FTC Loses in LabMD Data Security Case: ALJ Sets High Bar for Consumer Harm

On November 13, 2015, an administrative law judge (“ALJ”) ruled against the Federal Trade Commission (“FTC”) in its high-profile data security case against LabMD. The ALJ ruled that the FTC had failed to show that LabMD’s conduct had caused harm to consumers according to the requirements of Section 5 of the FTC Act.

The FTC initially filed a complaint against LabMD in 2013 under Section 5, alleging that the laboratory company failed to “provide reasonable and appropriate security for personal information on its computer networks,” which the FTC claimed led to the leak of thousands of consumers’ data during two security incidents that had occurred several years prior.

Chief ALJ D. Michael Chappell, in a 92-page opinion, ruled in favor of LabMD, dismissing the FTC’s complaint because the FTC “fail[ed] to prove that [LabMD’s] alleged unreasonable data security caused, or is likely to cause, substantial consumer injury, as required by Section 5(n) of the FTC Act.” Notably, Judge Chappell concluded that, “[a]t best, complaint counsel has proven the ‘possibility’ of harm but not any ‘probability’ or likelihood of harm,” and further stated that “[f]undamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case.”

Although the FTC has indicated that it will likely appeal the ALJ’s decision, the ALJ’s ruling is significant. It sets a very high bar for the FTC to prove consumer harm, which mirrors the judicial trend in data breach class action suits. The decision also represents a major setback for the FTC, which has been vigorously investigating data security breaches and filing complaints under Section 5 of the FTC Act. Thus far, companies have chosen to settle with the FTC in the overwhelming majority of cases rather than challenge the complaint’s allegations. But such settlements often require FTC monitoring of the company’s data security practices for as long as 20 years. In light of the ALJ’s ruling, companies may now be less inclined to settle.

Practice Tip: Regardless of LabMD’s success, companies should continue to ensure that their data security policies and procedures are being implemented and followed in accordance with industry standards. Inadequate security safeguards may contribute to data breaches, potentially resulting in government investigations and enforcement actions that, even if successfully challenged, can be quite costly.

For more information about this decision go to the FTC website.

Posted in Data Breach, Data Security, FTC, HIPAA, Litigation

The Elephant in the Room – Catastrophic Property Damage from a Cyber Attack

Much of what we discuss in this blog relates to the loss of information and the legal and regulatory framework that exists to address individual privacy concerns following a data breach.  However, as our colleague Dick Bennett points out in a recent post on the Property Insurance Law Observer, an even greater — and potentially catastrophic — risk that looms large is the potential for a cyber attack aimed at bringing about physical harm.  An attack on an energy grid or the virtual hijacking of a driverless car are just two examples; the growth of the “internet of things” will bring countless more.  Speaking of the energy grid scenario, in a report published this past summer, Lloyd’s estimated that a full-scale attack could result in damages in excess of $1 trillion.

In his article, Dick writes:

“The ultimate risk is enormous.  Computerized industrial control systems run the world’s financial institutions, its manufacturing and chemical facilities, its transportation systems, and its energy infrastructure, including the electrical grid and power and water treatment plants.  These control systems are composed of devices such as programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) equipment that were originally designed to be open systems, which is to say systems focused on interoperability and ease of communication and repair.  Security was a secondary consideration at best.  If hijacked by a piece of malware, such systems could cause property damage and business interruption loss on a literally catastrophic scale.”  To continue reading Dick’s article, click here.

Posted in Cyberattack, Data Breach, Data Security

Life After Death (of Safe Harbor) – EU Data Protection in the Wake of Schrems

One month after the landmark decision in Schrems vs. Data Protection Commissioner (C-365/14), the European Commission (Commission) has issued guidelines, in the form of a Communication, regarding the transfer of personal data from the EU to the U.S.  As we discussed in an earlier post, the Schrems decision invalidated the Safe Harbor program, which was the easiest method for U.S. companies to comply with EU data protection laws.

