Are You Covered? CT Businesses Should Double Check Insurance Coverage for Data Loss

The Connecticut Appellate Court recently decided a case involving damages from loss of data related to 500,000 IBM employees.  The case is entitled Recall Total Information Management v. Federal Insurance Company.  The loss of data included social security numbers and birth dates. The data was lost in the process of transport for storage.  Some 4 years later after the loss, there has been no reported identity theft. 

As I have mentioned on this blog many times, data loss events can cause significant damages to a business.  In this case, IBM incurred 6 million in expenses to provide identify protection to its employees and to address the breach.  The data storage company paid IBM the full amount of its loss.  The storage company, and its subcontractor, tried to get insurance coverage for the IBM claim under a commercial general liability policy.  Obtaining coverage for a data loss breach under the terms of a commercial general liability could pose several challenges and the results have been inconsistent across difference courts and cases.  In this case, the insured party tried the most likely arguments to obtain coverage, but the insurance company denied it.

The litigation that ensured concerned whether the insurance company properly denied coverage.  The trial court agreed that it was proper to deny coverage. On appeal, one of the issues concerned the nature of data loss and whether it triggered coverage under the policy for a personal injury.  The Appellate Court found that the policy did not provide coverage under the personal injury provisions of the policy.  One of the reasons related to the fact that the data was never published to or accessed by anyone. This suggests that the results might have been different had there been dissemination of the data by a thief.  

 

The take away here is that businesses need an annual review of their insurance policies to specifically address the types of exposure they face.  A commercial general liability policy may not cover every circumstance.  In the case of data loss, security breaches, or technology errors, there are specific policies designed to cover these risks.  Seeking coverage for data loss claims under a standard commercial liability policy likely will be problematic, and may result in no coverage as highlighted by this recent case. 

Trade Secret Theft on the Cloud: Concerns For Both Employers and Employees

Max Taves authored an article posted by Law Technology News  entitled "Trade Secret Spats Center on Cloud."  The article highlights the increasing difficulty employers face when trying to avoid theft of confidential information when employees have access to third party storage providers such as DropBox, Googe Docs, SugarSync, and SkyDrive.  Third party data storage providers enable users to either locally sync or upload documents at work which can be accessed from another computer.  I have posted on tips for employers to reduce the risk of this kind of theft. Essentially, to mitigate risks and have evidence of theft, businesses need a robust and frequently updated fraud management plan.  

What I also found blogworthy in this article was how use of cloud based document storage posses a risk for employees as well.  One attorney in a high profile case pointed out that an employee's use of DropBox, or similar provider, could generate the appearance that the employee may have stolen data even if they did not intend to do so.  I have seen this happen several times and it can be a big problem.

An employee may use DropBox to store personal information (family photos, resume, etc) but also mix in company documents to work from home.  The employee may leave for another job and forget that he or she still has documents from the former employer.  The employee could end up in a lawsuit because the employer may believe documents were stolen by use of DropBox.  Having already used DropBox at work, it may be even more problematic to show evidence of returning such documents or deleting them.  

The take away here is that use of cloud storage creates a risk for both employers and employees when it comes to confidential information.  While employers should develop a fraud management plan, employees would be well advised to have clear permission to use cloud storage providers. To avoid or reduce the risk of a lawsuit, employees should also seek to address cloud storage as part of an exit strategy.  Even if an employee has no desire to use confidential information after leaving, ignoring the issue is a big risk that may create the wrong impression. 

Confidential Information and the Departing Employee

I recently ran a seminar for the Human Resources Association of Central CT on "Effectively Managing Your Departing Employees."  The issues concerned  how attorneys can help to eliminate, prevent, or mitigate the risks of intellectual property theft.  In this post, I will define the basics of the problem.  In the next post, I will cover how to address the problem.  

