
The Implications of a Cyberattack on Your Securities Portfolio: You May Want to Read Your Holdings’ 10-Ks

So, you think that a corporate cyberattack has nothing to do with you? If so, think again. Indeed, to the extent you own stock or securities, the value of your holdings could be at risk in the event of a cyberattack. I’ve said it before and I’ll say it again: Cybersecurity is an economic issue. See here.

Take, for example, Intel (INTC). In the “Risks” section of its 2009 10-K, the company disclosed in a tersely worded statement that its networks had been the victims of “sophisticated” attacks. Kudos to Intel for making this disclosure, which predated the October 2011 publication of the SEC Guidance addressing public companies’ cyber risks and exposures (discussed here and elsewhere, including in the March 2012 edition of the Advisen Cyber Journal. Please feel free to contact me for details on how to obtain this must-read issue and subscribe. Advisen has done a masterful job, as it does with all of its publications). As will be discussed in my next post, a significant number of public companies still have not complied with their cyber risk and cyber exposure reporting “obligations” under the SEC Guidance.

As to Intel, the subject 10-K listed several noteworthy risks. The most intriguing stated that “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure continued that “[w]e regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software….These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.”

The adverse economic impact of a cyber-related disclosure is not theoretical, either. Indeed, in the immediate wake of the News Corp./News of the World cell phone hacking scandal in mid-2011, News Corp’s market cap reportedly fell by over 15%, valued at approximately $7 billion, in less than a week. Not surprisingly, News Corp was sued shortly thereafter in a series of securities fraud class actions, which remain pending.

While cyber risks and exposures may or may not have an impact on a stock’s trading price, their potential impact cannot be ignored. Google (GOOG) is another example. As previously discussed here, Google has been the subject of cyberattacks which it claims were precipitated by the Chinese government. The import of this development cannot be overstated, as it created tensions between the U.S. and Chinese governments and even made it into Intel’s SEC filing. For private citizens, however, perhaps the greatest implication of the Google cyberintrusions is the arguable effect that they had on Google’s price per share. On January 12, 2010, when the intrusion was publicly disclosed, Google shares fell 1.7% to $590.48. By April 25, 2010, Google’s shares were trading at $544.99, another roughly 8% price drop. Can these losses be directly linked to the breach of Google’s security systems? Put differently, can a possible link be dismissed? That’s for shareholders and others to decide.

So, what does this all mean? At a minimum, it suggests that the economic implications of a cyber event can be wide ranging, from the simple cost of fixing a security gap to a major hit to a brand’s reputation (remember News of the World? After 168 years of tremendous success globally, it ceased publishing on July 10, 2011 as a direct result of the hacking scandal), all the way to claims arising from the theft of consumers’ personal and financial information. Such an intrusion into the systems of retailer T.J. Maxx (TJX) led TJX to settle with regulators, states, consumers and others and to set a settlement/remediation reserve of over $100 million.

In the end, it is clear that just as consumers need to be vigilant about monitoring their personal and financial information to protect themselves from identity theft and the like, investors too must regularly track their holdings to protect their portfolios and assets. As to the companies whose information and systems are at risk, the need for both D&O and cyber insurance is patently obvious, and is as important as the protection of their intellectual property, consumer information and other non-public data. Risk management, information protection and insurance go hand in hand. And we’re here to make sure everyone recognizes the correlation.


WARNING: HHS Now Combating HIPAA Violations With HITECH Weaponry

The following article was co-written by my Health Care Department colleagues Sal Rotella and Bill Conaboy. Thanks guys!

Rick

On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).
The HITECH Act and HIPAA Enforcement

HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”


The Dos and Don’ts of Navigating The Cloud: A Business Guide For Cloud Computing

Cloud computing is the storage of data on remote computer servers and the sharing and transmittal of such information by way of the internet. Use of the cloud enables both businesses and casual users to maintain as much or as little electronic data as they wish on a third party’s mainframes without the need for or the expense of having to buy and maintain their own hardware systems.

The cloud’s economic benefits are clear. Still, clouds can be a legal minefield for companies and their counsel. Data breaches, hosting of illegal content and inaccessibility of critical business information are just a few examples of turbulent situations cloud users can face.

Given the risks and potential rewards of the cloud, consider the following guide before entering into a cloud provider contract:


The Coverage Question

We are grateful to the rapidly-growing number of Cyberinquirer readers who continue to submit substantive content for publication. This truly is an industry blog, and we strive to present alternative points of view from all quarters. 

The following article was authored by Gregg A. Rapoport, Esq., and David Lam, CISSP, CPP. Attorney Rapoport has represented policyholders in coverage litigation for over 20 years as part of a broad business litigation practice based in Pasadena, California. Mr. Lam is vice president of the Los Angeles Information Systems Security Association and has over 20 years of experience as an IT and information security professional and author. This article was first published by RIMS, and we appreciate Messrs. Rapoport and Lam offering it for republication here.

Rick Bortnick

As they confront the sobering question of whether their networks and the data they carry are fully secure, today’s “C-level” executives are becoming fluent in once-esoteric information security terms. Many have reached the conclusion that no matter the size of their IT and security budgets, there is no foolproof system for securing the confidentiality, integrity and availability of their data. Company networks remain vulnerable to attacks even if they adhere to industry best practices and run best-of-breed firewalls.

To address these security challenges, companies are relying on their risk managers to evaluate the applicability of existing insurance coverage to data breach incidents, and to assess the value of transferring some of the uncovered financial risk to one of the carriers now offering cyber-risk insurance policies. As the market for these products matures, premiums have come down significantly and policy limits have increased.


An Insurer’s View: Examining the Rising Costs of Breaches

The following article, written by renowned London Market underwriter Rick Welsh, was first published in the November 2011 Data Guidance newsletter. A shout out to Rick for passing it on to us for republication.

Rick Bortnick

Today, no company – even with comprehensive privacy policies and practices – can be safe from data breaches. Can companies effectively transfer the risk (and cost) of data breaches by way of insurance? What costs should the companies consider? Almost every reference to the cost of data breaches or ‘cyber crime’ identifies the actual cost of the breach notification as its common currency. In Part One of this analysis, Rick Welsh, Cyber Underwriting Director at ANV, explores this metric’s limitations and the true exposure and cost of data breaches.

The well-regarded Ponemon Institute is constantly measuring the cost of a data breach and is commonly referenced by many to express the rising cost of data breaches. The second annual ‘Cost of Cyber Crime Study’ issued by the Ponemon Institute in August 2011, found that the median annualised cost of cyber crime for the 50 companies in the study was $5.9 million, with a range being between $1.5 million to $36.5 million. The annualised average was up 56% from the previous year’s study.


Employers Can Discover Employee Facebook Posts, But….

The following article first appeared on Mike Schmidt’s Cozen O’Connor blog, socialmediaemploymentlawblog.com. Thanks to Mike for allowing us to republish it as a follow-up to our December 2, 2011 post, Keep Your Friends Close, But Your Facebook Posts Closer, which addresses a Pennsylvania trial court’s ruling that “plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material,” and our October 16, 2011 post, Facebook: Everything You Want to Know and More… Just a Discovery Request Away, where we comment on how easy it actually is to obtain information posted on Facebook.

Needless to say, the discoverability of social media posts is an important issue for litigants on both sides of the “v” and will continue to be the subject of fiercely-litigated motion practice. We will monitor the issue and post updates as courts across the country rule on this important, oftentimes substantively dispositive, issue.

Rick Bortnick

One of the high-profile battles being fought in the social media world continues to be over the ability of one party in a lawsuit to compel the other party to produce messages, posts, pictures, and other “private” things done over a social networking site like Facebook. The trend continues to reveal that courts are willing to compel disclosure in the right circumstances, and the most recent decision issued by a New York appellate court is no different.

In Patterson v. Turner Construction Company (New York Supreme Court, Appellate Division, First Department, October 27, 2011), the plaintiff sued for personal injury damages that included physical and psychological injuries that he claims to have suffered. During the lawsuit, the defendant asked the court to direct the plaintiff to provide an authorization allowing defendant to obtain “all of plaintiff’s Facebook records compiled after the incident alleged in the complaint, including any records previously deleted or archived[.]” The plaintiff, obviously, fought that request.


New Cybersecurity Disclosure Guidance for Public Companies: Focusing Attention, Raising Questions

As regular Cyberinquirer readers know, on October 12, 2011, the SEC’s Division of Corporate Finance published “suggested” Guidance on public companies’ disclosures of their cyber risks and exposures. I published a personal perspective on the implications of the Guidance in an October 29, 2011 post (here). Since then, our friend John Doernberg of William Gallagher Associates in Boston has written an excellent, thoughtful article which adopts a more technical approach. As many of you may know, John is a Vice President at William Gallagher and focuses on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, John practiced law at leading firms in New York and Boston. The following article first appeared at John’s own site, http://blog.wgains.com/?s=Doernberg, and is being republished here with his permission. Thanks John!

Rick Bortnick

Increased corporate reliance on computer networks and electronic data has brought a corresponding increase in risks associated with breaches of their security. Such breaches have become more frequent and severe. With these Guidelines, the Division has indicated that public companies and their advisors should focus greater attention on how disclosure obligations under the federal securities laws may be affected by the potential financial and operational impact of cybersecurity breaches.

The Guidelines note that cybersecurity breaches (generically referred to as cyber incidents) can be malicious (cyber-attacks) or unintentional. The Guidelines provide something of a rogue’s gallery of cyber malice: the gaining of unauthorized access to steal or corrupt sensitive data or to disrupt operations, denial of service attacks, sophisticated electronic circumvention of network security, and social engineering techniques such as phishing to extract passwords or other information that will enable the gaining of access.


Keep Your Friends Close, But Your Facebook Posts Closer

“Facebook helps you connect and share with the people in your life.” That is the Facebook mantra, as displayed on its homepage, and the opening line of a recent – and extremely thorough! – Pennsylvania trial court decision regarding the discoverability of a plaintiff’s relevant Facebook information. The court’s conclusion: a plaintiff’s Facebook information is discoverable, provided the defendant has a good faith basis for seeking the material, because there is no confidential social networking privilege under Pennsylvania law and because the Stored Communications Act only applies to internet service providers. The take-away for Facebook users: be careful what you post – it’s not as “private” as you think!


Identity Theft: A Christmas Poem Revisited

Regular Cyberinquirer readers may recall the following holiday poem by Amanda Lorenz that we published last year at this time. Like the Yule Log, we here at Cyberinquirer Central have decided to republish Amanda’s poem on an annual basis at holiday time, barring extenuating circumstances. Hope you agree that it’s as fresh today as it was a year ago. Perhaps even more apt. In any event, enjoy! And happy holiday season from your friends at Cyberinquirer.

’Twas the month before Christmas and all through the house,
All the children were networking with the click of a mouse.
Cyber thieves were nestled all snug in their chairs,
Waiting for shoppers to unknowingly share.
As I shopped for him and he shopped for me,
The thieves stole our money and our financial history.
We did not even realize that this information was taken,
And we thought the denial of our credit card was mistaken.
Using Phishing or SMiShing and hacking the links,
Our private information was retrieved in a blink.
Perhaps we should have shopped on a network that was secure,
Or at least checked our credit reports monthly to be sure,
That thieves were not using our names and our faces
To purchase plane tickets to tropical places.
So to all of the shoppers who like to avoid the crowd,
Protect your info this season and make CyberInquirer proud!

Happy Holidays from CyberInquirer!


The Hospitality Industry Revisited: Does Your Company Have Proper Coverage?

In a prior post (here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven’t, here’s my topic sentence: “38% of the credit card hacking events in 2009 involved the hospitality industry.” Yep. 38%.

And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you’re connected to the hospitality industry, you probably knew that already. But what you might not realize is that you’re not in the clear. And things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).


Securities Law and Cyber Disclosures… Perfect Together…Especially for Cyber and Tech Underwriters and Brokers. And Me

It’s not often that worlds collide or that interests converge into one amorphous epiphany. But that’s exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and “is not a rule, regulation, or statement of the Securities and Exchange Commission.” The DCF also emphasizes right up front that “the Commission has neither approved nor disapproved its content.” Yeah, right. YOU be an officer or director of a company that does not “comply” with the DCF’s “recommendations.”


And Now, the Maine Event: Mitigation Costs Constitute Damages in Data-Breach Case

Businesses that necessarily require their customers to disclose credit card and personal information, beware. Just five days ago, the United States Court of Appeals for the First Circuit held that claims by class action plaintiffs for “mitigation damages” arising from alleged negligence and breach of contract were viable. Anderson v. Hannaford Brothers Co., Nos. 10–2384, 10–2450, 2011 U.S. App. LEXIS 21239 (1st Cir. Oct. 20, 2011).

In Anderson, the electronic payment processing system of a national grocery chain, Hannaford Brothers Co., was breached by hackers in 2007. This resulted in the dissemination of as many as 4.2 million credit card and debit card numbers, expiration dates, and security codes. Hannaford Brothers was not notified of the breach until February 27, 2008 and subsequently contained the breach on March 10, 2008. A week later, Hannaford released a statement regarding the breach and announced that over 1,800 cases of fraud resulting from the theft already had been reported.

Following Hannaford’s announcement, several financial institutions immediately cancelled customers’ debit and credit cards. Some financial institutions, which refrained from immediately cancelling the cards, monitored the accounts for unusual activity, cancelling the cards, in many cases, without notifying the customer. Customers who asked that their cards be cancelled incurred fees from issuing banks for the replacement cards.


INTRODUCTION TO CANADA’S PIPEDA PRIVACY LEGISLATION

I. Overview

Canada’s privacy regime can be described as a web of legislation at both the federal and provincial/territorial level. Some commentators express concern that this web has become tangled, lacks uniformity and actually undermines the predictability and consistency that, in their view, would exist under a single (federal) privacy regime. Canada has two primary privacy statutes: the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Privacy Act, R.S.C. 1985, c. P-21 (Can.), took effect on July 1, 1983, and imposed certain privacy rights obligations on approximately 250 federal government departments and agencies by limiting the use and disclosure of personal information. The Privacy Act also gives individuals the right to access and, if necessary, correct personal information held by governmental organizations subject to the Act.


Asia-Pacific Cyber Law Risks and Developments

I. Introduction

The Internet facilitates the widespread and instantaneous flow of information across international borders.  While the advent of this method of transnational communication has truly created a “global economy,” at the same time, it has engendered problems for companies and their insurers which seek to assess risk and implement information safeguards, particularly in the face of divergent data privacy laws which vary from region to region or may not even exist in certain jurisdictions.  The Asia-Pacific region typifies such a lack of uniformity.  At the same time, the emerging economies in this rapidly growing part of the world have generated promising targets for computer hackers. 

75% of Asia-Pacific enterprises have experienced cyber attacks in the past 12 months.  Perhaps not surprisingly, a 2010 study by Symantec reported that almost half of all Asia-Pacific-based businesses (and 67% in Singapore) ranked cyber risk and information security as their top concern—more so than natural disasters, terrorism, and traditional crime combined.  Cyber attacks and data breaches are on the radar of CEOs and risk managers for good reason: the average cost for a large company to remediate a data breach in Australia increased to nearly $2 million in 2010, which is slightly up from 2009.  See Ponemon Institute/Symantec 2010 Annual Study: Australian Cost of a Data Breach (May 2011).  Notwithstanding the prevalence of such attacks, it is far more likely that a cyber security program is managed as a part of a company’s traditional business risks, with traditional coverages being contorted to cover various components of cyber risk (i.e. property loss, liability to third-parties, business interruption, etc.), rather than by way of a dedicated cyber-specific insurance program.  Still, in light of recent developments, it is virtually certain that companies soon will begin looking to transfer such risk via more efficient and targeted technology insurance forms and policies.   


Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.


Pennsylvania Favors Liberal Discovery of Social Media Activity

In a recent decision, a Pennsylvania trial court concluded that no privilege exists to prevent access to non-public social website information of personal injury claimants. Rather, the “paramount ideal” of pursuing truth favors liberal discovery of relevant information on social media sites.

In Zimmerman v. Weis Markets, No. CV-09-1535 (C.P. Northumberland Cty., May 19, 2011), the court rejected a personal injury plaintiff’s objections to providing non-public portions of plaintiff’s Facebook and MySpace pages, after the defendant demonstrated that the public portions of those pages included recent photographs and comments that appeared to contradict the plaintiff’s claims of physical and emotional distress. The court agreed with the rationale stated in other recent cases holding that an individual who voluntarily posts photos and information on social networking sites does so with the intention of sharing, and thus cannot later claim any expectation of privacy. The court noted that the privacy policies of Facebook and MySpace disclose that any information posted may become publicly available at the user’s own risk.


Using Social Media to Track Jurors’ Online Postings

Just as lawyers now routinely conduct due diligence on opposing parties’ social media pages, some lawyers also are monitoring postings by jurors on social media sites.

In a recent ethics opinion issued by the New York County Lawyers’ Association Committee on Professional Ethics (No. 743, 5/18/11), the committee concluded that an attorney may review jurors’ postings on publicly available social networking sites during trial. But they must not “friend” or “tweet” jurors, subscribe to their Twitter accounts, or otherwise contact them, either directly or through others.


What is Corporate and Business Identity Theft and What Are the Risks and Damages Associated with It?

The yellow fever outbreak of summer 1798 was the worst in Philadelphia’s history. Over 5,000 residents were infected, and nearly 1,300 died, causing even President Washington to flee. On the night of September 1st, 1798, the vault at Carpenter Hall was breached and the then-massive amount of $162,821 went missing. This first bank robbery in the United States, attributed as an “inside job”, ushered in an era of robberies that turned criminals into celebrities. Jesse James, Bonnie and Clyde, and John Dillinger have become legends. At present, the risk of yellow fever has been mitigated due to vaccines. The risk of bank vaults being physically robbed similarly has been reduced.


Cyber Liability Insurance for Universities: Incentivizing Best Practices as a Condition to Coverage (a.k.a “Reverse Underwriting”)

Computer hacking is a constantly evolving and growing threat.  While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades. 

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions.  While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise. 

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008).

“Anonymous” Hacks PlayStation Network and Sony Feels the Pain

Security is, I would say, our top priority because for all the exciting things you will be able to do with computers – organizing your lives, staying in touch with people, being creative – if we don’t solve these security problems, then people will hold back.  
If anyone still harbors the notion that video games are simple distractions from the age of Pong, they haven’t seen the latest statistics. One of the most popular games released last year, “Call of Duty: Black Ops”, generated $650 million in the first five days of sales and exceeded $1 billion in record time. The achievement put the game in the company of Michael Jackson’s “Thriller” album and James Cameron’s movie “Titanic.”  As a whole, the video game industry has been valued at over $100 billion.  That massive size and scope makes the impact of a cyber attack all the more devastating.
Privacy In The Face Of Search Warrants

On January 20, 2011, a federal class action lawsuit was filed against MySpace in the United States District Court for the Eastern District of New York. If successful, this new lawsuit could have dramatic implications for social networking sites and their users. Either way, it provides another opportunity to make a couple of privacy-related points for employers.

The MySpace lawsuit was filed on behalf of all former and current users of MySpace, who seek damages for the alleged improper and voluntary disclosure of personal and private information and data in response to foreign court search warrants without the knowledge or authorization of the MySpace users. The class alleges that search warrants issued by state judges for certain information have no force and effect when they are issued to MySpace’s California headquarters from other states, but that MySpace nevertheless provided responsive information and data voluntarily.


Social Media Advisor: That’s Why They Call it A Trend

A “trend” is generally defined as a general course, drift or prevailing tendency. In the battle between the potential privacy rights of a social networking site user and the desire of a lawsuit party to have full access to the private portions of that user’s profile, the trend favoring full and unfettered access has become clearer with a decision just issued by the Pennsylvania Court of Common Pleas in the case of McMillen v. Hummingbird Speedway, Inc.

In McMillen, the plaintiff was injured during a stock car race, and sued for damages after being rear-ended during a cooling down lap. He alleged significant physical injuries and overall loss of general health and vitality, as well as an “inability to enjoy certain pleasures of life.” During the lawsuit, the defendants requested that plaintiff identify the name of all sites to which he belonged, and to identify his user name(s), login name(s), and passwords. Plaintiff responded by stating that he belonged to Facebook and MySpace, but he refused to give the other requested information based on confidentiality and privacy grounds.


Woman Who Sued Yahoo for Linking Her to Viagra ‘Loses Her Appeal’

This is a story about Beverly Stayart and her efforts to sue Yahoo! and other search engines for linking her name to online content that she felt was offensive.

Although this lawsuit is rather striking, the case record does not reveal any particularly striking or unusual facts about Beverly herself.

She is not a celebrity, or at least, was not one when she started this litigation. She has an M.B.A. from the University of Chicago, she has written a few papers about genealogy research that appear on the internet, and she is passionate about the environment. She is interested in the plight of wild horses, wolves and baby seals and has vigorously protested against their mistreatment. She has published two poems about baby seals on a Danish website.

Like many people, Beverly was curious about what she would find when she put her name into Yahoo’s search engine. To her chagrin, upon running a search of her name in 2008, she discovered that in addition to the expected search results, Yahoo! returned results that linked her name to online pharmaceutical companies promoting sexual dysfunction drugs Viagra, Cialis and Levitra, pornographic websites that contained spyware, and links that directed her to other websites promoting “sexual escapades”.

Read the rest of this entry »

Your “Status Update” May be Revealing More Than Your Status

There has been a recent flurry of blog posts and media stories warning internet users about the potential dangers of posting their whereabouts on social networking sites, as such personal information is being used by opportunists to facilitate crimes. For example, just in the last month, three men in Nashua, New Hampshire allegedly used information they obtained from users’ Facebook status updates to learn when the users would not be home and thereupon broke into their vacant and vulnerable residences. Although Facebook has denied any link between its site and the crimes, the Nashua police believe that detailed information about the posters’ travel plans provided the thieves with sufficient information to know when the homes would be unoccupied.

Of course, the incidence of such crimes has not been widely disseminated through traditional media sources, such as newspapers, radio and television. As such, most Americans are unaware of this increasing phenomenon. At the same time, internet users are more widely and more frequently publishing their personal information, including their travel and vacation plans, on social networking and other public sites. Moreover, beyond the routine “tweets” and run-of-the-mill social networking status updates, new applications for cellular phones and PDAs are being created to facilitate geographical updates. These applications, such as “Foursquare,” “Gowalla” and “Facebook Places,” enable users to instantly identify their current physical location on the profiles they have created on social networking sites. Needless to say, allowing geographical information to be freely disclosed to the public can provide opportunists with even more accurate information about the whereabouts of their victims and their distance from an unoccupied and vulnerable residence.

Read the rest of this entry »

For Some Universities, Cyber Insurance Doesn’t Make The Grade

Data security breaches pose a serious threat to a corporation’s financial stability as well as to its credibility in the marketplace. Most notably, the 2007 TJX data security breach, where 45 million credit card and debit card numbers were stolen, cost the company over $4 billion. For many corporations, the solution is to purchase a cyber liability insurance policy, which provides insurance coverage in the event of such a breach.

The risk of data security breaches has also affected students of universities throughout the nation. In June of last year, Cornell University officials informed 45,000 members of the school’s community that their personal information, including their names and social security numbers, had been exposed when a University-owned laptop was stolen. Due to such breaches, college officials nationwide have begun purchasing cyber liability insurance policies to offset the financial burdens of a data security breach.

Read the rest of this entry »

Invasions of Privacy In The Cyber Sphere: Who’s Watching And What They Know About You

Google, Facebook, Twitter, Foursquare—millions of Americans, including myself, depend on these cyber sites as their gateway to information and communication in the outside world.  What we may not realize, or choose to ignore for convenience’s sake, is that this gateway lies on a two-way street. The information that we seek using websites such as Google and what we communicate on Facebook and Twitter provide companies with vital data to better market their products to us.  This use of information is referred to as “data mining. ”

An example of data mining can be seen in the advertisements that pop up on the side of your Facebook home page.  Such ads are often relevant to the information posted on your “Profile” page, such as advertisements promoting products from your college alma mater. 

At the outset, data mining seems like a win-win situation for both the consumer and the seller—the consumer is marketed with a product in which they are seemingly interested and the company has utilized its advertising budget in an informed, cost-effective manner.  At the same time, however, the threat of an invasion of privacy is real and has the attention of members of Congress and federal officials to create legislation regulating the way in which, and the extent to which, our personal information is shared with third parties. 

Read the rest of this entry »

Old Claims Still Exist in New Social Media Context

One of the difficult things to predict with regard to the use of social media in the employment setting continues to be the extent to which traditional legal claims apply equally to new social media outlets.   We continue to advise employers that it is imperative to ensure that care is also taken to create policies and train employees on the use of social media in and out of the office setting, and not to let the informality and ease of the Internet lull employers into a false sense of security.   On July 22, 2010, a New York Supreme Court Judge applied the tort of defamation to statements on Facebook in a case that offers an important message to employers.

The case of Finkel v. Dauber (New York Supreme Court, Nassau County) centered on statements posted by a Facebook group known as “90 Cents Short of a Dollar.” Plaintiff alleged that she was defamed by the group’s postings that stated “unbeknownst to many, [plaintiff] acquired AIDS while on a cruise to Africa” and then “persisted to screw a baboon which caused the epidemic to spread.”   The postings further defamed plaintiff, she alleged, by stating “[w]hile in Africa she was seen fucking a horse.”   And other intelligent banter.

Read the rest of this entry »

Concurrent CGL and E&O Coverage for “Spyware?” Yes, Says the Eighth Circuit

On July 23, 2010, the United States Court of Appeals for the Eighth Circuit issued an important decision in Eyeblaster, Inc. v. Federal Ins. Co., 2010 U.S. App. LEXIS 15152, No. Civ. A. 08-3640, finding concurrent coverage under both a General Liability (“CGL”) insurance policy and a separate Information and Network Technology Errors and Omissions Liability (“E&O”) policy in circumstances where an online marketing company installed software on a consumer’s computer system, allegedly corrupting the computer’s software operating system.

Eyeblaster Inc. (“Eyeblaster”), the policyholder, is a company that creates, delivers and manages online interactive advertising. For the period December 5, 2006, to December 5, 2007, it was insured under two concurrent policies issued by Federal Insurance Company (“Federal”): (1) a CGL policy covering occurrences which cause damage to tangible property, and (2) an E&O policy which covered claims for financial loss caused by a wrongful act in connection with a product’s failure to perform its intended function or serve its intended purpose, resulting in damage to intangible property. As to the latter policy, intangible property included software, data and other electronic information. Both policies were “duty to defend” forms.

Read the rest of this entry »

Identity Theft: Our Children At Risk

Interviewing for your first job as a teenager is as exciting as it is intimidating. Thoughts of what to do with your first paycheck consume your mind as you rehearse your best “do-you-want-fries-with-that” smile. The interview proceeds flawlessly and you start to count the dollar signs as you await the job offer. But imagine your surprise when you are informed that you did not get the job because your background check revealed that you are over $75,000 in debt and five years behind in your child support payments for your eleven year old child…a terrifying thought considering you are only 16 years old.

Adults aren’t the only victims of identity theft. Child identity theft is an increasing and understated crime. A child’s Social Security Number (“SSN”) is the perfect target, as the theft typically goes undetected until years after the crime has taken place. Indeed, the crime might not be discovered until the rightful owner/victim uses his or her SSN for the first time years later. This revelation often occurs when the victim applies for his or her first job or financial aid before college.

The scheme works as follows: businesses use various techniques to search the Internet for dormant SSNs. These numbers often belong to long-term inmates, dead people or children. Obtaining them is not as difficult as one may think, because SSNs have historically been assigned systematically, with the first digits tied to the state of issuance and the remainder advancing in a predictable order over time, so a number issued to a child in a given place and year falls within a guessable range. (Since June 2011 the Social Security Administration has assigned new numbers randomly, which removes that pattern for new issuances but not for the numbers already in circulation.) Once it has been determined that no one is actively using the number to obtain credit, the numbers are offered for sale.

Read the rest of this entry »

The White House’s “Progress” Report on Cybersecurity: There’s A Long Road Ahead

Lest one question the severity of the evolving challenges in our rapidly growing cyber world, President Obama has crystallized it succinctly: (1) “cyber threat is one of the most serious economic and national security challenges we face as a nation;” and (2) “America’s economic prosperity in the 21st century will depend on cybersecurity.” In other words, President Obama has declared cybersecurity to be a national security priority.

While that’s obviously good news, the follow-up question is “how are we doing in meeting the associated demands?” Regrettably, not so well, it seems.

Speaking before cybersecurity and privacy experts from government, law enforcement, the private sector, academia and privacy and civil liberties groups, President Obama, Homeland Security Secretary Janet Napolitano, Commerce Secretary Gary Locke, Cyber Coordinator Howard Schmidt and other Administration officials uniformly acknowledged that far more work needs to be done to protect digital communications and information infrastructure and make it more difficult and costly for cybercriminals.

Read the rest of this entry »

Credit Card Hackers’ Favorite Target…Hotels.

We’ve all heard the story of the clerk at the local gas station who was double-swiping credit cards in order to make fraudulent copies. Online banking, restaurants, clothing retailers…every industry is potentially a target. Yet the industry that was the subject of more credit card thefts than any other sector in 2009?  Hotels.

To the point, SpiderLabs (the research and testing arm of Trustwave, a data-security consulting firm) has published a study which reports that 38% of the credit card compromises it investigated in 2009 involved the hospitality industry. Over one-third of all thefts of credit card numbers occurred at hotels. Much to my surprise, given the wealth of reporting on the subject, the financial services industry lagged well behind at a comparatively minor 19%. Retail followed at 14.2% while restaurants and bars were fourth at 13%.

I guess I shouldn’t have been surprised, though, as my own credit card number was stolen several years back while I was staying at a business travelers’ hotel in New York City. I had gone to the City for a Cinco de Mayo event sponsored by a major international insurer. Several days later, I received a call from my credit card company asking if I had bought gasoline on Long Island or a $5000 television at a big box retailer. While I do buy gasoline, I hadn’t been on Long Island. And while I certainly would have loved a $5000 television (or, for economy’s sake, something less pricey), I hadn’t bought that either. The conclusion was simple: my credit card number had been stolen when I used it at the New York hotel.

So, why hotels? According to security analysts, they’re generally easy targets. The large chain hotels may employ sophisticated security technology or other protections. Or they may not. In either case, how about smaller or private owned, non-chain hotels? The next time you check into a hotel, ask what security methods they use to protect credit card information. You probably won’t like the answer. The credit card number that you provide at check-in may sit in a folder or a file maintained right at the front desk. Who would prevent someone from simply lifting the file? Especially in the middle of the night. The single desk clerk on overnight duty?

Read the rest of this entry »

It’s All About Meme, Dancing Babies, Getting Rickrolled, “The Ring” and Reasons Why You Perhaps Shouldn’t Post that Hilarious Video of Your Drunken College Buddy on YouTube

I was recently introduced to a great new Scrabble word: “meme”. According to wikipedia, my source for all things “e-”, a meme, in reference to the Internet, is ‘the propagation of a digital file or hyperlink’ that contains content consisting of a saying or joke, a rumor, an altered or original image, a complete website, a video clip or animation, or an offbeat news story, among many other possibilities. In other words, an Internet meme is an inside joke that is shared between a large number of Internet users.

Internet memes have a tendency to evolve and spread extremely swiftly, sometimes going in and out of popularity in just days. They are spread organically, voluntarily, and peer to peer, rather than by compulsion, predetermined path, or completely automated means. The term ‘meme’ can refer to the content that spreads from user to user, the idea behind the content, or the phenomenon of its spread.

Ally McBeal fans may now appreciate the reference to the dancing ‘oogachucka’  baby. In an effort to be a bit more up-to-date in my meme references, I’ve embedded some of them, below.  If you’re seeing them for the first time, you may experience the ‘lightbulb effect’ – that is, you’ll actually get the joke behind certain late night comedy skits that just didn’t seem all that funny.

Read the rest of this entry »

Pulling the Plug on Cyberbullies: Should Schools be Responsible for Sticks and Stones Thrown in Cyberspace?

His name is Ghyslain Raza, but you may know of him as “Star Wars Kid”, a portly 15-year-old student at a Quebec private high school who had filmed himself wielding a mock light saber, pretending to be a Star Wars character in combat. The two-minute video was supposed to be private, but he left it lying around at his school where three students, who did not know the teenager, came across the video, posted it on the Internet on April 14, 2003, adding a message inviting people to make insulting remarks about the clip.

Unfortunately for him, it wasn’t just his friends who found the footage so amusing. The video went ‘viral’. One Web log that posted the video was allegedly downloaded 1.1 million times, and by October 2004 one Internet site dedicated to the video had recorded 76 million visits. According to UK marketing firm The Viral Factory, it became the most downloaded video of 2006. So mortified was the teenager that he dropped out of school and finished the semester at a psychiatric ward. According to the student, “It was simply unbearable, totally. It was impossible to attend class.”  More than 35 other revised versions of the video clip, created by other people, have found their way to the Internet, with additional sound and visual effects.

This is an extreme but far from unique example of the devastation wrought by cyber-bullying, the term given to internet conduct in which students harass other students by e-mail and on the internet. Given the potentially devastating consequences of cyberbullying, should schools have the power to discipline their students engaging in this form of harmful conduct?

A major issue confronting school boards is that cyberbullying usually does not take place at school, although its effects can later reverberate among students during school hours. Students may post offensive material from home, or other times outside of school hours, but the targets are fellow classmates. Is it appropriate for a school board to discipline a student for posting such material simply because the postings are being accessed by other students at school or target other students?  At the same time, with power comes responsibility – if school boards have the power to discipline students for their behavior outside of school, are schools then to be mandated with the responsibility to essentially monitor and censor the world-wide web? Just how far should a school board’s jurisdiction extend regarding inappropriate off-school student e-conduct?

Read the rest of this entry »

The Proof is in the Posting: How Social Media is Changing the Law

A man and a lion were arguing about who was best, each one seeking evidence in support of his claim. They came to a tombstone on which a man was shown in the act of strangling a lion, and the man offered this picture as evidence. The lion replied, “It was a man who painted this; if a lion had painted it, you would instead see a lion strangling a man. But let’s look at some real evidence instead.” The lion then brought the man to the amphitheater and showed him so he could see with his own eyes just how a lion strangles a man. The lion then concluded, “A pretty picture is not proof: Facts are the only real evidence!”

The moral of the story has indeed changed since the times of Aesop, at least in today’s courtroom. Social networking websites such as Facebook, MySpace, and Twitter invite attorneys and their clients into a lion’s den of pictures and postings, creating a haven for evidentiary consequences that can be unexpected obstacles if attorneys are unprepared to counter them.

INTRODUCTION

With claims such as “Facebook is a great place to keep in touch with friends,” “Using Twitter is going to change the way you [stay] in touch,” and “MySpace lets you meet your friends’ friends,” social networking websites are, admittedly, enticing. This article surveys recent evidentiary issues involving these sites across multiple practice areas and counsels how to avoid some of the adverse rulings discussed herein.

Read the rest of this entry »

Wake Up and Smell the Threats: Two Recent Examples of Why Municipalities Need Cyber Insurance

Odd as it may seem to those of us who live and breathe cyber, tech and privacy insurance, I have heard anecdotally of municipal authorities who profess that their cities and towns do not need to incur the expense of buying these products. “Why do we need them? We don’t operate on the internet,” they reportedly have said.

Well, my response is “why don’t you think you need them?” Do you maintain a bank account? Do you store personally identifiable information about private citizens, whether in your property records, police files, tax databases or otherwise? Are your employees able to access your municipality’s computer systems remotely? Is it really possible that every single piece of information you maintain is recorded on paper and nothing is stored on a computer system, whether located on- or off-site? Come on. It’s 2010. That’s virtually impossible, isn’t it? Haven’t you read my December 23, 2009 post No One is Immune. Even Government Entities Need Cyber/Tech Insurance?

Since that posting, additional municipalities have suffered cyber attacks and been the subject of cyber lawsuits.

Read the rest of this entry »

What’s in a Name? Domain Name Disputes for Dummies

Never underestimate the value of a good domain name! As any website owner will tell you, http://www.rose.com, by any other name, is likely to lose customers.

About a week ago, my colleague’s nephew, Kevin Bortnick, found himself in a domain name predicament. His plight is interesting and he has graciously permitted us to blog about his situation, which provides some useful context for a discussion about domain name disputes.   

Kevin is a talented website developer who used the name “KBortnick” or “KB” for his internet business. In November of 2005, he registered the domain name kbortnick.com for a period of four years, at a cost of about $10 per year. Although the domain name expired in November, 2009, he explained that “I was moving out & had a bit of a money crunch, so I figured I’d renew it in about a month, because it really wasn’t worth anything & I figured it would be fine….”   

A couple of weeks ago, he attempted to re-register the name, only to discover that someone else had purchased it. That unknown ‘someone’ had immediately put it up for sale on a website that auctions off domain names, http://seto.com, subject to a minimum bid of $480. As you can imagine, Kevin was livid. “The highest I’ve ever seen my domain name appraised at was about $30”, he exclaimed, “and most places didn’t even give it that!”   

(I empathized with Kevin’s situation. Over Canadian Thanksgiving, while I was sitting before the computer in a state of turkey-induced lethargy, I was suddenly roused from my stupor by the discovery that the domain name “pamelapengelley.com” could be registered for the low, low price of just $10 a year. I may soon write a post that is entitled “How I learned the hard way that just because you can make a hideously tacky personal flash website dedicated to your glorious self doesn’t mean that you should make one.” But I digress…)   

Kevin’s dilemma got me thinking –  is this what is known as “cybersquatting”?  Is there any remedy for this sort of thing? Does Kevin have any recourse?

In fact, there are a couple of different mechanisms for resolving a cybersquatting dispute, and my understanding of them was greatly assisted by some basic knowledge about the development of the Internet and some tech-related acronyms like “DNS”, “IP” and “ccTLD”. If these terms are unfamiliar to you, then I ask for your indulgence while I lay out some of the basic IT background. It’s a bit lengthy so if you are computer-savvy, you may just want to skip part 1. Read the rest of this entry »
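Kevin’s predicament started with a renewal date that nobody was watching, and the dispute mechanisms discussed in this post are the expensive way to recover from that. The cheap way is to check expiry dates before they pass. The script below is an added example written for this page, not code from the original post or from any registrar; it reads the expiry field from WHOIS-style text and flags each domain as expired, due for renewal, or fine. The WHOIS records in it are constructed for the demonstration (they are not real registry output), the field labels it looks for are common spellings that vary by registry, and the 30-day warning window and the “today” date are assumptions you would set for your own environment.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed WHOIS-style responses for the demo; not real registry output.
WHOIS_RECORDS = {
    "kbortnick.com": """Domain Name: KBORTNICK.COM
Registry Expiry Date: 2009-11-14T05:00:00Z
Registrar: Example Registrar, Inc.""",
    "example-shop.com": """Domain Name: EXAMPLE-SHOP.COM
Registry Expiry Date: 2010-01-20T00:00:00Z
Registrar: Example Registrar, Inc.""",
    "example-corp.com": """Domain Name: EXAMPLE-CORP.COM
Registry Expiry Date: 2012-06-01T00:00:00Z
Registrar: Example Registrar, Inc.""",
    "no-expiry-field.example": """Domain Name: NO-EXPIRY-FIELD.EXAMPLE
Registrar: Example Registrar, Inc.""",
}

# Assumed "today" so the demo is reproducible; use datetime.now(timezone.utc) in practice.
DEMO_NOW = datetime(2009, 12, 28, tzinfo=timezone.utc)

# Registries label the expiry line differently; these are common spellings (an assumption,
# extend the tuple for the registries you actually query).
EXPIRY_LABELS = ("Registry Expiry Date", "Expiration Date", "Expiry Date", "paid-till")
_EXPIRY_RE = re.compile(
    r"^\s*(?:%s):\s*(\S+)" % "|".join(re.escape(label) for label in EXPIRY_LABELS),
    re.IGNORECASE | re.MULTILINE,
)


def parse_expiry(whois_text):
    """Return the expiry as an aware UTC datetime, or None if no expiry line is present."""
    match = _EXPIRY_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    # Accept ISO 8601 with a trailing Z (the common form) or a bare date.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def classify(expiry, now, warn_days=30):
    """EXPIRED / RENEW_SOON / OK / UNKNOWN relative to `now`."""
    if expiry is None:
        return "UNKNOWN"          # missing field: treat as a finding, not as "fine"
    if expiry <= now:
        return "EXPIRED"
    if expiry - now <= timedelta(days=warn_days):
        return "RENEW_SOON"
    return "OK"


def check_domains(records, now, warn_days=30):
    """Map each domain name to (status, whole days until expiry or None)."""
    result = {}
    for domain, text in records.items():
        expiry = parse_expiry(text)
        days_left = None if expiry is None else (expiry - now).days
        result[domain] = (classify(expiry, now, warn_days), days_left)
    return result


if __name__ == "__main__":
    for domain, (status, days) in sorted(check_domains(WHOIS_RECORDS, DEMO_NOW).items()):
        print(f"{domain:28} {status:10} {'' if days is None else days}")
```

Run it on a schedule against your own list of domains and treat UNKNOWN as seriously as RENEW_SOON: a registry whose output the parser does not recognise is a blind spot, and a domain that silently lapses is exactly how Kevin ended up bidding against a stranger for his own name. Renewal grace periods exist at most registrars but their length is registrar-specific, so the check here deliberately does not assume one.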

Cyber/Tech Underwriters Build Their Portfolios…As Corporate Executives Fret

The risk of cyberattacks is real and growing. While many of us theorize and speak in hypotheticals about the possibility of a major and potentially devastating cyberattack (or twenty), those considered most “in the know” are taking these risks seriously. And for good reason.

A January 29, 2010 study commissioned by McAfee, Inc and authored by the Center for Strategic and International Studies (CSIS) reports that over one-third (37%) of the IT security executives surveyed believe that critical infrastructure such as electrical grids, oil and gas production, water supply, telecommunications and transportation networks has become increasingly vulnerable to a cyberattack. Moreover, 40% of the 600 executives from 14 countries who responded predict a major security incident in their sector within the next year. Only 20% believe their sector is secure and will successfully avoid a serious cyberattack over the next five years.

The respondents work in critical infrastructure enterprises across seven sectors in 14 countries (including the US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia). Most problematic, over half of the respondents admitted that their concerns are not without foundation. Indeed, 54% acknowledged that their companies already have experienced infiltrations or large-scale cyberattacks from terrorists, organized crime gangs, and/or nation-states. The average cost of resultant downtime is estimated to be $6.3 million per day. Not chump-change by any means.

The recent cyberattack on Google is just one example. According to CSIS’s report, however, there have been scores more, with additional attacks to come. Of most concern, perhaps, over half of those surveyed named the U.S., China and Russia as the three most vulnerable countries.

The report, entitled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” goes on to state that more than one-third of the executives who responded feel their respective sectors are unprepared for a major attack and that two-thirds believe the ongoing recession has caused companies to reduce resources devoted to cyber protection.

This situation harkens back to the adage “one man’s suffering is another man’s gain.” The opportunities for cyber/tech underwriters are there. Go get ‘em, ladies and gentlemen.


The Globalization of Cyber/Tech Risks and the Implications for Worldwide Insurance Coverage

As recognized below in Pamela’s post discussing whether the loss of computer data is “property damage” in the eye of tort law, the issues surrounding cyber/tech/privacy liability and the attendant insurance coverages are not the exclusive province of the United States or U.S. courts.

To the contrary, virtually every country worldwide is increasingly faced with the problem of having to deal with the hard social and legal issues presented by a rapidly evolving cyber world.  So too, policyholders and the insurers who typically grant worldwide coverage under their policies must recognize that the risks faced are not exclusive to the U.S. or our Canadian cousins. The risks are global in nature and policyholders and insurers alike need to stay current with what’s happening outside our cocoon of the Western Hemisphere.

I am certain every reader is aware of the socio-political dispute whereby Google has threatened to withdraw from China amid claims that the Chinese government has hacked into Google’s and other third-parties’ databases, spied on Google email accounts, and tightened blocks on tens of thousands of internet sites, including Facebook, Twitter and YouTube. U.S. Secretary of State Hillary Clinton has spoken on the subject, advocating that companies such as Google refuse to support “politically motivated censorship.” Secretary Clinton also accused China, Tunisia and Uzbekistan of boosting censorship and called on Beijing to investigate the recent cyber attacks on Google and others. (On a side note, just last week, Europe’s principal security and human rights watchdog accused Turkey of blocking 3700 internet sites for “arbitrary and political reasons.”).

Read the rest of this entry »

No One is Immune. Even Government Entities Need Cyber/Tech Insurance

Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.

Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high profile breaches at large companies where there has been a failure to protect a customer’s personal information.

What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.

The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon driver’s license number or Oregon identification card number, or a financial, credit or debit card number along with a security or access code or password that would allow someone access to the consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:

Read the rest of this entry »

Non-Profits Face Massachusetts’ Tough New Data Security Law on March 1, 2010


The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital has been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.

 

1.  An Overview of Massachusetts’ New Data Security Law

On March 1, 2010, a new data security breach law takes effect in the Commonwealth of Massachusetts. Described by some as the toughest data security law in the U.S., the law and its corresponding regulations apply to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.

2.  What is Meant by “Personal Information”?

The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:

  1. The resident’s driver’s license number or state identification card;
  2. Bank/financial account or credit/debit account number; or
  3. Social Security number.

In other words, the definition is narrower than it sounds: a name alone, or an account number alone, is not “personal information” under the law, but a name (even just a first initial and last name) combined with any one of those three identifiers is. For most non-profits that means donor, member and payroll records are squarely within scope.

Read the rest of this entry »

I Spy With My Little Eye, Some Pending Privacy Issues: “Google Goggles”

Remember the good ol’ days of the Commodore 64, back when fluorescent colors were fashionable and “Computer, earl grey…hot” was to boldly go where no one has gone before?

Well, those days are now behind us, and unless you’re one of the stubborn few who still use a phone line to dial into “those newfangled internets”, you have probably heard of Google’s new search-by-sight application, “Google Goggles”.

On Monday, Google announced the launch of a new search feature that allows users to perform an internet search simply by submitting a photograph. Instead of using words, you can take a picture of an object with your camera phone: Google will attempt to recognize the object, and return relevant search results to you. The experimental search-by-sight feature, called Google Goggles, has a database of billions of images that informs its analysis of what’s been uploaded. Vic Gundotra, Google’s vice president of engineering, has said: “It is our goal to be able to identify any image. It represents our earliest efforts in the field of computer vision. You can take a picture of an item, use that picture of whatever you take as the query.” The application is still in a very early stage of development, however, and works best with objects, books, album covers, artwork, landmarks, places, and logos. You can view Google’s video of the application below:

Read the rest of this entry »

Cybersecurity is an Economic Issue – Cyber Insurers Should Provide Economic Incentives, ISA Reports

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.

We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts for Barack Obama, Britney Spears, and Bill O’Reilly, but the implications are serious; with every new technology comes new risk. Malware can erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others, and credit card information can be stolen and used to make unauthorized purchases.

“Cybersecurity” refers to the protection of information systems and the data they hold by preventing, detecting and responding to attacks. Although there is a tendency to treat cybersecurity as a technical issue with technical solutions, it is also useful to think of it as an economic issue with economic solutions.

This is the message that the Internet Security Alliance (“ISA”) delivered in a landmark report issued earlier today, December 3, 2009. The ISA is a trade association representing a gamut of corporate interests, including the defense and aerospace, banking and financial, food service, entertainment, telecommunications and manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their approach to cybersecurity by creating economic incentives and other programs to foster broader and more effective cybersecurity efforts and systems.

At present, the government has been relying on regulation to ostensibly improve cybersecurity. The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st-century problem. The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to the “geeks” in their IS or IT departments, as is typically the case today).

The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity. ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on cybersecurity investments are quantified.

Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and to assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and for recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability), for example by limiting punitive damages while allowing actual damages, and by providing affirmative defenses with reduced standards of proof (preponderance of the evidence rather than clear and convincing evidence, etc.).

The report is long (over 70 pages) and quite detailed. For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime. At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US and UK insurers). Only through joint and collaborative efforts can the billion-dollar problem of cyber crime be mitigated. It is incumbent on the insurance industry to be among the leaders in these efforts. We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry. Please feel free to comment below. As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.


Facebook Subpoena Information – Here It Is!

So you want to obtain production of documents from Facebook to assist you in your civil case. How do you go about it? We asked and Facebook answered.

Well, first off, you are going to need court process (a subpoena) to obtain the information. In the U.S., Facebook users’ data is protected by the Electronic Communications Privacy Act (“ECPA”). See 18 U.S.C. § 2701 et seq. ECPA is a federal statute that prohibits Facebook from producing any “content” without notarized user consent or a search warrant. Facebook’s Law Enforcement Response Team has advised that, with regard to civil matters:

  • State court subpoenas must issue from a court within California or must be issued pursuant to a proper California court commission.
  • Federal civil subpoenas seeking the production of documents must issue from the court in the district where the production is to be made.

The subpoena should be sent to subpoena@facebook.com or faxed to 650-644-3229.

Facebook states that it requires a $150 processing fee per User ID. Checks can be made payable to Facebook, Inc. and can be sent to the attention of Facebook Security at 1601 S. California Ave., Palo Alto, CA, 94304, bearing the name and number of the case for which the fees are paid.

In addition to a valid subpoena, Facebook advises that as much of the following information as possible should be provided in order to expedite a request:

  • Your full contact information (name, physical address, phone and email)
  • Response date due (please allow 2-4 weeks for processing)
  • Full name of user(s)
  • Full URL to Facebook profile 
  • School/networks
  • Birth date
  • Known email addresses
  • IM account ID
  • Phone numbers
  • Address
  • Period of activity (specific dates will more likely expedite your request)

It takes Facebook approximately 2-4 weeks to respond to questions from law enforcement agencies or legal representatives about the status of these requests. If Facebook is informed, and has a good faith belief, that the matter is an emergency involving a potential threat of serious bodily harm or threat to life (see 18 U.S.C. § 2702(b)), it generally responds within 24 hours.

Facebook advises that if you are not a member of a Law Enforcement Agency or Legal Department, you will have to contact Facebook through their Help Page or have your local law enforcement or legal representative contact them. Some other helpful Facebook links are as follows:

Facebook Help Page: http://www.facebook.com/help

Facebook Terms of Use: http://www.facebook.com/terms.php

Hacked/Phished Facebook Account: http://www.facebook.com/security

Facebook Safety: http://www.facebook.com/safety


Google TiVo: Now Who’s Watching Who?

Personal information and data can be captured and aggregated in the most unlikely of ways. Take, for example, television viewing habits.

In the past, data aggregators such as A.C. Nielsen have used a variety of techniques to measure television audiences’ viewing habits in order to assemble ratings and assist networks and advertisers in identifying viewership and demographic rankings. It began with people recording their viewing in paper diaries. As technology progressed, Nielsen and other data aggregators used “black boxes” attached to televisions to compile the all-important viewership and demographic information. Some people equated these activities to a form of “Big Brother” watching over us, but in virtually all cases the “Nielsen families” participated willingly and were compensated for their voluntary participation.

As with everything else, we have now progressed well beyond the activities of yesteryear. The latest news on the viewership and demographic aggregation front comes from Google, which has announced that it is teaming up with TiVo, the digital video recording company, to assist advertisers in measuring how and when their ads are viewed by consumers. As most people know, TiVo and its progeny allow viewers to fast-forward through commercials so that they can view only the content they elect to watch. While a boon to viewers who hate commercials, this capability frustrates advertisers who pay tens of thousands, if not tens of millions, of dollars to television and cable networks to promote their services and products. According to Google, this new service is an attempt to re-create its AdWords and AdSense models on the small screen.

The hitch is that most TiVo users typically catch the beginning or end of a commercial or other unwanted programming as they attempt to watch their selected shows. Only the most dexterous of remote controllers can fast-forward their recorded programming precisely enough to view only what they want and not what they don’t. Having now had TiVo for 7-1/2 years, I still suffer the fate of imperfect fast-forwarding and consequent rewinding. I just can’t totally avoid those pesky commercials, no matter how hard I try. And believe me, I try.

Google is of the view that even that momentary viewership of the undesirable commercials, while not a full ad impression, is meaningful to advertisers.  Thus, it plans to use “anonymous second-by-second DVR viewing data” to track how viewers see ads placed through Google TV Ads and to assemble data on viewers’ television habits.

So, what can we as TiVo users do about it?  Google has not yet announced if viewers can “opt-out” of this service.  If that option is not available, then the only options seem to be that we participate as willing or unwilling (and uncompensated) participants, or give up our TiVo.  Needless to say, that latter option is not realistic.  I love my TiVo.  I won’t give it up.  But at what cost?  The price of my privacy, it seems.


FBI Warns that Hackers are Spear-Phishing for US Law Firms

“Phishing” refers to the fraudulent process of attempting to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity by way of e-mail, instant messaging or some other electronic communication. The communication will often direct users to enter details at a fake website that is almost identical to the legitimate one. “Spear-phishing” is the targeted variant, in which the message is tailored to a particular person or organization.

To illustrate, in a recent example of spear-phishing launched from a web server in China, CEOs received an email message purporting to be from a federal court, stating that a subpoena was being directed to the CEO, with a link to a web address ending in “uscourts.com” (the federal judiciary’s real domain is uscourts.gov). More than 1,800 CEOs clicked on the link. Once the victims arrived at the bogus site, they were asked to view court documents by downloading a browser plug-in, which was actually malware used to gain access to the victim’s computer.
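The “uscourts.com” lure works because the link looks right at a glance: the registrable domain differs from the real one only in its top-level domain, and the visible link text can say something different from where the link actually points. The following Python script is an added example, not code from the original post or from the FBI advisory. It pulls every link out of an HTML e-mail body, reduces each link’s host to its registrable domain, and flags links whose domain is not under an allowed domain for the claimed sender or whose visible text names a different domain than the href. The trusted-domain set (uscourts.gov), the simplified suffix list and the sample message are assumptions constructed for this illustration.

```python
"""Flag look-alike links in an e-mail body.

Added example, not part of the original post. The legitimate domain of
the federal judiciary is assumed to be uscourts.gov; the sample message
below is constructed for illustration and modelled on the fake-subpoena
mail described in the text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a message claiming to come from a federal court may link to.
# Assumption for this example: only uscourts.gov and its subdomains.
TRUSTED_DOMAINS = {"uscourts.gov"}

# Suffixes under which the registrable domain is three labels deep.
# A deliberately small stand-in for the public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "gov.uk"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Return the registrable domain, e.g. 'uscourts.com' for 'www.uscourts.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted(host):
    """True only if the host's registrable domain is an allowed domain."""
    return registrable_domain(host) in TRUSTED_DOMAINS


def host_of(url):
    """Extract the hostname; tolerate bare 'www.example.com/path' links."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname or ""


def check_links(html):
    """Return a list of (href, reason) for links that should be treated as suspect."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        reasons = []
        if not is_trusted(host):
            reasons.append(f"host {host!r} is not under {sorted(TRUSTED_DOMAINS)}")
        # Visible text that looks like a URL but names a different domain than the href.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group()!r} but href goes to {host!r}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample: one look-alike link, one genuine link.
SAMPLE_EMAIL = """
<p>You are hereby commanded to appear. Review the subpoena at
<a href="http://www.uscourts.com/subpoena/view?id=1">www.uscourts.gov/subpoena</a>.
Questions: <a href="https://www.uscourts.gov/contact">uscourts.gov contact page</a></p>
"""

if __name__ == "__main__":
    for href, why in check_links(SAMPLE_EMAIL):
        print(f"SUSPECT {href}: {why}")
```

Run against the sample, the script reports the first link twice over (wrong top-level domain, and link text that does not match the href) and says nothing about the second. In a real mail gateway the suffix table would come from the public suffix list and the trusted set from the claimed sender’s verified domain, but the check itself, comparing registrable domains rather than eyeballing the whole URL, is the one that catches this class of lure.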

On November 17, 2009, the FBI issued a cyber advisory warning that hackers appear to be targeting law firms and public relations firms. Here’s a not-so-clever example:

Subject: Attn: Pamela Pengelley

Alexander JLO – Solicitors
11 Lanark Square
Glengall Bridge
London E14 9RE
United Kingdom.
TEL:+44 794 4145 981
Fax:+44 794 4416 262

Good day: Pamela,

This is a personal E-mail directed to you and I request that
it be treated as such.

I am Barrister Wilson Baker, a solicitor at law. I am the personal attorney/sole executor to the late Engr Gerald Pengelley herein after referred to as’my client’ who worked as an independent oil magnate in my country and who died in a plane crash with his immediate family in December 2003.

Since the death of my client, I have written several letters to the embassy with an intent to locate any of his extended relatives whom shall be claimants/beneficiaries of his abandoned personal estate and all such efforts have been to no avail.

More-so, I have received official letters in the last few weeks suggesting a likely proceeding for confiscation of his abandoned personal assets in line with existing laws by the bank in which my client deposited a notably high amount of money.

On this note i decided to search for a credible person and finding that you bear a similar last name, I was urged to contact you, that I may with your consent, present you to the “trustee” bank as my late client’s surviving family member so as to enable you put up a claim to the bank in that capacity as a next of kin of my client.

I find this possible for the fuller reasons that you bear a similar last name with my client making it a lot easier for you to put up a claim in that capacity.

I propose that 35% of the net sum will accrue to you at the conclusion of this deal in so far as I do not incure further expenses.

Therefore, to facilitate the immediate transfer of this funds, you need, first to contact me via my private email:(wilsonbaker3@yahoo.co.uk) for better confidentiality, signifying your interest and as soon as I obtain your confidence I will immediately appraise you with the complete details as well as fax you the documents, with which you are to proceed and i shall direct you on how to put up an application to the bank.

However, you will have to accent to an express agreement which I will forward to you in order to bind us in this transaction.

Upon the receipt of your reply,I will send you by fax or E-mail the next step to take.I will not fail to bring to your notice that this proposal is hitch-free and that you should not entertain any fears as the required arrangements have been made for the completion of this transfer.

Like I said, I require only a solemn confidentiality on this.

Best regards,
Wilson Baker Esq

A word to the wise: proceed with caution before clicking on a link in an e-mail, even if the message appears to be from a reliable source. Better to seek confirmation from your information systems staff than to fall victim to a spear-phishing scam. For more information, check out Microsoft’s webpage, “How to Recognize Phishing Emails and Links”.


Ex Parte Motion to Preserve Facebook Profile Denied by Ontario Court

A New Decision on Facebook: Ex Parte Injunctions and Preservation Orders

Another Ontario decision dealing with production of Facebook profiles in personal injury lawsuits was released on October 29, 2009. In Schuster v. Royal & SunAlliance Insurance Company of Canada, the defendant brought a motion before a judge, without notice to the plaintiff, seeking an injunction requiring the plaintiff to preserve and produce her Facebook webpage.  The particulars of the decision are set out in detail, below.

The plaintiff claimed that, as a result of a car accident, she suffered injuries that impaired her ability to work and to participate in social and recreational activities. During litigation, she produced an “affidavit of documents” (a sworn list of all documents in a party’s possession, including electronic documents, that are relevant to the lawsuit) in which she failed to disclose the existence of her Facebook account.

The defendant hired a surveillance company and discovered the Facebook account, for which access was restricted to 67 “friends”, one being the plaintiff’s mother-in-law. The defendant was able to obtain photographs from the mother-in-law’s Facebook account in which there were pictures of the plaintiff dated before and after the accident, although she was just standing, sitting or reclining  (she was not engaged in any activities in relation to which she claimed to be impaired).

The defendant had brought the motion on an ex parte basis (that is, without notice to the plaintiff) seeking an Interim Order for the Preservation of Property under Rule 45.01 of Ontario’s Rules of Civil Procedure (R.R.O. 1990, Reg. 194). (Ex parte motions are typically granted where urgency arises because there is reason to believe that the responding party, if given notice of the motion, will take steps to frustrate the process of justice before the motion can be decided.) Rule 45.01 states:

INTERIM ORDER FOR PRESERVATION OR SALE

45.01 (1)  The court may make an interim order for the custody or preservation of any property in question in a proceeding or relevant to an issue in a proceeding, and for that purpose may authorize entry on or into any property in the possession of a party or of a person not a party. R.R.O. 1990, Reg. 194, r. 45.01 (1).

(2)  Where the property is of a perishable nature or likely to deteriorate or for any other reason ought to be sold, the court may order its sale in such manner and on such terms as are just. R.R.O. 1990, Reg. 194, r. 45.01 (2).

The Court noted that Rule 45.01(1) is “typically used to ensure that important documents, information or other items are preserved and available for the trial of an action where there is a strong likelihood that the defendant would destroy this evidence once notified of the proceedings”. As a result, an order under Rule 45.01 is similar to a civil search warrant and therefore subject to a higher threshold test than an “ordinary” ex parte injunction, pursuant to s. 101 of the Courts of Justice Act (“CJA”). (Note that Rule 40 of the Rules of Civil Procedure sets out the procedure to be followed in order to obtain an order under s. 101 of the CJA).

Justice Price noted that it was unclear whether the defendant was seeking access to just the web site, or the preservation and production of the website contents, and noted that an order granting the defendant access to the site would be far more invasive than ordering the plaintiff to preserve the contents of the site. Since an order granting the defendant access to the plaintiff’s Facebook account would have required the plaintiff to provide her username and password to the defendant (and was beyond the scope of her obligation to disclose relevant documents), the Court proceeded on the assumption that the defendant was only seeking an order for preservation of the site.

Justice Price then considered whether the defendant had met the test for an ordinary ex parte injunction under s. 101 of the CJA:

101.(1)In the Superior Court of Justice, an interlocutory injunction or mandatory order may be granted or a receiver or receiver and manager may be appointed by an interlocutory order, where it appears to a judge of the court to be just or convenient to do so. R.S.O. 1990, c. C.43, s. 101 (1); 1994, c. 12, s. 40; 1996, c. 25, s. 9 (17)

Terms

(2)An order under subsection (1) may include such terms as are considered just. R.S.O. 1990, c. C.43, s. 101 (2).

In considering whether to grant the interlocutory injunction, Justice Price applied the test set out by the Supreme Court of Canada in RJR-MacDonald Inc. v. Canada (A.G.):

1.) Is there a serious question to be tried? Justice Price found that there was a serious question to be tried, namely, the extent to which the accident had prevented the plaintiff from earning an income and engaging in recreational activities.

2.) Will the applicant suffer irreparable harm if the application is not granted? This is usually determined by considering whether damages will be an adequate remedy. In this case, the defendant argued that without the content of the Facebook webpage it would be deprived of the opportunity to properly respond to the plaintiff’s claim. The judge disagreed, noting that proof of irreparable harm must be clear and not speculative; there was no evidence that there were incriminating photographs on the plaintiff’s Facebook page. In fact, Justice Price held that since the plaintiff had not listed the Facebook page in her affidavit of documents, the presumption was that the Facebook page did not contain any relevant information. Unlike in previous Ontario cases dealing with Facebook production, in this case the judge was NOT prepared to draw an inference from the nature of Facebook itself or from the plaintiff’s profile that her Facebook page was likely to contain relevant evidence, stating:

I do not regard the mere nature of Facebook as a social networking platform or the fact that the Plaintiff possesses a Facebook account as evidence that it contains information relevant to her claim or that she has omitted relevant documents from her Affidavit of Documents. The photographs that the Defendant has obtained from the Plaintiff’s account in the present case do not appear, on their face, to be relevant.

3.) Whom does the balance of convenience favor? In weighing the privacy interests of the plaintiff against the defendant’s interest in full disclosure, the court concluded that the balance favored the plaintiff:

  • The plaintiff’s failure to disclose her Facebook account in her affidavit of documents should give rise to the presumption that the information on the webpage is not relevant to the litigation – the defendant has the opportunity to rebut this presumption by cross-examining her on her affidavit of documents if it so chooses.
  • The defendant had been at liberty to question the plaintiff about her Facebook account at her examination for discovery.
  • There was no evidence to support the defendant’s proposition that the plaintiff was likely to delete any relevant contents of her Facebook profile pending trial.

In considering the plaintiff’s privacy interests, Justice Price had regard to the Federal Privacy Commissioner’s “Report of Findings into the Complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) Against Facebook Inc.” under the Personal Information Protection and Electronic Documents Act, and concluded:

The Plaintiff has set her Facebook privacy settings to private and has restricted its content to 67 “friends”. She has not created her profile for the purpose of sharing it with the general public. Unless the Defendant establishes a legal entitlement to such information, the Plaintiff’s privacy interest in the information in her profile should be respected.

As a result of the foregoing, the Court concluded:

The Defendant has not established a basis for a preservation order in the present case, especially on an ex parte motion. The Defendant has not put forward evidence, beyond a bald assertion, that there is relevant evidence that needs to be preserved. It also has not put forward evidence beyond mere speculation to support a conclusion that an order is required on an ex parte basis to prevent the destruction of evidence after a notice of motion for production is given and pending the return of such a motion.

The Court did decide, however, that ”[b]ecause Facebook is a relatively recent phenomenon and the disclosure obligations and remedies are still being articulated in relation to it”, the Court was prepared to grant the defendant a further opportunity to cross-examine the plaintiff on her affidavit of documents if it chose to do so.


Alberta Court Allows Substitutional Service on Facebook

According to an interesting article posted by Shaunna Mireau, ‘Substitutional Service via Facebook in Alberta’ on Slaw, on February 5, 2009 Master Breitkreuz ordered in Knott v. Sutherland that the plaintiffs could substitutionally serve one of the multiple defendants by publishing a notice in the newspaper, by forwarding a copy of the statement of claim to the human resources department where the defendant had formerly worked, and also by sending notice of the action to the defendant’s Facebook profile. Precedent for service in civil matters via Facebook exists in Australia and New Zealand, but it had not previously been allowed in Canada.

The order can be cited as Knott v. Sutherland (5 February 2009), Edmonton 0803 02267 (Alta. Q.B.M.).


Spend Long Hours on Facebook? Claim You Can’t Work and You’re On the Hook!

A British Columbia Court agreed that a plaintiff’s late night computer usage on Facebook was relevant to his claim that he was unable to work. The Court ordered production of his computer hard drive to determine the period of the time he spent on Facebook between 11 p.m. and 5 a.m.

In Bishop v. Minichiello, [2009] B.C.J. No. 692 (S.C.J.), the plaintiff alleged that a brain injury caused him ongoing fatigue which prevented him from being able to maintain employment. The defendant brought a motion to obtain production of the hard drive of the plaintiff’s family computer so that it could be analyzed to determine the periods of time that the plaintiff spent on Facebook between 11 p.m. and 5 a.m. each day. The defendant argued that the plaintiff’s late-night computer usage was relevant to the lawsuit: the plaintiff had told a doctor that he spent a substantial amount of time on Facebook chatting with a friend late at night, and that his sleep varied with the time that his friend went to bed.

On examination for discovery, the plaintiff’s mother had confirmed that the plaintiff was the only person using the family computer between those hours. The plaintiff argued that, at times, his friends could use the computer once he logged into Facebook, and that the hard drive contained information that was irrelevant to the litigation and so should not be produced. Justice Melnick noted, however, that simply because the hard drive contains irrelevant information to the lawsuit does not alter a plaintiff’s duty to disclose all relevant information. The Court concluded:

  • Facebook login/logout records are “documents” stored in electronic form for the purposes of the litigation;
  • The information sought by the defense could have significant probative value in relation to the plaintiff’s past and future wage loss;
  • The value of production was not outweighed by confidentiality, or time and expense required to produce the documents; and
  • The order sought was so narrow that it did not have the potential to unnecessarily delve into private aspects of the plaintiff’s life.

Given that not all of the information on the hard drive was relevant, and that privacy issues of other family members might be implicated, the Court ordered that an independent expert was to review the hard drive and isolate and produce the relevant information for the defendant’s counsel.


MySpace, MyEmails…MyPrivacy?

A married woman in Nevada sued her employer, claiming that he sent her inappropriate emails and gave her unwanted sexual attention. During the lawsuit, the employer’s lawyer discovered that the woman had set up a MySpace account where she pretended to be single. The employer’s lawyer wanted to see her MySpace emails; if this woman was looking for extra-marital affairs on MySpace, this might speak to her credibility. The judge refused.

In a decision of the Nevada District Court, Mackelprang v. Fidelity National Title Agency of Nevada Inc., a married plaintiff alleged that she was sexually harassed by senior members of her company, and that this led to her constructive dismissal. She alleged, among other things, that a vice president of her company sent sexually explicit emails to her office computer on a weekly basis. During the course of litigation, the defendant’s lawyer discovered that, a few months after leaving the defendant’s employ, the plaintiff had opened two MySpace accounts; in one of the accounts, the plaintiff identified herself as a single 39-year-old female who did not want children, and in the other, she identified herself as a married woman with six children whom she loved.

The defendant’s lawyer obtained a subpoena directing MySpace to produce all records for those accounts, including private email exchanges between the plaintiff and others. In response to the subpoena, MySpace produced the “public” information regarding the accounts, but refused to produce private email messages in the absence of a search warrant or a letter of consent to production from the owner of the account. The plaintiff refused to consent to the release of the private messages on the grounds that the information sought by the defendants was irrelevant to the lawsuit and improperly invaded her privacy. She contended that the defendants were on a “fishing expedition” and that they had no relevant basis for discovering the private email messages on either account.

The defendant’s lawyer brought a motion seeking to compel the plaintiff to consent to production of the emails. The defendants pointed to the unusual circumstances of the plaintiff’s two MySpace accounts as creating an inference that the plaintiff was using MySpace email to facilitate the same types of electronic and physical relationships that she had characterized as sexual harassment in her lawsuit. If the plaintiff had, in fact, been voluntarily pursuing extra-marital relationships through MySpace, then this information could be used to impeach her credibility and rebut her sexual harassment claims. The emails could be telling as to whether the plaintiff had actually suffered emotional distress as a result of the harassment, and might contain admissions relevant to the case.

The Court disagreed with the defendant and refused to order production of the emails. The defendant had nothing more than a suspicion and speculation that the plaintiff may have engaged in sexually related email communications on MySpace. There was an insufficient connection between the accounts and the workplace to make her private emails relevant. The Court noted:

Ordering plaintiff to execute the consent and authorization form for release of all of the private email on Plaintiff’s MySpace.com internet accounts would allow Defendants to cast too wide a net for any information that might be relevant and discoverable. It would, of course, permit Defendants to also obtain irrelevant information, including possibly sexually explicit or sexually promiscuous email communications between Plaintiff and third persons, which are not relevant, admissible or discoverable.

The Nevada District Court opined that, although it was theoretically possible that emails on the Myspace account might contain relevant information, the defendant should have limited the request to the production of relevant email communications. The determination of whether certain email communications were relevant could be properly ascertained through the discovery process.

No Canadian case to date has considered a request for the production of MySpace or Facebook emails. It seems likely that courts will treat these emails differently than the other information on a social network profile; even a “private” MySpace profile is viewable by all of a user’s “friends”, whereas email is not. Consequently, a court may not be able to infer from the nature of the social network service either an intent to make the communication public or the likely existence of relevant email communication. As a result, courts will likely hold that there is a greater expectation of privacy with respect to MySpace or Facebook email communications. It also remains to be seen whether evidence contained in a profile itself could give rise to a sufficiently reasonable inference that email communications are relevant. For example, if relevant postings on a Facebook wall made express reference to email communications, this might be sufficient to convince a Canadian court to order disclosure, notwithstanding the expectation of privacy surrounding such communications.


Fessing Up to Facebook – Recent Trends in Use of Social Network Websites for Insurance Litigation

In December 2008, after several failed attempts to serve a couple with court documents by email and text messaging their mobile phones, an Australian lawyer won the right to serve a default judgment by posting the terms of the judgment on the defendants’ Facebook “Wall”. In a ruling that appears to be the first of its kind anywhere in the world, Master Harper of the Supreme Court of the Australian Capital Territory held that the lawyer could use the social networking site to serve court notices.1 The Facebook profiles showed the co-defendants’ dates of birth, email addresses and ‘friend’ lists and declared the co-defendants to be friends of one another. This information was enough to satisfy the Master that Facebook would be effective in bringing knowledge of the legal proceedings to the attention of the defendants.2 Facebook, for its part, was quite happy with the result, stating: “We’re pleased to see the Australian court validate Facebook as a reliable, secure and private medium for communication. The ruling is also an interesting indication of the increasing role that Facebook is playing in people’s lives.”3

There is no doubt that Facebook4 is now playing an increasing role in people’s lives. For the few who are unfamiliar with the application, Facebook is a non-commercial “social website” or, as put by its Terms of Use, “a social utility that connects you with the people around you.”5 The site’s “Facebook Principles” state that a user may “set up a personal profile, form relationships, perform searches and queries, form groups, set up events, add applications and transmit information through various channels.” As of June 2007, Facebook had more than 70 million active users, and users over the age of 25 made up its fastest growing demographic.6 If you have a computer, the odds are good that you are one of the now over 140 million people who have posted personally sensitive information onto Facebook or a similar social network site such as Myspace,7 Faceparty,8 Friendster,9 Bebo,10 Badoo,11 Habbo,12 Nexopia,13 Tagged14 and many more.15 If you are a typical user, you network with friends, upload photographs of yourself and your family members, enter your email address and cell phone number, and much more.16

Facebook asserts that this information is “secure and private”, and it is possible for a user to adjust their privacy settings to restrict access to a Facebook profile. Yet it was just a few weeks prior to the writing of this article that Facebook backed down (for now) following a firestorm of protest over a change to its “Terms of Use” that claimed ownership of user-generated content in perpetuity, even after a user closed or cancelled their account.17 For insurance professionals who handle claims that proceed to civil litigation, this raises the question: how does a user’s expectation of privacy play out in the litigation context?

Consider that a fully filled-out Facebook profile contains over forty pieces of recognizably personal information, including name; birthday; educational and employment history; online and offline contact information; sex; sexual preference and relationship status; political and religious views; favorite movies, books and music, and of course, pictures.18 Facebook is the largest photo-sharing application on the web with more than fourteen million photos uploaded daily. Facebook further offers multiple tools for users to search out and add potential contacts. In completing a typical Facebook profile, a person will have created a comprehensive database of information about both who they are and who they know.19 This is, for the most part, information that our laws treat as highly private. Not surprisingly, then, courts are struggling to define how the plethora of private information contained in social network websites should be used in litigation. Should a person’s choice to keep their Facebook profile private and share it only with selected “friends” override the right of other litigants to access information that may be relevant to a case?

For professional “fact-gatherers” such as lawyers, insurance adjusters, claims handlers and private investigators, the vast wealth of information that people volunteer on Facebook can be a goldmine or a smoking gun, depending on your perspective. The personal information contained in a Facebook profile may be highly relevant to matters at issue in litigation; when dealing with claims, particularly in the personal injury context, the information contained on a Facebook page can make or break a case. It is therefore crucial that insurance professionals stay informed of new developments in this emerging area of law. This article summarizes the approach currently adopted by Canadian courts.

FACEBOOK AND THE LITIGATION PROCESS

It is important to understand that litigation is a fact-gathering process. In Canada, our procedural rules of litigation facilitate this process in two ways. First, courts place a positive obligation on each party to identify all of the documents in their possession or control that may be “relevant” to issues in the litigation, and to produce each such document unless privilege is claimed over it.20 Second, lawyers are allowed to question a representative of each adverse party under oath, a process referred to as “examination for discovery”. The purpose of these processes is to uncover the facts of a case so that the law can be properly and fairly applied.

How does Facebook fit into these processes? Canadian courts have considered web-based networking sites such as Facebook and MySpace pages to be ‘documents’. If a party posts content on Facebook that relates to any matter at issue in an action, then that party is required to identify the content for the other side.21 In fact, a recent Ontario decision has held that it is now incumbent on lawyers to specifically raise the issue of Facebook profiles with their clients and explain that any relevant material that is posted on such sites will need to be produced in litigation.22

It sometimes happens, though, that relevant documents are overlooked or omitted. Facebook profiles are often among these overlooked documents. As noted by one judge, “[t]he concept of Facebook is relatively new. I see no fault on the part of counsel for the Plaintiff for not disclosing the existence of the Facebook page in the Affidavit of Documents. I suspect that when this action was filed in 2004, few people had heard of Facebook.”23 In such instances, where the privacy setting on a Facebook profile has been set to allow public access, few issues arise; anyone who learns of the profile can search for and download any relevant information. Problems arise, however, where access to a Facebook page has been restricted.

Public Facebook Profiles

A number of cases in Canada have already admitted photographs or other information posted on a public Facebook page as evidence relevant to issues raised in the litigation.24 In one case, the discovery of photographs of a party posted on a MySpace page was the basis for a request to produce more photographs that were not posted on the site.25

In Kourtesis v. Joris,26 the plaintiff claimed that, following a car accident, she was unable to engage in Greek dancing, an activity that she had previously enjoyed. During the course of trial, but after the plaintiff had testified, a member of the defence lawyer’s staff happened across the plaintiff’s Facebook page showing post-accident pictures of her dancing at a party. The lawyer attempted to put these pictures into evidence. In deciding what to make of the photos, the judge held that the photographs, as “snapshots in time” and “taken out of context,” had only minimal evidentiary weight, but that they were still “highly relevant” to the assessment of damages for the plaintiff’s claim for loss of enjoyment of life. Further, the photographs were not on the same footing as surveillance photos because, unlike surveillance photos, the plaintiff had control of the photographs on her Facebook page and so could not be surprised by their existence and content. Finally, the mere fact that the photographs contradicted the plaintiff’s evidence at trial did not make them “prejudicial”. The judge held, however, that the plaintiff should be permitted to be recalled at trial so that she could have the opportunity to explain them.

Private Facebook Profiles

Canadian courts have mechanisms in place to monitor compliance with the disclosure duty. Where a party has reason to believe that another party has not complied with these disclosure obligations, he or she can ask the court to order disclosure of the documents. However, a court can refuse to order the disclosure of documents where the information is of minimal importance to the litigation but may constitute a serious invasion of privacy.27 A private document is, quite simply, any document that is not public, and includes private Facebook profiles.28 This creates a dilemma for a party seeking production of a private Facebook page: in order for a court to order production of a document, a court requires evidence, as opposed to mere speculation, that a potentially relevant undisclosed document exists. Yet a party is unable to access a private Facebook site in order to determine whether it contains relevant information.

To date, two Canadian cases have dealt with the production of the access-limited contents of a Facebook profile. The first, Murphy v. Perger, is a decision of Justice Rady issued in October 2007.29 In that case the plaintiff, Ms. Murphy, was involved in a car accident which, she alleged, caused her to suffer from a chronic pain disorder. She sued the other driver, seeking damages for the detrimental impact on her enjoyment of life and her inability to participate in social activities. Shortly before the trial, the defendant’s lawyer discovered a public website called “The Jill Murphy Fan Club” which contained post-accident pictures of Ms. Murphy at a party. This public webpage led the lawyer to Ms. Murphy’s private Facebook page. The lawyer was able to view Ms. Murphy’s name and a list of her 366 Facebook “friends”, but she had set the privacy settings so that permission was required to view her other Facebook material. The defendant’s lawyer sought production of the Facebook pages (but not the Facebook emails) on the basis that they likely contained relevant information. The plaintiff’s lawyer objected, claiming that the defendant was on a “fishing expedition”: there was only a mere possibility of relevant material on the site, and that was too speculative to justify an order for production given the plaintiff’s expectation that the site would be kept private.

The judge disagreed with the plaintiff’s argument and ordered the Facebook pages to be produced. The judge concluded that it was reasonable to assume that there would be relevant photographs on the site because www.Facebook.com is a social networking site on which a large number of photographs are posted by its users. Since the plaintiff had already put pre-accident pictures of herself into evidence, post-accident pictures of the plaintiff would also be relevant. Finally, the judge decided that the plaintiff could not have any serious expectation of privacy given that 366 people had already been granted access to the “private” site.

The second case to consider this issue is Leduc v. Roman, in which a decision of a Master was appealed to Justice Brown.30 The plaintiff, Mr. Leduc, was involved in a car accident which, he claimed, caused him to suffer various ailments and loss of enjoyment of life. Mr. Leduc underwent a psychiatric medical evaluation and told the defendant’s expert psychiatrist that he did not have a lot of friends in his current area, although he had “a lot of Facebook friends.” This remark apparently went unnoticed by the defence lawyer; it was not until after Mr. Leduc had been examined for discovery that the defence lawyer’s office, while conducting a search of Facebook, discovered that Mr. Leduc had a Facebook account. His publicly available profile showed only his name and picture. Because Mr. Leduc had restricted access to his profile to his Facebook friends only, the defence lawyer’s office was unable to view it.

The defence lawyer requested an up-to-date affidavit of documents from the plaintiff’s lawyer including the Facebook profile. When this was refused, the defence lawyer brought a motion before the court seeking, among other things, (1) an order requiring Mr. Leduc to preserve all the information on the Facebook profile; and (2) production of the Facebook profile itself. Mr. Leduc’s lawyer argued that it would be too speculative to infer that relevant material was posted on his Facebook site merely by proving the site’s existence. He sought to differentiate his case from that in Murphy. In that case there was a public website that posted relevant pictures of the plaintiff, creating a reasonable inference that there was also relevant material on her private Facebook page. In this case, there could be no such inference.

When the matter had first been argued, the Master had granted the preservation order, but had refused to order production of the Facebook profile, holding that the request was a fishing expedition. Justice Brown disagreed. He was of the opinion that a court can infer from the social networking purpose of Facebook that users intend to take advantage of it to make their personal information available to others. He stated:

From the general evidence about Facebook filed on this motion it is clear that Facebook is not used as a means by which account holders carry on monologues with themselves; it is a device by which users share with others information about who they are, what they like, what they do, and where they go, in varying degrees of detail; they enable users to construct personal networks or communities of “friends” with whom they can share information about themselves, and on which “friends” can post information about the user.

A party who maintains a private, or limited access, Facebook profile stands in no different position than one who sets up a publicly-available profile. Both are obliged to identify and produce any postings that relate to any matter at issue in an action. … To permit a party claiming very substantial damages for loss of enjoyment of life to hide behind self-set privacy controls on a website, the primary purpose of which is to enable people to share information about how they lead their social lives, risks depriving the opposite party of access to material that may be relevant to ensuring a fair trial.31

Justice Brown noted that mere proof of the existence of a Facebook profile would not entitle a party to gain access to all of the material placed on it. Some material on the profile might be relevant to the action, some might not. The level of proof required to show that the information may be relevant should take into account the fact that one party has access to the documents and the other does not.32 Justice Brown also noted that a defendant would normally have the opportunity to ask about the existence and content of a Facebook profile during the examination for discovery, and where the answers reveal that the Facebook page may contain relevant content, a court can order that those portions be produced.

Facebook Emails

No Canadian case to date considers a request for the production of Facebook emails. It is likely that Facebook emails will be treated differently than the other information on a Facebook profile; the profile is viewable by all of a user’s “friends”, whereas email is not. As a result, courts will likely hold that there is a greater expectation of privacy with respect to Facebook email communications. For this reason, a court may not be able to infer from the nature of the Facebook service the likely existence of relevant email communications. That being said, it seems likely that if there is enough evidence in a Facebook profile itself to suggest that email communications may be relevant and probative, this may be sufficient to convince a court to order disclosure.

CONCLUSION

It is important to note that lawyers’ rules of professional conduct strictly prohibit them from making direct contact with parties who are represented by counsel, and this certainly includes contact by way of Facebook. It would be a breach of a lawyer’s duties of honesty and candor to create a false profile in an attempt to elicit information from another party’s private Facebook profile. Similarly, adjusters, private investigators, and claims handlers should be aware that attempts to elicit Facebook information through surreptitious means would likely not be looked upon favorably by a court and may constitute a breach of Facebook’s Terms of Use. Consider the case of Knight v. Barrett.33 In that case, it was unclear how a party had obtained information from another’s private Facebook profile, so the court ordered the party who had obtained this information to include it in their affidavit of documents, and allowed cross-examination on that affidavit so that it could be determined how they had obtained the information. The judge stated that such disclosure would allow both parties to prepare for trial in the same light, and that it was not appropriate for the defendants to seek to ambush the plaintiff with his or her own Facebook page. With this cautionary tale in mind, a number of salient points should be taken from the cases referred to above:

  • Where a party’s personal information is relevant to an action, insurance professionals should be cognizant of the potential wealth of relevant information available on the Internet. Internet searches, including “Google” searches and searches of common social network websites, should be commenced as soon as possible in the course of adjusting the claim and repeated at regular intervals thereafter.
  • The current case law suggests that many a lawyer has been surprised to learn that his or her own client maintained a Facebook page, a fact not brought to their attention until very late in the litigation. Internet searches should therefore be performed not just on opposing parties, but also on one’s own insured/client.
  • Insurance professionals should ensure that their insured understands that Facebook profiles are producible “documents”, and that any relevant content posted on a Facebook profile will need to be disclosed, and preserved, in order to avoid spoliation issues.
  • Facebook pages are dynamic: where relevant material is discovered, it needs to be preserved immediately. Webpages should be downloaded, saved and dated, and high-quality colour copies printed out for future use in litigation.
  • Depending on the circumstances, it may be prudent to obtain a preservation order respecting the content of a Facebook page or other social network profile – for this reason, it is highly recommended that a lawyer who is experienced in these matters be consulted and involved early on in the investigative stage of a claim.
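The preservation step in the list above (download, save, date) is easier to defend later if the capture is accompanied by a record of what was saved, when, and by whom, together with a cryptographic digest that ties a printed copy back to the captured bytes. The following is an added illustrative example, not code from the original article, from Facebook or from any court's procedure: it writes the captured bytes unmodified, records a UTC timestamp and a SHA-256 digest in a manifest, and re-verifies the saved copy. The URL and page content are constructed sample data; a real capture would substitute the bytes actually fetched from the site, and the manifest is hypothetical in form.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample data standing in for a real fetch; illustrative only.
SAMPLE_URL = "https://www.facebook.com/example.profile"
SAMPLE_HTML = (
    b"<html><body><div class='wall'>Post-accident party photos</div></body></html>"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the captured bytes."""
    return hashlib.sha256(data).hexdigest()


def preserve_page(url: str, content: bytes, out_dir, captured_by: str) -> dict:
    """Save the captured bytes verbatim and write a manifest beside them.

    The manifest records who captured the page, when (UTC), the URL, the size
    and the SHA-256 digest, so a later reader can show that a printed copy
    matches the bytes captured on that date. The capture itself is not edited.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    now = datetime.now(timezone.utc)
    digest = sha256_hex(content)
    stem = f"capture-{now.strftime('%Y%m%dT%H%M%SZ')}-{digest[:12]}"
    page_path = out_dir / f"{stem}.html"
    page_path.write_bytes(content)
    manifest = {
        "url": url,
        "captured_at_utc": now.isoformat(timespec="seconds"),
        "captured_by": captured_by,
        "file": page_path.name,
        "size_bytes": len(content),
        "sha256": digest,
    }
    (out_dir / f"{stem}.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_capture(out_dir, manifest: dict) -> bool:
    """Recompute the digest of the saved file and compare it to the manifest.

    Returns False if the file is missing or its bytes no longer match, which
    is what an altered or substituted printout would look like.
    """
    page_path = Path(out_dir) / manifest["file"]
    if not page_path.is_file():
        return False
    data = page_path.read_bytes()
    return len(data) == manifest["size_bytes"] and sha256_hex(data) == manifest["sha256"]


def main() -> None:
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        m = preserve_page(SAMPLE_URL, SAMPLE_HTML, tmp, "adjuster@example.invalid")
        print(json.dumps(m, indent=2))
        print("verified:", verify_capture(tmp, m))
        # Simulate a later edit to the saved copy: verification now fails.
        (Path(tmp) / m["file"]).write_bytes(SAMPLE_HTML + b"<!-- edited -->")
        print("after edit:", verify_capture(tmp, m))


if __name__ == "__main__":
    main()
```

The digest does not prove that the page existed on the site at that time (only the site operator or a preservation order can establish that); it proves that the copy later tendered is the copy that was captured and dated.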

As observed by Mitchell Kapor, the pioneer of the personal computer revolution, “getting information off the internet is like taking a drink from a fire hydrant.” The Internet is transforming the way we share and disclose personal information. In order for insurance professionals to obtain optimal results in litigation, be it a subrogated, defence or coverage action, it is important to be aware of the vast amount of potentially relevant information available online, and to stay alert for new developments in web-based technologies. If you have not heard of blogs, Twitter, Flickr, Internet communities, Wikipedia, cyber mobs, and other current trends, you are already “out of date” and could be missing out on key sources of relevant information. Cyberspace awaits – boldly go.

Footnotes

1. This appears to be an unreported decision, although the details are provided in a number of online articles. The defendants, Carmel Rita Corbo and Gordon Kingsley Maxwell Poyser failed to keep up the repayments on $150,000 they borrowed from MKM in 2007 to refinance the mortgage on their Kambah townhouse. It seems that the news of the default judgment got out before the lawyer, Mr. McCormack, had the opportunity to serve the papers. The couple’s Facebook profiles disappeared from the social networking site. See: “Facebook okay for serving court documents: Australian Court,” National Post (Wednesday, December 17, 2008) http://www.nationalpost.com/news/world/story.html?id=1084050; Rod McGuirk, “Aussie Court OKs Using Facebook for Serving Lien,” ABC News (December 16, 2008)  http://abcnews.go.com/International/wireStory?id=6470258; Bonnie Malkin, “Australian couple served with legal documents via Facebook,” Telegraph (December 16, 2008), http://www.telegraph.co.uk/news/newstopics/howaboutthat/3793491/Australiancouple-served-with-legal-documents-via-Facebook.html.

2. Ibid.

3. Ibid.

4. http://www.facebook.com/

5.  http://www.facebook.com/terms.php.

6. Leduc v. Roman, 2009 CanLII 6838 (Ont. S.C.), at para. 17 [“Leduc”].

7. (popular in the – 253,000,000 users)

8. http://www.faceparty.com (popular in the UK)

9. http://www.friendster.com (popular in ASEAN countries – 90,000,000 users)

10. http://www.bebo.com (40,000,000 users)

11. http://badoo.com (popular in Europe – 13,000,000 users)

12. http://www.habbo.com (popular with teens – 117,000,000 users)

13. http://www.nexopia.com (popular in Canada – 1,400,000 users)

14. http://www.tagged.com (70,000,000 users)

15. For a comprehensive list of social network sites, refer to Wikipedia’s List of Social Networking Websites at: http://en.wikipedia.org/wiki/List_of_social_networking_websites. See also James Grimmelmann, “Facebook and the Social Dynamics of Privacy,” New York Law School Legal Studies Research Paper Series, http://ssrn.com/abstract=126288, at p. 10 [“Grimmelmann”].

16. Farhad Manjoo, “You Have No Friends: Everyone else is on Facebook. Why aren’t you?” Slate (February 27, 2009), www.slate.com/id/2008678.

17. See, for example, Chris Walters, “Facebook’s New Terms of Service: We Can Do Anything We Want With Your Content. Forever.” The Consumerist (February 19, 2009), http://consumerist.com/5150175/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever.

18. Grimmelmann, supra note 15 at p. 9.

19. Ibid.

20. A party is required to prepare a list all the relevant documents, although the precise nature of the list will depend on the province. For example, in Ontario, the list of documents must be set out in an affidavit sworn by the party: Rule 30.03, Rules of Civil Procedure, R.R.O. 1990, Reg. 194.

21. Murphy v. Perger, [2007] O.J. No. 5511 2007 WL 5354848 (Ont. S.C.J.) [“Murphy”].

22. Leduc, supra note 6 at para. 28.

23. Knight v. Barrett, 2008 NBQB 8 (CanLII) at para. 7 [“Knight”].

24. For example, Hollingsworth v. Ottawa Police Services Board, [2007] O.J. No. 5134 (S.C.J.) (a plaintiff’s entry on his Facebook page, in which he described how he became intoxicated on public occasions, was used to contradict his claim of unlawful arrest); Pawlus c. Hum, [2008] J.Q. No. 12565 (J.C.Q.) (a landlord terminated a lease because of loud noises; the apartment would, on occasion, become a “fraternity house”, and in concluding that the tenant did not fulfil his obligations as a renter, the Board examined evidence that included pictures published on the fraternity’s Facebook site). See also Goodridge (Litigation Guardian of) v. King, [2007] O.J. No. 4611 (S.C.J.); (C.M.) v. R (O.D.), 2008 NBQB 253.

25. Weber v. Dyck, [2007] O.J. No. 2385 (S.C.J.).

26. [2007] O.J. No. 5539 (S.C.J.) [“Kourtesis”].

27. United Services Funds v. Carter (1986), 5 B.C.L.R. (2d) 222 (B.C.S.C.), leave to appeal dismissed (1986), 5 B.C.L.R. (2d) 379; M.(A.) v. Ryan (1994), 98 B.C.L.R. (2d) 1 (B.C.C.A.), aff’d [1997] 1 S.C.R. 157.

28. Leduc, supra, note 6.

29. Murphy, supra note 21.

30. Leduc, supra note 6.

31. Ibid, at paras. 31-32 & 35.

32. R.C.P. Inc. v. Wilding, [2002] O.J. No. 2752 (Master) at para. 12; Leduc, supra note 6.

33. Knight, supra note 23.
