Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

The PRC Cybersecurity Law Takes Effect

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Jeffrey L. Poston, Paul Rosen, Brandon C. Ge

The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and criminal penalties.

The PRC Cybersecurity Law requires the implementation of administrative and technical security safeguards, restricts the cross-border transfer of personal information and “important data” collected through operations in China, and mandates the protection of personal information.

While much of the law remains murky, the PRC Cybersecurity Law will likely impact companies of all sizes that do business in China, including those that do not have a physical presence there. Companies should carefully review their practices to determine how the new requirements – particularly those relating to data localization and the PRC’s potential access to that data – impact their operations in China.

Click here to read Crowell & Moring’s full alert on the PRC Cybersecurity Law.

Gunning For An Anonymous Internet Defamer or Infringer’s Identity …

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

… outside your main jurisdiction can have collateral consequences.

In Gunning v. Doe, 2017 WL 1739442 (Me. May 4, 2017), Maine’s highest court just dodged the issue of the applicable First Amendment test for the disclosure of an anonymous speaker accused of defamation. Instead, it deferred to California’s test. Why? Collateral estoppel: the defamation plaintiff lost her effort to subpoena a California website host for identifying information of the John Doe defendant, and that decision barred the plaintiff from relitigating the disclosure issue in Maine.

Can You Copyright Infringe Anonymously?

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
Joe Meadows

Yesterday, the Sixth Circuit heard an anonymous copyright infringement case of first impression. See Signature Management Team, LLC v. Doe, No. 16-2188 (6th Cir.). The issue: whether an adjudicated copyright infringer can remain anonymous.

The infringer said he can.

“John Doe” appeared in the case through counsel and defended against Signature’s infringement claim. He lost. But he maintained his right to anonymity under the First Amendment. According to Doe, a court should balance a defendant’s right to remain anonymous against a plaintiff’s need for the defendant’s identity at all stages of litigation, including post-judgment. And here, as the lower court held, Signature prevailed but it didn’t need Doe’s identity where no damages were sought and Doe agreed to cease the infringement.

What’s Next For Federal Anti-SLAPP Legislation

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
Clifford J. Zatz, Joe Meadows, Laura Aradi

Congress may re-introduce federal anti-SLAPP legislation this session.  Similar bills in 2009, 2012, and 2015 never made it out of committee.  Our Law360 article identifies several areas to improve on a fourth attempt to enact a universal anti-SLAPP law.  The article also highlights the constant battle between First Amendment rights and rights to protect one’s name and business.  There’s room for a middle ground by drafting a narrow definition of “matter of public concern,” setting reasonable dismissal and disclosure standards, including limited discovery, and restricting removal of cases to only those involving the First Amendment.

Court Allows Data Breach Claims Against Kimpton

Posted in Data Breach, Privacy
Maida Oringher Lerner, Kate M. Growley, Charles Austin

On April 13, a federal court ruled that theft of credit card information, even prior to misuse of that data, could permit a plaintiff to pursue claims based on a 2016 data breach at certain Kimpton hotel properties.  In Walters v. Kimpton Hotel & Restaurant Group, the court denied in part Kimpton’s motion to dismiss and rejected Kimpton’s position that actual injury, for standing purposes, requires unauthorized charges or other misuse of payment data.  Based on the allegations, the court found it plausible that, given the dates the plaintiff stayed at an affected hotel, the plaintiff’s payment card information “was taken in a manner that suggests it will be misused.”  It was not necessary, the court concluded, that the plaintiff wait until actual misuse occurred before seeking relief for both the theft and the time and effort spent monitoring his credit and mitigating potential misuse.  The court further ruled that the plaintiff alleged out-of-pocket expenses and other actual damages sufficient to support his claims for implied breach of contract, negligence, and violation of California’s Unfair Competition Law.

The court also found that Kimpton’s privacy policy provided a plausible basis for the existence of an implied contract between Kimpton and its patrons.  Specifically, the court noted that Kimpton’s privacy policy stated that “Kimpton is ‘committed’ to safeguarding customer privacy and personal information,” and that this commitment may create an enforceable promise.

New OCR Settlement Targets Safety Net Provider on Security Rule Deficiencies

Posted in Cybersecurity / Data Security, Information Management
Daniel Vinish, Maida Oringher Lerner, Stephanie Willis, Kate M. Growley

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

Home Depot Settles Major Data Breach Suit with Financial Institutions for $25 Million

Posted in Data Breach
Maida Oringher Lerner, Justin Kingsolver

On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action involving more than 60 nationwide financial institutions harmed by the retailer’s September 2014 data breach.  That month, the home improvement giant announced that hackers had installed malware on Home Depot’s checkout kiosks and, over a five-month period, stolen credit card information of more than 56 million shoppers.  Immediately thereafter, financial institutions filed more than 25 suits seeking compensation for reissuance fees and fraudulent transaction reimbursements, suits that were then consolidated before a federal court in Atlanta.

The agreement requires the retailer to establish a $25 million settlement fund to reimburse financial institutions for the reissuance of credit cards compromised by the data breach.  The Home Depot has also agreed to a series of additional security measures, including implementing new safeguards developed through a risk exception process and enacting new vendor security programs.

Prior to Wednesday’s announcement, Home Depot had already spent more than $140 million to settle claims by many of the nation’s large credit card issuers – including MasterCard, Visa, American Express, and Discover – for damages sustained in this breach.

CFAA Conviction for Accessing and Damaging Former Employer’s Computer System

Posted in Cybersecurity / Data Security
Jeffrey L. Poston, Kate M. Growley, Charles Austin

Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations.

Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility. In February 2014, Georgia-Pacific terminated Mr. Johnson’s employment and had him escorted from the premises. During the following two weeks, Mr. Johnson remotely and repeatedly accessed the computer system at the Port Hudson facility and uploaded malicious code that damaged the facility’s automated operations for making paper towels, causing more than $1.1 million worth of damage. His activity stopped only after federal agents executed a search warrant at his home and seized his computer, which was, at the time of the search, connected to Georgia-Pacific’s network. Mr. Johnson pleaded guilty to a criminal violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A).

This conviction is yet another reminder of the danger of lax network access policies, especially with regard to employee departures.  Companies should consider creating and enforcing robust protocols for network access, including prompt revocation and termination of access rights for employees who leave, particularly those with access to critical systems.  Companies should also consider implementing routine review of access credentials and taking steps to repossess company hardware and data from departing employees.

Vizio Agrees to $2.2M Settlement Regarding Data Collection Practices

Posted in Government Agencies, Information Management, Internet of Things, Privacy, Uncategorized
Charles Austin

Last week, the Federal Trade Commission (“FTC”) announced an agreement settling claims against a television manufacturer arising from the alleged unauthorized collection of television viewing data.  The FTC, along with the State of New Jersey, alleged that certain “smart TVs” manufactured and sold by VIZIO, Inc. and its subsidiary VIZIO Inscape Services (collectively, “VIZIO”) failed to adequately inform consumers that viewing data—which VIZIO later sold to or otherwise shared with third parties—would be collected and disclosed.  In settling the charges, VIZIO agreed to pay $2.2 million, cease unauthorized data tracking and collection, and update its collection and disclosure notices.  For more on VIZIO’s practices, the allegations, and important lessons from the settlement, see the recent blog entry by Lauren Aronson of our Advertising and Product Risk Management team.

December 2016 Monthly Update

Posted in Cybersecurity / Data Security, Data Breach, Ethics, Government Agencies, Health IT, Privacy, Rules
Crowell & Moring

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identity theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury. The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing because the plaintiffs suffered from identity theft after a data breach. Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.