  • Employees will Leave (Millennials average job tenure is 2.5 years)
  • Employees will be disgruntled (Wall Street Journal: 75% of departing employees are disgruntled)
  • Employees will have access to electronically stored data (UC Berkeley study shows 90% of critical business data is digital)
  • Digital is portable, easy to copy, saved in seconds, and transferred to multiple locations
  • Employees do take confidential information, even if by mistake. (Ponemon Institute says 59% of departing employees take information, and 90% of IT professionals)

Based on the these numbers, you could fairly argue that in a three year time frame an average business will likely have to deal with an unhappy, departing employee that will copy accessible confidential information.   This paints a pretty grim picture.  Nevertheless, it is a fair way to think about the problem to manage risks appropriately. 

One of the biggest risks is financial loss from theft of intellectual property and confidential information.  This might cover any of the following:

  • Trade secrets (confidential client lists, formulas, data)
  • Patents (fully or partially disclosed inventions)
  • Copyrights (original works such as software code)
  • Trademarks (counterfeit goods, brand damage) 
  • Proprietary information (anything you do not want in hands of a competitor)

How does employee or insider theft typically happen?  Here are a few examples:

  • Email (with or without attachments)
  • Portable drives (thumb or flash drives)
  • Smartphone 
  • File Transfers (FTP sites)
  • Remote access programs (GoToMyPC)
  • File Synching programs (Dropbox)
  • Old fashion printing and copying

In the next post, I will cover what you can do to help stop or reduce the risks of intellectual property theft. 

New Update to Connecticut Data Breach Law

 Connecticut Updates Its Data Breach Statute by Attorney David Benoit.

A month after Vermont made substantive amendments to its Security Breach Notice Act to address a number of consumer protections, Connecticut followed suit on June 12th with a similar amendment to Connecticut General Statutes Sec 36a-701b to include a notice to the State’s Attorney General.

Going into effect on October 1, 2012, Connecticut’s amended breach notification requirements will now include an obligation to notify the Connecticut Attorney General’s office pursuant to a new subsection (b)(2):

“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.”

Regarding when notice is to be made (both to the Connecticut resident and the Attorney General), the statute allows the notifying party a reasonable amount of time to accommodate delays resulting from law enforcement and company-led investigations meant to: (i) determine the nature and scope of the data breach, (ii) identify the individuals affected by the breach, and (iii) restore the reasonable integrity of the data system.

Additionally, subsection (c) was amended to clarify that the state’s notification requirements are applicable only to personal information of “a resident of this state.” 

Furthermore, pursuant to Section (g), failure to comply with the statute will continue to be deemed an unfair trade practice under Connecticut’s Unfair Trade Practices Act (“CUTPA “), however, enforcement is still limited to the Attorney General with no private right of action.

Will A Crack In Data Breach Litigation Open Floodgates

Data loss and security breach incidents have become common. However, lawsuits related to these incidents are not so common or successful. The problems plaintiffs have encountered include not only figuring out the proper cause of action to seek recovery (many states lack laws permitting private lawsuits for damages related to data loss) but also how to establish provable damages. For example, if a large retail store suffers a security breach of 2 hours leaving your personal identifying information exposed to thieves or hackers, have you really suffered any damages if the information is never used or compromised? What about so called "mitigation" damages or out of pocket expenses for future protection such as credit card insurance, fraud protection, or getting a new credit card and incurring an annual fee?


The First Circuit Court of Appeals in Anderson v. Hannaford Bros. Co recently shed some light on the potential for recovery of mitigation damages in data breach litigation. In the Hannaford case, hackers stole up to 4.2 million credit and debit numbers, expiration dates, and security codes, but they did not steal customer names. Hannaford also had received notice that there were 1,800 cases of alleged misuse or fraud from the theft. In response, many financial institutions cancelled consumers' cards and fees were incurred to reinstate new cards.  Additionally, several consumers purchased identity theft protection for fear of future misuse. 26 separate lawsuits followed that were consolidated into one action in Maine.
 

