Defining the Limits of the Computer Fraud and Abuse Act: The Ninth Circuit’s Second Take on United States v. Nosal.

Everett Monroe
November 4, 2015

Is it a federal crime to use a co-worker’s password, with that co-worker’s permission, in order to access information for an improper purpose? What about those who get usernames and passwords from unwitting victims in an email scam? What does it mean to have authority to access a computer system, and who can give that authority? Could Congress have anticipated these questions in 1986 when it passed the Computer Fraud and Abuse Act (“CFAA”)? A three-judge panel of the Ninth Circuit Court of Appeals wrestled with these questions recently as they tried to augur the limits of the CFAA during oral argument in United States v. Nosal.

The CFAA makes it a criminal offense to use a computer without authorized access or in a manner that exceeds authorized access. The Act also provides a civil right of action to hacking victims. The same prohibition applies to both criminal and civil causes of action, and requires proof on the issue of whether the activities of the alleged hacker either accessed the computer without authorization or exceeded the authorization he or she had.

Timing Is Critical For Erecting Ethical Wall

Michele Trausch
November 2, 2015

A case from the Central District of California earlier this year highlights the critical issue of the timeliness of erecting a wall.

In Signature MD, Inc. v. MDVIP, Inc., the defendant moved to disqualify plaintiff’s counsel on the grounds it had previously represented the defendant from 2008 to 2012. The motion was granted because the current and former relationships were substantially similar and because the ethical wall the plaintiff’s counsel’s firm had erected was ineffective.

In fact, the wall was erected two days after the firm was retained by plaintiffs. There was no evidence that preventative measures were in place before the wall went up to prevent disclosure of privileged information. Even declarations stating that there was no disclosure during that time would not have helped defeat the motion.

LESSON TO BE LEARNED: It is essential that no work be done before an ethical wall is in place. Courts will require strict compliance with all the elements of an effective ethical wall when ruling on a motion to disqualify. The timeliness of erection of the wall can make all the difference.

Senate Passes Cybersecurity Information Sharing Act

Everett Monroe
October 30, 2015

On Tuesday, the United States Senate passed S. 754 – the Cybersecurity Information Sharing Act (“CISA”). CISA’s goal is to facilitate and improve sharing about cybersecurity threats between private business and the federal government. While CISA will likely undergo some changes and still has some steps to overcome before it becomes law, Senate passage was a major hurdle. Bills similar to CISA have been pending before Congress since 2012 without success.

Under CISA, the federal government would set guidelines and procedures for receiving cyberthreat information from businesses and sharing cyberthreat information with businesses. The Department of Homeland Security would create a preferred process for businesses to use when sharing cyberthreat information.

Businesses would be given legal protections from anti-trust, trade secret, and some civil suits for cyberthreat information they share under the statute. Businesses and government entities would be required to remove unnecessary personal information before sharing it. Businesses would also be given immunity from suit to monitor their computer networks for cybersecurity purposes, and be authorized to deploy defensive measures.

CISA will now go to conference committee to be reconciled with HR 1560, which is a combination of two similar bills passed by the House of Representatives in April. A single form of the legislation will be agreed upon. Once passed, the resulting bill is expected to be signed by President Obama consistent with the directives he announced at the Cybersecurity Summit at Stanford University on February 13, 2015, at which time he signed Executive Order No. 13691, entitled Promoting Private Sector Cybersecurity Information Sharing.

California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA. Notification to consumers is not required if only encrypted data is breached.

SB 570 mandates that data breach notices sent to California residents carry specific titles that are clearly and conspicuously displayed in the notice, and that the body of the notice be in no smaller than 10 point font. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.

European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued a judgment in the case of Maximillian Schrems v. Data Protection Commissioner finding that the US-EU Safe Harbor is invalid for failing to provide adequate limitations on data processing for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to monitor the adequacy of data transfer mechanisms more closely and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe-wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the Updated Safe Harbor Framework, noting that it is prepared to work with the Commission to address uncertainty created by the Court’s decision. Meanwhile, the Article 29 working group, a body made up of the national data protection authorities and representatives from EU governing institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.

