On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.
Ransomware, a method of electronically attacking corporations and individuals by holding their data hostage, has gained massive popularity amongst hackers in the last several years. Ransomware is the first form of malware to present the threats of both the destruction of important data and the economic harm the loss of that data can create. Ransomware attacks will continue to increase in scope and severity in years to come, necessitating continuous vigilance.
In essence, ransomware acts by taking data that is of value to an entity but not deleting it. The ransomware acts as a figurative glass wall, allowing the owner of the data to physically possess that data but not access it. This is accomplished by implanting a virus on the owner’s hard drive, usually by means of an infected link in an email or other innocuous-looking document. Once the link is clicked, the ransomware works by encrypting the entire storage system. The hackers then threaten to destroy the data unless a ransom is paid.
2017 saw some of the worst ransomware attacks to date, escalating exponentially in size and gravity over previous years. According to a study by the Kaspersky Lab, over 479 million attacks occurred from online sources during the first quarter of 2017, up by over 250 percent from years past. These attacks ranged across countries and industries, and plagued corporations of all sizes.
The Nevada Public Records Act (NPRA), NRS §§ 239.001 et seq., requires that “public books and public records” must be open at all times during office hours to inspection by any person. But what is a “public record,” and what makes a record “public”? On March 29, 2018, the Nevada Supreme Court addressed that issue and more by adding to its growing list of case law on the NPRA in Comstock Residents Association, et al. v. Lyons County Board of Commissioners, Case No. 70738, 134 Nev. Adv. Op. 19 (2018) (“Lyons County Board”). In Lyons County Board, the Court built upon its prior opinion in Las Vegas Metropolitan Police Dept. v. Blackjack Bonding, Inc., 131 Nev. 80 (2015) and further explained that an otherwise “public record” does not become “private” simply because it is maintained in or upon private property. Thus, the Lyons County commissioners’ private cellphones and email accounts constituted public records subject to disclosure so long as the records maintained on otherwise private devices and accounts concerned “the provision of public service.”
Duane Morris is presenting a series of webinars on strategic planning and compliance with the upcoming General Data Protection Regulation, a far-reaching EU law that affects any company doing business in the European Union. The GDPR establishes a broad range of requirements for enhanced data security, along with significant penalties for non-compliance. As the European Union focuses on protecting the data privacy of EU citizens, the GDPR has greatly expanded jurisdiction.
Join an interdisciplinary team of Duane Morris attorneys for an in-depth discussion of GDPR, along with timely and practical strategies to prepare your business for compliance with this complex rule.
The Federal Trade Commission and the Federal Communications Commission are among U.S. regulators now starting to flex their muscles when it comes to enforcing cybersecurity standards, says Burton. What enforcement trends might we expect to see in 2017?
To view the video, please visit the Bank Info Security website.
Section 230 of the Communications Decency Act (CDA) generally grants broad immunity to Internet Service Providers (ISPs) with respect to third-party content posted on the ISP sites. The legislative history behind CDA Section 230 makes plain that Congress intended for the Internet to flourish for businesses and the US economy, and that intent would be thwarted if ISPs had the onerous duty to police and somehow regulate information and communications posted on their sites by others the ISPs do not control.
Nevertheless, there have been efforts in legal cases to chip away at the broad immunity afforded to ISPs by CDA Section 230. One such effort is the recent legal case Jane Doe No. 1 v. Backpage.com, LLC.
Online retailers across the United States have one more issue to consider as they prepare for the next sale: a growing number of lawsuits under the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) alleging that standard online terms of service agreements on websites violate the New Jersey bar on deceptive notices.
The TCCWNA—N.J.S.A. 56:12-14 et seq.—was enacted in 1981 to prohibit businesses from using provisions that deceived consumers about their legal rights. The statute provides a private right of action that allows both actual customers and prospective buyers to bring suit against businesses. Businesses that violate the TCCWNA are liable to aggrieved consumers for $100, actual damages, or both, as well as reasonable attorneys’ fees and court costs.
To read the full text of the Alert, please visit www.duanemorris.com.
An appellate court in Paris recently ruled that Facebook can be sued in France, so a case can proceed there against the social media giant over Facebook’s decision to remove the account of a user in France who posted a well-known 19th century nude painting, according to Reuters.
This legal decision could be of concern to Facebook, as it has more than 30 million users in France, and because the French appellate court rejected as “unfair” the clause in Facebook’s terms and conditions that requires worldwide lawsuits to be heard in Santa Clara, California. Facebook still has the option to seek review by the highest appellate court in France.
Just over a year ago, on December 31, 2014, Russian President Vladimir Putin signed into law new personal data localization requirements, mandating that data operators collecting personal data about Russian citizens “record, systematize, accumulate, store, amend, update and retrieve” data using databases physically located in Russia. Among other things, passage of the new law generated immediate concerns regarding its scope, implementation, and implications. On August 3, 2015, less than a month before the new law was to take effect, the Russian Ministry of Communications and Mass Media published official “guidelines”, largely in the form of FAQs, in an attempt to “clarify” the law and address some of the questions and concerns it generated. http://www.minsvyaz.ru/ru/personaldata/ (in Russian). Nevertheless, one question that has remained unanswered since the law has gone into effect (September 1, 2015) is whether the law introduces trade restrictions that violate World Trade Organization regulations. Russia has been a WTO member since August 2012.
Many college students likely would covet an internship at Facebook. One Harvard University student landed such an internship. However, he says that the internship offer to him was rescinded by Facebook because he reportedly exposed privacy flaws in Facebook’s mobile messenger. Is that correct or not, and what lesson has been learned?
Harvard student Aran Khanna launched a browser application from his dorm room. The app revealed that Facebook Messenger users were able to precisely pinpoint the geographic locations of people with whom they were communicating, as reported by The Guardian.