At the trial court level, nearly all of the plaintiffs' claims (20 out of 21) were dismissed based on problems with the alleged theories of recovery or the damages claims. The court found that the damages were not recognized under Maine law for claims for lost time and effort or too speculative to prove for claims involving lost points on cards, fees for replacement cards, and insurance.

On appeal, the First Circuit upheld implied contract and negligence as proper theories of recovery. In regards to damages, the First Circuit reversed the trial court and found that "a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate." To recover, however, the plaintiffs needed to establish an actual injury such as money lost as opposed to only time and effort.
 

In finding that the plaintiffs stated a proper claim for damages in a data breach case, the First Circuit noted that the Hannaford breach was not inadvertent loss or simple breach with no misuse. Rather, the court emphasized that there was actual misuse of the information that may have been global in reach running up thousands of charges. This type of breach presented a "real risk of misuse." Thus, it was foreseeable that a customer might replace a card or purchase insurance to avoid or mitigate future misuse. The court specifically noted the many other cases finding no action for damages, but distinguished those cases based on the real threat and misuse that occurred with the Hannaford breach.


Although the Hannaford case appears to show a possible breach in the dam regarding damage claims in data breach cases, a closer look reveals that it may be more limited in scope. The Hannaford case involved actual misuse of the information with sophisticated thieves intent on doing harm for financial gain. It is unlikely that Hannaford will provide support for other mitigation cases unless those claims involve actual or legitimate threats of misuse.
 

Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product specially tailored to fit small business for data loss and security breach. It has been touted as more affordable for the smaller business owner.  More and more small businesses are experiencing the devastating effects of a security breach incident or data loss.  The statistics and stories are well reported from various sources.  Experts agree that costs can exceed $200 per lost page of data.  This can cripple a small business and leave it exposed to lawsuits and litigation.

The front line defense to data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveal the problem areas for any business.  Nevertheless, at the end of the day, there is no 100% fail safe plan to secure data, whether the data is on the cloud or in a server in the office.  There are also unavoidable risks associated with paper documents.  Likewise, there is no plan to provide 100% protection to paper documents.  That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices.  This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3.  Purchase and maintain data loss insurance

Connecticut State Court Judges Adopt Electronic Discovery Rules

Connecticut state court judges recently adopted new electronic discovery rules.  The rules will become part of the Connecticut Practice Book for civil discovery and take effect on January 2, 2012.  

The judges present at the annual meeting unanimously adopted the new electronic discovery rules. You can read the new e-discovery rules here.  I removed the sections not relevant to civil cases.  The new rules or modifications are indicated by the underlined portions of the rule. 

Here is a quick hit list, and my brief commentary, of the new e-discovery rules in Connecticut state courts:

  • Definitions of electronic and electronically stored information (ESI) added to the list of definitions.  The new definitions are intentionally broad to adapt to new technology changes.
  • Grounds to move for a protective order in discovery include the terms and conditions of discovery of ESI and the allocation of costs between the parties.  This rule permits the court to take into account a series of factors in fashioning a protective order and cost shifting for discovery of ESI.
  • Litigants should be disclosing ESI that is readily accessible and likely to lead to the discovery of admissible evidence.  This basically clarifies that reasonably accessible ESI is no different than other types of discovery. 
  • Whether a litigant needs to disclose ESI that is not reasonably accessible will depend on a variety of factors that the court may consider. 
  • Court can shift the costs of production for ESI.
  • ESI added to the list of information a party can demand to inspect.
  • Safe harbor from sanctions for not only ESI, but all information, that is lost if the information is lost as the result of routine, good faith operation of a system or process in the absence of showing of intentional actions designed to avoid known discovery obligations.  This rule is based on the federal rule 37(f) safe harbor and the commentary indicates that good faith may require a party to stop or intervene a routine destruction policy.
  • Claw back provisions permit a party to notify an opponent of inadvertently disclosed privileged information.  There is a procedure the party must follow upon receipt of the notice.  The rule does not address issues of waiver of privilege by the inadvertent disclosure. 