Proposed Prop. 65 Amendments to Require Greater Accountability and Transparency by Private Plaintiffs

Samir Abdelnour
October 8, 2015

The California Attorney General has proposed amendments to regulations implementing the state’s Safe Drinking Water and Toxic Enforcement Act of 1986 (Prop. 65), in an effort to address her “significant ongoing concerns with respect to private enforcement actions under the statute.” The Attorney General’s proposed amendments appear to stem from similar concerns previously raised by Gov. Jerry Brown in his attempts to encourage Prop. 65 reform. While these amendments seem intended to benefit businesses targeted in Prop. 65 litigation, by requiring private plaintiffs to provide greater justification for certain monetary settlement terms, they will not likely reduce the number of Prop. 65 private enforcement actions and may result in higher settlement demands by plaintiffs.

The main emphasis of the Attorney General’s proposed amendments is to create greater accountability for private plaintiffs who funnel to themselves Prop. 65 settlement payments, under the guise of “payments in lieu of penalties,” that might otherwise go to the state’s Office of Environmental Health Hazard Assessment (OEHHA). Specifically, the proposed amendments are designed to:

  1. ensure that the state’s Office of Environmental Health Hazard Assessment (OEHHA) receives civil penalty payments specified in the statute;
  2. limit the ability of private plaintiffs to keep “in lieu of penalty” payments for themselves, defined in the amendments as “Additional Settlement Payments;”
  3. require entities receiving Additional Settlement Payments to show that those payments are spent to further the environmental and consumer protection goals of the litigation being settled and of the State of California; and
  4. reduce private plaintiffs’ financial incentive to prosecute Prop. 65 cases that do not confer a substantial public benefit.

If the Attorney General’s amendments are adopted, the regulations would cap Additional Settlement Payments at the amount of civil penalties that OEHHA receives under the settlement. Settlements including Additional Settlement Payments would have to specify the activities to be funded with such payments, and such settlements would require judicial approval. Recipients of Additional Settlement Payments would also be required to document how those funds are spent and provide such documentation to the Attorney General upon request. The amendments also propose other changes to the Prop. 65 regulations, such as adding a rebuttable presumption that reformulation of a product confers a significant benefit on the public, and explicitly requiring settlements obtained without court approval to be served on the Attorney General.

However, without addressing any requirements for private plaintiffs to make a prima facie demonstration of the merits of their claims, the amendments are unlikely to reduce the number of Prop. 65 actions brought in California. Businesses faced with Prop. 65 notices of violation should also not expect these amendments, if adopted, to mean private plaintiffs will settle for less money over the long term. Rather, private plaintiffs will likely “adapt” to the new regulations by increasing their demands for civil penalties to be paid to OEHHA to match the Additional Settlement Payments they seek to recover in settlement.

The proposed amendments can be found here. Written comments are due to the Attorney General’s Office on November 9, 2015.

With data privacy, you better do what you say you are doing

Everett Monroe
September 28, 2015

Data privacy commitments are often enforced by administrative agencies under state and federal unfair competition laws. Enforcement actions against companies that fail to meet their commitments to consumers are a common occurrence.

Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.

The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example of this is the Commission’s complaint against Nomi Technologies. Nomi Technologies tracked mobile devices in participating retail locations, which could generate data on the duration and frequency of customers entering the location and their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments: (1) that customers would be informed as to which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at the participating retail locations. The FTC obtained a 20-year monitoring agreement over Nomi.

A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.

Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.

US/EU “Safe Harbor” Agreement Ruled Invalid By EU Judge

William Kellermann
September 23, 2015

In an influential opinion published September 23, 2015, European Court of Justice (ECJ) Advocate General Yves Bot recommended the ECJ find the US/EU “Safe Harbor” Agreement invalid. The 40-page ruling provides a preliminary victory for Austrian law student and privacy advocate Maximillian Schrems, but stands to cast the data transfer practices of many companies into turmoil.

The case stems from Schrems’ crusade against the data privacy and data transfer practices of Facebook in light of Edward Snowden’s revelations about the US National Security Agency’s Prism data surveillance program. Schrems sued Facebook in Ireland, where it locates its servers for services to its EU user base. The High Court of Ireland referred the matter to the ECJ for a preliminary ruling.

While Bot’s ruling is preliminary, subject to confirmation by the ECJ, and would only be directly binding as to Facebook, the recommendations found in Bot’s opinion upend many commercial practices regarding data transfer from the EU to US-based servers. While the NSA’s Prism program targeted the data transfers of nine internet companies, such as Microsoft, Google, Apple and Facebook, the unraveling of the Safe Harbor agreement could have far-reaching effects on any company with EU operations sending data about EU citizens, including employees, to the US.

The case is Maximillian Schrems v Data Protection Commissioner, Case # C‑362/14, pending in Luxembourg.

Give Experts All The Facts Before They Form An Opinion

Eric Junginger
September 9, 2015

It’s easy to have your expert opine exactly what you think you need to support or oppose a summary judgment motion when the expert is not given all of the pertinent facts. In Shiffer v. CBS Corporation, ___ Cal.App.4th ___ (2015 Cal.App. LEXIS 788) [9/8/15], the First District Court of Appeal made clear that “[a]n expert’s opinion is only as good as the facts on which it is built,” and if the expert has not been given the complete set of facts to form an opinion, the expert’s opinion lacks foundation and can be excluded from evidence.

In Shiffer, plaintiff conceded at deposition that the original asbestos-containing insulation on a Westinghouse turbine generator was already installed when he arrived at the job site, and it was never repaired, maintained, installed, or removed in his presence. Westinghouse moved for summary judgment based on no asbestos exposure. In opposition to Westinghouse’s MSJ, plaintiff submitted a contradictory declaration that insulation was being applied on the turbine when he arrived at the job site.

Relying solely on this declaration (and not reading any of plaintiff’s deposition testimony), plaintiff’s experts Charles Ay, Christopher Depasquale, and Barry Horn submitted declarations collectively opining that plaintiff was exposed to Westinghouse’s asbestos which was a substantial factor in causing his mesothelioma. However, the trial court rejected the plaintiff’s declaration because it failed to raise a triable issue of exposure, and the expert declarations because they did not consider plaintiff’s deposition testimony. Finding no admissible evidence of asbestos exposure, summary judgment was granted.

The Court of Appeal affirmed, observing that plaintiff’s experts relied on “a significantly incomplete universe of information, leaving them without an adequate basis” to form their opinions. Under Sargon Enterprises v. University of Southern California (2012) 55 Cal.4th 747, 770, expert opinions “may not be based on assumptions of fact without evidentiary support.” While it remains true that expert declarations in opposition to a summary judgment motion are to be liberally construed, expert opinions may nevertheless lack foundation and be excluded from the summary judgment record if the experts did not analyze the complete set of relevant facts.

An expert never wants to be surprised at a deposition or trial with facts that, had the expert known about them, would have materially changed the expert’s opinion. The same goes for a pre-trial expert declaration. It is incumbent on counsel to provide their expert with the complete set of relevant facts. This is not just a good tip for managing your relationship with an expert; it also provides a sound foundation that reduces the risk that the expert’s opinion will be excluded from evidence.

Third Circuit Affirms FTC Authority to Regulate Cybersecurity

Batya Forsyth and William Kellermann
September 2, 2015

If it wasn’t clear before, data breaches are now a federal affair, in addition to falling under various statutes and regulations in 47 states. Since 2000, the Federal Trade Commission (FTC) has been the self-styled “primary federal data security regulator” in the United States. Beginning in 2005, the FTC instituted numerous data security enforcement actions, primarily under authority found in Section 5 of the Federal Trade Commission Act. Yet nowhere in the Act are there explicit references to “data privacy,” “data security” or the more modern moniker, “cybersecurity.”

Until recently, targets of FTC investigations or enforcement actions arising from data breaches have chosen administrative settlements rather than fight. That changed as a result of the Wyndham Worldwide hotel chain data breaches and Wyndham’s subsequent resistance to FTC enforcement. Under the recent ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al., __ F.3d __, 2015 WL 4998121 (3d Cir. Aug. 24, 2015), FTC regulatory authority appears to be on solid ground.

Section 5 of the FTC Act grants the FTC broad authority to prevent the use of unfair and deceptive trade practices. 15 U.S.C. § 45(a)(1) and (2). While banks, savings and loans, federal credit unions and transportation companies are exempt, 15 U.S.C. § 45(a)(2), the Act otherwise casts a broad net across industries.

Wyndham Worldwide owns or operates a hotel chain and provides centralized IT services to franchises, as well as its own properties. The FTC enforcement action stemmed from a series of data breaches that gave hackers access to payment card information for more than 619,000 customers. The hacks later gave rise to more than $10.6 million in fraudulent charges.

The FTC brought its action against Wyndham in the United States District Court for the District of New Jersey alleging the company’s data security practices were an “unfair practice” and that its privacy policy was “deceptive” under section 5 of the Act. The FTC complaint alleged Wyndham misrepresented the security measures it took to protect customer personal information, and that Wyndham’s cybersecurity efforts were unfair in the face of the FTC’s published security guidance. The District Court denied Wyndham’s motion to dismiss, finding the FTC had the authority to regulate data security practices. Notably, the Court further found the FTC did not have to issue formal regulations before bringing enforcement actions. The Third Circuit certified two issues for interlocutory appeal:

  1. Whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and,
  2. Assuming such regulatory authority, whether Wyndham had fair notice its specific cybersecurity practices could fall short of the statutory requirement.

The Third Circuit affirmed the District Court, finding ample authority for the FTC to regulate cybersecurity under the Act, as well as clear guidance under the Act, the FTC’s regulatory enforcement history and its published guidance as to acceptable conduct in setting cybersecurity policies and practices.

While the FTC Act grants the FTC both rulemaking and enforcement authority under Section 5, the FTC has not enacted formal rules or regulations that apply to data security requirements. As set forth in the Wyndham Worldwide order, companies must rely on FTC publications, data security complaints and consent decrees to determine if their data security programs comply with FTC standards. To that end, the FTC published Protecting Personal Information, A Guide for Business which sets forth five principles on which a company must base its data security practices:

    • Be aware of all the personal information collected, retained and shared.
    • Keep only personal information required for legitimate business operations.
    • Use physical and electronic security to protect the information an organization retains.
    • Properly dispose of personal information as soon as it is no longer necessary for business operations.
    • Have a plan to respond to security incidents.

The FTC is seen as having a central role in protecting consumers. However, just as the FTC Act is silent on the topic of data security, nothing in 15 U.S.C. § 45(a) limits the FTC’s authority to “consumer” data per se. The Act empowers the Commission to address “unfair or deceptive acts or practices in or affecting commerce.” That broad mandate, coupled with the guidelines established by the Commission and the holding in the Wyndham opinion strongly suggests all companies must now address their cybersecurity policies and practices. Companies must ensure the policies and practices meet the guidelines set by the FTC, at least with respect to the personally identifiable information (PII) of employees, contractors and business partners that finds its way onto company systems.

The first four bullets of the FTC Guidelines are essential elements of an Information Governance (IG) program. One could argue after the Wyndham opinion that the failure to institute an information governance program puts an enterprise squarely in the sights of a costly and time-consuming FTC enforcement action in the event of a data breach. Conversely, implementing an IG program, coupled with a well-crafted cyber incident response plan, will help a company stave off or mitigate the effects of FTC scrutiny. Moreover, an IG program comes with the added benefits of reduced cost and risk associated with data storage, as well as reduced cost whenever a company must respond to compliance or other investigations or to parties in litigation. If your company has not considered an Information Governance program before now, perhaps now is the time. Finally, outside counsel are essential members of an incident response team, providing legal risk analysis, representation and the umbrella of privilege for communications.

A California Litigation Blog