Copyright: hywards / 123RF Stock Photo
Copyright: hywards / 123RF Stock Photo

France’s data protection regulator – the  Commission Nationale de L’Informatique et des Libertés (CNIL) – ordered Alphabet Inc.’s Google in 2015 to comply with the right to be forgotten.

If the ruling is upheld, the approach to personal privacy threatens the equal and competing legitimate freedom of expression and access to information rights of businesses and consumers outside the European Union.

Scott L. Vernick and Jessica Kitain recently authored the Bloomberg BNA Privacy and Security Law Report article “The Right To Be Forgotten – Protection or Hegemony?” We invite you to read the full article.

Reproduced with permission from Privacy and Security Law Report, 15 PVLR 1253, 6/20/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800.372.1033) http://www.bna.com

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

 

 

 

In February 2013, President Obama issued his Improving Critical Infrastructure Cybersecurity executive order, which presented a plan to decrease the risk of cyberattacks on critical infrastructure.  The US Department of Commerce’s National Institute of Standards and Technology (NIST) was charged with creating the plan, which became known as the Framework for Improving Critical Infrastructure Cybersecurity (Framework).  The NIST worked with over three thousand individuals and business organizations to create the Framework.  The goal of the Framework is to help businesses develop cybersecurity programs within their organizations and to create industry standards for dealing with cybersecurity issues.

The Framework is designed to work with businesses to reach a sufficient level of cybersecurity protection regardless of size, sector, or level of security.  The Framework consists of three parts (1) The Framework Core, (2) The Framework Implementation Tiers, and (3) The Framework Profiles.  The Framework Core is a grouping of cybersecurity activities based on industry indicators, desired outcomes, and practices.  It assists businesses in developing Framework Profiles, which are used to create cybersecurity plans.  Essentially, the Core characterizes all aspects of a business’ cybersecurity protection so that the Framework can assist the business in creating a secure network.

The Framework Implementation Tiers assess how a business acknowledges cybersecurity issues and ranks the business into one of four tiers.  Ranked from weakest to strongest the four tiers are: (1) Partial, (2) Risk Informed, (3) Repeatable, and (4) Adaptive.  The Partial Tier is for businesses that may not consult risk objectives or environmental threats when deciding cybersecurity issues.  The Risk Informed Tier is for businesses that have cybersecurity risk management processes, but may not implement them across the entire organization.  The Repeatable Tier is for businesses that regularly update their cybersecurity practices based on risk management.  The Adaptive Tier is for businesses that adapt cybersecurity procedures frequently and implement knowledge gained from past experiences and risk indicators.  The Tier assignment helps a business better understand the impact of cybersecurity issues on its organizational procedures.

After a business has gone through the necessary steps with the Framework Core and Implementation Tiers, it can create a Framework Profile based on its individual characteristics.  A “Current” Profile allows a business to have a clear sense of where it stands in terms of cybersecurity and what aspects of its cybersecurity program need improvement.  A “Target” Profile represents the cybersecurity state that a business wants to achieve through the use of the Framework.  By comparing its “Current” Profile and “Target” Profile, a business is able to prioritize its actions and measure its progress.

There are several resources that support the Framework including the NIST’s Roadmap for Improving Critical Infrastructure Cybersecurity, the NIST’s Cybersecurity Framework Reference Tool, and The Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program.  A business that wants to utilize the Framework should visit the NIST’s Framework website at:  http://www.nist.gov/cyberframework/.

Copyright: argus456 / 123RF Stock Photo
Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information.  The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing.  The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud.  “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked.  The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury.  Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements.  S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”  Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling.  He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”  Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.

Guest Blogger: Kevin P. Demody, Summer Associate

Cyberattacks are not reserved for science fiction or corporate America; they can also impact professional sports.  An example of cybercrime is currently unfolding in Major League Baseball, where the St. Louis Cardinals are under investigation for cyberattacks.  The F.B.I. and Justice Department prosecutors are investigating whether the Cardinals hacked into the Houston Astros’ computer systems to obtain confidential baseball data.

Investigators have discovered evidence suggesting that Cardinals’ front office employees hacked the Astros’ computer systems containing information regarding possible trades, injury reports, and scouting evaluations.  If the allegations prove to be accurate, the attack would be the first known instance of corporate cyber warfare between professional sporting organizations.  The Cardinals organization, one of the most successful baseball clubs over the past two decades, has been served with subpoenas to obtain electronic correspondence that may have been related to the attacks.

In a written statement from Major League Baseball, the organization assured the public that it “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database.”  The League also promised to “evaluate the next steps” and “make decisions promptly” after the federal investigation concludes.

The cyberattacks may have been a revenge tactic by Cardinals’ employees against former Cardinals executive and current Astros’ general manager, Jeff Luhnow.  Mr. Luhnow, a scouting and player development executive with the Cardinals, was instrumental in the team’s World Series success by developing a unique way to evaluate players and manage talent.  Much of Luhnow’s success with the Cardinals was attributed to a computer system, named “Redbird,” which contained the organization’s collective baseball knowledge.  When Mr. Luhnow’s polarizing tenure with the Cardinals came to an end after the 2011 season, he left to become the general manger of the Astros.  Once with the Astros, he used his computer expertise to create an electronic baseball knowledge system similar to the Cardinals’ “Redbird.”

The Astros’ system, known as “Ground Control,” was a collection of the team’s baseball data that weighted information based on the opinions of the team’s physicians, scouts, statisticians, and coaches.  Investigators believe that members of the Cardinals organization used Luhnow’s old passwords to hack into the team’s system and steal data.  This is a common practice among cybercriminals who attempt to use previous passwords to gain access to other restricted networks.  The investigation initially began last year when the Astros believed that the cyberattacks had originated from rouge outside hackers.  It was only after further investigation that the F.B.I. determined the source of the cyberattacks to be a home occupied by a Cardinals’ employee.

At this point the investigation is ongoing and federal officials would not comment on which Cardinals’ employees were involved in the matter or if the front office executives had any knowledge of the cyberattacks.  No Cardinals’ employees have been suspended or put on leave yet.

In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.

In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses – who are also victims in criminal activity – to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.

This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses who suffer data breaches.

The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Alleghany County, Pennsylvania.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.

 

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”  For more information from the FTC on marketing apps, click here.