Until Connecticut courts interpret these provisions, a good resource for attorneys may be found in the commentary to the rules.  Additionally, the new rules are based on  the Uniform Rules Relating to the Discovery of ESI adopted by the National Conference of Commissioners on Uniform State Laws in 2007.  There are various courts in other states that have interpreted these rules. 

New Privacy Report From Federal Trade Commission (FTC)

The FTC released its 122 page Privacy Report today.  This Report has been anticipated for some time. The FTC Chairman, Jon Leibowitz, summed up the purpose behind the FTC's involvment in data privacy and security with release of the Report stating:

Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.

The Report is issued as "A Proposed Framework For Business and Policymakers."  The Report is intended to "inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy."  It is also intended to be a framework for how companies should address privacy. 

The biggest news making aspect of the Report is the endorsement of a Do Not Track system that would permit consumers to limit or control the amount of information given to advertisers that track consumers' online behavior.  This would be similar to the Do Not Call registry. 

For an excellent review of this far reaching Report, and its implications, read this post on the Privacy and Security Law Blog.  For more information on the Do Not Track and online behavior tracking aspects of the Report, here is a post from Electronic Frontier Foundation.  In the days ahead, there will be many more blog posts about the Report.

For now, if you are a company that collects data for online behavior tracking or stores personally identifiable information (PII such as name, address, ss#, date of birth, etc),  this Report should be reviewed albeit with the understanding that it is a proposed framework and will not be a final report until sometime in 2011.  The Report will be subject to much debate and critical comment, but might also serve as a best practices guide post. 

My general take away points from the Report are that the FTC: 

  • Endorses a Do Not Track system
  • Expects privacy policies to be based on notice and choice for consumers
  • Opines that many companies "do not adequately address consumer privacy"
  • States privacy policies should reflect the level of sensitivity of the data it seeks to protect
  • Wants companies to promote consumer privacy throughout development of its services and products or adopt "privacy by design"
  • Wants Companies to make it easier for consumers to understand privacy policies and data collection
  • Wants consumers to have more choice on opt in or opt out for data collection

The FTC will take public comment on the Report (click here) until January 31, 2011.

Carders, Full Wallets and Identity Theft In Connecticut

I recently attended the Connecticut Privacy Forum.  One of the presentations was by Kim Peretti who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor that chased down identity thieves globally. (read an interview with Kim here about the infamous TJX case).   I learned quite a bit of information about trafficking in personal identifying information also known as PII.  You can read my live tweets from her presentation here. 

In the data theft industry, the thieves are called "carders."  They are out there looking for victims in person and online.   The primary goal is not only credit card information, but  "full wallets."  Full wallets is when the carder gets all the information you might have in your wallet.  Credit cards, license, bank cards, etc.  The thieves might get this information from you personally, but more likely through a company that keeps this type of information.  Once they get a full wallet, they typically sell it overseas where the information is stored on computer servers and offered for sale on websites.  Scary stuff. 

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut's statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney's fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove in the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.
 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • Filing for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Only Five Days To Report Data Breach For Insurers And Agents In Connecticut

One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it.  The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010.  The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.  

The Insurance Department defined a security incident requiring notification as follows: 

The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

 This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Heatlh Net data loss.  In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.

Five days is a very short time frame, let alone responding immediately.  It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event.  I have posted before about the necessity for a privacy plan to addresses data loss and security breach incidents.  With these type of notice provisions, privacy plans become more critical as a risk management tool for insuers and agents to avoid administrative penalities.

Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 

 

Computer Fraud and Abuse Act In Connecticut

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal  where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.   Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access. 

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under CFAA, largely have been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)) , while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 2009)).   However, in a recent case, in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, and the CFAA. (Genworth Financial Wealth Mngmt. Inc., v. McMullan). 

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery.  Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.

 

 

Will Your Data Loss Be Covered By Insurance?

I always recommend that businesses implement a plan for data loss, security breach, and privacy related to electronically stored information.   As additional protection, I also typically recommend that businesses investigate additional insurance coverage.  In particular, business owners with risk should investigate insurance coverage for first and third party claims arising out of a loss of data, security breach, or technology errors.  These insurance plans are sometimes referred to as cyber liability or technology errors insurance.  I have posted about these insurance plans in the past.

By obtaining the proper data loss insurance coverage, a business should be able to make an insurance claim for its own losses and, at the same time, have protection from lawsuits following a data loss incident.  However, after reading a recent article by  Jaikumar Vijayan from Computerworld.com,  I suppose the critical words here are "should" and "proper" as it relates to insurance coverage for a data loss incident.    

Jaikumar wrote an article about a Colorado insurance company that filed a lawsuit to deny responsibility for the University of Utah's 2008 security breach and data loss totaling $3.3 million in costs.  Colorado Casualty Insurance filed a declaratory judgment lawsuit in the United States District Court of Utah  (Download complaint here). 

The University of Utah utilized a third party vendor, Perpetual Storage, Inc.,  for data storage concerning data on 1.7 million patients over 16 years at university hospitals and clinics.   According to the lawsuit, the University of Utah incurred 3.3 million in costs to remedy the security breach and made a claim for reimbursement to Perpetual Storage.  In turn, Perpetual Storage referred the matter to Colorado Casualty, its liability insurer. 

In response to Perpetual Storage's claim, Colorado Casualty filed the lawsuit seeking a ruling that it did not have to provide Perpetual Storage with a defense to any claims brought by the University or reimburse the University for its damages. Perpetual Storage filed a motion to dismiss the complaint claiming that Colorado Casualty did not plead specific facts or mention particular insurance policy provisions.  At this point, the outcome of the lawsuit is not clear.

The takeaway here for Connecticut business owners is that not every insurance plan will provide the proper coverage for a data loss, security breach, or technology errors.  Whether Perpetual Storage had the "proper" coverage in place is not clear as the specific policies were not referenced in the lawsuit or the motion to dismiss.  Nevertheless, the lawsuit serves as a reminder that business owners need to make sure the proper insurance coverages are in place.  Do not assume that a general commercial liability policy will cover the specific risks of data loss, security breach, or technology errors.  In fact, in most instances, a general commercial liability policy will not cover such risks. 

Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its user's profile information.  Whether it is a class action lawsuit in California  or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.  

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis on  Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

Will Data Protection Laws Ever Catch Up To New Technology?

That was the question posed in an email newsletter I received today from the International Association of Privacy Professionals.   I am a member of this group out of personal interest and to to stay on top of issues related to privacy laws and technology.   One of the benefits of belonging to this group is that I get email newsletters with summaries of new laws, regulations, and lawsuits dealing with privacy issues from all over the world. 

Today's email posed the question in the title of this post and featured an article from the New York Times by Natasha Singer called "Shoppers Have No Secrets."   The article details the technology of "behavioral tracking" by retail and advertising businesses and how the Federal Trade Commission (FTC) is playing catch up when it comes to regulating this technology.

Online behavioral tracking has been a hot button issue for both businesses and privacy rights groups for a few years.  Natasha's article lists several types of new tracking to include:

  • Cameras that can follow you from the minute you enter a store to the moment you hit the checkout counter, recording every T-shirt you touch, every mannequin you ogle, every time you blow your nose or stop to tie your shoelaces.
  • Web coupons embedded with bar codes that can identify, and alert retailers to, the search terms you used to find them.
  • Mobile marketers that can find you near a store clothing rack, and send ads to your cellphone based on your past preferences and behavior.

The article is a very good summary of the issue and has links to advocacy groups on both sides of the debate.  The article also highlights the differences between European and US based privacy laws. In general, the EU is far more advanced and stringent when it comes to personal data protection. 

In the US, the FTC publishes guidelines and takes enforcement action under its authority to regulate unfair trade.  There are also the states' Attorney Generals and class action and individual lawsuits.  Nevertheless, to answer the question I posed in this post, it is clearly a "NO" in the US.   Data protection laws will not catch up to new technology. At least, not anytime soon.