The Communication released by the Commission offers alternative methods for compliance with EU data protection laws, while also highlighting the efforts the Commission is taking to develop a renewed and sound framework for personal data transfer to the U.S.

The Commission identifies three alternative methods for transferring personal data to the U.S.:

  1. Standard Contractual Clauses (SCCs) – The Commission has approved four sets of SCCs, which include rights and obligations regarding personal data transfers.  Because these SCCs, in principle, require national authorities to accept these clauses, the national authorities cannot refuse the transfer of personal data on the sole basis that these SCCs do not offer adequate safeguards.  This is without prejudice to their power to examine these clauses in light of the Schrems decision.
  2. Binding Corporate Rules (BCRs) – BCRs allow personal data to be transferred freely among the various entities of a corporate group.  BCRs are binding on members of a corporate group, are enforceable in the EU, and require a designated entity within the EU to accept liability for breaches of the rules by any member of the group outside the EU which is bound by the BCRs.
  3. Derogations – Derogations allow personal data to be transferred outside the EU when, among other reasons, the transfer is necessary for the performance of a contract, the transfer is necessary or legally required for the establishment, exercise, or defense of a legal claim, or unambiguous consent is given by the data subject prior to the proposed transfer.  The Article 29 Working Party, which advises the Commission, states that these derogations are to be strictly interpreted.

After identifying which alternative method is best, companies must be aware that there are often additional required steps to complete before a method is used.  For example, some Member States require notification and/or pre-authorization in order to use the SCCs, while all Member States require approval by the Data Protection Authority of data transfers on the basis of BCRs.

The Commission recognizes that these additional steps and alternative methods are more burdensome and costly to companies and as such, has intensified talks with the U.S. government to develop a framework for future transfers of personal data.  The Commission hopes to conclude the discussion and offer up a solution in three months.

In the meantime, companies will need to continue to work with counsel to ensure they are meeting the current requirements for personal data transfers from the EU to the U.S.

Posted in Data Security, Privacy, Regulations, Standards

Pennsylvania Federal Court Finds Standing in Data Breach Class Action

The debate over standing in data breach litigation is gaining more attention lately. While many courts have hesitated to find standing before lost personally identifiable information (PII) has actually been misused, the U.S. District Court for the Eastern District of Pennsylvania recently joined other courts that have found standing where the plaintiff has already suffered identifiable identity theft, marking the first time a Pennsylvania federal court has allowed a data breach class action to proceed beyond the motion to dismiss stage.

In Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015), Shane Enslin, a former employee, brought a class action against Coca-Cola and several of its divisions based upon the theft of 55 laptops that occurred between 2007 and 2013.  Enslin alleged the stolen laptops contained the PII of over 74,000 people, including himself.  According to Enslin, the theft of the laptops led to unauthorized access to his PII, which resulted in the theft of his identity, including theft from his bank account, unauthorized charges on his credit cards, the opening of new credit accounts in his name, and the use of his identity to obtain a job at UPS.

Following the identity theft, Enslin brought ten claims against the Coca-Cola defendants – violation of the Driver’s Privacy Protection Act, negligence, negligent misrepresentation, fraud, breach of express contract, breach of implied contract, breach of covenant of good faith and fair dealing, unjust enrichment, bailment, and civil conspiracy.  The Coca-Cola defendants moved to dismiss all of Enslin’s claims on the grounds that Enslin had no standing because he failed to properly allege an actual case or controversy and for failure to state a claim upon which relief can be granted. 

In arguing lack of standing, the Coca-Cola defendants asserted “that all future harms that [Enslin] may suffer from the loss of his PII and the preparations he has made in anticipation of these harms were speculative, hypothetical, and not an injury-in-fact.”  The court disagreed, holding that Enslin’s harms were not speculative or hypothetical, but, due to the actual fraudulent purchases made with his accounts, ongoing, present harms that gave him standing.   

