Raines Feldman privacy and data security lawyers discuss privacy issues implicated by mature content appearing on Snapchat without warning to minors. Among other issues presented, the team discusses the applicability of the Communications Decency Act, both as a defense and a source of statutory damages for the plaintiffs. Also, our lawyers analyze the enforceability of Snapchat’s arbitration clause and class action waiver. Minors may not enter into binding contracts and the plaintiffs are a putative class of minors. Finally, we discuss special pleading challenges presented by claims under California’s unfair business practices statute. The statute, California Business and Professions Code section 17200, requires a pecuniary loss in order to advance claims.
The Raines Feldman cyber liability team then pivots to hacking scenarios that often affect businesses with respect to former employees stealing trade secrets.
Every business will experience hacking incidents. There is no way to achieve 100% prevention. However, when such incidents occur, companies have a multitude of legal claims that can be brought under statutes ranging from the Uniform Trade Secrets Act to federal claims under the Stored Communications Act in addition to the Computer Fraud and Abuse Act. Often common law claims related to interference with contractual relations are warranted. Damages include actual, statutory and punitives. Injunctive relief is typically available in the form of a temporary restraining order and preliminary injunction.
The cyber liability team here at Raines Feldman has endeavoured to provide weekly cyber liability law updates. While the production values are very public access, we hope that you will find some practical advice and useful legal analysis from time to time.
This week, we catch up on some recent hot topics. First, we explore the ruckus caused by the National Enquirer story alleging that Republican presidential candidate Ted Cruz had five mistresses. We wondered if any of the alleged mistresses, most notably CNN commentator Amanda Carpenter, would have viable claims for defamation. Steve Gebelin helps point out the challenges that public figures such as Amanda Carpenter face in such cases. Among other things, the law has evolved to provide cover for re-tweets, links and reporting on reporting. Bottom line is that a false narrative can spread like wildfire and it is very hard to meet the standard of actual malice required by most courts in order for a public figure to prevail.
Then we turn our attention to Apple and its refusal to comply with a federal court order to assist the FBI in hacking into the cell phone of deceased radical Islamic terrorists behind the San Bernardino massacre. Former federal prosecutor Scott Lesowitz gives us his take on the outcome and possible future fallout regarding Apple’s disobedience. In the end, it was much ado about nothing as an Israeli security firm helped crack into the iPhone. While Apple wanted to highlight the security of its phones, in actuality the Israelis proved that no device is secure.
Accepting credit cards just became a riskier and more expensive proposition for small business owners. As a law firm specializing in data breach prevention and response, we know that the United States lags behind comparable markets globally in credit card security. As a result, the nation has experienced a marked increase in credit card fraud in recent years. To combat this rise, major U.S. credit card issuers have introduced chip-cards, also known as “E.M.V.” cards. E.M.V. is the worldwide standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. (E.M.V. stands for Europay, MasterCard and Visa, the companies that created the standard.) Chip-card technology frustrates counterfeiters accustomed to stealing and duplicating the static data on magnetic stripe credit cards. The transition to chip-card technology coincides with a shift in liability for fraud. On October 1, 2015, the liability for card-present fraud shifted to whichever party is the least E.M.V.-compliant. If your business fails to upgrade to E.M.V.-compliant technology, you could bear the cost of a fraudulent transaction at your point of sale.
Credit card fraud in the U.S. has doubled in the past seven years, largely due to increased protection in the rest of the world resulting from the widespread adoption of E.M.V. cards. Banks and merchants lost over $16 billion in 2014 on fraudulent transactions. Nearly half of these targets were based in the U.S., which accounts for only 21 percent of the world’s card transactions. Thieves obtain card information through data breaches and card skimmers and produce duplicates of the cards using the stolen data. Chip-cards will not protect against fraud following physical theft and offer no added protection online. However, roughly fifty percent of credit card fraud occurs onsite, accounting for 13.7 million fraudulent transactions in 2012 totaling $2.3 billion in charges. Aligning credit card security in the U.S. with other major global markets should diminish the disproportionate targeting of American merchants.
Data breach incidents are a continuing threat to modern commercial activities. Almost every company of every size is affected by data breach. Large companies are obvious targets due to the size, nature and scope of their data collection practices. Similarly, small companies that often serve as vendors are targeted as gateways into larger companies and government agencies. Data breach is the modern equivalent of employment lawsuits that developed in the 1970s and 80s. Every company needs to be familiar with the laws and implement procedures to reduce liability.