So, should Connecticut businesses ignore consumer privacy issues?    Not if the business wants to stay ahead of the game and out of litigation over privacy violations.   The FTC and state Attorneys General still have broad enforcement powers to regulate unfair trade.  Also, individual consumers continue to bring lawsuits over these issues.  

For Connecticut businesses, it is a good idea or best practices to implement  a policy related to protection of consumer data, preferences, and personal identifiers.  I have posted some tips about these issues before.  If you are looking for "do it yourself" resources, another good place to start is the FTC guidelines on behavioral tracking or its Guide for Business in protecting personal information. 

Of course, by the time you implement a privacy plan for today's technology, it will be time to start updating it for what tomorrow brings.  Good thing I get an email to remind me.   

 

Business Blog Round Up: YouTube, Coffee Cups, Anna Nicole and Identify Theft

 

  • Ashby Jones of Wall Street Journal blog writes an intriguing post about the Google and Viacom lawsuit concerning Viacom's claims of copyright infringement against YouTube (Google subsidiary).  The post recites how Viacom employees were uploading copyrighted copies of their own videos to YouTube to help prove that YouTube was not promptly removing videos that infringe copyrights.  At stake: immunity under the Digital Millennium Copyright Act.  Google says its protected from suit under the Act because YouTube removes content upon request of a copyright holder.  Viacom says otherwise and points to some of its own videos that were not removed.  I do not know the particulars of the lawsuit, but if Viacom hopes to prevail, you would expect that they have more to proceed on than there own employee videos.
  • PatentlyO, the nations leading patent law blog, has a humorous post indicating Starbucks may soon be subject to a false marketing claim if it keeps a patent number on its corrugated cardboard cups for much longer.  Professor Dennis Crouch looked up the patent  on the cup and its set to expire in a month.  Maybe Starbucks will settle out of court like the coffee house did with Kramer on Seinfeld for lifetime free coffee!  (if you are wondering, this happened in the Maestro episode)   
  • Brendon Tavelli of The Privacy Law Blog writes about the Federal Trade Commissions settlement against LifeLock,Inc. for misrepresentation concerning its identity theft services and protections.  35 states joined in the settlement.  According the the settlement, LifeLock was not providing the comprehensive identify theft coverage it advertised.  Any consumer considering identify theft should do a very detailed investigation of the company and its services.  I wrote a post recently about data loss and noted that many victims are offered identity theft protection as part of the settlement.  Many times, the protection is not adequate. 
  • Victoria Pynchon's Settle It Now Blog has a compelling post about her project to teach women to negotiate better in retail, relationships, employment, and the law.  I recently discovered this popular blog and now I am a regular reader.  Great insights, not only for women (although she says so a few times).
  • John Buford of the North Carolina Business Litigation Report has a post about a business valuation case involving a closely held business.  At issue in the case was determining a value of an unproven technology.  The problem was setting a fair price to avoid a windfall for either side.  Although it is a North Carolina case, the concepts of valuing intellectual property, especially unproven technology, is more of a function of the science of appraisals than state law.  Some useful concepts are discussed including the appraiser's methodology that the court accepted.
  • Mashable, a top 100 blog, discusses Twitter's birthday only 4 years ago.  Twitter hit 50 million tweets per day last month. Mashable is a great blog that has just about everything there is to do with social media and web 2.0.
  • For more on social media: Nicole Black's Sui Generis - a New York Law Blog - discusses Nicole's new book, "Social Media for Lawyers: The Next Frontier."  The book is co-authored by Carolyn Elefant, who publishes the blog MyShingle.com an excellent resource for solos and small firm lawyers.  
  •  Megan Erickson's Social Networking Blog also details the Classmates.com settlement.  I guess  I was not the only one getting those annoying emails claiming my classmates were looking for me. 
  • Cannot do a business blog round up without mentioning the ScotusBlog and its post on Anna Nicole Smith's estate losing her long disputed claim for millions from her tycoon husband J. Howard Marshall.  The Post includes the decision and a summary story.  

