a pilot’s license and, to receive a medical certificate, purposefully withheld his HIV-positive status and medication from the FAA. He renewed his certificate four more times and as recently as 2004, each time withholding information about his condition. When Cooper’s health began to deteriorate, he applied for long-term disability benefits and, to substantiate his claim, disclosed his HIV-positive status to the Social Security Administration (“SSA”), which awarded him disability benefits.

Read the rest of this entry »

New York Court of Appeals Rules That Viewing Images On The Web Does Not Constitute Procurement, Possession or Control, Even When Cached On A Hard Drive

On May 8, 2012, the New York Court of Appeals issued a ruling that merely viewing child pornography on the internet is not a criminal act under the New York Penal Code. The People v. James D. Kent, Index 70, NYLJ 1202552838004, at *1 (Ct. of App., Decided May 8, 2012). The rationale behind the decision of the state’s highest court bears discussion on a much broader scale due to its potential bearing on the legal definitions of procurement, possession and control of digital property.

The key question under consideration was the evidentiary significance of temporary internet files (or cache files) that are automatically created and stored on a the hard drive of a computer while the user is browsing the internet. The Appellate Court concluded that the act of viewing a web image alone does not, absent other proof, constitute either possession or procurement.

Read the rest of this entry »

If the Glove Fits, You Must Defend

Trade dress insurance coverage is alive and well. At least in Wisconsin. In Acuity v. Ross Glove Company, 2012 WL 1109035 (Wis. Ct. App. April 4, 2012), the Wisconsin Court of Appeals held that an insurer’s duty to defend was triggered under advertising injury liability coverage where the underlying complaint set forth allegations of trade dress infringement.

In the Acuity case, Ross Glove purchased a commercial general liability policy from Acuity, which included advertising injury liability coverage. The policy at issue defined “advertising injury”, in part, as “infringing upon another‘s copyright, trade dress or slogan in your advertisement.”

Read the rest of this entry »

The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

falling moneySo, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact can not be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development can not be understated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010 Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brands’ reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumer’s personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) lead TJX to settle with regulators, states, consumers and others and set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.

PDF Printer    Send article as PDF   

WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).


The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”

Read the rest of this entry »

Access to Insured’s Social Media Accounts: No Friend Request Necessary

The following article, written by my colleague Nicole Moody, first appeared in the Chicago Daily Law Bulletin. Thanks to Nicole for allowing us to republish it here.

Rick Bortnick

Many of us have been there. Sipping our morning coffee, signing into our Facebook accounts, waiting to see what notifications will greet us. We are intrigued to see that we have a friend request. Who could it be? An acquaintance from the past? A new colleague who we met at work? Whoever it is, we know that by accepting the request we will be granted access into this individual’s life and will know more about them in five minutes than we would know in a lifetime of small talk.

Due to the use of usernames and passwords, there is a belief that information shared on Facebook is confidential unless publicly shared. However, courts around the country are now addressing just how private this information really is.

In cases nationwide, litigants are asking courts to grant unfettered access to other parties’ Facebook or other social media accounts. Inevitably, in the age of status updates and hashtags, poking and friending, the lines between public and private information have become blurred. This trend has become increasingly prevalent in the insurance industry as insurance companies have realized the usefulness of social media in litigation.

Read the rest of this entry »

New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.

Read the rest of this entry »

Keep Your Friends Close, But Your Facebook Posts Closer

“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!

Read the rest of this entry »

Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

Its not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director or officer of a company that does not “comply” with the DCF’s “recommendations.”

Read the rest of this entry »

And Now, the Maine Event: Mitigation Costs Constitute Damages in Data-Breach Case

Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).

In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately canceling the credit card, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.

Read the rest of this entry »

Tenth Circuit “Dishes Out” Important Opinion Addressing The Scope Of Advertising Injury Coverage For Patent Infringement Claims

On October 17, 2011, the U.S. Court of Appeals for the Tenth Circuit issued a much-anticipated decision addressing the scope of “Advertising Injury” (“AI”) coverage for patent infringement claims. Dish Network Corp. v. Arch Specialty Ins. Co., No. 10-1445, __ F.3d __ , 2011 U.S. App. LEXIS 20955 (10th Cir. 2011), rev’g, 734 F. Supp. 2d 1173 (D. Colo. 2010). The court, applying Colorado law, reversed a decision from the District of Colorado in which that court granted summary judgment to the insurers. In the underlying action, the plaintiff alleged that Dish Network Corp. (“Dish”) had infringed one or more of twenty-three patents by “making, using, offering to sell, and/or selling . . . automated telephone systems, including . . . the Dish Network customer service telephone system, that allow[s] Dish’s customers to perform pay-per-view ordering and customer service functions over the telephone.” The Tenth Circuit concluded that the record was unclear about how Dish actually used the technologies at issue, but that some of the patent-holder’s most well-known innovations involved interactive call processing.