The Coca-Cola defendants also argued that Enslin lacked standing because his harms were not causally connected to the Coca-Cola defendants’ conduct.  Specifically, the Coca-Cola defendants argued that the seven-year period between the end of Enslin’s employment and the misuse of the information was “too great,” that the defendants other than Enslin’s employer, Keystone Coke, had no relation to the harm suffered, and that the information lost was not enough to give rise to the type of harm suffered.  The court disagreed again, noting that Enslin plausibly alleged each Coca-Cola defendant had direct control over the laptops at some point prior to the theft, and that the loss of Enslin’s PII is fairly traceable to Enslin’s former employer, Keystone Coke.

After establishing Enslin had standing, the court addressed the Coca-Cola defendants’ argument that Enslin failed to state a claim upon which relief could be granted.  The court agreed in part and dismissed the majority of Enslin’s claims, including violation of the Driver’s Privacy Protection Act, fraud, breach of covenant of good faith and fair dealing, bailments, and civil conspiracy. 

Following the lead of previous federal and state courts, the court also dismissed Enslin’s claim for negligence and negligent misrepresentation based upon Pennsylvania’s “Economic Loss Doctrine.”  The Economic Loss Doctrine requires economic damages to be accompanied by physical injury or property damage for a claim in negligence to stand and the court found Enslin asserted only economic damages.  While Enslin argued he had a special relationship with the Coca-Cola defendants, such that his claims fell under the “special relationship” exception to the Economic Loss Doctrine, the court disagreed and found no special relationship between the two parties. 

After dismissing most of Enslin’s claims, the court allowed Enslin’s claims for breach of contract and restitution to move forward.  The court allowed Enslin’s breach of contract claim to proceed because Enslin fairly alleged the existence of an express and/or implied contract between Coca-Cola and Enslin that required Coca-Cola to protect Enslin’s PII.  The court allowed Enslin’s restitution claim to proceed because the Coca-Cola defendants’ breach of contract may have been deliberate, with the theory being that the Coca-Cola defendants deliberately failed to safeguard the laptops and encrypt the information to save money on cybersecurity. 

Whether Enslin’s class action will ultimately be successful remains to be seen, but for now, companies should be aware that plaintiffs who are able to allege a concrete injury following a data breach will likely have standing to pursue their claims.

Posted in Data Breach, Litigation

The End of Safe Harbor – What Does it Mean?

This past Tuesday, in the groundbreaking decision of Schrems vs. Data Protection Commissioner (C-362/14), the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor provision of the EU Commission, 2000/560C/EC.  The Safe Harbor program was the easiest method for U.S. companies to comply with EU data protection laws, which require personal data only to be exported when it will retain a comparable level of privacy protection as it has in the EU.

To ensure this similar level of privacy in other countries, the EU uses an “adequacy” test that evaluates all of the circumstances surrounding a proposed transfer of personal data, including the nature of the data, the purpose of the transfer, the security measures in place, and the laws in that country.  The Safe Harbor agreement allowed the U.S. to pass the “adequacy” test, but Edward Snowden’s revelations about alleged mass surveillance of EU citizens’ personal data by US intelligence services provoked a challenge to, and subsequent invalidation of, Safe Harbor.

Over 4,000 U.S. companies have been certified under the Safe Harbor program and each of these companies will now need to look to alternative methods to legally transfer data from the EU.  The European Commission stated on Tuesday that they “will come forward with clear guidance for national protection data authorities on how to deal with data transfer requests to the U.S., in light of the ruling.”   While we await these guidelines, however, companies can begin looking at other options that already exist, including the Model Contractual Clauses for companies exchanging data across the Atlantic and the Binding Corporate Rules for transfers within a corporate group. 

Additionally, the Data Protection Directive contains derogations under which data can be transferred, including on the basis of performance of a contract, important public interest grounds, the vital interest of the data subject, or the free and informed consent of the individual.  These derogations are often less permissive than they appear, due to narrow interpretations given by the EU Article 29 Working Party and the data protection authorities, so companies will need to work with counsel to formulate their best options.

