New Executive Order Seeks to Improve Security of Consumer Financial Transactions

The Obama Administration is taking new steps aimed at improving the security of consumer financial transactions.  Specifically recognizing that identity crimes, including credit card fraud, are a risk to U.S. economic activity, President Barack Obama issued an executive order on October 17, 2014 touching on three areas: government payments, identity theft remediation, and online federal transactions.

Government Payments.  The order first tries to strengthen data security for citizens doing business with the federal government by requiring all executive departments and agencies to transition payment processing terminals, as well as credit, debit, and other payment cards, to “enhanced security features, including chip-and-PIN technology.”  More specifically, the Secretary of the Treasury must ensure that all newly acquired terminals have enhanced security features and, by January 1, 2015, must have developed a plan for federal agencies to install enabling software in older terminals that supports these enhanced security features.  The Secretary of the Treasury must also ensure that prepaid debit cards used for administering government benefits have enhanced security features and, by January 1, 2015, must have developed a plan for the replacement of such debit cards that do not have these features.  The Administrator of the General Services Administration (GSA) must similarly ensure that all credit, debit, and payment cards provided through GSA contracts have enhanced security features and that, by January 1, 2015, GSA has begun replacing all existing cards without these features.  Finally, all other agencies with credit, debit, and other payment cards must, by January 1, 2015, provide the Office of Management and Budget (OMB) with plans for ensuring that these cards have enhanced security features.

Identity Theft Remediation.  The order next aims to reduce the burden and delays of remediation for consumers who have been victims of identity theft.  It orders the Attorney General, in coordination with the Secretary of Homeland Security, to issue guidance by February 15, 2015 to “promote regular submission . . . by Federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance’s Fraud Alert System.”  It directs the Department of Justice, the Department of Commerce, and the Social Security Administration to identify and provide to the Federal Trade Commission (FTC) all “publicly available agency resources for victims of identity theft” no later than March 15, 2015, and then to work together to “streamline” and “consolidate” these resources on IdentityTheft.gov.  It further orders OMB and GSA to assist the FTC in enhancing the functionality of that website and making it available to the public by May 15, 2015.  Under the order, the website’s enhanced functionality, to the extent possible, must include coordination with the credit bureaus to streamline the reporting and remediation process in the bureaus’ systems.

Online Federal Transactions.  Finally, the order gives the National Security Council, the Office of Science and Technology Policy, and OMB 90 days to present President Obama with a plan “to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process” and 18 months to complete implementation of the plan.

In addition to issuing the order, President Obama encouraged the financial and retail sectors to follow the government’s lead and make the move to “chip-and-PIN” technology.  Such technology will not eliminate card fraud altogether: a chip card generates a one-time cryptogram for each transaction, so data skimmed from it cannot be replayed to counterfeit a card, but it does nothing for card-not-present (online and telephone) transactions, where the card number itself is still the credential.  It is nonetheless far more secure than the magnetic stripes, with their static and easily cloned track data, that have been at the heart of many recent data breaches.  Finally, he encouraged Congress to pass comprehensive data breach and cybersecurity legislation to help address the problems created by the current patchwork of laws governing a company’s obligations in the event of a breach.  A copy of President Obama’s executive order can be found here.

Posted in Data Breach, Data Security, Regulations

California Court Raises Anew Questions of Standing in Data Breach Cases

There is no question that data breaches are among the most common and costly threats to consumers and companies alike. What remains the subject of vehement debate is whether plaintiffs in cyber-attack cases must allege stolen data was misused in order to have standing in court. In a recent decision, Judge Lucy H. Koh of the Northern District of California offered a more expansive, plaintiffs-friendly view of that question than most other federal courts that have considered the matter.

In In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014), Judge Koh found that plaintiffs in a consolidated class action suit had standing to sue defendant Adobe Systems, Inc., despite plaintiffs’ failure to allege actual improper use of stolen personal information. This holding is particularly significant because the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), drove many other courts across the country to dismiss similar causes of action for lack of standing. Judge Koh’s decision may give renewed vigor to data breach plaintiffs nationwide.

Posted in Data Breach

EU Set to Strengthen Data Protection Laws

Businesses that operate in the European Union (EU) may soon face a new set of data protection regulations. High-level discussions about a proposal to consolidate all individual EU-member nations’ data protection regulations into a single EU law are set to restart this month. If those negotiations are successful, the legislation could be approved by the end of the year.

Known as the General Data Protection Regulation (GDPR), this law would be directly applicable in each of the EU’s member states. Since 1995, the EU has instead operated under the Data Protection Directive, a much less uniform system of privacy protection. A “directive” instructs member states to pass laws achieving certain common goals, but does not mandate a particular approach, so each member state’s implementing law differs.

Proponents of the GDPR say that it will create a unified and consistent legal regime concerning data protection within the EU. They argue that a streamlined regulatory system will facilitate economic growth throughout the region and have far-reaching effects on the global economy.

The European Commission first released a proposal for a legislative framework in January 2012. The European Parliament voted in favor of reform measures in March 2014. EU procedural rules require that both the European Parliament and the Council of the European Union jointly adopt a proposed regulation, which means that the current draft may be altered before its final enactment.

The final law would almost certainly apply to all businesses that provide goods or services within the EU, no matter where a business is based. Heiko Maas, the German Minister of Justice and Consumer Protection, recently stated that the effects of data breaches on European citizens are not confined to national boundaries, so it is only fair that companies operating within the EU be subject to any European data protection law.

While ultimate passage is highly likely, it is not inevitable. A group of Google executives met in Spain last week to discuss implementation of a ruling by the Court of Justice of the European Union regarding the “right to be forgotten.” Google and other corporate and governmental bodies (including the government of the U.K.) oppose the concept of a “right to be forgotten,” and vociferously oppose its inclusion in the current GDPR draft regulations.

It is unclear whether opposition to this single provision would be enough to derail the entire GDPR process, but Europe’s trade partners and professional services experts aren’t betting on it. Already, market participants are preparing for the big change. Some insurance industry experts, for example, are studying the potential for offering coverage for non-criminal privacy-related fines that the GDPR is expected to establish.

Some of the key changes that the draft regulation sets out are:

  • Increased Fines: There will be significant increases in potential fines for data breaches, as the draft regulation prescribes a maximum fine of 2% of the offending organization’s global revenues.
  • Data Breach Notification: In the case of any data breach, the data controller will be required to notify the supervisory authority and individual whose data was breached without undue delay and, where feasible, within 24 hours.
  • Data Protection Officer: Businesses of a certain size will be required to hire a data protection officer, who will need to be an expert in data protection law and practice.
  • Rights for Individuals: The current version of the regulation also establishes the “right to be forgotten,” which allows people who are mentioned in data to obtain the erasure of that data and prohibits further dissemination of such data once the person exercises their right.

For a look at a draft of the GDPR, please see here.


Posted in Data Breach, Data Security, Privacy, Regulations

Google Settles With FTC Over In-App Purchases Dispute

The Federal Trade Commission (FTC) is increasingly focused on the technology sector and is using its monitoring and enforcement powers to crack down on alleged consumer protection violations by big tech firms.

Google reached a major settlement with the FTC this month, agreeing to pay $19 million to consumers whose children made purchases through Google Play, an Android-based app store. The agency alleged that Google did not properly disclose the ability to purchase items in children-oriented apps and games. Many free or low-priced mobile apps and games sold in the Google Play store encourage users to purchase virtual items in order to advance in the game. It is reported that in-app purchases have become the second largest source of revenue for the company, after advertising.

The FTC’s complaint alleged that, by billing parents for purchases made on apps downloaded through the Google Play store, Google had violated federal law prohibiting “unfair” commercial practices. When the company first introduced in-app charges to Google Play in 2011, there was no password feature. It later adjusted the system so that a popup window appeared before a purchase, requiring the account holder’s password. But account holders were not informed that subsequent purchases could be made during a 30-minute window after the password was entered. Many consumers reported hundreds of dollars of unauthorized charges that were incurred within this 30-minute time period.

As part of the settlement, Google will not only refund $19 million to consumers whose children made such purchases, it will also modify its billing practices to ensure that it obtains express consent before charging consumers for items sold within mobile apps.

Google was not the only target of the FTC’s action. This complaint arose from a three-year investigation by the FTC into in-app purchases on devices that run software by Google, Apple, and Amazon. A similar lawsuit was filed against Apple, and that company agreed to a $32.5 million settlement in January. Amazon announced this summer that it would fight FTC charges in federal court. Since the FTC first filed its complaints, Apple has changed its practices and Amazon has started offering parental safety tools to prevent such purchases.

Although Google has concluded its settlement with the FTC, the company still faces a similar class action lawsuit over in-app purchases. The plaintiffs’ case survived a motion to dismiss a few months ago and an amended complaint was filed in August. It remains to be seen how Google’s settlement with the FTC might affect that private litigation.

The FTC is accepting public comment on its Google settlement until October 6, 2014.

Posted in Privacy, Regulations

Court Holds that Privacy Violations Allegations Are Not Covered


A federal court in Washington recently issued an unpublished decision affirming that a common policy exclusion protects insurers from having to provide coverage in certain cases of alleged privacy violations. The same court issued a similar order earlier this year. Taken together, these decisions may persuade other courts that coverage is barred under commercial general liability policies with exclusions that bar coverage when underlying lawsuits allege disclosure of consumers’ personally identifiable information (PII) in violation of federal or state law.

Regarding the specific matters at hand, National Union insured Coinstar under two commercial general liability policies, through which Coinstar’s subsidiary, Redbox, was also an insured. Redbox operates DVD-vending machines throughout the United States. To use Redbox’s vending machines, consumers provide PII and pay for rentals with a credit card.

In Sterk v. Redbox Automated Retail, LLC, Redbox was sued for allegedly misusing consumers’ PII for marketing purposes and improperly disclosing consumers’ information to third parties, in violation of the federal Video Privacy Protection Act (VPPA). National Union brought a declaratory judgment action against Redbox regarding its obligations to defend or indemnify. Coinstar and Redbox brought counterclaims alleging that National Union was obligated to defend or indemnify Redbox in the lawsuit. The Court granted National Union partial summary judgment in February, finding that the policies’ exclusion for violations of statutes governing the sending, transmitting or communicating of material or information (the “Statutes Exclusion”) barred coverage for the Sterk lawsuit, as “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any other person’ except in specific, limited circumstances.”

Building on this ruling, the same Court held in August that National Union had no duty to defend or indemnify Redbox in two other lawsuits. The first lawsuit, Cain v. Redbox Automated Retail, LLC, alleged that Redbox violated Michigan’s Video Rental Privacy Act (VRPA), which prohibits business entities that rent video recordings “from disclosing to any person, other than the consumer, a record or information concerning the purchase, lease, rental, or borrowing of those materials by a customer that indicates the identity of the customer,” when Redbox sent consumer information to third parties without the consumers’ consent. The Court concluded that the VRPA “is effectively identical to the federal VPPA at issue in Sterk,” and coverage for the Cain lawsuit was also barred by the Statutes Exclusion.

The second lawsuit, Mehrens v. Redbox Automated Retail, LLC, alleged that Redbox violated California’s Song-Beverly Credit Card Act, which prohibits “entities that accept credit cards for the transaction of business from requesting or requiring the cardholder to write, or provide to the entity to write, any [PII] on a credit card transaction form,” because Redbox requested consumers’ billing zip code and/or email address. In the Court’s view, the statute was not concerned with the publication of information, but rather its collection, and the Court concluded that there was no coverage for the Mehrens lawsuit because it contained no allegation of sufficient personal and advertising injury to trigger coverage.

Posted in Insurance, Privacy, Video Privacy Protection Act

What is the Scope of the FTC’s Authority When it Comes to Data Security? Wyndham Asks Third Circuit to Consider

In early July, Wyndham Hotels asked the Third Circuit Court of Appeals to decide whether the Federal Trade Commission (FTC) has the authority to oversee corporate data security. Although the FTC has brought dozens of actions against businesses for insufficient data security practices, this would be the first time that the courts have been asked to consider the scope of the FTC’s regulatory powers in the data security realm. The outcome of this case will almost certainly affect the FTC’s ongoing and future data security enforcement actions, as well as litigation concerning data security and privacy.

The appeal stems from an FTC action against Wyndham in the District Court of New Jersey in which a federal judge denied Wyndham’s motions to dismiss, but certified two questions for interlocutory appeal: whether Section 5 of the FTC Act grants the FTC authority to regulate corporate data security, and, if so, what notice the FTC must give before bringing unfairness claims. The district court pointedly stated that these two issues involve “novel [and] complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.”

The appellate court may decide to review the legal conclusions of the district court’s order denying the dismissal. Alternatively, it may deny Wyndham’s petition and hear these issues on appeal, following a grant of summary judgment or the conclusion of a trial in this case.

While the Third Circuit decides whether to hear Wyndham’s appeal, the FTC’s action against the hotel chain remains ongoing at the district court level. The FTC complaint alleges that Wyndham’s data security practices constitute unfair trade practices under Section 5 of the FTC Act because they were not “reasonable and appropriate” in safeguarding consumer data.  It further alleges that the hotel chain engaged in “deceptive” trade practices because its security measures fell short of the “commercially reasonable efforts” to protect personal information that Wyndham’s online privacy policy claimed it made.  The allegations stem from three data breaches in 2008 and 2009 that compromised the personal information of an estimated 600,000 accounts.

Posted in Data Security, Regulations

Data Breach Liability Exclusion – It’s Not Your Father’s CGL

No business is immune to data breach. Digital data in particular can be lost in innumerable ways, causing serious business interruptions and consumer injuries. After falling victim to a hack, virus, or cyber theft, companies often search for coverage under their commercial general liability (“CGL”) policy, but a new endorsement by Insurance Services Office, Inc. means that such searches will likely be in vain. Effective May 1, 2014, cyber liability is excluded from the CGL form. Businesses seeking protection from data loss will need cyber liability policies specific to malicious and accidental data breaches.

Insurance Services Office’s new endorsement revises Coverage A, removing coverage for bodily injury and property damage regarding “access or disclosure of confidential or personal information, and data-related liability.” An identical exclusion modifies Coverage B, removing cyber liability coverage for personal and advertising injury claims. These new exclusions may not mention the word “cyber,” but they encompass breaches resulting from all manner of cyber accident or crime.

The endorsement bars coverage for injury or damage arising from: any access to or disclosure of customer lists; credit card, health and financial information; and other types of non-public information that may include confidential business or personal information such as patents, trade secrets, and processing methods. Data-related losses include any loss of, loss of use of, damage to, corruption of, and inability to access or manipulate electronic data. “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media,” which covers most systems that businesses rely on to perform daily operations.

The endorsement also bars bodily injury claims for damages arising from access to or disclosure of confidential or personal information. It excludes coverage not only for the data breach itself but also for the costs of responding to and remediating it: notification costs, credit monitoring expenses, forensic expenses, public relations expenses, and any other loss, cost or expense incurred.

The costs associated with data loss and theft can be extraordinary—from protecting customers to rebuilding computer systems to defending the company’s public reputation. As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors. No longer can businesses rely on their CGL policies for cyber coverage, so they must consider seeking protection elsewhere.

Posted in Data Breach, Insurance

And You Thought Your Teenager’s Cell Phone Bill Was High…NFL Team’s Texts Cost $3 Million

Fans everywhere like to complain about their team’s picks in the NFL draft. Maybe their team drafted a quarterback instead of a cornerback, or maybe it fell for that highly overrated prospect. Most such complaints stay safely in the realm of sports radio or bar talk, but the Buffalo Bills recently endured a major legal headache after one fan sued the team in court over alleged Telephone Consumer Protection Act (TCPA) violations. Despite seemingly innocuous infractions, settling the suit cost the Bills more than $3 million. Companies hoping to avoid the same fate should carefully choose the language of customer agreements and ensure communications with customers fit within these agreements.

The case stemmed from the Bills’ fan alert program, through which the team texts game updates and breaking news to fans’ mobile phones. The text program promised three to five text messages per week, but Bills fan and program participant Jerry Wojchik alleged he received six or seven texts in some weeks. He filed suit in the Middle District of Florida on October 25, 2012, as a class action on behalf of all affected fans.

The TCPA (47 U.S.C. § 227, et seq.) regulates marketing calls and electronic communications. Among other things, the TCPA and the FCC rules implementing it ban autodialed calls and text messages to mobile phones unless the recipient has given consent or the message concerns an emergency. According to FCC rulings, the burden is on the defendant to demonstrate express consent within the meaning of the statute, which is why the consent language in a customer agreement matters: messages that exceed what the consumer agreed to fall outside that consent.

Posted in Privacy

The Next Generation of Data Breach Notice Law — Florida’s Information Protection Act of 2014

In a harbinger of data breach laws to come, the Florida State Legislature just passed a new Florida Information Protection Act, which establishes tough new notification requirements for businesses and governmental entities. With the rapid increase in data breaches and growing awareness of the dangers, this Act may become a model for other states.

Florida’s Act provides new notice requirements and possible civil penalties arising out of a data breach incident when the notice requirements are not followed. It requires covered businesses and governmental entities to take “reasonable measures to protect and secure data in electronic form containing personal information.”

In the Florida Act, “personal information” is defined to include (1) a person’s name in combination with (a) a social security number, driver’s license number, passport number, and/or other similar number on a government ID, (b) a financial account, debit card or credit card number in combination with a related password or access code, (c) medical history information, or (d) a health insurance policy number or identification number; or (2) a user name or email address in combination with a password or security question and answer that would permit access to an online account. Note that the definition is combinatorial: a card number without its access code, or a social security number without the associated name, does not by itself meet it, while a user name and password pair does, even with no name attached. Under the Act, a “breach” is considered the “unauthorized access of data in electronic form containing personal information.”

With regard to the new notice requirements, the Act requires businesses and government entities to give notice to consumers “no later than 30 days after the determination of a breach or reason to believe that a breach occurred” unless the breach qualifies for an exception. Exceptions include circumstances where information was released during an ongoing criminal investigation, or where the covered entity determines, after consultation with law enforcement, “that the breach has not and will not likely result in identity theft or other financial harm.” This latter determination must be documented in writing and the documentation must be maintained for 5 years.

The Act sets out exactly what must be included in the notice to individuals. And if a breach could affect more than 500 people, the Attorney General’s office must also be notified within 30 days, along with other notice requirements.

Failure to adhere to the Act could be deemed “an unfair and deceptive trade practice” and also subject the covered entity to a civil penalty of up to $500,000, with the penalties being imposed based on the number of days the party is in violation of the Act. However, the Act does specifically state that it does not create a private right of action.

Forty-seven states have now enacted data breach notification statutes, but Florida is one of just seven states that require notification within a specific period of time – 30 days from determination of the breach. States that do not require a specific time period tend to use broader language merely requiring notice in a reasonable time. Florida is also one of only a handful of states that has expanded the definition of “personal information” to specifically include a user name/email address and password to access an online account.
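The combinatorial definition of “personal information” and the notice thresholds above are the kind of rules an incident response team ends up encoding in a triage checklist. The following is an added illustration, not text from the Act or code from this blog, and not legal advice: it models the definition as summarized in this post, using assumed field labels (such as "name", "ssn", "card_number") for the data elements a compromised record contained, and computes the individual and Attorney General notice obligations for a constructed set of breached record cohorts.

```python
"""Breach-triage helper modelled on the Florida Information Protection Act of
2014 definition of "personal information", as summarized in the post above.

Added illustration only; the field labels below are assumptions, not terms
from the statute, and the rules track the blog's summary rather than the
full statutory text.
"""
from datetime import date, timedelta

# Element (1)(a), (c), (d): a name combined with any ONE of these elements.
NAME_PLUS_ONE = {
    "ssn", "drivers_license", "passport", "gov_id",
    "medical_history", "health_insurance_id",
}
# Element (1)(b): name + financial/card number + its password or access code.
FINANCIAL_NUMBER = {"account_number", "card_number"}
FINANCIAL_SECRET = {"password", "access_code"}
# Element (2): an online-account login plus its secret; no name required.
LOGIN_ID = {"username", "email"}
LOGIN_SECRET = {"password", "security_qa"}

AG_NOTICE_THRESHOLD = 500   # AG must be notified if more than 500 people affected
NOTICE_DAYS = 30            # notice due within 30 days of determination
RETENTION_YEARS = 5         # written no-harm determination kept for 5 years


def is_personal_information(fields):
    """True if the compromised elements meet the definition as summarized."""
    f = set(fields)
    if "name" in f:
        if f & NAME_PLUS_ONE:
            return True
        if f & FINANCIAL_NUMBER and f & FINANCIAL_SECRET:
            return True
    # A username/email plus password or security Q&A qualifies on its own.
    return bool(f & LOGIN_ID and f & LOGIN_SECRET)


def triage(cohorts, determined_on, no_harm_finding=False):
    """Summarize notice obligations for a breach.

    cohorts: list of {"fields": element labels, "count": number of people}
    determined_on: date the breach was determined (or reason to believe arose)
    no_harm_finding: True if, after consulting law enforcement, the entity
        documented that the breach will not likely result in identity theft
        or other financial harm (the exception to individual notice).
    """
    affected = sum(c["count"] for c in cohorts
                   if is_personal_information(c["fields"]))
    deadline = determined_on + timedelta(days=NOTICE_DAYS)
    result = {
        "affected_individuals": affected,
        "individual_notice_required": affected > 0 and not no_harm_finding,
        "attorney_general_notice_required": affected > AG_NOTICE_THRESHOLD,
        "notice_deadline": deadline,
    }
    if no_harm_finding:
        # The written determination must be retained for five years;
        # clamp 29 February to the 28th in the retention year.
        try:
            keep = determined_on.replace(year=determined_on.year + RETENTION_YEARS)
        except ValueError:
            keep = determined_on.replace(year=determined_on.year + RETENTION_YEARS, day=28)
        result["retain_finding_until"] = keep
    return result


# Constructed sample: three record schemas from a hypothetical breach dump.
SAMPLE_COHORTS = [
    {"fields": ["email", "password"], "count": 450},        # qualifies
    {"fields": ["name", "card_number"], "count": 200},      # no access code: not PI
    {"fields": ["name", "ssn"], "count": 60},               # qualifies
]
SAMPLE_DETERMINED_ON = date(2014, 7, 1)


if __name__ == "__main__":
    for key, value in triage(SAMPLE_COHORTS, SAMPLE_DETERMINED_ON).items():
        print(f"{key}: {value}")
```

Running the sample counts 510 affected individuals (the 200 name-plus-card-number records do not qualify without a password or access code), so both individual notice and Attorney General notice are due by July 31, 2014. Real triage also has to account for the ongoing-criminal-investigation exception and for the separate content requirements of the notice, which this helper does not model.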

If you are interested in reading the full text of the Act, the full text can be found at http://www.flsenate.gov/Session/Bill/2014/1524/?Tab=BillText

Posted in Data Breach

No Coverage for Alleged Violation of the Video Privacy Protection Act

A recent unpublished decision from the Western District of Washington provides yet another example of a court endorsing limits on general commercial insurer responsibility in the area of consumer privacy violations.

In Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Coinstar, Inc., 2014 U.S. Dist. LEXIS 31441 (W.D. Wash. Feb. 28, 2014), the court concluded that insurance coverage may be excluded for lawsuits alleging the insured violated a statute, regulation or ordinance related to “sending, transmitting or communicating” any material or information, including consumers’ personally identifiable information. In this case, the insurer was not obligated to defend or indemnify its insured in an underlying lawsuit alleging that the insured violated the federal Video Privacy Protection Act (“VPPA”).

National Union insured Coinstar under two commercial general liability policies through which Coinstar’s subsidiary, Redbox, was also an insured. Redbox is a well-known operator of DVD-vending machines throughout the United States. To use Redbox’s vending machines, consumers provide personally identifiable information and pay for rentals with a credit card. Redbox was sued in Sterk v. Redbox Automated Retail, LLC, Case No. C11-1729 (N.D. Ill. 2011), alleging Redbox used consumers’ personally identifiable information for marketing purposes, and improperly disclosed their information to third parties without the consumers’ express permission, in violation of the VPPA.

The National Union policies contained an exclusion: “Exclusion – Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material or Information,” barring coverage for a claim “arising out of or resulting from, caused directly or indirectly…by any act that violates any statute…that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.”

The trial court ruled that the insurer’s exclusion clearly barred coverage for the Sterk lawsuit.  The Court noted that “[t]he sole purpose of the VPPA is to protect consumers’ privacy by prohibiting the ‘sending, transmitting or communicating’ of their personal information ‘to any person’ except in specific, limited circumstances.”  In the Court’s view, this matched up to the plain language of the insurance policy exclusion barring any injury that arises from any act that violates any statute that applies to the sending, transmitting, or communicating of any material or information.

An insurer’s obligation to defend an insured is based only on allegations against an insured in an underlying suit and is broader than an insurer’s obligation to pay for judgments. Because the Sterk lawsuit alleged that Redbox’s actions violated the VPPA—and thus only alleged actions that were barred by the policy—National Union never had an obligation to defend Redbox in the Sterk lawsuit, even if those allegations were later established to be false.

While unpublished, this decision may be persuasive to other courts addressing insurance policies containing substantially similar exclusions. Such exclusions first became widely adopted by insurers in response to Telephone Consumer Protection Act class actions, commonly known as “fax blast” litigation, and lawsuits alleging violations of the CAN-SPAM Act of 2003. Such exclusions have since evolved and become more broadly applicable.

Posted in Video Privacy Protection Act
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.