The Illinois Supreme Court’s Ruling

On January 25, 2019, the Illinois Supreme Court issued its long-awaited opinion in Rosenbach v. Six Flags Entertainment Corp, ruling that the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”), does not require an actual injury for a plaintiff to be considered “aggrieved” under the Act. The ruling, which was widely anticipated based on the court’s comments during oral argument, is widely expected to open the floodgates on class actions brought under BIPA, given the statutory damages available to plaintiffs. Indeed, in the first week since the ruling, at least 10 new BIPA class actions have been filed.

Under BIPA, parties that possess biometric identifiers (e.g., fingerprints, retina scans and voice recognition data) are prohibited from (i) selling, leasing, trading or otherwise profiting from such identifiers; and (ii) otherwise disclosing or disseminating such information unless the individual consents to such disclosure. BIPA imposes penalties of $1,000 per negligent violation of the Act and $5,000 (or actual damages, whichever is greater) for intentional or reckless violations. BIPA also allows for the recovery of reasonable attorneys’ fees and costs, including expert witness fees.

What Next?

The court’s ruling stands at odds with the Northern District of Illinois’ recent decision in Rivera v. Google, in which that court ruled that, unless a party suffers an actual injury, it does not satisfy the “injury in fact” requirement of Article III standing to pursue a BIPA claim in federal court. Consequently, expect all future BIPA cases to be filed in Illinois state courts.

While the Illinois Supreme Court’s ruling opens the door for an onslaught of BIPA litigation, certain defenses to such actions remain untested and will surely be litigated. For one, expect the issue of whether a plaintiff has consented to the use of his or her biometric information to be hotly contested. For plaintiffs who are employees, that likely means arguing over a company’s policies contained in a handbook or employment agreement. Indeed, employers would be well served to review their policies and agreements so that they specifically address the potential collection of employees’ biometric information.

Another line of defense may rest in a defendant’s ability to remove a case to federal court and then have it dismissed. If successful, a defendant could avoid liability to a plaintiff who does not suffer an actual injury if it can successfully use the parties’ diversity jurisdiction to remove the case and then argue that the plaintiff lacks Article III standing.

One thing is for sure – expect Illinois state courts to become a hotbed of BIPA litigation.

After a Cyberattack

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs.  This post will focus on what a business should not do after a cyberattack.  Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.

Do Not Search Through the Network

Once a cyberattack has been identified, most individuals may feel compelled to immediately examine their network and search through all of their system’s files.  This sudden reaction can cause further damage and may result in a total system failure.  Some hackers rely on the natural inclination to examine a network in order to cause more destruction.  They may install dormant malware that is triggered after an authorized user accesses the network to survey the damage.  If the hackers are monitoring the network after the attack, they may also be able to steal additional information such as passwords and usernames if individuals attempt to log on.

The better option is to immediately suspend all use of the network and commence the action plan.  By limiting network activity, a business may be able to contain the attack and safeguard unaffected systems.  Furthermore, suspending the network will help preserve evidence of the attack for law enforcement officials.  As a last resort, a business should be prepared to shut its entire system down in order to contain the attack if it is still active.

Do Not Release Information to Unconfirmed Parties

After a cyberattack, a business should be very careful to only communicate information to credible sources.  Some hackers will pose as law enforcement officials and send inquiring messages to the business after the attack.  These messages are sent in an attempt to gain information from the business.  The hackers may use this information to launch a second cyberattack on the already damaged network.  All communication should be via the telephone or in person if possible.  It is important that a business designate one individual to communicate on behalf of the business.  This individual should not share information with anyone until he or she has confirmed the identity of the other party.

Do Not Attempt to Retaliate Against Other Networks

If a business is able to determine the source of the cyberattack, it may be tempted to retaliate with cyber warfare against the source.  Not only is this tactic illegal under U.S. and foreign cybersecurity laws, but it may also cause further damage to a business’ system or provoke a second attack.  Additionally, many cyberattacks originate from innocent networks that have previously been hacked.  Retaliation against these networks would only hurt a previous victim and would not impact the hackers.  Remaining calm and following the action plan is always the best course of action after a business has been impacted by a cyberattack.

Notification

This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified.  This post will discuss the individuals and organizations that should be notified once a cyberattack occurs.  The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.

Individuals within the Business

A business’ Response Plan should list the specific employees to be contacted once a business has been attacked.  These employees normally include the senior executives, information technology officers, public affairs officials, and a business’ legal counsel.  Multiple methods of communication for each employee, including cell phone numbers, home phone numbers, and personal email addresses, should be listed in the Response Plan.  These critically important individuals should be contacted at the first sign of a cyber incident.

Law Enforcement Officials

Law enforcement officials should be contacted once a business suspects that its cyber incident is a result of criminal activity.  A business should not hesitate to contact law enforcement even if it fears that its business operations will be disrupted.  Both the FBI and the U.S. Secret Service prioritize their ability to work around a business’ normal operations when conducting an investigation.  These government organizations will work with a business to ensure that sensitive information is not released and that the business’ reputation is not unnecessarily tarnished.  Both groups will help the company release a press statement and decide what information is necessary to disclose to shareholders.  In addition, law enforcement officials are able to receive support from international counterparts in order to track stolen data around the globe.

The Department of Homeland Security

The National Cybersecurity & Communications Integration Center (NCCIC) is a branch of the Department of Homeland Security that provides continuous updates on cyber incidents, cybersecurity information, and recovery efforts.  By alerting the NCCIC to a cyber incident, a business is able to share and receive information that may be beneficial in its recovery efforts.  A business should keep in regular contact with the NCCIC, even if it is not experiencing a cyber incident, in order to stay alert to the latest trends in cyberattacks.

Other Potential Victims

After a business discovers a cyberattack, it should alert other businesses in its network because they are potential victims.  Cyberattacks often use network communications between businesses to spread malware and disrupt workflow.  Notifying other businesses may allow them to take preventative measures and insulate themselves from possible attacks.  If a business does not feel comfortable contacting other potential victims, it should communicate through law enforcement officials.  Victims may also be able to share information to assist each other in managing the cyber incident and discovering the source of the cyberattack.

The next blog post will discuss what a business should not do after a cyberattack and how a business should begin to recover.

Preservation of Evidence

This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the initial steps that a business should take once a cyberattack has been identified.  This post will discuss further steps that a business should take after an attack.

Preservation is critical when responding to a cyberattack.  The more evidence that a business is able to preserve, the greater the chance that the business will be able to determine how its system was hacked.  “Forensic imaging” is a useful way to preserve a system because it produces an exact, bit-for-bit copy of a computer’s hard disk.  A forensic image will capture all of the deleted files, the system’s files, and any other information that may be necessary for a detailed analysis of the attack.

After the necessary information and evidence of an attack has been preserved, the business should begin to transfer its information onto a clean system.  It is important to ensure that the transferred data is completely free of any impacted documents.  The business should write-protect the transferred data so that it cannot be altered by other corrupted documents.  In order to maintain the authenticity of the documents, access to them should be restricted and a chain of custody should be used.

All personnel involved with the response to the attack should keep detailed records of their actions.  This will not only help when modifying the Response Plan in the future, but may also be useful for law enforcement during its investigation.  Preferably, one employee should be in charge of coordinating and maintaining each individual’s information.  This ensures organization and continuity between employees’ responsibilities.  Important information to record includes (1) a description of all incident-related events, (2) details of all communications regarding the incident, (3) a description of each employee’s duties in response to the attack, (4) a listing of how each network system was impacted by the cyberattack, and (5) the version of software on the network.

If an attack is continuous, like a worm circulating through the network, a business should attempt to record the attack’s actions.  A business may be able to use network monitoring devices, like a “sniffer,” to intercept and note communications between the cyberattack and the business’ servers.  This type of monitoring is usually lawful if it is done to protect the business’ property or if network users have previously given consent.  However, a business should consult its legal counsel if it plans to engage in this type of monitoring because it may implicate the Wiretap Act or impact the business’ employment agreements.  A business should also ensure that it has enabled logging on an impacted server if it has not previously done so.  Finally, increasing the default size of the log files can help to prevent the loss of log data and defeat the cyberattack.
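The imaging, write-protect and chain-of-custody steps above, carried through as an added Python example (not code from the original post): the image is hashed while it is written, made read-only, re-hashed to verify it, and each handling step is appended to a custody log.  The function names and the sample “disk” contents are assumptions constructed for the example, not a real device.

```python
import hashlib
import json
import stat
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time; the hash is updated as the image is written


def acquire_image(source: Path, image: Path) -> str:
    """Copy `source` byte-for-byte into `image` and return the SHA-256 of the stream.

    The finished image is made read-only (the "write-protect" step).
    """
    digest = hashlib.sha256()
    with source.open("rb") as src, image.open("wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    image.chmod(stat.S_IRUSR | stat.S_IRGRP)  # 0o440: no write bit for anyone
    return digest.hexdigest()


def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-hash the image from disk and compare it with the acquisition hash."""
    digest = hashlib.sha256()
    with image.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def record_custody(log: Path, action: str, actor: str, item: Path, sha256: str) -> dict:
    """Append one chain-of-custody entry (JSON Lines) and return it."""
    entry = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "action": action,
        "actor": actor,
        "item": str(item),
        "sha256": sha256,
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Run acquire -> record -> verify -> record on a constructed sample 'disk'."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    source = workdir / "affected-host.bin"  # stands in for the block device
    image = workdir / "affected-host.dd"
    log = workdir / "chain_of_custody.jsonl"
    # Constructed sample content, not a real disk: a fake boot sector plus
    # "deleted" remnants, which a byte-level image keeps but a file copy would not.
    source.write_bytes(b"\xeb\x58\x90MSDOS5.0" + b"\x00" * 500 + b"deleted-file-remnant " * 2000)

    sha = acquire_image(source, image)
    record_custody(log, "acquired image", "ir-analyst-1", image, sha)
    ok = verify_image(image, sha)
    record_custody(log, "verified image", "ir-analyst-2", image, sha)
    return {
        "sha256": sha,
        "verified": ok,
        "image_mode": stat.S_IMODE(image.stat().st_mode),
        "custody_entries": len(log.read_text(encoding="utf-8").splitlines()),
        "expected_sha256": hashlib.sha256(source.read_bytes()).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real incident the source would be the device node of the affected disk, opened through a hardware write blocker, and the custody log would be kept off the affected system.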

The following blog post will discuss which individuals and organizations a business should contact after a cyberattack.

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole its customers’ data and debit card information.  The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing.  The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud.  “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked.  The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs had already paid for credit monitoring services to protect their data, which it held is a concrete injury.  Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that its customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

PREVENTING A CYBERATTACK (Part 2)

This is the second installment in a six-part discussion on the best practices to prevent a cyberattack.  The first part discussed four critical steps to prepare a business in the case of a cyberattack.  These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring.  This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.

5. Align Business Policies with the Response Plan

When an organization creates a Response Plan in the event of a cyberattack, it must ensure that the plan is cohesive with preexisting business policies within the organization.  In order for the Response Plan to be implemented effectively, it cannot clash with any of the business’ standard operating procedures.  For example, if the Response Plan states that whoever discovers the cyberattack must alert the entire organization, but the organization’s policy prevents an employee from emailing the entire company, there is a problem.  By testing the Response Plan, organizations can locate these potential problems before a credible cyberattack occurs.  Another important practice is to suspend the network access of former employees as soon as they are terminated.  This practice guards against the risk of a disgruntled former employee seeking revenge via a cyberattack.

6. Ensure Legal Counsel Understands the Legal Response to Cyber Incidents

Cyberattacks create unique legal situations that may be unfamiliar to a business’ legal counsel.  An organization should rely on its legal counsel for assistance in creating its Response Plan.  Legal counsel’s understanding of its client’s Response Plan can save valuable time and resources in the event of a cyberattack.  Legal counsel can instruct a business on its obligations to report breaches to customers, its ability to terminate employees based on cyber incidents, and the privacy concerns associated with network monitoring.  A business should also ensure that its legal counsel understands the possible legal action that it can take, both in the short term and the long term, in the event of a cyberattack.  Legal counsel that is familiar with cyber security laws will be better equipped to immediately assist clients if a cyberattack occurs.

7. Cultivate Relationships with Cyber Incident Information Centers

Access to a network of cyber intrusion news and information can be a valuable resource for a business in order to keep ahead of the latest threats.  Organizations that collect and disseminate cyber security information exist in every market sector and are commonly referred to as ISACs (Information Sharing and Analysis Centers).  A business that is committed to maintaining a strong cyber security network should subscribe to the appropriate ISACs for its market sector.  This will enable the business to prepare for possible threats and share helpful information.  Businesses in niche sectors can rely on government-created ISAOs (Information Sharing and Analysis Organizations) for their cyber security information.

8. Establish Connections with the Appropriate Authorities

Businesses should establish a working relationship with local law enforcement and cybercrime units before a cyberattack occurs.  Familiarity between law enforcement and a business will allow for a more accurate and efficient response in the event of a cyberattack.  On the federal level, the Federal Bureau of Investigation and the U.S. Secret Service frequently deal with cyberattacks. Each agency has a department that conducts outreach to private businesses. The departments are the FBI’s Cyber Task Force and the Secret Service’s Electronic Crimes Task Force.  A business should contact these agencies to review its Response Plan and seek support prior to a cyberattack.

In response to a data breach in 2014, employees of the University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W-2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.

In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses – who are also victims in criminal activity – to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.

This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses who suffer data breaches.

The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Allegheny County, Pennsylvania.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”


On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”

The Federal Trade Commission announced yesterday a settlement with Epic Marketplace, an online advertising network, which prohibits Epic from further collection of data obtained by “browser sniffing” the surfing history of Internet users and requires Epic to destroy all previously collected data.

According to the FTC complaint, Epic was collecting information from millions of individuals by “browser sniffing,” which is a practice that allowed Epic to determine whether the user had previously visited more than 54,000 websites, including websites relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Once Epic had this information, it would then send targeted advertisements to the user.

Many users have no idea that this technology even exists, and the FTC’s main gripe appears to be that the user did not have knowledge this was occurring on sites outside of Epic’s advertising network. Epic’s privacy policy promised that Epic would collect information about users only for use in Epic’s 45,000 website network. Apparently, the FTC was not concerned with the practice itself; its concern was centered around Epic collecting information from users about visits to websites not in Epic’s website network.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” FTC Chairman Jon Leibowitz said in a statement. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

Stated another way, the FTC is saying that Epic could collect information about whether consumers visited sites in its advertising network having to do with fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy, and then use that information to serve that consumer advertisements. The problem was that Epic went beyond its own advertising network. That makes sense.  A company breaching the representations in its own privacy policy is low hanging fruit.

What the FTC is NOT saying is that consumers would never know what the heck Epic’s privacy policy says, so how could they consent to this collection and use of their information. Online advertisers are in this wonderful position where the consumer never really “gets” to them; the consumer only sees the advertisements that are served.

So is the takeaway that any company besides Epic can use “browser sniffing” as long as its use is disclosed in its privacy policy (which consumers would not even know existed) and followed by that company?  The FTC is certainly not taking a contrary position.
