Only Five Days To Report Data Breach For Insurers And Agents In Connecticut

One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it.  The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010.  The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.  

The Insurance Department defined a security incident requiring notification as follows: 

The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Health Net data loss.  In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.

Five days is a very short time frame, let alone immediate notification.  It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event.  I have posted before about the necessity for a privacy plan to address data loss and security breach incidents.  With these types of notice provisions, privacy plans become more critical as a risk management tool for insurers and agents to avoid administrative penalties.

Does A Limited Liability Company Protect Its Members From Personal Tort Liability?

Not always.  An individual member of an LLC or an officer of a corporation may be individually liable for their own torts.  This rule is well settled and the Connecticut Supreme Court reaffirmed it in Strum v. Harb Development, which will be officially released on August 31, 2010.  

Business owners often choose to form a business entity to operate under, such as a limited liability company (LLC), limited liability partnership, or professional corporation.  In basic terms, the entity operates as an individual for legal purposes. There are many reasons to form a business entity. One of the more common reasons is to limit your personal liability and protect your assets.  The idea is, if you make a mistake in business, the entity is responsible, not you personally.

Many times, a properly formed and maintained business entity, like an LLC or corporation, can provide a shield or "veil" of protection for an individual member or officer.  However, the protection is not absolute, and there are many instances where you can be personally liable in business despite the formation and operation of a business entity.    Two of the most common methods of establishing personal liability are "piercing the corporate veil" and individual responsibility for torts, such as breach of fiduciary duty, negligence, fraud, and misrepresentation. 

In the Strum case, the Connecticut Supreme Court addressed the latter situation involving personal liability for torts (I will do a post on veil piercing soon). The Strum case involved a homeowner alleging poor workmanship and breach of a construction contract for new home construction.  The plaintiff homeowners in the case brought a lawsuit against not only the entity, Harb Development, LLC, but also its principal member, John Harb.  The plaintiffs alleged, among other claims, that Mr. Harb was personally liable for negligence.  Mr. Harb moved the trial court to strike the allegations against him personally, seeking the protection of his LLC, Harb Development.  His attorney argued that absent facts sufficient to pierce the veil of protection of the LLC, Mr. Harb personally was immune from liability.

At the lower level, the trial court granted the motion to strike primarily on the grounds that there were no facts in the complaint to pierce the veil of the LLC.  Although the Supreme Court ultimately found that there were insufficient facts alleged in the complaint to establish the negligence claim against Mr. Harb personally, the Court rejected the argument that Mr. Harb could not be personally liable for negligence merely because he was a member of an LLC. 

The Supreme Court noted that Connecticut's common law provides for personal liability of officers of a corporation for torts personally committed (such as negligence) that injure third parties provided  the injured party can show a legal duty, breach of that duty, causation, and damages.   As such, if an officer of a corporation commits a tort in business, the officer may be personally liable even if the corporation is also responsible.  The Strum case makes clear that this common law rule applies even in the absence of facts sufficient to pierce the corporate veil.  This same common law rule also applies to members of an LLC. 

The Strum case serves as a reminder to business owners that formation of a business entity will not protect you from personal liability in all circumstances.  Liability for individual torts and piercing the veil of a business entity are two common scenarios where business owners may face personal liability despite the shield that a business entity may provide.  Whether a business owner can face personal liability for negligence, fraud, or misrepresentation involving the business will often depend on the facts of the case. 

Cyber Crime On The Rise And Costly - What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here.  The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider.  The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurrence
  • The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
  • The companies in the study were experiencing 50 successful attacks per week
  • Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs for company compliance depended greatly on the level of security programs at each company

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly.  Responding quickly to a cyber attack is essential.  Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack.  There should be a dedicated response team and protocol for any such event.
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks.  Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company's ability to respond to a cyber attack.  Advance planning is critical to mitigating damages from cyber attacks.

Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is the victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack.

eBay sued for $3.8 Billion - - Patent Troll or David v. Goliath?