The U.S. and the EU have been negotiating a new safe harbor agreement for the past two years, but, as of now, it is unknown when they might reach a final agreement.  In the meantime, the invalidation of Safe Harbor may have taken the easiest path away for European data transfers, but there are still multiple options available and we are available to help guide you through the choices.      

Posted in Data Security, Legislation, Regulations, Standards

Insider Trading Hack was Cinematic in Scope

The U.S. Department of Justice announced indictments in Brooklyn and New Jersey last month of 32 people for fraudulently obtaining inside information and then using that knowledge to make millions in the market, in the “largest scheme of its kind ever prosecuted.”  The inside information was taken from purportedly secure public relations company sites and, in some cases, the trades were made mere minutes after the cyber breaches.

When the news broke earlier this year that bank hackers in another scheme stole millions using malware, an official from one of the banks compared the heist to the one depicted in “Ocean’s Eleven.”  This newest (alleged) hacking conspiracy brings to mind another film: “Trading Places.”  You may recall that in that film, the protagonists use deception to obtain a confidential crop report, and then use that inside information to manipulate the orange juice futures market and take revenge on the corrupt brothers who run a commodities brokerage house.  (See this link for an explanation of the scheme).

Here, the hackers allegedly obtained the inside information from the public relations companies and then went to the market and executed trades.  The Department of Justice announced that, over a five year period, the Ukraine-based defendants hacked into the sites of Marketwired L.P., PR Newswire Association LLC (PRN), and Business Wire.   The hackers collected information from yet-to-be distributed press releases and shared them with traders who quickly executed transactions before the information became public.

The wide variety of infiltration methods the hackers used is impressive.  The New Jersey indictment helpfully lists and explains the different ways the hackers wormed their way into the sites.  For example, the hackers allegedly employed “bruting,” which is defined in the indictment as the decrypting of data “by running programs that systematically check all possible passwords until the correct password [is] revealed.”  In addition to malware and phishing, the hackers also allegedly used “structured query language” or “SQL,” which is defined by prosecutors as “a computer programing language designed to retrieve and manage data in computer databases.”

Did the PR companies do enough to protect their clients’ financial information?  It’s unclear.  We know from the indictment that some security seems to have been in place, since the alleged hackers switched from one source to another as they lost access due to detection and increased security measures.  On the other hand, the fact that the hacking took place over a five-year period suggests that the security measures may not have always been adequate.

It will be interesting to see how the criminal case shakes out, but also whether the public relations firms will face any civil liability for having inadequate security.  Whether investors are actually damaged by insider trading and can bring civil actions as a result is a hot topic in securities law, and perhaps the subject of another blog posting.  Still, the scope of this alleged international cyber breach is alarming to anyone who regularly stores confidential information.

Crooked brokerage houses and online dating services: take note.

Posted in Cyberattack, Data Breach, Data Security

U.S. Appeals Court Upholds the FTC’s Authority to Police Cybersecurity Practices

In a highly anticipated and precedential opinion issued earlier this week, the Third Circuit Court of Appeals upheld the FTC’s authority to regulate corporate cybersecurity. The decision in Federal Trade Commission v Wyndham Worldwide Corp et al., addressed whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and, if so, whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision.

Each Wyndham-branded hotel has a property management system that processes consumer information including names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. A breach in Wyndham’s security opened the door for three separate hacks that resulted in the theft of personal and financial information for hundreds of thousands of consumers, leading to more than $10.6 million in fraudulent charges.

The FTC alleged that Wyndham unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft by storing payment card information in clear readable text, allowing the use of easily guessed passwords to access the property management systems and by failing to use readily available security measures, such as firewalls, to limit access between the hotels’ property management systems, corporate network and the Internet, among other reasons. The district court denied Wyndham’s motion to dismiss and the Third Circuit granted Wyndham’s interlocutory appeal to address the fundamental questions about the scope of the FTC’s authority in the cybersecurity space.