 

Don't Get Rocked like RockYou - - Protect Your Customers' Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

 Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..."  As such,  RockYou may face liability for data exposures across other platforms. 

Mr. Remillard notes that he has been warning site owners about the risks of holding PII information of consumers.  I agree with Mr. Remillard that avoiding storage of such personal data  in the first place is often the best way to prevent liability exposure for both loss of data and a security breach.  If a business must store PII in its systems then a data loss and security plan must be in place to protect the data.  In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of its customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment System.  The vulnerability results from RockYou's SQL database,which relates to the actual storage method and management of millions of email accounts and passwords.  The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCworld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes.  He noted that RockYou stored the information in plain text words.  In other words, once the hacker got inside RockYou's system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text. 

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords.  Encryption is the method used to make the passwords unreadable once the hacker gains access to the system. 

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 

 

Health Net's Data Loss In Connecticut Was Theft

Attorney General Richard Blumenthal issued a scathing press release related to Health Net's recent data loss and security breach.  Blumenthal called Health Net's story on it "sanitized" and its six month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast serving approximately 580,000 members.  A report by Lucas Mearian of Computerworld stated that the information stolen was a portable hard drive that had not been encrypted.  Proper encryption could have prevented access of the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself placer to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled“Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12 step plan to increase cyber security. Here are some highlights:

·         Use strong passwords and change them regularly

·         Watch for strange email attachments

·         Install computer security software and network security

·         Keep software updated

·         Limit access to sensitive and confidential data

·         Establish and follow security plan

·         Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

The Connecticut Privacy Forum Highlights Very Real Risks For Businesses

On Monday,  I attended the Connecticut Privacy Forum hosted by Travelers.  This Forum was a well attended inaugural meeting of privacy and data security professionals.  I came away from the meeting very impressed with the panel of speakers and topics on the agenda.  I also came away from the meeting as convinced as ever that data loss and security breaches pose a significant risk for nearly all businesses that use computers. 

In one of my earlier posts,  I touched on some of the risks involved for businesses related to data loss and security breaches.  I also offered some potential solutions.  At the Privacy Forum, data loss statistics were presented by the speakers and confirmed that these risks are very real for businesses.  Here is a sample of some of the statistics from 2008 alone:

  • 80 million records were compromised
  • 580 data loss or breach incidents were reported
  • $202 per record was the average cost to business for loss or breach 
  • 47% of the incidents involved corporations or businesses
  • 33% involved compromised social security numbers 

The speakers also offered some of the solutions for businesses in terms of risk management and planning.  The seminar further included a detailed overview of federal and state laws covering privacy rights and data security.   You can access the presentation materials at ctprivacy.com 

Overall, this was a great event concerning a topic that will continue to be relevant to business litigation in the coming years.  Congratulations to the organizers, David Baker and Peter Bernstein, from Travelers on a well run event!

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common.  Obtaining insurance to cover losses from data loss can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases.  Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.   

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

 CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

 

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's todays tip for Connecticut businesses to avoid financial loss as a result of datal loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal indentifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws.  For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP.  For an example of a new privacy law in Connecticut, consider the"Act Concerning the Confidentiality of Social Security Numbers."  Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public realtions, and signficant down time.  Consider the recent case of TJX reported on by Sheri Qaulters for the National Law Journal.  Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards.   TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business.  How can a business mimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business.   There is no one size fits all policy and solution and every business will have different needs.  If you already have a policy, you should have it reviewed regularly for changes in the law.  If you do not have a policy in place, you need to start somewhere.  For "do it yourselfers" there is the Federal Trade Commision's Guide for Business and Protecting Personal Information.  The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures. 

 In addition  to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy.  These policies are now more afforadable and many insurers such as The Hartford are now actively underwriting polices to cover first and third party data loss claims and providing ongoing resources and information.  

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit.