The unprecedented cyberattack on October 21, 2016, which crippled many of the Internet’s most widely trafficked sites, should be a wakeup call for businesses about the potential for hackers to weaponize common Internet-enabled devices and cripple businesses.
The cyberattack was caused in part by malware directed to more than 10 million Internet-connected devices, including DVRs, thermostats and closed-circuit video cameras. It caused a distributed denial-of-service attack (i.e., service interruption) that hit in three waves. Dyn, an Internet services company that directs Internet traffic, reported that the attack hit all of its 18 data centers globally. Early reports show that the disruption may be responsible for up to $110 million in lost revenue and sales. Perhaps most troubling is that the group claiming responsibility said the attack is merely a dry run for much larger attacks.
Continue reading What the Recent Cyberattack Means and Ways Businesses Can Protect Themselves
Since the Supreme Court’s decision in Spokeo v. Robins, courts have begun to ratchet back prior decisions on the minimum standard to plead an injury sufficient to establish Article III standing. The recent Eighth Circuit opinion in Braitberg v. Charter Communications adds to the growing number of cases defendants will rely upon to get data breach cases dismissed at the pleadings stage. Braitberg addressed standing in the context of the retention, use, and protection of personally identifiable information. Although the case did not involve a data breach, its holding is however instructive when defending against such cases.
In Braitberg, plaintiff alleged that he was required to provide personally identifiable information to purchase cable services and that the cable provider improperly retained his information long after he cancelled the services in violation of the Cable Communications Policy Act (“CCPA”).
Prior to Spokeo, such claims would have been sufficient to establish Article III standing because the Eighth Circuit permitted the actual injury requirement to be satisfied solely by pleading that there was an invasion of a legal right that Congress created. The Supreme Court in Spokeo held that Article III standing requires a “concrete injury” even in the context of a statutory violation.
With the benefit of Spokeo’s guidance, the Eighth Circuit acknowledged that Spokeo superseded its prior precedent. Accordingly, the panel affirmed the district court’s dismissal of the complaint for lack of Article III standing and failure to state a claim. In doing so, the panel rejected arguments that CCPA created standing to sue where the defendant merely retained the data in violation of the statute with no other injury. It further rejected an economic argument that retention of the data deprived plaintiff of the full value of the services received from the company.
This decision is important for two reasons. First, the Eighth Circuit further narrowed the scope of allegations that will give rise to Article III standing in a post-Spokeo world. Second, in denying the economic argument, the court cut off an alternative avenue by which plaintiffs have successfully alleged harm.
Ransomware attacks are on the rise and expected to reach epidemic proportions. The most publicized attack took place this year at the Hollywood Presbyterian Medical Center when it was forced to declare an “internal emergency” after a ransomware attack locked down its systems. Businesses that are viewed as offering a combination of valuable data and weak security may be seen as attractive to attackers. Some attackers have strictly financial motivations while others may simply be in it for “the data.”
According to Cisco’s Midyear Cybersecurity Report, email and malicious advertising are the primary ways ransomware infiltrates a system. Businesses often pay the ransom but even when paid, files may be lost or altered in ways that could be devastating to the business.
Cisco reports that companies entering into M&A deals often do not conduct enough due diligence on the risk posture of the acquired business and realize their shortcomings after the deal is done, when it is too late to remediate problems or when it’s harder to do so because the networks are intertwined.
What can you do? Robust security is clearly the first step to prevent attacks and that begins with the creation of a comprehensive privacy and security roadmap that addresses high risk areas, compliance gaps and specific tactics for incident preparedness. It is important to involve experienced counsel at the outset to not only advise on the array of federal and state privacy and cybersecurity laws and help develop the policy but also to direct any security investigation so that consultants can report potential vulnerabilities to outside counsel to protect potentially negative findings from discovery in future litigation.
On September 7th, the Federal Trade Commission will begin its series of seminars on new and emerging technologies with a workshop on ransomware.
Last week the Future of Privacy Forum (FRF) issued “Best Practices for Consumer Wearables & Wellness Apps & Devices. The Best Practices are built on the five core principles of privacy protection, which form the foundation for privacy laws in the U.S.: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. They also seek to add protections for data that may not be covered by specific sector legislation and to add guidance in areas where general privacy statues are applicable.
While the Best Practices may appear easy to apply, in practice, they require businesses to develop a comprehensive approach to privacy and data security practices with the guidance of experienced counsel to avoid significant risks in this emerging area.
The Best Practices can be viewed at https://fpf.org/wp-content/uploads/2016/08/FPF-Best-Practices-for-Wearables-and-Wellness-Apps-and-Devices-Final.pdf
Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the “Privacy Shield”), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield. It replaces the prior Safe Harbor Program, which was invalidated by the European Court of Justice on October 6, 2015, when it ruled that the data of European citizens was not safe when stored on U.S. computer servers given the U.S. government’s ability to access information through its intelligence services.
The new Privacy Shield provides transparency in how companies use personal data, robust U.S. government oversight and increased cooperation with EU data protection authorities (the “DPA”). It includes more rigorous monitoring and enforcement by the U.S. Department of Commerce (the “Department”) and the Federal Trade Commission (“FTC”). Because the Privacy Shield is enforceable as U.S. law against a registered company, it is essential to ensure its compliance before registering.
Key provisions of the Privacy Shield include:
- Informing Individuals About Data Processing: The Privacy Shield requires more heightened notice standards than under the Safe Harbor, including additional requirements for participants’ privacy policies.
- Providing Free and Accessible Dispute Resolution: The Privacy Shield outlines several dispute resolution mechanisms and specific timelines for handling disputes.
- Cooperating with the Department of Commerce: Participants should promptly respond to Department inquiries and requests for information relating to the Privacy Shield.
- Ensuring Accountability for Data Transferred to Third Parties: Participants must enter into written agreements with third parties to ensure that data is processed for limited and specified purposes consistent with the consent provided by the individual, that the third party will provide the same level of protection and that the third party will provide notification if it can no longer meet its obligation.
- Transparency Related to Enforcement Actions: The Privacy Shield seeks to create greater transparency for enforcement actions by making public any Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC as a result of an FTC or court order based on non-compliance.
- Potential Additions in the Future: The Privacy Shield is designed to be updated with time to address evolving issues and accommodate the General Data Protection Regulation (effective in 2018).
The requirements of the Privacy Shield are different than its predecessor Safe Harbor. It may be prudent for companies engaging in the cross-border transfer of data to consult legal counsel experienced with the Privacy Shield to ensure compliance.
The Federal Trade Commission recently issued revised its “Red Flag Rules” guidance. The Red Flag Rules protect consumers by requiring businesses to watch for and respond to warning signs or red flags of identity theft. The guidance outlines which businesses are covered by the Rule. A copy of the guidance can be viewed at http://business.ftc.gov/documents/bus23-fighting-identity-theft-red-flags-rule-how-guide-business.
The New Jersey Department of State issued a directive to county elections officials to permit New Jersey registered voters displaced by Hurricane Sandy to vote electronically. Specifically, the directive permits voting by e-mail or fax. Of course, there are many security addresses that must be addressed to eliminate voter fraud. Of particular concern is how election officials plan to authenticate the e-mail and fax ballots they receive from displaced New Jersey residents.
This is the first time technology has been used in this way to vote and assuming that the security issues are adequately addressed, it will likely be studied to determine if it can used for the masses in future elections.
The release can be viewed on the New Jersey state website:
On August 9, 2012, the FTC announced that Google agreed to pay a record $22.5 million civil penalty to settle charges that it made misrepresentations to users of the Safari Internet browser when Google represented that it would not place cookies or serve targeted ads to those users. In doing so, Google violated an earlier privacy settlement it had with the FTC.
FTC Chairman Jon Leibowitz said “[t]he record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. . . “[n]o matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
Continue reading FTC Imposes a Record $22.5 Million Civil Penalty on Google for Privacy Misrepresentations
The Supreme Court of Pennsylvania recently amended the Pennsylvania Rules of Civil Procedure to officially include the discovery of electronically stored information. The amended rules become effective August 1, 2012.
Changes to Rules
Amended Rule 4009.1 includes “electronically stored information” among the list of items a party may request. The person requesting electronically stored information may specify the format in which it is to be produced and the responding party may thereafter object. If no format has been requested, the responding party may produce electronically stored information in the form in which it is ordinary maintained or in a reasonably usable form.
Continue reading Supreme Court of Pennsylvania Reject Federal Case Law on E-Discovery and Adopts A Proportionality Test for E-Discovery in Amendments to the Rules of Civil Procedure
A new Second Circuit decision could change the way some service providers conduct business on the internet, imposing a greater burden to assess specific infringing activity.
In Viacom v. YouTube, Viacom sought $1 billion in damages for direct and secondary copyright infringement based on claims that its users improperly uploaded thousands of Viacom’s videos. The district previously held that YouTube was protected against claims of copyright infringement under the DMCA safe harbor primarily because it had insufficient notice of the particular infringement at issue. Essentially, it held that under the DMCA, service providers did not have a responsibility to identify which of its users’ postings infringed a copyright.
Continue reading Second Circuit Addresses DMCA Safeharbor in Landmark Case