Wyndham argued that the three requirements of 15 U.S.C. § 45(n) are necessary but insufficient conditions of an unfair practice and asked that the Court apply the plain meaning of the word “unfair” to mean “not equitable” or “marked by injustice, partiality, or deception.” Wyndham also asserted that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The Court rejected these arguments, reasoning that although unfairness claims usually involve actual and completed harms, they may also be brought on the basis of likely rather than actual injury. Therefore, Wyndham’s cybersecurity intrusions could fall under the plain meaning of “unfair” if the intrusions were foreseeable.

Wyndham also argued that fair notice means it was entitled to “ascertainable certainty” of the FTC’s interpretation of what specific cybersecurity practices are required by § 45(a). However, the Court concluded that ascertainable certainty was not the standard. Instead, the relevant inquiry was whether Wyndham had fair notice that its conduct could fall within the meaning of the statute; it was not whether Wyndham had notice of the FTC’s interpretation of the statute.

The Court went on to state that Wyndham is entitled to a relatively low level of statutory notice because 1) Subsection 45(a) did not implicate any constitutional rights in this case; 2) it is a civil rather than criminal statute; and 3) statutes regulating economic activity receive a “less strict” test because their subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action. The Court concluded that Wyndham can only claim that it lacked fair notice of the meaning of the statute itself, a theory the Court strongly suspected would be unpersuasive under the facts of the case.

The implications here are clear. Breached companies are now officially on notice that they may have to answer to the FTC in the wake of a cyber attack, and cannot claim ignorance of what cybersecurity measures the FTC deems inadequate. As FTC Chairwoman Edith Ramirez stated, the Third Circuit decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Posted in Cyberattack, Data Breach, Litigation, Regulations, Standards

Ashley Madison Reveals Even More: Hacking May Be An Inside Job

In recent years, hacking has infiltrated the retail industry. Hacking has infiltrated the healthcare industry. Hacking has infiltrated the sports industry. And now, hacking has infiltrated the most personal (some would say immoral) activities we engage in on the Internet.

Last week, Ashley Madison, an international website that facilitates adultery, publicly announced that it was hacked and that significant amounts of customer information were stolen as a result. Worse, it was allegedly hacked by an Ashley Madison customer. 

The incident takes the traditional motivations for hacking – high-profile chaos and high-profile money – to new heights. Namely…extortion. The hacker(s) are apparently not asking for a monetary payout. They are threatening to release names and personal information of other Ashley Madison customers unless the entire site permanently shuts down operations. If the headlines are accurate, the hackers’ motivation is discontent with a service offered by the website that supposedly wipes clean any trace of a soon-to-be former customer’s affiliation with the service.  (That service used to cost $19 and now costs $0.)

I have to scratch the back of my head each time I remind myself that this “front page news” is in connection with a website based on adultery, and one advertising a slogan that encourages marital affairs and which displays prominently on its home page a seductive female with her finger over her lips in typical “shhh” fashion. The woman also sports a stereotypical male wedding band. Front. Page. News. While the headlines are likely being driven by prurient interest, there are real public policy and legal issues at stake here. We should be concerned with this new form of “insider hacking,” where one customer holds another customer’s information hostage—and where the threat of public disclosure (and implicit threat of the lawsuits that could follow) forces businesses to meet hacker demands.

Whether or not one agrees with the premise of Ashley Madison is irrelevant. And whether or not the motivation behind any alleged hacking is revenge or spite is irrelevant. If a current or former customer of a service itself perpetrated the hack, then we find ourselves in a place where not only are professional sports, retail giants, and banks vulnerable to potential hacking, but every individual consumer is vulnerable to the potential hacking capabilities of fellow consumers. 

Who among us hasn’t been frustrated by a website’s service before? Ever try to unsubscribe from a mailing list, only to be told it could take up to a week to process your request (even though it took you a nanosecond to “sign up” in the first place)? Most of us would never take that frustration to the next level. Most of us wouldn’t seek revenge, and even if we did, we wouldn’t take it out on our fellow customers. “Living well is the best revenge,” they say. But all it takes is one person – maybe the guy (or gal) in the cubicle next to you – to disagree.

