New Update to Connecticut Data Breach Law

 Connecticut Updates Its Data Breach Statute by Attorney David Benoit.

A month after Vermont made substantive amendments to its Security Breach Notice Act to address a number of consumer protections, Connecticut followed suit on June 12th with a similar amendment to Connecticut General Statutes Sec 36a-701b to include a notice to the State’s Attorney General.

 

Going into effect on October 1, 2012, Connecticut’s amended breach notification requirements will now include an obligation to notify the Connecticut Attorney General’s office pursuant to a new subsection (b)(2):

“If notice of a breach of security is required by subdivision (1) of this subsection, the person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.”

Regarding when notice is to be made (both to the Connecticut resident and the Attorney General), the statute allows the notifying party a reasonable amount of time to accommodate delays resulting from law enforcement and company-led investigations meant to: (i) determine the nature and scope of the data breach, (ii) identify the individuals affected by the breach, and (iii) restore the reasonable integrity of the data system.

Additionally, subsection (c) was amended to clarify that the state’s notification requirements are applicable only to personal information of “a resident of this state.” 

Furthermore, pursuant to Section (g), failure to comply with the statute will continue to be deemed an unfair trade practice under Connecticut’s Unfair Trade Practices Act (“CUTPA”); however, enforcement is still limited to the Attorney General with no private right of action.

Have You Received a Copyright Infringement Letter from a Connecticut Internet Provider?

What To Do If You Receive a Copyright Infringement Letter From Your Internet Service Provider (ISP)

If you’ve recently received a copyright infringement letter from your Internet service provider, you’re not alone.  Recently, there’s been a rise in the number of copyright infringement lawsuits filed across the country involving alleged copyright infringement or “piracy of content” via peer-to-peer (P2P) and file sharing services such as BitTorrent and The Pirate Bay.  A recent report has identified over 220,000 individuals as having been sued since mid-2010 in mass BitTorrent lawsuits, many of them based upon alleged downloading of copyrighted works. 

Typically, plaintiffs involved in these cases file suit against a series of “John Does” alleging the illegal downloading of images, blockbuster movies and oftentimes, adult-themed videos.  In their complaints, plaintiffs will often include a list of Internet protocol (IP) addresses that were used to engage in the illegal transfer of copyrighted materials.   

How will a plaintiff get my name and contact information?

Through the use of court-ordered subpoenas, plaintiffs will request the Internet Service Providers (ISPs) (i.e., Comcast, Verizon, Cox, Time Warner) to turn over the individual names and contact information of the Internet account holders associated with the IP addresses that were identified in their complaint. Oftentimes, the ISPs will file motions to quash the subpoenas (motions asking the court to relieve them from having to turn over the requested information). If an ISP does not file a motion to quash, or the court rules in favor of the plaintiff, the ISP is then ordered to produce the requested information. Before it turns this information over to the plaintiff, the ISP will send a letter to the account holder stating that unless such individual takes legal action, the ISP will provide the plaintiff with their name and contact information.

What should you do if you receive a letter from your ISP?

1)      Don’t panic, but don’t ignore the letter either.  More likely than not, you have a few weeks to make a decision.  Use this time to learn more about your options and your situation.  Learning more about the facts of the case will shed more light on the types of options that you have.  Ignoring the letter won’t make it go away and could limit your chances of success.

2)      Don’t reach out to the plaintiff or its attorney.  You should not contact the plaintiff or plaintiff’s counsel without the assistance of a copyright attorney to help you.  Plaintiffs’ counsel often will harass and threaten Internet subscribers who reach out and identify themselves in an attempt to plead their case as to why they were wrongly targeted.  I compare this situation to the well-known carnival game: Whac-A-Mole.  Plaintiffs’ counsel is likely to make an example out of you in order to coerce the others if you come forward and identify yourself.

3)      Educate yourself.  More likely than not, the letter you received from your ISP came from their legal department.  The letter is likely to provide some basic facts about the case, including the title of the litigation, the name of the plaintiff and the location of the federal court that the case is in.  Sometimes, the letter isn’t entirely accurate as to your specific situation – these are typically form letters and may incorrectly identify you as a defendant when you aren’t an actual party to the lawsuit.  This is an important fact to find out because it will determine what judicial rights and options you have to prevent your information from being disclosed.

 

4)      Prepare a list of valid reasons why you’re not at fault.    By educating yourself about the specific facts of the case, importantly, the facts concerning what the copyrighted material was, when it was downloaded and by what means, you are likely to be in a better position to provide evidence to your attorney as to why you may have been mistakenly targeted.  Reasons such as using an unprotected wireless network, having multiple tenants in an apartment building share a single IP address, or being out of town on the day and time of the alleged infringement have been determined to be valid reasons in various jurisdictions for not being liable.         

