Data Security Law Journal

Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Where Can You Be Sued For Using A Computer?

Posted in All Things E, Jurisdiction, Lawsuits

It is sometimes easy to forget with the increasing mobility of electronic information and our ability to “work from anywhere” that behind our office laptop, desktop, or tablet computing device is a network of servers that may be located anywhere in the world.  When we hit “send”, “save”, or “open”, we use the network to transmit, store, or obtain information that may be located outside our office building.  A recent U.S. Second Circuit Court of Appeals decision reminds us why it is a good idea for companies and their employees to know where and how data is stored.

In MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir. Dec. 26, 2012), the Second Circuit held that a Connecticut court can exercise jurisdiction over a defendant who, while domiciled in another country, allegedly accessed a computer server located in Connecticut to obtain confidential information belonging to her employer.

The plaintiff in MacDermid, Inc., a Connecticut-based company, sued the defendant, a former employee living and working in Canada, because the defendant allegedly forwarded confidential and proprietary company information to her personal email account from her work email account after she became aware of her impending termination from the company.  The U.S. District Court for the District of Connecticut dismissed the lawsuit, ruling that it lacked personal jurisdiction over the defendant.  The Second Circuit reversed.

In reversing the District Court, the Second Circuit applied a two-step analysis:  (1) did Connecticut’s long-arm statute provide jurisdiction over the defendant and, if so, (2) would such jurisdiction meet due process requirements of the Fourteenth Amendment.  Both questions would have to be answered affirmatively for the Connecticut court to exercise personal jurisdiction over the defendant.

Long-Arm Jurisdiction

Connecticut’s long-arm statute states that a “court may exercise personal jurisdiction over any nonresident individual . . . who in person or through an agent . . . uses a computer . . . or a computer network . . . located within [Connecticut].”  The long-arm statute adopts the definitions of a “computer” and a “computer network” set forth in the state’s computer crimes statute:

“Computer” means an electronic, magnetic or optical device or group of devices that, pursuant to a computer program, human instruction or permanent instructions contained in the device or group of devices, can automatically perform computer operations with or on computer data and can communicate the results to another computer or to a person.  “Computer” includes any connected or directly related device, equipment or facility that enables the computer to store, retrieve or communicate computer programs, computer data or the results of computer operations to or from a person, another computer or another device. . . . “Computer network” means a set of related, remotely connected devices and any communications facilities including more than one computer with the capability to transmit data among them through the communications facilities.

The District Court reasoned that the defendant had not used a Connecticut computer or computer network but had simply sent email from one computer in Canada (her work computer) to another computer in Canada (her personal computer).  The Second Circuit rejected this analysis, pointing to the fact that to use her work email and access work data, the defendant accessed computer servers located in the plaintiff’s Connecticut offices.

The court held that a “computer server” meets the Connecticut long-arm statute’s definition of a computer because it is:

An electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.

In short, the court noted, “[i]t is not material that [the defendant] was outside of Connecticut when she accessed the [Connecticut] servers.  The statute requires only that the computer or network, not the user, be located in Connecticut.  The statute reaches persons outside the state who remotely access computers within the state.”

Due Process

Having concluded that jurisdiction over the defendant existed under the Connecticut long-arm statute, the court next turned to the second step in the analysis:  whether such jurisdiction meets the due process requirements of the Fourteenth Amendment.  To make this determination, the court had to decide that:  (1) there were minimum contacts between the defendant and Connecticut, and (2) the exercise of personal jurisdiction over the defendant was reasonable.

In determining whether minimum contacts existed between the defendant and Connecticut, the court looked to whether the defendant purposefully availed herself of the privilege of conducting activities within Connecticut, thus invoking the benefits and protections of its laws.  The court held that the defendant did purposefully avail herself because she:

was aware of the centralization and housing of the [plaintiff’s] email system and the storage of confidential, proprietary information and trade secrets in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. . . . [The plaintiff alleged that the defendant] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.  She used those servers to send an email which itself constituted the alleged tort.  And . . . she directed her allegedly tortious conduct towards [the plaintiff], a Connecticut corporation.

Next, the court determined that personal jurisdiction was reasonable, relying on factors such as the lack of burden on the defendant, the interests of Connecticut, and the plaintiff’s interest in obtaining relief.  The court held that although the defendant would have to travel to Connecticut to defend the lawsuit, that burden alone did not render the exercise of personal jurisdiction unreasonable.  The court also pointed to the fact that the plaintiff is based in Connecticut, the majority of corporate witnesses are located in Connecticut, and Connecticut has an interest in the proper interpretation of its laws.  The court ended its analysis by noting that “efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.”

Let’s Keep This Decision In Context . . .

Some may argue that the Second Circuit’s opinion will pave the way for plaintiffs to obtain personal jurisdiction over foreign defendants in cases involving electronic information, but it is important to keep this decision in context with the facts that may distinguish it from other situations.

For example, Connecticut’s long-arm jurisdiction statute explicitly provides for jurisdiction based on the use of a computer or computer network in Connecticut.  Not all states provide such long-arm jurisdiction or provide specific definitions of computers and computer networks.

Also, the court noted that the defendant purposefully availed herself of the privilege of conducting activities in Connecticut in part because she was informed ahead of time that her company’s email system and the storage of confidential information were in Connecticut.  If the defendant had not previously been informed of the location of those company servers, it is quite possible (perhaps even likely) that the outcome would have been different.

Finally, it is not clear from the facts presented in the opinion whether servers existed in states other than Connecticut.  If a company has servers in multiple jurisdictions and employees are not informed about the location of data/systems they might access (email, document management, etc.), the plaintiff will have a more difficult time persuading a court that the defendant purposefully availed herself of the privilege of conducting activities in that forum.

Despite these cautionary notes, the opinion is still an example of a U.S. court’s impressive jurisdictional reach where the underlying controversy involves electronic information.  The fact that a person and her computing device may be located in one jurisdiction does not mean that she is not subject to jurisdiction in another state (or country).  The court’s opinion reminds us that a computer is like the tip of an iceberg—beneath the surface is a much larger support system that facilitates the storage, transmission, and monitoring of an entire network of computers and electronic information.

The Takeaway

There are several important points that underlie this opinion, but if I were corporate counsel reading this opinion, one practical “next step” I might want to take is to ensure that my employees are informed (in writing) about the location of the company’s electronic information and computer servers, assuming that the information is stored in a jurisdiction where I may want to file a lawsuit to protect the company’s confidential and proprietary information in the future.  Another “next step” might also include researching the long-arm jurisdiction statutes of the states where my company might want to invoke personal jurisdiction at some point in the future, to see whether and under what circumstances they include the use of a computer or computer network.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

What’s In Your Trash?

Posted in Data Privacy, Data Security, FTC

How does your company dispose of personally identifiable information (medical records, financial information, applications containing sensitive information, etc.) and other sensitive information when the information is no longer needed?  Do you throw it in the trash can next to your desk?  Where does it go after that? Is it securely shredded, or thrown into an unsecured dumpster with the trash of other offices and companies?  What about sensitive electronic information?

These questions might not seem important, but the way in which your company disposes of sensitive information can have significant consequences on your business, as two companies learned recently when they discarded personally identifiable information in unsecured dumpsters and were fined over $100,000 by the Federal Trade Commission (FTC).

What Happened?

The FTC filed charges against three companies that own, manage, and operate payday loan and check cashing stores, alleging that they failed to safeguard personally identifiable information by discarding “documents containing sensitive personal identifying information – including Social Security numbers, employment information, loan applications, bank account information, and credit reports – in unsecured dumpsters near [the defendants’] locations.”

What Were The Causes Of Action?

The FTC’s complaint claims that the defendants violated:

(1) the FTC’s Disposal Rule, which requires companies that maintain or possess certain consumer information for a business purpose “properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information”;

(2) the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, which require that financial institutions (companies significantly engaged in providing financial products or services) develop and use safeguards to protect consumer information, and deliver privacy notices to consumers explaining their policies and practices; and,

(3) the FTC Act, which prohibits misrepresentations about the reasonable measures companies implement to protect sensitive consumer information.

What Was The Result?

Two of the three defendants settled with the FTC, agreeing to pay a $101,500 fine, to establish what will likely be an expensive and comprehensive information security program, to obtain regular independent, third-party audits every other year for 20 years, and to adopt a number of recordkeeping and compliance monitoring requirements.

What Are The Takeaways?

First, you need to assess how your company disposes of sensitive information.  Next, you must identify the policies and procedures your company has adopted to ensure that sensitive information is disposed of securely. Can those policies and procedures be improved?  Do your employees comply with existing policies and what “checks” are in place to maximize compliance and minimize risk?  When was the last time you trained and reminded employees about the proper way to securely dispose of sensitive information?  Do you know how your vendors and business associates, with whom you share sensitive information, are disposing of that information?  If you are not sure whether the safeguards your company has adopted meet the legal requirements for secure disposal, it might be wise to retain counsel.


Is Secrecy A Prerequisite For Privacy?

Posted in Data Privacy

It can be easy in the data privacy and security sphere to focus significantly on best practices, changing statutes, new administrative investigations, and evolving industry standards.  It is important, however, not to lose the forest for the trees by ignoring larger issues like “what criteria should we use to determine whether information is in fact ‘private’ information?”  The issue was recently addressed by Brad Smith, General Counsel of Microsoft, in an InsideCounsel article.

When many of us think of what it means for information to be “private”, we assume the information must be kept secret.  Instinctively, it would seem to make sense that publicly known information cannot also be “private” information.  But can information be private if the owner of the information purposefully provides it to certain individuals and not others?  That issue was recently addressed by the U.S. Supreme Court and discussed in Smith’s article.

Smith’s article argues that legal change may be coming to the definition of privacy, and he cites by way of example Justice Sotomayor’s concurring opinion in the recent U.S. Supreme Court decision in U.S. v. Jones.  In Jones, the court held that the government was required to obtain a warrant where it installed a tracking device on a suspect’s vehicle, as this conduct was a search under the Fourth Amendment.

In her concurring opinion, Justice Sotomayor began with the general principle that “a Fourth Amendment search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable.”  Does this expectation of privacy extend to information shared with some individuals and not others?  Justice Sotomayor posited that:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.  People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medication they purchase to online retailers. . . . I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.  But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.  I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.

Justice Sotomayor also quoted Justice Marshall’s dissent in the 1979 case of Smith v. Maryland – “Privacy is not a discrete commodity, possessed absolutely or not at all.  Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.”

Ultimately, the Jones Court did not decide whether a reasonable expectation of privacy exists in information voluntarily disclosed to third parties, but as Mr. Smith observes, “the Fourth Amendment will likely evolve and influence the future of privacy rules and practices with implications for inside counsel across the country.”


Where’s Your Privacy Policy?

Posted in Data Privacy, FTC

Regulators increasingly want to know what companies are telling consumers about how the companies are using information about their consumers.  Companies that do not properly explain how they collect, store, and use their customers’ information are facing increased scrutiny.  Nowhere is this increased scrutiny more evident than in the $22.5 million civil penalty that the FTC levied against Google, or the FTC’s complaint and decision against Facebook.

Now, the Office of the Attorney General for the State of California has weighed in by cracking down on companies that do not include privacy policies in their mobile apps.  In a recent press release, California Attorney General Kamala Harris announced that her office has begun formally notifying up to 100 mobile application developers and companies that they are not in compliance with California privacy law.  According to Bloomberg, the companies receiving letters include United-Continental, Delta Air Lines, and Open Table.

The law that the Attorney General is referring to is the California Online Privacy Protection Act, which requires commercial operators of online services who collect personally identifiable information from California residents to conspicuously post a privacy policy.  Companies that violate this law face fines of up to $2,500 each time the non-compliant app is downloaded.

Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion, as platforms for mobile applications, all agreed to privacy principles earlier this year that allow consumers to review an app’s privacy policy before they download the app rather than after.  The companies also agreed to offer consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

So what is the takeaway?  If you collect information about individuals, make sure you have a clear privacy policy.  Make sure the policy is placed in a location that makes it easy to find.  If you offer a mobile app, try to work with your mobile app platform to provide the privacy policy to consumers before they download the app.  It’s also a good idea to update your privacy policy periodically to ensure it remains current with your company’s information collection practices.

When was the last time your company took a fresh look at its privacy policy?


The Southern District of Florida Weighs In On Data Breach Lawsuits

Posted in Data Breach, Data Security, Lawsuits

Late last week, another Federal District Court (the Southern District of Florida) weighed in on the circumstances under which a plaintiff may sue a breached entity civilly for damages when the plaintiff’s personally identifiable information (PII) is inappropriately accessed or acquired.  The Court allowed the case to proceed with counts for violation of Florida’s Unfair and Deceptive Trade Practices Act and negligence (assuming Plaintiff can clarify the damages he is seeking).

In Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), the court denied a motion to dismiss a class action lawsuit arising from a data breach.  According to the allegations of the lawsuit, Defendant Winn-Dixie allegedly shared Plaintiff’s PII (without his consent) with Defendant Purchasing Power, to help Purchasing Power implement a program that allowed Winn-Dixie’s employees to purchase merchandise via automatic payroll deductions.  In January 2012, Winn-Dixie notified Plaintiff that a Purchasing Power employee had inappropriately accessed Winn-Dixie employees’ PII.  Plaintiff alleges that Winn-Dixie and Purchasing Power knew of this access three months earlier.  Plaintiff claims that his PII was used to file a fraudulent federal income tax return on his behalf, causing him to incur credit monitoring costs to protect against identity theft and continued exposure to damages from people stealing his identity because his PII has been accessed.

Defendants moved to dismiss the lawsuit on several grounds, which are discussed in turn below:

I. Standing

The Court held that Plaintiff had standing to proceed.  Defendants argued that Plaintiff lacked standing because he has not suffered an injury in fact and because his injury is not “fairly traceable” to Defendants.  The Court rejected this argument, citing to the Eleventh U.S. Circuit Court’s recent decision in Resnick v. AvMed as support for the proposition that the alleged misuse of an individual’s PII amounts to an injury in fact.  The Southern District Court determined that Plaintiff suffered a monetary loss when he failed to obtain his tax refund due to fraud.  Defendants argued that Plaintiff’s injury was speculative because Plaintiff has not yet even challenged the denial of his tax refund with the IRS.  The Court rejected the argument, ruling that the allegation of actual identity theft alone gave Plaintiff standing independent of any economic damages he claimed to have suffered.  The Court also ruled that Plaintiff’s injury was “fairly traceable” to Defendants’ actions, in part relying on the allegation that Plaintiff’s PII was used within months of the breach.

II. Negligence (Count I)

The Court dismissed Plaintiff’s negligence count without prejudice, ostensibly to clarify some of the damages Plaintiff is seeking.  Plaintiff alleged that Defendants were negligent in storing his personal data, causing him to suffer monetary loss for the use of his PII and identity theft, loss of privacy, lost monetary value of his PII, and out-of-pocket expenses.  The Court held that Plaintiff “sufficiently alleged facts to support his claims for damages resulting from the monetary loss from the use of this PII and identity theft.”  The Court did not, however, allow Plaintiff to recover damages for the “monetary value of his PII” (perhaps in contrast to the RockYou decision, the Court held that “[p]ersonal data does not have an apparent monetary value that fluctuates like the price of goods or services”).  The Court also required Plaintiff to clarify what “other economic damages” he suffered.  Finally, the Court rejected Plaintiff’s damages for loss of privacy because invasion of privacy is an intentional tort that cannot be pleaded as part of a negligence claim.

III. Violation of the Federal Stored Communications Act (FSCA) (Count II)

The Court dismissed the FSCA count with prejudice.  Plaintiff claimed that Defendants violated the FSCA, which makes it unlawful for an entity providing an electronic communications service or a remote computing service to the public to knowingly divulge to any person or entity the contents of any communication that is carried or maintained on that service.  Defendants argued successfully that the count should be dismissed because they do not provide an electronic communications service or a remote computing service.

IV. Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) (Count III)

The Court denied Defendants’ motion to dismiss Plaintiff’s FDUTPA claim.  Plaintiff alleged that Defendants violated FDUTPA by:  (1) failing to properly implement adequate, commercially reasonable security measures to protect Plaintiff’s PII; (2) failing to immediately notify Plaintiff of the nature and extent of the data breach; and (3) representing their services to be of a particular standard and quality which they failed to adhere to.

The Court held that Defendants’ alleged failure to adequately secure his PII was an unfair practice under FDUTPA because Winn-Dixie allegedly transferred to Purchasing Power the personal data of Winn-Dixie’s employees regardless of whether those employees had participated in the Purchasing Power program.

On Plaintiff’s second theory—Defendants’ alleged failure to immediately notify Plaintiff of the breach—the Court again agreed with Plaintiff that this was unfair.  The Court stated that by not “immediately” notifying Plaintiff that his PII had been compromised, Defendants did not afford Plaintiff the chance to take remedial measures such as credit monitoring or filing his federal tax return earlier.  As I read this portion of the opinion, I question whether the Court’s use of the term “immediately” unintentionally creates an obligation to notify affected individuals of a breach sooner than the “without unreasonable delay” standard currently set forth in section 817.5681(1)(a), Florida Statutes (2012) (Florida’s data breach notification law).

The Court did not appear to address Plaintiff’s third theory of FDUTPA violation—Defendants’ representation that their services were of a particular standard and quality that they failed to meet.

V. Invasion of Right to Privacy (Count IV)

The Court dismissed Plaintiff’s count for invasion of right to privacy.  Plaintiff had relied on Florida’s constitutional right to privacy, which the Court dismissed with prejudice as Defendants were not acting on behalf of the government.  Plaintiff also relied on the common law right to privacy, which the Court also dismissed (though without prejudice) because any release of Plaintiff’s PII was not intentional.

Plaintiff must file an Amended Complaint no later than October 26th.


Congress asks the Fortune 500: “Where’s your cybersecurity plan?”

Posted in Data Security

On September 19th, U.S. Senator John Rockefeller, writing on behalf of the Senate’s Committee on Commerce, Science, and Transportation, sent a letter to the Fortune 500 Chief Executive Officers seeking information about their cybersecurity policies and their positions on certain cybersecurity issues.  (Read the Committee’s press release here).

The letter is a result of the Senate’s recently failed effort to pass the Cybersecurity Act of 2012 in August.  As Senator Rockefeller explains in his letter, the Committee “would like to hear more – directly from the chief executives of leading American companies about their views on cybersecurity, without the filter of beltway lobbyists.”  Senator Rockefeller argued that the legislation failed in part due to significant opposition from various business lobbying groups, including the U.S. Chamber of Commerce.  (The Chamber disagrees that this is the reason why it failed).

The letter asks the Fortune 500 CEOs to answer the following questions:

  • Has your company adopted a set of best practices to address its own cybersecurity needs?
  • If so, how were these cybersecurity practices developed?
  • Were they developed by the company solely, or were they developed outside the company?  Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  • Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  • What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

These questions raise several issues for the companies responding to them.  For example, how much detail should a company provide in response to these questions, keeping in mind that responses will likely be a matter of public record and may be viewed by competitors or potential cyber attackers?  What about companies that have not yet prepared formal cybersecurity practices?  Do they now have to admit this failure on the record, keeping in mind that the Committee also wants to know when those practices were developed?  Regarding the Cybersecurity Act, the responses will likely need to express concern about excessive government intervention and regulation while at the same time demonstrate sensitivity to protecting critical infrastructure like utilities, transportation, and telecommunications.

The lessons to be learned from this letter are not just for the Fortune 500.  All companies can benefit from auditing their systems and policies, implementing properly tailored cybersecurity measures for their organizations, and staying abreast of the best practices in their respective industries.

Responses to Senator Rockefeller’s letter are due by October 19th.


Private Lawsuits Arising From Data Breaches – The Eleventh Circuit Weighs In

Posted in Data Breach, Data Security, Health Care Industry, Lawsuits

Last week, the United States Court of Appeals for the Eleventh Circuit decided Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sep. 5, 2012).  The Court’s opinion addresses some important issues regarding an individual’s right to bring a private lawsuit when her personally identifiable information or protected health information is compromised.  In its decision, the Court reversed the dismissal of all but two counts in a class action lawsuit that arose from a data breach suffered by an integrated managed care organization.

Background

AvMed, Inc., an integrated managed care organization, was the victim of a theft.  Two of AvMed’s unencrypted laptops containing protected health information (PHI) and personally identifiable information (PII) for approximately 1.2 million current and former AvMed members (Plaintiffs) were stolen.  Plaintiffs alleged that an unknown third party used their information for fraudulent purposes 10 to 14 months after the theft.

The operative complaint alleged the following causes of action:  negligence, breach of implied and express contracts, unjust enrichment, negligence per se, breach of fiduciary duty, and breach of implied covenant of good faith and fair dealing.

The Southern District of Florida dismissed the lawsuit, in part because the complaint failed to allege cognizable injury.  The Eleventh Circuit has now reversed the trial court’s dismissal on all but two counts, holding that Plaintiffs had standing, alleged a cognizable injury, and adequately alleged causation.

Standing

The Court first addressed the issue of whether Plaintiffs had standing.  The Court held that Plaintiffs alleged all three elements necessary to meet the standing requirement:

  • Plaintiffs suffered an injury in fact – they were victims of identity theft and suffered monetary damages
  • Plaintiffs’ injuries were “fairly traceable to AvMed’s actions” – Plaintiffs had personal habits of securing their sensitive information yet became the victims of identity theft after the laptops containing their PHI were stolen
  • A favorable resolution of the case in Plaintiffs’ favor could redress their injuries – compensatory damages would redress their injuries.

Cognizable Injury

The Court next dealt with the issue of whether Plaintiffs suffered a cognizable injury. Plaintiffs alleged the following damages: money spent placing alerts with various credit reporting companies, money spent contesting fraudulent charges, money spent purchasing credit monitoring services, lost wages for missing work while filling out police reports, travel related costs, cell phone minutes, postage, and overdrawn amounts in their bank accounts.  The Court held that Plaintiffs’ allegations of monetary loss and financial injury were cognizable injuries under Florida law, though the Court did not address the validity of each one of these damages elements separately.

Causation

The Court then addressed causation – whether Plaintiffs had alleged sufficient facts showing that the theft of the AvMed computers caused Plaintiffs’ injuries.  The Court held that Plaintiffs’ allegations were sufficient to show that causation was “plausible”.  Specifically, the Court relied on three allegations:  (1) before the breach, Plaintiffs never had their identities stolen or sensitive information compromised; (2) before the breach, Plaintiffs took substantial precautions to protect themselves from identity theft; and, (3) Plaintiffs became the victims of identity theft for the first time in their lives 10 to 14 months after the laptops containing the PHI were stolen.

A key fact for the Eleventh Circuit was that the sensitive information on the stolen laptops was the same sensitive information used to steal Plaintiffs’ identity.

With respect to unjust enrichment (the one count that did not require causation), Plaintiffs alleged that a portion of Plaintiffs’ monthly premiums went towards AvMed’s data security administrative costs, and AvMed should not be permitted to retain that money because AvMed failed to implement proper security measures.  The Court allowed this count to proceed.

The Dismissed Counts

The Eleventh Circuit did, however, affirm the dismissal of Plaintiffs’ negligence per se and breach of the implied covenant of good faith and fair dealing counts.  The negligence per se count was based on an allegation that AvMed violated Section 395.3025, Florida Statutes, by disclosing Plaintiffs’ health information without authorization.  The Court held that because AvMed is a managed-care organization and not a hospital, ambulatory surgical center, or mobile surgical facility, it was not subject to the statute.  The Court affirmed dismissal of the breach of the implied covenant of good faith and fair dealing count because any failure by AvMed to secure Plaintiffs’ data did not result from a “conscious and deliberate act” on AvMed’s part.

The Dissent

The opinion included a vigorous dissent that argued Plaintiffs had failed to allege a plausible basis for finding that AvMed caused Plaintiffs to suffer identity theft.  The dissenting judge observed that an obvious alternative explanation for the identity fraud existed – an unscrupulous third party that possessed the Plaintiffs’ sensitive information might have sold it to identity thieves who opened the fraudulent accounts, or a careless third party might have lost the information that then found its way into the hands of those thieves.

What Are The Takeaways?

First, it is important to note that as of the date of this alert, the opinion is not yet final.  That said, the opinion in its current form could lead to a dramatic uptick in data security litigation within the Eleventh Circuit, as plaintiffs will likely use the opinion to argue that the bar for causation in such cases is low and cognizable damages can be extensive (and arguably speculative).

Companies maintaining personally identifiable information and protected health information about residents of the states within the Eleventh Circuit (Alabama, Florida, and Georgia) would be well served to ensure that they are taking proactive steps to implement reasonable data security measures in an effort to avoid a data breach.  In this instance, for example, full-disk encryption of the stolen laptops might have prevented the subject lawsuits, provided the decryption keys were not recoverable from the devices themselves.
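The encryption point above is the one operational lesson in the opinion that can be turned into a concrete check.  The Python script below is an added example written for this post; it is not code from this blog, from AvMed, or from the court record.  It reads the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` produces on a Linux laptop and reports which sensitive paths are not backed by a dm-crypt (LUKS) layer.  The Linux/lsblk assumption, the default path list (`/var/lib/phi` is a hypothetical location for PHI), and both device inventories are constructed for illustration.

```python
"""Audit whether sensitive paths sit on an encrypted block device.

Added example for this post; it is not code from the blog, from AvMed, or
from the court record.  It assumes a Linux endpoint and the JSON emitted by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux), in which a dm-crypt
(LUKS) layer appears as a node of type "crypt" between the partition and the
filesystem mounted on it.  The two inventories below are constructed samples.
"""
import json
import subprocess
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# Constructed sample: a laptop whose / and /home live on LVM inside a LUKS
# container.  /boot and the EFI partition stay in the clear, as is typical.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
     "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
            {"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None,
             "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
             ]},
         ]},
     ]},
]})

# Constructed sample: the same machine with no encryption layer at all, the
# situation the stolen AvMed laptops were in.
PLAINTEXT_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
     "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
     ]},
]})


def _walk(node: dict, ancestors: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (mountpoint, device types from the disk down to this node)."""
    types = ancestors + [node.get("type", "")]
    # Newer util-linux emits "mountpoints" (a list); older emits "mountpoint".
    mounts = node.get("mountpoints") or [node.get("mountpoint")]
    for mp in mounts:
        if mp:
            yield mp, types
    for child in node.get("children", []):
        yield from _walk(child, types)


def mount_encryption(lsblk_json: str) -> Dict[str, bool]:
    """Map every mountpoint to True if a dm-crypt layer sits beneath it."""
    tree = json.loads(lsblk_json)
    return {mp: "crypt" in types
            for dev in tree["blockdevices"]
            for mp, types in _walk(dev, [])}


def mount_for(path: str, mounts: Sequence[str]) -> Optional[str]:
    """Return the longest mountpoint that contains `path` (e.g. /home for
    /home/alice), or None if no mountpoint covers it."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def unencrypted_paths(lsblk_json: str,
                      sensitive: Sequence[str] = ("/", "/home", "/var/lib/phi")) -> List[str]:
    """List the sensitive paths (hypothetical defaults) that are not backed
    by an encrypted device.  A path whose mountpoint is missing from the
    inventory is reported too: absence is not evidence of safety."""
    enc = mount_encryption(lsblk_json)
    findings = []
    for path in sensitive:
        mp = mount_for(path, list(enc))
        if mp is None or not enc[mp]:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # On a real Linux host, feed the live lsblk output to the same check.
    live = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout
    for path in unencrypted_paths(live):
        print(f"UNENCRYPTED: {path}")
```

Run the check over an inventory of per-host lsblk output collected by management tooling rather than trusting a self-reported “encryption enabled” checkbox.  Note what it does not prove: that the LUKS passphrase is strong, that the volume is not auto-unlocked from a TPM without a PIN, or that the unencrypted /boot has not been tampered with; those need separate controls.  Windows (BitLocker, `manage-bde -status`) and macOS (`fdesetup status`) report encryption state in their own formats and need their own parsers.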

 


The SEC Is Cracking Down on Companies That Do Not Disclose Cyber Incidents

Posted in Data Security, SEC

As I wrote in a previous post, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued a Disclosure Guidance on October 13, 2011, that states publicly traded companies may be obligated to disclose cyber incidents and the risk of cyber incidents, depending on the application of various factors.

Now, according to a recent Bloomberg article, the SEC is cracking down on publicly traded companies’ failure to comply with the Guidance.  The SEC apparently sent “dozens” of letters to companies asking about their cybersecurity disclosures and pushing them to disclose.  Six of the companies the SEC instructed to disclose were AIG, Amazon.com, Eastman Chemical Co., Google, Hartford Financial Services Group, and Quest Diagnostics, Inc.

With respect to Amazon.com, its Zappos.com unit was the victim of a cyber attack that resulted in the theft of addresses and credit card numbers belonging to 24 million of its customers.  In April, the SEC asked Amazon to disclose the attack, and, according to Bloomberg, Amazon has now done so, though not without objection.  Amazon initially resisted disclosing the cyber attack because, according to Amazon, Zappos did not contribute material revenue to Amazon.

Google, too, has now agreed to disclose in an SEC filing a cyber attack that it had already announced publicly in January 2010.  The SEC believed that disclosure in a formal SEC filing was necessary to “provide the proper context for your risk factor disclosures.”  Accordingly, Google agreed to repeat the information in its earnings report.

Hartford told the SEC that it hadn’t suffered a “material” cyber attack, but the SEC instructed it to disclose “any” attack.

AIG agreed to state in a future quarterly report that it had “from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions.”

The SEC’s action is significant because the Guidance is not technically a rule, though the SEC is effectively creating a rule by taking the position that these companies should have disclosed their breaches.  Failure to comply with an SEC letter can lead to fines amounting to hundreds of thousands of dollars; fighting the SEC in litigation could cost millions.  It will be interesting to see whether and to what extent the SEC will continue to crack down on companies that do not disclose cyber attacks and risks of cyber incidents.

 


How Secure is the Health Care Industry?

Posted in Data Security, Health Care Industry

For years, health care providers have worked hard to comply with the HIPAA Security Rule, which requires implementation of administrative, technical, and physical safeguards to secure protected health information (PHI).  This recent study by Jorge Rey and Tyler Quinn at Kaufman, Rossin & Co. analyzes data breaches reported to the U.S. Department of Health and Human Services between January 1, 2010, and December 31, 2011, in an effort to help health care providers and their vendors (business associates) develop more effective risk assessments.

What Caused PHI Data Breaches?

The study showed that theft comprised approximately 53% of data breaches, other “unauthorized access” caused approximately 20% of data breaches, loss of data caused approximately 15% of data breaches, while hacking and improper disposal of information comprised a very small number of data breaches (6% each).

Where Was The PHI Compromised?

The study further found that laptops, paper, and “other” media (portable electronic devices, backup tapes, CDs, and X-ray films) were evenly split as locations of data breaches, with approximately 25% each.  Desktop computers and servers were the next most likely location for PHI breaches (approximately 10% to 15%), while email (approximately 2%) and electronic medical records (1%) were the least frequently breached locations of PHI.  The “other” category grew dramatically from 2010 to 2011, signifying the increased use of portable electronic devices among health care providers.

Conclusion

The study found that, overall, reported data breaches of PHI declined from 2010 to 2011, indicating that “[c]overed entities and business associates seem to have a better understanding of where e-PHI resides, and many have implemented safeguards to protect it.”  The bad news, however, is that the number of individuals whose PHI was compromised nearly doubled from 2010 to 2011.  Importantly, one of every five breaches occurred at or due to a business associate, indicating that health care providers need to do more to assess and monitor their vendors’ security weaknesses.

The study ends with a very helpful “Risk Score Tool” or checklist to help health care providers measure whether they are implementing effective safeguards for the PHI they collect and maintain.  I highly recommend this study to anyone in the health care industry who is interested in security and privacy issues that arise from the collection, storage, and use of PHI.

 


Data Privacy – Is Your Business Ready For HB 300?

Posted in Data Privacy

On September 1, 2012, a new law will go into effect in Texas that imposes new requirements on organizations that maintain protected health information (PHI).  The new legislation, HB 300, imposes even tighter standards than required by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Who Does HB 300 Apply To?

Like HIPAA and HITECH, HB 300 applies to “covered entities.”  But the definition of a covered entity under HB 300 is broader than the definition of a covered entity under HIPAA (expanded by HITECH).  A “covered entity” under HB 300 is any individual, business or organization that:

  • Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
  • Comes into possession of PHI;
  • Obtains or stores PHI; or
  • Is an employee, agent, or contractor of a person described in the above three categories, if they create, receive, obtain, maintain, use, or transmit PHI.

In short, HB 300 would theoretically apply to entities such as law firms that maintain medical records in prosecuting/defending lawsuits, schools that maintain or use PHI, and information management entities that transfer and sell PHI.

What Does HB 300 Require?

HB 300 imposes a number of requirements on covered entities, including but not limited to:

Employee Training – Covered entities must train their employees regarding federal and state law related to the protection of PHI.  The training must be specifically tailored for the employee’s responsibilities and the ways in which the covered entity uses PHI.  New employees must be trained within 60 days of their hire dates, training should take place at least once every two years, and upon the completion of a training program, the employee must sign a statement verifying the employee’s attendance at the training program.  The covered entities must maintain these signed employee statements.  In contrast, HIPAA requires training only within a reasonable period of time after an employee is hired or whenever there are material changes to privacy policies.

Patient Record Requests – HB 300 requires covered entities to provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request.  This requirement differs from HIPAA, which allows covered entities 30 days to respond to such requests.

Disclosure of PHI – HB 300 prohibits the sale of PHI.  Additionally, a covered entity may only disclose PHI to another covered entity for the purpose of treatment, payment, health care operation, performing an insurance or health maintenance organization function, or as otherwise authorized or required by state or federal law.  If disclosure is made, then the covered entity must give notice to patients about the disclosure.

Consumer Information Website – The Texas Attorney General must maintain a website explaining consumer privacy rights regarding PHI under Texas and federal law, a list of the state agencies that regulate covered entities, detailed information about each agency’s complaint enforcement process, and contact information for each agency for reporting a violation of HB 300.

Audits of Covered Entities – Texas’s Health and Human Services Commission may request that the U.S. Secretary of Health and Human Services conduct an audit of a covered entity to determine compliance with HIPAA and the commission must periodically monitor and review the results of those audits.

What Are The Consequences For Violating The Law?

HB 300 imposes significant civil penalties, ranging from $5,000 to $1.5 million, on covered entities that fail to comply with its requirements.  The Texas Attorney General is responsible for pursuing these penalties.  In determining the amount of a penalty imposed, the court will consider the seriousness of the violation, the entity’s compliance history, the risk of harm to the patient, the amount necessary to deter future violations, and efforts made to correct the violation.

To the extent the violation arises from a failure to comply with the disclosure requirements of HB 300, factors that may limit a covered entity’s liability include whether the disclosed information was encrypted, whether the recipient did not use or release the PHI, and whether the covered entity had developed, implemented, and maintained security policies, including training of its employees responsible for the security of PHI.

What’s The Point?

The point is that your business needs to evaluate whether HB 300 applies to you.  Are you a covered entity under this new, broader definition?  Do you have training policies and procedures in place that meet the requirements of HB 300?  Are you ready to respond quickly to requests for PHI?  Even if the law doesn’t apply to you, best practices in your industry might make it wise to become compliant, as concerns about the privacy and security of PHI continue to grow.

 