Read the rest of this entry »

Facebook: Everything You Want To Know and More… Just a Discovery Request Away!

I recently attended a CLE that had a panel of social media experts who were discussing the role of Facebook, Twitter and MySpace in litigation. During a lull in the question and answer session, the Facebook attorney quipped: “you know, Facebook has already given you everything that you’ve ask for…” Immediately, the audience lifted their heads from their Blackberries and newspapers and started paying attention after this cryptic remark.

Read the rest of this entry »

INTRODUCTION TO CANADA’S PIPEDA PRIVACY LEGISLATION

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.

Read the rest of this entry »

Ensuring Discovery Compliance: Sanctions Relating to Past, Present, and Future Adverse Parties

First published on September 22, 2011 at e-Discovery Law Review
Monetary sanctions, attorneys fees, and adverse inference jury instructions are the more common type of sanctions imposed on litigants for the spoliation of evidence, or not producing relevant documents. Recently, however, a court has increased the severity and impact of sanctions by applying them not only to current litigation, but also to a party’s future litigation, with the effects lingering for years to come.

The Underlying Suit

“Any competent electronic discovery effort would have located this email.” These words were written in an opinion by a United States District Judge in the Eastern District of Texas in Green v. Blitz U.S.A., Inc., No. 2:07-CV-372 (E.D. Tex., Mar. 1, 2011) Green involved a product liability suit in which the requirement of a flame arrester was in dispute. The jury returned a defense verdict, and the plaintiff collected a low settlement amount as part of a high-low settlement agreement. During discovery in a subsequent case with the same defendant and plaintiff’s counsel, counsel learned of documents that were not produced in Green. The plaintiff then filed a motion for sanctions against the defendant in Green and a motion to re-open the Green case. While the court denied the motion to re-open because the statute of limitations had expired, the court did impose sanctions for the discovery abuse.

Read the rest of this entry »

Righthaven: SANCTIONED…but how much?

Well, this result seemed almost inevitable. After all, who gets away with misleading a court? Right? But is the amount of the sanction sufficient? Righthaven was ordered to pay a measly $5,000. Is that amount really going to punish Righthaven in any significant way?

Righthaven LLC is a copyright holding company, founded in March 2010, which acquires the rights to newspaper content from its partner newspapers (most notably, Stephens Media, which owns the Las Vegas Review Journal). Upon finding that content has been copied to online sites without permission, Righthaven initiates litigation against the site owners, alleging copyright infringement.
Read the rest of this entry »

Best Buy “Geeks” Out, Accusing Others of Trademark Infringement

In addition to being a trademark geek, I could be accurately accused of also being a tech geek. A “geek” is someone who loves using, and helping other people use, technology to help simplify his or her life. Best Buy, capitalizing on this endearing term for electronic lovers, created the Geek Squad, a tech support service. Their distinctive orange and black cars marked with their trademarked logo can be called out to provide in-home support or they are just a phone call away to help you with your technological needs.

There’s not too many other words other than geek that convey the nerdy type of people who love technology, but Best Buy is taking action against others who use “geek” for this purpose in their slogans. In a recent lawsuit against Newegg.com, Best Buy claimed trademark infringement over Newegg’s slogan “Geek On,” saying that the similarity between the motto, in addition to using orange and black in their logo, breaches their rights. And this is neither the first, nor the last, time that Best Buy will sue companies over this issue.

Read the rest of this entry »

Discovery in the Age of Cloud Computing

During the last decade, individuals and business have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.

As discussed more fully in Rick Bortnick’s prior posts (here and here), cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling resources providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities, and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third-parties that pose the greatest risks during e-discovery.
Read the rest of this entry »

Righthaven’s Ba-aaaaack….but its Aim Falls Short

It seems Righthaven hasn’t been able to catch a break since my December 2010 post. Righthaven LLC is a copyright holding company founded in early 2010, which acquires newspaper content from its partner newspapers after finding that the content has been copied to online sites without permission, in order to engage in litigation against the site owners for copyright infringement.

Just last week, in a suit filed against Democratic Underground (“D.U.”), Righthaven sought damages because D.U. used four paragraphs of a 34 paragraph Las Vegas Review Journal article (recall that the Journal and its contents belong to Stephens Media). The post included a link to the full article, as well as citing the Journal.

U.S. District Court Judge Roger Hunt dismissed the lawsuit, holding that a “copyright owner [here, Stephens Media] could not assign a bare right to sue.” In addition, the court came down hard on Righthaven because it failed to advise, as required by law, that Stephens Media had a pecuniary interest in the lawsuits (Righthaven and Stephens Media were sharing the profits received from these lawsuits). Judge Hunt seemed disgusted with Righthaven’s behavior and gave Righthaven two weeks “to show cause … why [Righthaven] should not be sanctioned for this flagrant misrepresentation to the court.” Judge Hunt accused Righthaven of trying to “manufacture standing” in all of its cases. (Click here for the Court’s full decision.) Read the rest of this entry »

Cyber Crime and Securities Fraud Litigation: The Next Wave?

Following the publication of our original post on the implications of a cyber attack on investors’ securities portfolios (see here), we have been asked by scores of readers whether securities fraud litigation arising from cyber crime has ensued. Not surprisingly, the answer is “yes.”

Indeed, we have located at least two such cases, one a putative securities fraud class action against a payment processing company and the second an SEC initiated action against a private investor. The results may (or may not) surprise you, depending on your perspective of trial courts’ levels of judicial activism and willingness to render substantive decisions at early stages of litigation.

In re: Heartland Payment Systems, No. 09-1043 (D.N.J. Dec. 07, 2009) remains the paradigm for such litigation. To facilitate its payment processing services, Heartland Payment Systems (“Heartland”) stored millions of credit and debit card numbers on its internal computer network. In December 2007, hackers launched a Structured Query Language Attack (“SQL attack”) on Heartland’s payroll management system. To its credit, Heartland was able to successfully avert the attack before any personally identifiable information was stolen. At the same time, however, the company failed to detect malicious software (“malware”) which had been placed on the network by the SQL attack. The malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers. Heartland did not discover the breach until January 2009, at which time it notified government authorities and publicly disclosed the event. Over the course of the following month, Heartland’s stock price dropped over $15 per share. Perhaps not surprisingly, shareholder class actions ensued.

In their complaint, plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. Specifically, plaintiffs claimed that the defendants concealed the SQL attack and misrepresented the general state of Heartland’s data security. Plaintiffs further alleged that the defendants’ conduct was fraudulent because they were aware that Heartland’s network had been breached, yet they had not fully remedied the problem Read the rest of this entry »

Bloggers Beware: Righthaven’s got its eye on you…

Whether you own a website where you allow blogs and comments to be posted, or if you are the blogger/poster, listen up.

For those of you who haven’t heard of Righthaven LLC, they are to the blogging world what editors are to the Law Review world…cite-checking and anti-plagiarism “proponents” (let’s call ‘em that, for argument’s sake). Righthaven’s been making quite a splash and has gained popularity among news chains since its coming into existence in the spring of 2010. According to David Kravets’ article, “Righthaven Expands Troll Operation With Newspaper Giant[1], Righthaven has filed over 180 lawsuits and has settled over 70 of them already. Its major suppliers of copyrighted material include Stephens Media (owners of Las Vegas Review-Journal), MediaNews Group (owners of San Jose Mercury News and the Denver Post), and WEHCO Media (owners of Arkansas Democrat-Gazette and Chattanooga Times Free Fress), to name a few.[2] Owned by Net Sortie Systems LLC and SI Content Monitor LLC, Righthaven is the brain-child of Las Vegas-based IP attorney, Steven Gibson.[3] Righthaven’s clients assign their rights in the content to Righthaven, who then sues for copyright infringement.[4]

In order to analyze the problems faced by the parties to such lawsuits, we’ll have to discuss the U.S. Copyright Act, as well as the Digital Millennium Copyright Act (“DMCA”).

Read the rest of this entry »