5)      Speak to an experienced attorney.  In addition to the shock of receiving a letter from the ISP, you may be faced with the fear or worry of being publicly harassed or exposed due to the sensitive or adult-themed nature of the illegally downloaded material.  These factors can significantly interfere with your ability to objectively assess your options and plan the most effective course of action.  You should consider working with a copyright infringement attorney that has experience counseling clients in similar situations.  An experienced attorney can help you decide what your best options are and develop a game plan that will increase the odds of a favorable result.  

IP Advice for Connecticut Start-Ups: Protecting Your Client’s Personally Identifiable Information

 David Benoit presents his fourth post as a guest blogger on the topic of Intellectual Property for Connecticut Start-Up companies.  In his fourth installment, he focuses on the need for entrepreneurs to protect their client’s most important assets: client personal information.  

In addition to implementing best practices with respect to a company’s own IP, start-ups need to be as mindful in taking adequate safeguards to ensure that any client IP that is being collected, stored, manipulated or distributed is not being used in a manner that will expose the start-up to liability.  Client IP most often includes “NPI” (nonpublic personal information) and includes personally identifiable financial information and any lists, descriptions or other groupings of consumers derived using personally identifiable financial information.  Unauthorized disclosure or access of personally-identifiable customer data typically results in financial liability (i.e., regulatory fines, penalties and legal fees) and reputational liability (i.e., damage to goodwill that the startup has worked hard to build). 

Knowing which IP safeguards to implement and what steps need to be taken if an IP breach occurs requires a thorough understanding of the ever-changing, multi-jurisdictional laws and regulations applicable to the start-up’s business.  This could include federal regulations, state- and industry-specific requirements surrounding the collection, storage, deletion and distribution of sensitive customer or end-user data.  Utilizing the services of a privacy attorney who understands not only your business, but also your client’s, is important to implementing best practices.  

Having an understanding of these regulations and standards, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Fair and Accurate Transactions Act (FACT Act) and the Payment Card Industry Data Security Standards (PCI DSS), is extremely important to minimizing liability exposure.  Furthermore, knowing how to use customer IP without overstepping boundaries requires a well-written privacy policy, terms of service and other applicable data use agreements.

 

 

Software Liability Act in Connecticut – Good Idea or Too Much Regulation?

Do software publishers need more regulation to encourage creation of safe and reliable software? That was the general question posed for a debate at the RSA Conference USA on February 29, 2012. Sean Doherty of Law Technology News wrote an interesting article summarizing the two different positions.  One side of the debate favors creating a regime of "civil liability for software manufacturers whose code causes harm to consumers."  Opponents view a regime of civil liability for damages caused by software as another unnecessary regulation.  In addition, opponents maintain that our existing laws already provide remedies for software liability.

In Connecticut, there is no software liability statute or act.  However, there are various existing legal theories that might apply to the sale of defective software, including:

  • breach of contract;
  • breach of express warranty;
  • breach of implied warranty; and
  • misrepresentation.

Of course, there are also defenses to breach of warranty claims regarding software.  In many instances, a software attorney writing a contract or license agreement will include a disclaimer of all warranties and a cap on damages.  

Some consumers and purchasers do not have the ability to hire an attorney to negotiate a purchase of software.  Will a software liability act prohibit such disclaimers?  Conversely, not all software vendors or manufacturers hire a software lawyer to protect their interests by drafting appropriate disclaimers in license agreements and contracts.  Will a software liability act also protect software publishers from frivolous claims? 

As noted by the debaters at the RSA conference, everyone wants better, more reliable software. However, I doubt that creating a new software liability regime, and thus more regulation, is the right answer.  I tend to favor the market solution.  Let the better software win.  

New Connecticut Business and Technology Law Firm

I am pleased to announce that I have started a new law firm, Aeton Law Partners LLP.  At my new firm, I will continue my litigation practice involving a wide array of business and technology matters.  In this new venture,  I have partnered with Attorney David Benoit.  Dave brings a wide range of experience in transactions related to business, technology, and intellectual property. Together, we provide a broad base of experience and general counsel legal services for our existing and expanding client base.  For more information on Aeton Law Partners, please contact me at 860 724 2163.

 

Will A Crack In Data Breach Litigation Open Floodgates

Data loss and security breach incidents have become common. However, lawsuits related to these incidents are not so common or successful. The problems plaintiffs have encountered include not only figuring out the proper cause of action to seek recovery (many states lack laws permitting private lawsuits for damages related to data loss) but also how to establish provable damages. For example, if a large retail store suffers a security breach of 2 hours leaving your personal identifying information exposed to thieves or hackers, have you really suffered any damages if the information is never used or compromised? What about so called "mitigation" damages or out of pocket expenses for future protection such as credit card insurance, fraud protection, or getting a new credit card and incurring an annual fee?

The First Circuit Court of Appeals in Anderson v. Hannaford Bros. Co. recently shed some light on the potential for recovery of mitigation damages in data breach litigation. In the Hannaford case, hackers stole up to 4.2 million credit and debit numbers, expiration dates, and security codes, but they did not steal customer names. Hannaford also had received notice that there were 1,800 cases of alleged misuse or fraud from the theft. In response, many financial institutions cancelled consumers’ cards and fees were incurred to reinstate new cards.  Additionally, several consumers purchased identity theft protection for fear of future misuse. 26 separate lawsuits followed that were consolidated into one action in Maine.
 

At the trial court level, nearly all of the plaintiffs’ claims (20 out of 21) were dismissed based on problems with the alleged theories of recovery or the damages claims. The court found that the damages were not recognized under Maine law for claims for lost time and effort or too speculative to prove for claims involving lost points on cards, fees for replacement cards, and insurance.

On appeal, the First Circuit upheld implied contract and negligence as proper theories of recovery. In regards to damages, the First Circuit reversed the trial court and found that "a plaintiff may recover for costs and harms incurred during a reasonable effort to mitigate." To recover, however, the plaintiffs needed to establish an actual injury such as money lost as opposed to only time and effort.
 

In finding that the plaintiffs stated a proper claim for damages in a data breach case, the First Circuit noted that the Hannaford breach was not inadvertent loss or simple breach with no misuse. Rather, the court emphasized that there was actual misuse of the information that may have been global in reach running up thousands of charges. This type of breach presented a "real risk of misuse." Thus, it was foreseeable that a customer might replace a card or purchase insurance to avoid or mitigate future misuse. The court specifically noted the many other cases finding no action for damages, but distinguished those cases based on the real threat and misuse that occurred with the Hannaford breach.

Although the Hannaford case appears to show a possible breach in the dam regarding damage claims in data breach cases, a closer look reveals that it may be more limited in scope. The Hannaford case involved actual misuse of the information with sophisticated thieves intent on doing harm for financial gain. It is unlikely that Hannaford will provide support for other mitigation cases unless those claims involve actual or legitimate threats of misuse.
 

Small Business Insurance For Data Loss and Security Breach

The Hartford has recently announced a new insurance product specially tailored to fit small business for data loss and security breach. It has been touted as more affordable for the smaller business owner.  More and more small businesses are experiencing the devastating effects of a security breach incident or data loss.  The statistics and stories are well reported from various sources.  Experts agree that costs can exceed $200 per lost page of data.  This can cripple a small business and leave it exposed to lawsuits and litigation.

The front-line defense to data loss and security breach risks should always be a good security and privacy plan. A technology attorney working in conjunction with your IT support can develop and help implement an effective security and privacy plan. The process of developing and implementing such plans often reveals the problem areas for any business.  Nevertheless, at the end of the day, there is no 100% fail-safe plan to secure data, whether the data is on the cloud or in a server in the office.  There are also unavoidable risks associated with paper documents.  Likewise, there is no plan to provide 100% protection to paper documents.  That is why insurance is a good choice to cover the unavoidable risks.

In addition to providing valuable financial protection in the event of a covered incident, the underwriting and application process for data loss insurance will often require best practices.  This process alone will substantially reduce the likelihood of a significant data loss incident. Accordingly, small businesses should consider a three-step process for data loss and security breach:

1. Develop and implement a security and privacy plan

2. Implement best practices as part of insurance application process

3.  Purchase and maintain data loss insurance

Connecticut State Court Judges Adopt Electronic Discovery Rules

Connecticut state court judges recently adopted new electronic discovery rules.  The rules will become part of the Connecticut Practice Book for civil discovery and take effect on January 2, 2012.  

The judges present at the annual meeting unanimously adopted the new electronic discovery rules. You can read the new e-discovery rules here.  I removed the sections not relevant to civil cases.  The new rules or modifications are indicated by the underlined portions of the rule. 