And with the Ashley Madison hack, the stakes are high for those fellow customers. Courts have wavered on whether being the victim of a data breach constitutes harm sufficient to confer standing to sue. You can cancel your cards, you can monitor your credit, but once you’ve been outed as a cheater, you can’t put that toothpaste back in the tube. Agree or disagree with the premise of the site, it’s hard to deny that revealing that someone is an Ashley Madison user could potentially damage his or her reputation (perhaps, some would argue, deservedly so). If the information goes public, will there be a lawsuit? By a show of ring-fingered hands, who is going to line up to join the putative class? The law in this area is in flux, there are many kinks to work out, and this hack may have added a new wrinkle. Beyond the prurient interest, there are many reasons to watch as this story unfolds – and for your sake, I hope you are just watching from the sidelines.

Posted in Cyberattack, Data Breach, Data Security, Privacy

Who’s on First? And Who Stole a Base?

America’s oldest pastime has had a series of tech problems lately, ranging from the humorous to the scandalous. In a recent game, the Philadelphia Phillies could not call the bullpen for a new pitcher because the phone was off the hook. This left a position player on the mound and fans of other teams laughing. Last month, the Boston Red Sox benched Pablo Sandoval for a game after he “liked” a few Instagram pictures mid-game. While these incidents were comical, the St. Louis Cardinals’ alleged hacking is far more serious, for several reasons – possible criminal activity, potential civil liability, and perhaps most importantly, the sports world showing that it too is vulnerable to hacking and privacy breaches, whether the hack occurs within a league or comes from the outside.

The FBI is investigating the Cardinals after discovering multiple security breaches to the Astros’ databanks. And we can be certain of one thing: whether or not the Cardinals organization is at fault, the public does not yet have all the facts. Just days after the initial public disclosure of the investigation, the FBI disclosed that at least one additional hacking source was discovered, and still we have no certainty regarding the identity of any of these sources or the culprits. Federal officials reported that at least one of these breaches went through a popular identity-disguising network, called Tor, or “the onion router.” The network uses volunteer-operated servers that direct a user’s internet traffic through “virtual tunnels” instead of directly to their desired website. One Astros breach was traced back to a couple in Indiana, though officials believe they are merely unknowing participants in the Tor network.

Officials traced another breach in the Astros’ system to a home in Jupiter, Florida — the site of the Cardinals’ spring training facility. This and other evidence led the FBI to believe that the Cardinals might be stealing more than just bases, but it’s speculation at this point. If, in fact, there is inter-team hacking within baseball, that’s terrible for baseball, for sports and for consumers, and any such wrongdoing must be punished. But the investigation itself highlights a bigger issue – there’s now yet another huge industry that could be subject to cyberattacks.

If there was criminal activity, the responsible party (or parties) should of course be punished. Corporate espionage occurs for a variety of reasons, and the sports world is no different. If it is proven that the Cardinals are responsible here, their motives have yet to emerge, but most theories point back to general manager Jeff Luhnow. Now with the Astros, Luhnow started his career with the Cardinals. Some speculate that the Cardinals targeted information pertaining to Luhnow’s use of sabermetrics, the complex statistics used to evaluate players. Others believe the alleged breach may have been purely motivated by revenge, regardless of where responsibility may fall. The Cardinals’ front office has disclaimed any organized attempt to undermine the Astros and says it is cooperating with authorities in their investigation.

A hacking attempt can be prosecuted under 18 USC § 1030, the Computer Fraud and Abuse Act (CFAA), as well as various state and local laws. The CFAA protects computers used in or affecting interstate commerce – a minimal requirement met when a computer connects to the internet. See, e.g., United States v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009). The statute provides penalties for individuals who obtain information through unauthorized access. “Obtaining information” can mean simply viewing it online without downloading or saving. See America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000). Violation of this prohibition can be a misdemeanor, but many aggravating factors can apply. If the information is obtained for commercial advantage, for example, the crime is raised to a felony and it can be punishable by a fine, up to five years imprisonment, or both.