The good news with respect to data breach incidents is that the attorney-client privilege and attorney work product doctrine are powerful tools that companies can use to effectively and honestly examine their cybersecurity holes, prepare for breaches and respond to breaches without providing evidence that could be used to establish liability. This is very important because most companies have serious security gaps and poor security hygiene. Without the protection of privilege, companies would be stuck in the classic Catch-22.
While Ashley Madison is hardly a pillar of the Fortune 500, or a traditional small market company for that matter, it should serve as a wake-up call to companies of all shapes and sizes. The fact of the matter is, we are witnessing the destruction of a company and countless lives due to a data breach. And the scary thing is, it can happen to any company.
The digital damage is staggering. The hackers targeted two categories of information, released in subsequent online dumps. The first data set included user account information including email addresses and user names. The second dump consisted mainly of Ashley Madison internal emails regarding business conduct and strategy. While not affecting consumers, this second data dump was just as devastating. It revealed, among other things, that Ashley Madison charged its users $19 to delete all account information. Apparently, this did not happen. Second, internal emails at Ashley Madison reveal executives apparently planning to hack into the networks of its competitors. Third, it turns out that Ashley Madison was full of fake female profiles likely created to entice new members and facilitate recurring charges. That’s enough criminal and civil liability to keep armies of lawyers busy for decades.
Data security and privacy lawyers around the country have been closely monitoring the matter of FTC v. Wyndham Worldwide Corp. pending in the 3rd Circuit. The case arose over multiple data breaches suffered by Wyndham and its customers in 2008 and 2009. Over $10 million in fraudulent charges were booked as a result. Wyndham faced civil litigation from consumers and shareholders alike. Additionally, the FTC brought an action under its broad authority to pursue civil damages and injunctive relief for unfair business practices. While a generalized term, unfair business practices under the FTC Act requires harm to consumers. The FTC has reasoned in recent years that lax cybersecurity meets this standard because data breaches cause consumer harm.
It is worthwhile to keep in mind the facts that gave rise to the FTC’s action against Wyndham. The FTC alleged that the aforementioned breach was caused by Wyndham’s nonchalant cyber security policies. For example, Wyndham did not adequately protect the passwords to its property management system. Rather than using complex passwords including numbers and caps, Wyndham protected its system with easily guessed passwords. Additional bad facts for Wyndham include its practice of storing consumers’ payment information in plain, readable, unencrypted text. This is a big sin in the security world. Finally, Wyndham failed to implement industry standard privacy protections such as firewalls and segmented data storage.
Data breach incidents are on the rise and here to stay. It seems like every week there is a new, high profile breach regarding a government agency, movie studio, retailer or health care provider. Let’s face it, data breaches are inevitable. I know that sounds fatalistic but that’s the truth. And there seems to be no conceivable way of reducing the number of breaches.
Previously, companies that experienced a breach had to deal with minimal financial downside aside from providing notice and identity theft protection to consumers. Throw in attorney fees to guide the company through inquiries by state and federal agencies. The big cost has arguably been bad publicity and erosion of consumer goodwill and confidence.
The big baseball news relates to the St. Louis Cardinals’ hacking of the Astros’ scouting database and not the latest deal for a high-priced middle reliever. As a data breach attorney and baseball fan, it is rare that two of my main interests collide. I must confess to feeling some schadenfreude since I am a long-suffering Brewers fan.
The New York Times has been all over this, reporting that the Cardinals had an acrimonious breakup with former GM Jeff Luhnow. The hack was initiated by current Cardinals employees with an apparent ax to grind with Luhnow. The motivation appears to have been to embarrass Luhnow by exposing his private conversations about talent.
One issue that often faces small to medium sized companies is whether or not to buy cyber liability insurance policies. The need and market for such policies is developing. In this post, I will provide an overview of the product and why I recommend that our clients obtain this coverage.
First, with rare exception, today every company is a tech company. Obviously, social networks and electronic marketplaces are run from an internet platform but the same can be said for the auto body shop that interacts with insurance carriers via web portals. Just as tech companies have a significant brick and mortar presence, traditional brick and mortar companies transact large amounts of business online. Because of this simple fact, I advise my clients, large to small, to obtain cyber liability coverage.