Computer Fraud and Abuse Act In Connecticut

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information not only from competitors and vendors, but also from their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal in which he detailed ways the CFAA might be useful for attorneys seeking to protect client trade secrets and other confidential information.  Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization.  Peter further provided some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access.

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under the CFAA have largely been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)), while another case was dismissed because the facts were insufficient to show unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 (2009)).  However, in a recent case in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, on the CFAA (Genworth Financial Wealth Mngmt. Inc. v. McMullan).

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery.  Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.


Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start-ups, or businesses that want to utilize information gathered from users accessing their Web sites.  Some business owners have ideas or concepts that test the limits on use of user profiles, preferences, and content.  The question becomes, just what are the limits of user expectations of privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its users' profile information.  Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis of Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies: Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

Will Data Protection Laws Ever Catch Up To New Technology?

That was the question posed in an email newsletter I received today from the International Association of Privacy Professionals.  I am a member of this group out of personal interest and to stay on top of issues related to privacy laws and technology.  One of the benefits of belonging to this group is that I get email newsletters with summaries of new laws, regulations, and lawsuits dealing with privacy issues from all over the world.

Today's email posed the question in the title of this post and featured an article from the New York Times by Natasha Singer called "Shoppers Have No Secrets."   The article details the technology of "behavioral tracking" by retail and advertising businesses and how the Federal Trade Commission (FTC) is playing catch up when it comes to regulating this technology.

Online behavioral tracking has been a hot-button issue for both businesses and privacy rights groups for a few years.  Natasha's article lists several types of new tracking, including:

  • Cameras that can follow you from the minute you enter a store to the moment you hit the checkout counter, recording every T-shirt you touch, every mannequin you ogle, every time you blow your nose or stop to tie your shoelaces.
  • Web coupons embedded with bar codes that can identify, and alert retailers to, the search terms you used to find them.
  • Mobile marketers that can find you near a store clothing rack, and send ads to your cellphone based on your past preferences and behavior.

The article is a very good summary of the issue and has links to advocacy groups on both sides of the debate.  The article also highlights the differences between European and US based privacy laws. In general, the EU is far more advanced and stringent when it comes to personal data protection. 

In the US, the FTC publishes guidelines and takes enforcement action under its authority to regulate unfair trade.  There are also the state Attorneys General and class action and individual lawsuits.  Nevertheless, to answer the question I posed in this post, it is clearly a "NO" in the US.  Data protection laws will not catch up to new technology.  At least, not anytime soon.

So, should Connecticut businesses ignore consumer privacy issues?    Not if the business wants to stay ahead of the game and out of litigation over privacy violations.   The FTC and state Attorneys General still have broad enforcement powers to regulate unfair trade.  Also, individual consumers continue to bring lawsuits over these issues.  

For Connecticut businesses, it is a good idea, and a best practice, to implement a policy related to protection of consumer data, preferences, and personal identifiers.  I have posted some tips about these issues before.  If you are looking for "do it yourself" resources, another good place to start is the FTC guidelines on behavioral tracking or its Guide for Business on protecting personal information.

Of course, by the time you implement a privacy plan for today's technology, it will be time to start updating it for what tomorrow brings.  Good thing I get an email to remind me.   


Don't Get Rocked like RockYou - - Protect Your Customers' Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses from hackers stealing customer data, also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..."  As such, RockYou may face liability for data exposures across other platforms.

Mr. Remillard notes that he has been warning site owners about the risks of holding consumers' PII.  I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach.  If a business must store PII in its systems, then a data loss and security plan must be in place to protect the data.  In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of their customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures, which apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems.  The vulnerability involved RockYou's SQL database, that is, the actual storage method and management of millions of email accounts and passwords.  The complaint against RockYou alleges that the prior, well-publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCWorld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes.  He noted that RockYou stored the information in plain text.  In other words, once the hacker got inside RockYou's system, the passwords and email accounts were as easy to read as sticky notes because the text was not encrypted.

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords.  Encryption is the method used to make the passwords unreadable once the hacker gains access to the system. 
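To show concretely what "plain text" versus protected storage means for a table of email accounts and passwords like the one described above, here is an added Python example; it is not RockYou's code and not taken from any of the articles cited here.  It assumes a SQLite table with email and password columns and uses a salted, deliberately slow one-way hash (PBKDF2) rather than reversible encryption, since a login only ever needs to check a password, never recover it; all queries use parameter binding.

```python
import hashlib
import secrets
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware


def open_db():
    """In-memory database with one table per storage design (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def store_plaintext(conn, email, password):
    """The exposed design: the password is written to the table exactly as typed."""
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))


def store_hashed(conn, email, password):
    """Hardened design: random per-user salt plus a slow one-way hash.
    The table never holds the password itself, only a digest derived from it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, digest))


def verify_hashed(conn, email, candidate):
    """Login check: recompute the digest with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, digest FROM users_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(attempt, digest)


def exposed_secrets(conn):
    """What a copy of each table reveals: every password from the plain design,
    and only salted digests (not directly usable as credentials) from the hashed design."""
    plain = [pw for (pw,) in conn.execute("SELECT password FROM users_plain")]
    hashed = [d.hex() for (d,) in conn.execute("SELECT digest FROM users_hashed")]
    return plain, hashed


if __name__ == "__main__":
    db = open_db()
    store_plaintext(db, "user@example.com", "hunter2")  # constructed sample account
    store_hashed(db, "user@example.com", "hunter2")
    print(exposed_secrets(db))
    print(verify_hashed(db, "user@example.com", "hunter2"), verify_hashed(db, "user@example.com", "wrong"))
```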

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 


Health Net's Data Loss In Connecticut Was Theft

Attorney General Richard Blumenthal issued a scathing press release related to Health Net's recent data loss and security breach.  Blumenthal called Health Net's account of it "sanitized" and its six-month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk of exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast, serving approximately 580,000 members.  A report by Lucas Mearian of Computerworld stated that the stolen information was on a portable hard drive that had not been encrypted.  Proper encryption could have prevented access to the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.


Connecticut Businesses Should Check Massachusetts Privacy Laws

I have put together several posts on Connecticut's privacy laws and the potential impacts on small businesses concerning data loss or a security breach.  It is important to point out that Connecticut companies doing business in Massachusetts or with Massachusetts residents must also consider Massachusetts privacy laws.  Tracy Fox, from ForeSite Technologies, recently commented on the small business study I posted and provided a copy of a checklist for small businesses trying to comply with the relatively new and complex privacy law framework in Massachusetts.  I will write a more detailed post about the Massachusetts privacy law in the near future.  The checklist is a good starting point.

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems
  • 75% use the Internet to communicate with customers
  • 28% have formal Internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled "Common Sense Guide to Cyber Security for Small Businesses."  It is a 12-step plan to increase cyber security.  Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow a security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away; it will only increase.  Lawsuits concerning data loss and security breaches are becoming more frequent.  Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan.  There is no one-size-fits-all approach, and every business will have its own risk exposures.  If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss.