Data Breach, Privacy & Cyber Insurance Law Content

January 2018

Submitted by: Steve E. Embry

9th Circuit Finds a Substantive—and Valuable Privacy Right

 

On November 29, 2017, a 9th Circuit panel affirmed the dismissal of a case against ESPN under the Video Privacy Protection Act (VPPA). In doing so, though, the panel recognized that the Act created a substantive right of privacy and that, for standing purposes, that right had value. This could have far-reaching implications in the 9th Circuit for so-called no-damage cases arising out of alleged privacy violations or data breaches.

The VPPA

Interestingly, the VPPA was enacted by Congress in 1988 in response to a video store giving The Washington Post a list of videos that Supreme Court then-nominee Robert Bork had rented. The VPPA was designed, in part, to protect consumers against the disclosure of personally identifiable information (PII) by video providers. The basic provisions of the Act provide:

  • A prohibition against knowing disclosure of “personally identifiable information” of a “consumer” who rents or otherwise obtains video materials
  • Liability for a breach and the ability for an “aggrieved person” to bring a civil action 
  • Statutory damages of not less than $2,500 per violation as well as punitive damages
  • Recovery of attorney’s fees and other litigation costs

The Allegations

In the ESPN case (Eichenberger v. ESPN), Eichenberger alleged that ESPN had disclosed the videos he was watching on ESPN3 by sharing the serial number of his Roku device (Roku allows users to view videos and content on their TVs) and the events he was watching with the analytics firm Adobe. Using this information together with information it had obtained from other sources, Adobe was able to identify persons viewing ESPN3 and what they had viewed. Adobe then gave this information back to ESPN in aggregated form, and ESPN sold the demographic information derived from that material to advertisers. Eichenberger argued that this constituted a violation of the VPPA, since ESPN knew that Adobe would use the information to identify him.

The ESPN Response

ESPN’s response was: where’s the damage? Eichenberger suffered no real monetary loss as a result of ESPN’s activities, and ESPN itself did not disclose any personally identifiable information. Hence, no standing and no violation.

Standing is a Hot Topic

Standing in privacy cases and in many data breach cases has been a hot issue on which the Circuits have not agreed. The Supreme Court attempted to weigh in on this issue in Spokeo v. Robins, which involved standing in the context of allegedly inaccurate information in an individual's consumer report. The Supreme Court recognized that Article III of the U.S. Constitution "requires a concrete injury even in the context of a statutory violation" but that a "bare procedural violation, divorced from any concrete harm" was not enough to supply this standing. Since that ruling, courts have not agreed on what it actually meant. Not long ago, for instance, the 2nd Circuit ruled that NBA 2K video game players lacked standing to sue Take-Two Interactive over biometric collection because the plaintiffs had failed to show injuries, or at least a real risk of harm.

The 9th Circuit Found a Substantive Privacy Right

In reaching the conclusion that Eichenberger did have standing, the panel, composed of three Circuit judges, held that the VPPA is a "substantive provision that protects concrete interests," and that the statute protects privacy interests more generally by ensuring that consumers retain control over their personal information.

The panel went on to hold that "privacy torts do not always require additional consequences to be actionable," that the VPPA codifies a substantive right to privacy, and that it protects a consumer's right to privacy in his or her video viewing history. Implicit in this holding is that the right has value and that its breach creates actual damage: a "plaintiff need not allege any further harm to have standing."

The panel went on to hold, though, that because the information ESPN provided to Adobe was not itself personally identifiable information, and only became so when combined with information that Adobe (not ESPN) possessed, there was no violation of the Act and no breach of Eichenberger’s privacy rights (a holding that is itself the subject of differing interpretation; see Hulu and the Cartoon Network: Keeping Rule 23 VPPA Class Actions at Bay). The Court reasoned: "In 1988, the Internet had not yet transformed the way that individuals and companies use consumer data — at least not to the extent that it has today. Then, the VPPA’s instructions were clear. The manager of a video rental store in Los Angeles understood that if he or she disclosed the name and address of a customer — along with a list of the videos that the customer had viewed — the recipient of that information could identify the customer. By contrast, it was clear that, if the disclosure were that 'a local high school teacher' had rented a particular movie, the manager would not have violated the statute. That was so even if one recipient of the information happened to be a resourceful private investigator who could, with great effort, figure out which of the hundreds of teachers had rented the video." The panel then concluded "that an ordinary person could not use the information that [ESPN] allegedly disclosed to identify an individual. Plaintiff has therefore failed to state a claim ... ."

What’s the So-What?

So why is this important? It means that in the 9th Circuit at least, and perhaps elsewhere, standing can be found based on the mere breach of privacy, without more and without any monetary loss. It means that privacy and personally identifiable information by themselves have the requisite value to supply standing. This could open the proverbial Pandora’s box for privacy and data breach claims unless and until the Supreme Court (or perhaps Congress) provides a better answer.

 

 




December 2017

Submitted by: Steve E. Embry

 

First of Its Kind Lawsuit Involving ICOs

Many companies and individuals have recently attempted to raise funds through the sale of cryptocurrencies, coins or tokens. These fund-raising activities are generally called initial coin offerings (ICOs) and take advantage of the interest in cryptocurrencies such as bitcoin, whose rise in value over the past year has been meteoric. In October, the first class action lawsuit involving an ICO was filed in federal court in California.

 

ICOs have become popular because they are relatively easy to conduct, there have traditionally been few regulations and the law surrounding them is not particularly clear, at least not yet. Here’s how they work:  a cryptocurrency is created and then sold to early backers of a project in exchange for legal tender or other cryptocurrency like bitcoin. The investors then hope for a return from the increased value of the cryptocurrency or in some cases, a share of the returns from the project. There is typically no Prospectus although the terms may be set out in a Whitepaper or other literature.  

 

Many of these ICOs don’t employ traditional safeguards like you see with initial public offerings or with registered securities.  The industry has attracted a large number of operators and consultants some with more experience and credibility than others.

 

The SEC Position

The Securities and Exchange Commission (SEC) recently issued two pieces of guidance related to ICOs: a DAO Report and an Investor Bulletin. The DAO Report states that whether a cryptocurrency qualifies as a security is a fact-based inquiry. (If the cryptocurrency is a security, a number of requirements with respect to such things as disclosure must be met.) According to the SEC, the key question is how the future value of the cryptocurrency will be determined; if it is tied to the promoter’s efforts, it will likely be considered a security. So, for example, where the cryptocurrency is essentially worthless unless future development occurs or a promised dividend stream is established, the chances are better that the SEC would consider it a security.

 

The Investor Bulletin provides more practical advice for ICO promoters and participants and suggests that, for promoters, disclosure of various risk factors, such as the ability to recover under the federal securities laws if fraud or theft occurs, may be appropriate.

 

The Tezzie Suit

The SEC’s position on whether ICOs involve the sale of securities will likely be at issue in a proposed class action filed against Dynamic Ledger Solutions, Inc. (DLS) and several related entities regarding an ICO for tokens called “Tezzies.” Tezzies are tokens related to the Tezos blockchain. According to the Tezos overview document, the Tezos blockchain would facilitate formal verification of smart contracts by mathematically proving the correctness of the code governing transactions. The network was to launch in summer 2017.

 

The Complaint alleges that DLS launched the ICO in July 2017, and that over 607 million Tezzies were thereafter sold. In exchange, according to the Complaint, DLS and the other defendants received digital currency worth about $232 million (now worth approximately $475 million, according to the Plaintiff).

 

The plaintiff generally alleges that the Defendants:

  • Failed to register the offer and sale of securities in violation of federal securities laws;
  • Committed fraud in the offering or sale of securities in violation of federal securities laws;
  • Committed false advertising in violation of California statutory law;
  • Engaged in unfair competition in violation of California statutory law; and
  • Acted as alter egos of one another, so that all actions could be imputed to each Defendant separately or to all Defendants severally.

 

More specifically, the Plaintiff also claims that the projected launch of the Tezos network in December 2017 was postponed to February 2018; since Tezzies derive their value from the usefulness and popularity of the Tezos network, that delay, according to the Plaintiff, devalued the assets. Also according to the Plaintiff, none of the development steps laid out in the overview document were met, and many terms were not even shown to purchasers. Finally, the Plaintiff asserts that the characterization of Tezzie purchases as donations is refuted by “significant investments made by cryptocurrency hedge funds.”

 

Plaintiff seeks restitution and disgorgement of gains, rescission of the purchases of Tezzies, and punitive damages, among other relief.

 

What’s at Stake?

The Tezzie case will likely raise questions of whether, and under what circumstances, an ICO will be considered a securities offering subject to securities-related rules and regulations, and of the validity of the SEC views set out in the DAO Report and Investor Bulletin. The plaintiff has squarely alleged that the token’s value was tied to future development and that no risk factors were included in the ICO materials, two factors specifically mentioned in the DAO Report and the Investor Bulletin. This case, and any subsequent ones, will no doubt impact the ICO marketplace and its popularity.

 

 


 

November 2017

Submitted by: F. Marshall Wall

 

If you haven’t heard of the GDPR, it is time to learn something about it – at least for the sake of your clients. For starters, what does GDPR stand for?  It is the European Union’s General Data Protection Regulation.  You may be saying to yourself, “Wait, I practice in the US, why do I care about this?”  If you represent companies that sell products or offer services inside the EU, then this regulation matters to your clients. 

 

For some time the EU has taken a very different approach to privacy than the United States.  The EU is far more supportive of the idea that individuals should have control over what is done with their personal information.  The GDPR is a result of this focus on protecting individuals’ privacy rights.  Since the regulation runs to more than 260 pages, this article will necessarily discuss only a few of the highlights.

 

The GDPR applies both to organizations within the EU and also to those “located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”  Given the connected nature of our world and the size of the EU, the GDPR will apply to a great many companies in the US.

 

Key terms within the GDPR include “controller”, which is an entity that determines the purposes and means of the processing of data, and “processor”, which is an entity that processes data on behalf of a controller.  The term “processing” includes the storage, dissemination, or use of personal data.

 

The GDPR definition of personal data is much broader than in typical state data breach statutes in the US.  According to guidance from the EU, personal data includes, “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

 

Data subjects have the “right to be forgotten” under the GDPR, meaning a data controller must erase the subject’s data and cease any further dissemination of it.  People will also have rights to learn what personal data an entity has about them, including obtaining a copy of the data and learning where it is stored and how it is being used. 

 

Breach notification rules under the GDPR are strict.  Notification must be given to a supervisory authority in each applicable member state of the EU within 72 hours of discovery of the breach and to any data subject “without undue delay” in any situation where “the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.”

 

The GDPR also requires that consent agreements with data subjects use simple language and cannot be filled with legalese.  While these agreements can and will be used to allow entities to use, sell, and disseminate data, the typical boilerplate click-wrap agreements that we have become used to with every download or update likely will not pass muster.

 

Another significant feature of the GDPR is that many entities will be required to designate a Data Protection Officer (DPO). A DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a “large scale.”  These terms are not well defined and subject to interpretation. 

 

Penalties for violation of the GDPR can be severe.  Controllers and processors can be fined up to four percent (4%) of “annual global turnover” or €20 million, whichever is greater. 

 

Since the regulation is not yet in force, there is no precedent for enforcement or for the level of penalties that will be applied in specific circumstances.  Many terms and provisions will require interpretation.

 

The GDPR was passed in April 2016 and becomes effective on May 25, 2018.  If companies have not started to prepare for compliance, there is no time like the present.

 

To learn more, and to see the countdown clock for enforcement of the GDPR, take a look at this link: http://www.eugdpr.org/.  At this writing your clients have 196 days, six hours, and 41 minutes to comply!

 


 

OCTOBER 2017

Advisen Cyber Risks Insight Conference Coming Up

 

There is still time to register for the Advisen Cyber Risks Insight Conference in New York City on October 26. It’s a one-day conference that I have attended for several years. It’s quite likely the preeminent industry cyber insurance and risk conference. Attendance is expected at around 1000—it is held always at the Grand Hyatt Hotel in Manhattan. Here is a link to the agenda.

 

The keynote this year is being given by Rudolph W. Giuliani, Chief of Cybersecurity, Privacy and Crisis Management Practice at Greenberg Traurig. The remaining speakers read like a who’s who in the cyber insurance field and range from underwriters, claims personnel, brokers and forensic experts. They include Stephen Catlin, founder of XL Catlin, a leading cyber insurer, Martin South, President, US and Canada Division, Marsh, and numerous others.

There will be three tracks going on simultaneously: a track on the cyber product, a track on quantifying the insuring risk and a track on defining the risk (aka “the threat track”). It was at this conference some three years ago that the General Counsel of Allstate stated from the podium that he believed litigation over the meaning of cyber policies was something he would be dealing with for the rest of his career…and he was a pretty young guy!!

 

And here’s the good thing about the conference… (shhh)…. there are not many outside lawyers who attend. So, if you want to chat with the AIG head of cyber claims, you can just walk right up to him. No fighting off hordes of other lawyers trying to scarf up business.

 

If any of you are thinking of going, give me a shout; I would love to meet up. Advisen publishes a daily cyber risk blog, by the way, if you would like to subscribe. Here is a link. It has some timely articles and news in it. And they welcome articles from outside lawyers and experts as well; I’ve had pretty good luck getting things published there.

Want more information on the now infamous Equifax breach? Here is a link to an article on the breach, the legal issues it will likely present and the impact.

 


 

 

AUGUST 2017

The FDCC’s newest section—Data Breach, Privacy, and Cyber Insurance—has planned an active year for 2017-18. Our section is led by Chair Steve Embry and Vice Chairs Chris Holecek, John Sinnott, and Marshall Wall. Feel free to contact any of the section leaders throughout the year to offer input or get involved.

 

We are planning a plenary presentation for the winter meeting in Amelia Island on cyber threats. Stay tuned for more information about this as the date approaches. The winter meeting is February 24-28, 2018 at the Omni Hotel and Resort in Amelia Island, Florida.

 

Here are some recent developments in data breach, privacy, and cyber insurance:

  • The Internet of Things to Come in Cybersecurity: The Internet of Things is fraught with risk. The monetization of health care data has been a significant threat since as early as 2015. We are all endangered by such exploitation because pieces of anyone’s information can be sold for a handsome profit on the Dark Web.
  • Outsider or Insider: Who Will Cause Today’s Data Breach?: In today’s cybercrime landscape, threats come not only from all sides, but also from within.
  • How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses: Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too. When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified. This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.
  • What to Know About Risk, Coverage Before You Buy Cyber Insurance: If a healthcare organization decides to insure itself against cyber-attacks, how do C-suite executives and others go about evaluating potential cybersecurity risks and insurance coverage in today’s chaotic threat landscape?
  • Data Breach Class Action Reinstated: Must plaintiffs allege actual identity theft from a data breach to avoid dismissal of their class action lawsuit? No, according to a recent opinion from a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit. 

One way to stay up to date on these issues is to participate in our section’s Slack page.

 

 

JULY 2017

The Anthem $115 Million Data Breach Settlement: A Tipping Point?

In 2001, a Texas jury awarded a woman named Melinda Ballard $32 million in what was touted as a toxic mold lawsuit. Almost overnight, a cottage mold litigation industry sprang up. Seminars on how to litigate a mold case from the plaintiffs’ and defendants’ perspectives proliferated and were standing room only (I know, I spoke at some). Plaintiffs’ lawyers advertised their mold expertise in a massive hunt for clients. Lawsuits galore. Experts and consultants came out of the woodwork as moon suits and containment enclosures like those used for asbestos abatement became the norm for wiping common mold off ordinary walls with bleach. Never mind that the Ballard case was really an insurance bad faith case. Never mind that mold was and is ubiquitous. Never mind that the causal relationship between mold and serious illness is, at best, sketchy. Millions of dollars were spent in costs and legal fees until the hysteria burned itself out.

Have we reached a Melinda Ballard moment with data breach litigation?  Last month, Anthem agreed to settle a class action over the health insurer’s massive January 2015 data breach. In that breach, hackers obtained and compromised the data of some 78.8 million current and former Anthem insureds and employees, which led to a probe by the Federal Bureau of Investigation and massive publicity. The information compromised included names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses and employee data, including income.

After the predictable litigation commenced and ran its course, Anthem agreed to pay $115 million to resolve consumer claims over the attack, the largest data-breach settlement in history. As part of the proposed settlement, Anthem agreed to set aside some $15 million to pay for out-of-pocket expenses incurred because of the data breach and to establish a fund to buy at least two years of credit monitoring services for the class to help protect them from fraud. For individual class members who already have their own credit-monitoring services and don’t want to enroll in the settlement’s plan, the settlement provides alternative compensation of as much as $50 per class member.

The proposed accord, which would end class-action lawsuits filed in several states, requires approval from a federal judge in San Jose, California.

Data breach suits have had mixed success in the courts. Substantial Article III standing issues exist, since often the damages are only possible or threatened, not actual. Where the breach involves compromised financial information, fraudulent charges resulting from the compromised account information are reversed by card-issuing banks, and only a small percentage of people are actually victimized by identity theft. And even if plaintiffs get past a motion to dismiss for lack of standing, there remain lots of procedural and substantive hurdles. So while some breach cases have outright failed on standing (as with Barnes & Noble’s data breach), others have settled for relatively modest sums, such as Target’s recent $18.5 million settlement over its 2013 breach with state attorneys general and its $10 million settlement with consumers.


But some believe the announcement of a $115 million settlement could suggest to the plaintiffs bar that these cases are now lucrative, initiating a feeding frenzy similar to that which occurred after the Ballard case. After all, data breach cases are costly to defend and, if successful, could pose significant exposure particularly if the numbers involved are large. And there are regulatory and attorney general potential liabilities. Not to mention the publicity and complicated nature of responding to data breaches prelitigation and the multitude of often inconsistent state laws which make the chance for errors in the initial handling process possible.

But before we all gear up for another wild litigation ride, there are several points to keep in mind. First, the Anthem breach involved a huge number of people and tons of data. Much of the data was health records, some of the most sensitive and valuable information on the black market. The possibility for mischief with a person’s health records is pretty significant. The regulatory framework involving health records is daunting. So from a standing perspective, it would be easier for a court to conclude that the data has value and/or the threat of harm is “imminent”.  Stolen health records increase the “anger factor” that often drives huge verdicts. These factors all make the Anthem case pretty unique.

Damages in most run-of-the-mill data breach cases not involving health data, though, remain hard to show with any certainty. Given the number of data breach incidents that have already occurred, more and more people already have credit monitoring in place, reducing its value as a damages element. In financial breaches, consumers at least are fairly well protected and knowledgeable.

And unlike the mold situation, the threat from a data breach is not so much one to a person’s health as to their convenience, making individual damages in most cases pretty low. That means that to succeed, plaintiffs must pursue class actions with uncertain recoveries in an area where the law is still unsettled. From the plaintiffs’ perspective, a proverbial long shot that could be expensive to bet on.

 

 

JUNE 2017

WannaCry: An Aptly Named Beginning to Large-Scale Ransomware Attacks?

 

On Friday, May 12, 2017, the ransomware attack known as WannaCry began.[1] Within a day, the malware had infected more than 230,000 computers in over 150 countries.[2] Thankfully, that same day a security researcher noticed a mistake in the malware’s code: before spreading, it checked whether an unregistered Internet domain name responded, and stopped if it did.[3] By registering that domain, the researcher triggered this built-in “kill switch” and halted the malware’s further spread. But future cyberattackers may not make the same mistake that WannaCry’s coders did.

 

WannaCry is classified as ransomware. It was unusual in how devastatingly it spread. Ransomware is malware that encrypts the files on a victim’s computer; the attackers then offer to supply the key that decrypts them for a fee, the ransom. Most ransomware arrives by tricking a user into running it, but the variants that spread on their own do so by targeting vulnerabilities in the victim computer’s software. Many such attacks are limited in scope because, when software developers become aware of vulnerabilities in their programs, they issue patches that eliminate those weaknesses. Every so often, however, attackers discover a vulnerability that had never been found before, and when they exploit it, everyone who uses that software is at risk. These are known as zero-day vulnerabilities, because the developer has had zero days to patch the flaw before it is attacked. The WannaCry attack targeted a vulnerability in Microsoft Windows that was not, strictly speaking, a zero-day: Microsoft had issued a patch for it (security bulletin MS17-010) in March 2017, roughly two months before the attack, and the exploit code WannaCry used had been published in April by a group calling itself the Shadow Brokers. Every Windows computer that had not yet installed that patch was at risk, as was every computer running an unsupported version such as Windows XP, for which no patch existed until Microsoft released emergency updates once the attack was underway.

 

Usually ransomware spreads through phishing: fraudulent emails carrying infected attachments or links which, when opened, run the malware (sometimes by exploiting a vulnerability in the program that opens the file) and encrypt the computer. WannaCry, however, was so effective because the vulnerability it targeted was in Microsoft’s implementation of the Server Message Block (SMB) protocol, specifically the old SMBv1 version of it.[4] SMB is an application-layer network protocol: it is the mechanism by which networked Windows computers share access to files, printers and the like.[5] Once WannaCry was running on one machine it needed no phishing to spread; it scanned for other computers exposing the SMB service (TCP port 445), both on the local network and across the Internet, and infected any that had not been patched. In other words, the vulnerability WannaCry targeted turned it into a worm, and the worm spread quickly and uncontrollably.
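The paragraph above describes the behaviour that made WannaCry a worm: one infected host trying to reach every other machine it can find on the SMB port. The following is an added example, not code from this article’s author or from any vendor product, showing how a responder might spot that fan-out pattern in ordinary firewall connection logs. It assumes a syslog-style export with space-separated key=value fields (timestamp, src, dst, dport, proto, action) and embeds a constructed sample log; the field names, the 20-peer threshold and the 60-second window are assumptions to adapt to your own environment.

```python
"""Flag hosts whose SMB connection pattern looks like worm propagation.

Added example for this newsletter entry; not code from the article's author
or from any vendor. Assumes a syslog-style firewall export with key=value
fields (timestamp, src, dst, dport, proto, action); the field names, the
threshold and the window are assumptions to adapt to your own logs.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                     # TCP port the SMB service listens on
FANOUT_THRESHOLD = 20              # distinct peers per window; tune per site
WINDOW = timedelta(seconds=60)     # sliding window length


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' log line into a dict."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(timestamp),
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
    }


def find_smb_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {source_ip: peak distinct SMB peers} for every source that,
    within any `window`, tried to reach at least `threshold` distinct
    destinations on port 445.

    A workstation talks SMB to a handful of file servers; a worm talks to
    every address it can find. Counting distinct destinations rather than
    packets keeps a busy but legitimate client from tripping the rule.
    """
    attempts = defaultdict(list)           # src -> [(ts, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event["dport"] == SMB_PORT:
            attempts[event["src"]].append((event["ts"], event["dst"]))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        in_window = deque()                # events inside the sliding window
        peers = Counter()                  # dst -> hits inside the window
        for ts, dst in events:
            in_window.append((ts, dst))
            peers[dst] += 1
            # Expire events that have fallen out of the window.
            while ts - in_window[0][0] > window:
                _, old_dst = in_window.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def build_sample_log():
    """Constructed sample log (not real traffic): one worm-like host, one
    ordinary file-server client, a slow administrative host and a host doing
    HTTPS, so the rule has both positives and negatives to chew on."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.0.15: 40 distinct peers on 445 in under 20 seconds, 30 on the LAN
    # and 10 on the Internet, the fan-out shape of an SMB worm.
    for i in range(40):
        dst = f"10.0.0.{100 + i}" if i < 30 else f"203.0.113.{i}"
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.15 dst={dst} dport=445 proto=tcp action=allow")
    # 10.0.0.40: chatty but legitimate, 40 connections to only two file servers.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.0.40 dst=10.0.0.{5 + i % 2} dport=445 proto=tcp action=allow")
    # 10.0.0.50: touches 30 hosts on 445, but only one every five minutes, so
    # never more than one peer inside any 60 s window.
    for i in range(30):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.50 dst=10.0.0.{200 + i} dport=445 proto=tcp action=allow")
    # 10.0.0.60: many peers, but on 443, which the rule ignores.
    for i in range(50):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.60 dst=198.51.100.{i} dport=443 proto=tcp action=allow")
    return lines


if __name__ == "__main__":
    for src, peak in find_smb_scanners(build_sample_log()).items():
        print(f"ALERT possible SMB worm: {src} reached {peak} distinct hosts on 445 within {WINDOW}")
```

Run as a script it alerts on the constructed worm host only; the chatty file-server client, the slow administrative host and the HTTPS traffic all pass. A legitimate vulnerability scanner or backup server will trip the same rule, so in practice those sources are allow-listed rather than the threshold being raised until the worm slips under it.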

 

Fortunately, WannaCry was not as devastating as it could have been. However, there is no reason to believe that similar cyberattacks will fail the way WannaCry did. There are many ways that law firms and businesses can reduce the likelihood of becoming victims of cyberattacks, ranging from buying cyber insurance to hiring outside firms to supply security. In the meantime, it is important to install software updates as soon as they are available, because those patches can keep you from being the next WannaCry ransomware victim.



[1] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[2] “‘Unprecedented’ cyberattack hits 200,000 in at least 150 countries, and the threat is escalating,” CNBC, May 14, 2017.

[3] Elizabeth Weise, “How a 22-year-old inadvertently stopped a worldwide cyberattack,” USA Today, May 13, 2017.

[4] Bill Brenner, “WannaCry: the ransomware worm that didn’t arrive on a phishing hook,” Naked Security by Sophos, May 17, 2017.

[5] “Microsoft SMB Protocol and CIFS Protocol Overview,” Microsoft, October 22, 2009.


MAY 2017

Data breach, privacy, and cyber insurance continue to be hot topics in the news. Here are some recent headlines:

We discuss these and other topics of interest to our section on our Slack page. Please join the discussion. Check your email for the invitation to join our Slack team or email one of the section leaders for more information.

 

 

APRIL 2017

IBM recently released its “X-Force Threat Intelligence Index” for 2017.  The report addresses security breaches during 2016 and notes that more than 4 billion records were leaked in 2016, more than the total from 2014 and 2015 combined.  This number was influenced by the massive breach disclosed by Yahoo, but even excluding that event, the volume of breaches continues to increase.

 

Distributed denial of service (DDoS) attacks continue to increase in size, and in many cases the botnets carrying out these attacks prey on unsecured Internet of Things (IoT) devices.  Malware attached to spam email continues to increase, and ransomware, which locks the infected system until the victim pays a ransom to the attacker, makes up a large majority of that malware.  2016 also ended with a record number of software vulnerability disclosures by developers.

 

The top five industries breached in 2016 were: (1) Information and communications; (2) Government; (3) Financial services; (4) Media and entertainment; and (5) Professional services.  The last category serves as a reminder to attorneys of their obligations to clients to take care of the information entrusted to them. 

 

If you have an interest, the report can be accessed here:

https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-13655&S_PKG=ov57325

 

 

 