Here is a quick hit list, and my brief commentary, of the new e-discovery rules in Connecticut state courts:

  • Definitions of electronic and electronically stored information (ESI) added to the list of definitions.  The new definitions are intentionally broad to adapt to new technology changes.
  • Grounds to move for a protective order in discovery include the terms and conditions of discovery of ESI and the allocation of costs between the parties.  This rule permits the court to take into account a series of factors in fashioning a protective order and cost shifting for discovery of ESI.
  • Litigants should be disclosing ESI that is readily accessible and likely to lead to the discovery of admissible evidence.  This basically clarifies that reasonably accessible ESI is no different than other types of discovery. 
  • Whether a litigant needs to disclose ESI that is not reasonably accessible will depend on a variety of factors that the court may consider. 
  • Court can shift the costs of production for ESI.
  • ESI added to the list of information a party can demand to inspect.
  • Safe harbor from sanctions for not only ESI, but all information, that is lost if the information is lost as the result of routine, good faith operation of a system or process in the absence of showing of intentional actions designed to avoid known discovery obligations.  This rule is based on the federal rule 37(f) safe harbor and the commentary indicates that good faith may require a party to stop or intervene in a routine destruction policy.
  • Claw back provisions permit a party to notify an opponent of inadvertently disclosed privileged information.  There is a procedure the party must follow upon receipt of the notice.  The rule does not address issues of waiver of privilege by the inadvertent disclosure. 

Until Connecticut courts interpret these provisions, a good resource for attorneys may be found in the commentary to the rules.  Additionally, the new rules are based on  the Uniform Rules Relating to the Discovery of ESI adopted by the National Conference of Commissioners on Uniform State Laws in 2007.  There are various courts in other states that have interpreted these rules. 

Social Media Continues To Impact Litigation and Trial

The impact of social media (Facebook, Twitter, LinkedIn, etc.) continues to grow in legal matters including litigation and trial.  The court decisions cut across numerous areas from employment law and personal injury to privacy rights and defamation.  Social media use has involved all the key players in lawsuits including judges, jurors, consultants, attorneys, reporters, and witnesses.  Lawyers are using Facebook to screen jurors; jurors are using Facebook to post about the case they are sitting on; judges are checking Facebook to make sure jurors are not using it; jury consultants are following Twitter to give advice on trial strategy to attorneys during the trial; and reporters are giving first hand accounts of trials 140 characters at a time. Bottom line: Social media is everywhere and lawyers and litigants should pay attention.

In keeping up to date on the topic, here are some new resources and  articles on social media and litigation and trial:

Vianei Lopez Robinson published an article for Texas Lawyer featured on Law Technology News that covers some recent decisions involving Facebook and the discovery of public and non-public information.  The article also discusses some of the ethical implications for attorneys "friending" litigation opponents.

Dan Schwartz’s Connecticut employment law blog continues to cover social media for employers. He recently posted a new update for employers on the newest social network site, Google +. 

Corey Dennis, who previously submitted to this blog a great summary on the basics of Connecticut civil procedure, has just published a comprehensive law review article on social media and the various laws implicated by its use. Here is a link to his article for the Massachusetts Law Review. 

 Leita Walker and Joel Schroeder published a thorough review of social media "crashing into the courtroom" in an article posted by Law.com.  The article describes several recent cases, juror misconduct with social media, attorney use of social media in discovery and cases ranging from employment to trademark matters.

A year or two ago it used to be relatively easy to track social media and the impacts on lawsuits and litigation. There were very few cases, and I posted about most of them.   Now, there are new reports and articles,  cases, and legal issues involving social media almost daily.   Just today,  a Google search of social media and trial brings up articles about the Roger Clemens perjury trial and the Casey Anthony murder trial. 

The bottom line is social media is here to stay and has clearly "crashed into the courtroom."  Attorneys, and especially trial lawyers and litigators, have to become familiar with all the legal implications as social media just might crash into one of your cases.

Some Guidance From Delaware On Seeking Corporate Books and Records in Connecticut

If you own shares of a corporation or an interest in a limited liability company, there are two basic sources in Connecticut concerning your rights to have access to company books and records.  The first source may be found in any agreements that concern governance of the company such as the by-laws of a corporation or the operating agreement of a limited liability company.  The second source may be found in Connecticut’s General Statutes (limited liability company records; business corporation records).

The statutes permit an owner to make written demand for access to company books and records and to bring a lawsuit in court if the demand is refused.  Although the process seems straightforward enough, many times it is not.  Management may deny the request and claim the request is overly broad, not sufficiently detailed under the statute, or sought for an improper purpose.  In Connecticut, the results of "books and records" cases are not consistent and a proper demand for books and records is not always clear. If the demand is not proper, a court will not grant the request.

As in many instances when matters are not clear in Connecticut, Delaware law is always a good resource.  Here is an informative article by Jeff Mordock of the Delaware Business Court Insider (you have to subscribe for free to get the full article) that discusses some of the details in drafting a proper, or more likely to be enforced, books and records demand.