Is it David v. Goliath or a patent troll case?  Connecticut-based XPRT Ventures, LLC has filed a lawsuit in the U.S. District Court in Delaware (download lawsuit here) against eBay for $3.8 billion over the technology for automating and securing online payment portals. The suit was also filed against eBay's PayPal, Bill Me Later, Shopping.com, and StubHub.

In the suit, XPRT alleges that PayPal and others have used its systems and methods for electronic auction and e-commerce transactions subject to XPRT's six U.S. patents since at least 2002.  XPRT also alleges that eBay received confidential information in 2001 from the inventors and misappropriated information from patent applications assigned to XPRT. XPRT alleges a loss to date of $600 million with expected future losses of $3.2 billion.

The suit is for willful patent infringement, but at its heart is XPRT's allegation that eBay stole XPRT's trade secrets obtained from patent applications to use in eBay's own patent applications and for use by eBay in multiple platforms for PayPal and others.  The complaint states that XPRT passed on confidential information related to its patents to eBay in 2001 with the expectation of compensation should eBay be interested in the technology. The complaint alleges that the confidential information included how eBay could benefit from acquiring PayPal's payment platform.  Instead, eBay allegedly used the information provided in support of its own patent applications and online uses for PayPal and others.

The suit has been summarized and covered by various online media, with some supporting and others criticizing the suit. Read here for the Reuters report on the eBay suit and PCWorld's story.  Another good summary is the post today from Rajeev Saxena of Trends Updates. The post includes the following statement from XPRT's Connecticut-based counsel, Steven Moore:

This involves a trade secret theft, along with sheer patent infringement.  It is bad enough to take someone's technology, but it is a bit much to use it in your own patent application. 

Attorney Moore's firm also issued a press release that states, in part:

In a nutshell, XPRT asserts eBay unfairly stole the idea and method of payment used in eBay's PayPal and similar electronic payment systems.

Techdirt, a technology blog, came out swinging and criticized the suit as "another patent lawsuit against a big company for doing something obvious, filed by a company that appears to exist solely for the purpose of suing a company that actually does stuff."  Mike also includes in his post some additional details about the history of XPRT's trail of patent rejections.  His take is basically that the case is a patent troll stick-up suit.  For a good and balanced definition of "troll patent" or "patent troll," read this post from PatentlyO, the nation's leading patent law blog.

Erik Sherman, a freelance writer, had a somewhat different take in his blog post.  After providing a detailed summary of his own investigation and fact finding, Erik wrote that "this is not a simple case of a troll finding an obscure patent that could be stretched to cover an intended target."  He also focused on another case where eBay was alleged to have engaged in similar unethical behavior and the complications potentially created for Meg Whitman (eBay CEO at the time), who is currently running for California governor.

Thus far, eBay only issued a short statement denying that there is any merit to the suit. What's your take, Patent Trolling or David v. Goliath?

Computer Fraud and Abuse Act In Connecticut

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.  Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access.

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under the CFAA have largely been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)), while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 (2009)).  However, in a recent case in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, on the CFAA (Genworth Financial Wealth Mngmt. Inc., v. McMullan).

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not be satisfied, which eliminates the CFAA as a method of recovery, as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system, as it provides an additional basis for potential recovery.  Also, advance planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.

The Standard of Proof in Connecticut for Civil Theft

In Stuart v. Stuart, to be officially released on June 22, 2010, the Connecticut Supreme Court clarified the standard of proof for civil theft cases in Connecticut (download decision here).  Prior to this ruling, there was some confusion amongst attorneys and trial courts as to the appropriate standard of proof for a civil theft claim under Connecticut General Statutes section 52-564.  

Connecticut's civil theft statute states, in pertinent part:

Treble damages for theft. Any person who steals any property of another, or knowingly receives and conceals stolen property, shall pay the owner treble his damages.

To successfully allege civil theft, an attorney must plead and prove the elements of larceny under Connecticut General Statutes section 53a-119.  The key element that must be established is the taking or withholding of property with the intent to deprive another person of the property.  Some examples of successful use of Connecticut's civil theft statute:

  • Overdrawing on bank accounts
  • Theft of business or corporate property
  • Accepting insurance premium payments in excess of required amounts
  • Defrauding another of bank funds
  • Refusal to return deposit on purchase and sale agreement
  • Wrongful seizure of personal or business property
  • Stealing utilities
  • Depleting business accounts
  • Diverting account receivables

The takeaway from the Stuart case is that the cause of action for civil theft remains the same.  However, the Connecticut Supreme Court has clarified that an attorney only needs to establish proof of civil theft by a preponderance of the evidence.

Will Your Data Loss Be Covered By Insurance?

I always recommend that businesses implement a plan for data loss, security breach, and privacy related to electronically stored information.   As additional protection, I also typically recommend that businesses investigate additional insurance coverage.  In particular, business owners with risk should investigate insurance coverage for first and third party claims arising out of a loss of data, security breach, or technology errors.  These insurance plans are sometimes referred to as cyber liability or technology errors insurance.  I have posted about these insurance plans in the past.

By obtaining the proper data loss insurance coverage, a business should be able to make an insurance claim for its own losses and, at the same time, have protection from lawsuits following a data loss incident.  However, after reading a recent article by Jaikumar Vijayan from Computerworld.com, I suppose the critical words here are "should" and "proper" as it relates to insurance coverage for a data loss incident.

Jaikumar wrote an article about a Colorado insurance company that filed a lawsuit to deny responsibility for the University of Utah's 2008 security breach and data loss totaling $3.3 million in costs.  Colorado Casualty Insurance filed a declaratory judgment lawsuit in the United States District Court of Utah (Download complaint here).

The University of Utah utilized a third party vendor, Perpetual Storage, Inc., for storage of data on 1.7 million patients over 16 years at university hospitals and clinics.  According to the lawsuit, the University of Utah incurred $3.3 million in costs to remedy the security breach and made a claim for reimbursement to Perpetual Storage.  In turn, Perpetual Storage referred the matter to Colorado Casualty, its liability insurer.

In response to Perpetual Storage's claim, Colorado Casualty filed the lawsuit seeking a ruling that it did not have to provide Perpetual Storage with a defense to any claims brought by the University or reimburse the University for its damages. Perpetual Storage filed a motion to dismiss the complaint claiming that Colorado Casualty did not plead specific facts or mention particular insurance policy provisions.  At this point, the outcome of the lawsuit is not clear.

The takeaway here for Connecticut business owners is that not every insurance plan will provide the proper coverage for a data loss, security breach, or technology errors.  Whether Perpetual Storage had the "proper" coverage in place is not clear as the specific policies were not referenced in the lawsuit or the motion to dismiss.  Nevertheless, the lawsuit serves as a reminder that business owners need to make sure the proper insurance coverages are in place.  Do not assume that a general commercial liability policy will cover the specific risks of data loss, security breach, or technology errors.  In fact, in most instances, a general commercial liability policy will not cover such risks. 

Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its users' profile information.  Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis on Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies: Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

Laticrete Responds To 50 Million Dollar Verdict

Following my post about the Dur-A-Flex v. Laticrete jury verdict, I received a statement from Laticrete's CEO, David Rothberg.  You can read the full statement here.  Mr. Rothberg stated that he is "extremely disappointed in the verdict." He added that the jury finding against Laticrete was "absolutely baseless."  He made no secret of Laticrete's post-trial plans, saying the company intends a vigorous defense on appeal.

Trial counsel for Laticrete, Elizabeth Stewart, confirmed to me today that Laticrete does expect to appeal.  She commented that no decisions have been made yet on which issues Laticrete will raise on appeal.  Attorney Stewart had no further comments on the case.   

One of the most intriguing aspects to the appeal in this case is that Judge Eveleigh presided over the trial.  Judge Eveleigh has a very good reputation as a trial court judge.  In addition, he is now set to take a seat on the Connecticut Supreme Court.  I do not know yet what potential grounds might exist for the appeal, but I can say it seems very likely Judge Eveleigh considered the potential appellate issues in this case very closely.   

Stay tuned.  I expect there will be additional posts on this case.