Sources have also speculated that the hack could have occurred because the Cardinals kept a list of Luhnow’s passwords from his time at the organization. Whatever the reality may be, hackers allegedly tried a number of these passwords on the Astros system, and one of them worked to access the other team’s data. This story functions as a good reminder to everyone that unique passwords should be used for important accounts like email, bank websites, and of course, scouting reports. Further, passwords should contain numbers, letters, and symbols, and should avoid common dictionary words. Users can have technologically advanced anti-hacking systems, but these are not effective if the password to entry can be easily guessed. Stay tuned to Cyber Law Monitor for updates on this and other cyber security news.

Posted in Cyberattack, Social Media

Pennsylvania Court Dismisses Data Breach Claims

In 2014, the University of Pittsburgh Medical Center’s computer system was hacked, resulting in the disclosure of sensitive personal information of current and former employees, including names, addresses, birthdates, social security numbers and banking account numbers. Allegedly, the stolen information was used to file fraudulent tax returns for as many as 800 employees. A class action was filed on behalf of current and former employees against the hospital and its payroll company.

On May 28, 2015, the Allegheny County Court of Common Pleas applied the economic loss doctrine to dismiss the class action. The Court in Dittman v. UPMC refused to adopt a duty of care that would require employers to protect the confidential information of its current and former employees. And it refused to find that there was an implied contract between the hospital and its employees that would require the hospital to protect its employees’ confidential information from data breaches.

The Court’s holding in UPMC decided one key point: Pennsylvania companies whose computer systems are hacked will not be liable to the persons whose confidential information was compromised.

Plaintiffs claimed that “UPMC had a duty [to] protect the private, highly sensitive, confidential and personal financial information [of its current and former employees].” The plaintiffs also alleged that, as a result of the breach, they incurred damages relating to fraudulently filed tax returns and “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

The hospital argued that the plaintiffs’ negligence claim was barred by the economic loss rule. Noting that the only losses that the UPMC employees sustained were economic, the trial court applied the economic loss doctrine and dismissed the plaintiffs’ negligence count. The Court wrote: “The Economic Loss Doctrine provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.”

No doubt realizing the futility of their negligence claim in light of the economic loss rule, the plaintiffs also urged the Court to impose a duty of care upon UPMC to protect the confidential information of its employees. Specifically, the plaintiffs proposed that the court create “a private negligence cause of action to recover actual damages, including damages for increased risks, upon a showing that the plaintiff’s confidential information was made available to third persons through a data breach.”

The Court refused, finding that “the public interest is not furthered by this proposed solution.” The Court then cited a laundry list of reasons to justify its refusal to adopt the new duty of care, including the lack of a safe harbor for entities storing confidential information, the inability of the state judicial system to handle the volume of potential lawsuits, the difficulty in establishing a minimum standard of care required, and the substantial resources that for-profit and non-profit entities would be required to spend in defending these lawsuits.

Another reason for the Court’s refusal to adopt a new duty of care was the Pennsylvania General Assembly’s recent consideration of the issue in connection with Pennsylvania’s Breach of Personal Information Notification Act. The legislative history shows that the General Assembly considered adopting an expansive civil liability provision as part of the Act, but the final bill contained only a notification requirement. In refusing to adopt the new duty urged by the UPMC employees, the Court observed, “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

As definitive as the ruling in UPMC appears to be, there are two caveats. If the hacked company is “in the business of supplying information for economic gain,” then it may be liable to the people whose information is compromised. See Sovereign Bank v. BJ’s Wholesale Club, Inc., No. 06-3405 (3d Cir. July 16, 2008). And there are many different iterations of the economic loss rule; a victim of a security breach could possibly sue a company whose system was compromised if the breach occurred in a state that applies a more expansive version of the rule. Other than that, however, Pennsylvania is one state that will shield companies from liability in data breach events that result only in economic loss.

Posted in Data Breach, Data Security, Litigation, Privacy